Product
Introducing GitHub Actions Scanning Support
Detect malware, unsafe data flows, and license issues in GitHub Actions with Socket’s new workflow scanning support.
By Rakesh Chatrath, Greg Tystahl -  Oct 23, 2025
🚀 DAY 4 OF LAUNCH WEEK: Introducing GitHub Actions Scanning Support.Learn more →
eslint-plugin-security
Advanced tools
eslint-plugin-security
ESLint rules for Node Security
This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
Installation
npm install --save-dev eslint-plugin-security
or
yarn add --dev eslint-plugin-security
Usage
Flat config (requires eslint >= v8.23.0)
Add the following to your eslint.config.js file:
const pluginSecurity = require('eslint-plugin-security');
module.exports = [pluginSecurity.configs.recommended];
eslintrc config (deprecated)
Add the following to your .eslintrc file:
module.exports = {
extends: ['plugin:security/recommended-legacy'],
};
Developer guide
- Use GitHub pull requests.
- Conventions:
- We use our custom ESLint setup.
- Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
npm run-script cont-int
Tests
npm test
Rules
⚠️ Configurations set to warn in.
âś… Set in the recommended configuration.
| Name                                 | Description | ⚠️ |
|---|---|---|
| detect-bidi-characters | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code. | âś… |
| detect-buffer-noassert | Detects calls to "buffer" with "noAssert" flag set. | âś… |
| detect-child-process | Detects instances of "child_process" & non-literal "exec()" calls. | âś… |
| detect-disable-mustache-escape | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | âś… |
| detect-eval-with-expression | Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. | âś… |
| detect-new-buffer | Detects instances of new Buffer(argument) where argument is any non-literal value. | âś… |
| detect-no-csrf-before-method-override | Detects Express "csrf" middleware setup before "method-override" middleware. | âś… |
| detect-non-literal-fs-filename | Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. | âś… |
| detect-non-literal-regexp | Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. | âś… |
| detect-non-literal-require | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | âś… |
| detect-object-injection | Detects "variable[key]" as a left- or right-hand assignment operand. | âś… |
| detect-possible-timing-attacks | Detects insecure comparisons (==, !=, !== and ===), which check input sequentially. | âś… |
| detect-pseudoRandomBytes | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | âś… |
| detect-unsafe-regex | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | âś… |
TypeScript support
Type definitions for this package are managed by DefinitelyTyped. Use @types/eslint-plugin-security for type checking.
npm install --save-dev @types/eslint-plugin-security
# OR
yarn add --dev @types/eslint-plugin-security
Other packages similar to eslint-plugin-security
eslint-plugin-no-unsanitized
eslint-plugin-no-unsanitized is an ESLint plugin that focuses on preventing the use of unsanitized methods that can lead to XSS vulnerabilities. It is similar to eslint-plugin-security in that it helps identify potential security issues, but it specifically targets unsanitized DOM manipulations.
eslint-plugin-scanjs-rules
eslint-plugin-scanjs-rules is an ESLint plugin that provides a set of security rules based on the Mozilla ScanJS project. It is similar to eslint-plugin-security in that it aims to identify security issues in JavaScript code, but it includes a different set of rules inspired by the ScanJS project.
Keywords
FAQs
Security rules for eslint
The npm package eslint-plugin-security receives a total of 829,670 weekly downloads. As such, eslint-plugin-security popularity was classified as popular.
We found that eslint-plugin-security demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Package last updated on 14 Jun 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Product
Introducing Webhook Events for Pull Request Scans
Add real-time Socket webhook events to your workflows to automatically receive pull request scan results and security alerts in real time.
By Jeppe Hasseriis -  Oct 22, 2025
Research
Malicious NuGet Packages Typosquat Nethereum to Exfiltrate Wallet Keys
The Socket Threat Research Team uncovered malicious NuGet packages typosquatting the popular Nethereum project to steal wallet keys.
By Kirill Boychenko -  Oct 22, 2025