🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more →
eslint-plugin-security
Advanced tools
eslint-plugin-security - npm Package Compare versions
Comparing version 1.7.1 to 2.0.0
| # Changelog | ||
| ## [2.0.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.7.1...v2.0.0) (2023-10-17) | ||
| ### ⚠ BREAKING CHANGES | ||
| * switch the recommended config to flat (#118) | ||
| ### Features | ||
| * switch the recommended config to flat ([#118](https://www.github.com/eslint-community/eslint-plugin-security/issues/118)) ([e20a366](https://www.github.com/eslint-community/eslint-plugin-security/commit/e20a3664c2f638466286ae9a97515722fc98f97c)) | ||
| ### [1.7.1](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.7.0...v1.7.1) (2023-02-02) | ||
@@ -4,0 +15,0 @@ |
@@ -97,3 +97,3 @@ # The Dangers of Square Bracket Notation | ||
| Edge cases are uncommon, but because they are uncommon the problems with them are not well known, and they frequently go un-noticed during code review. If the code works, these types of problems tend to disappear. If the code works, and the problems are buried in a module nested n-levels deep, it's likely it won't be found until it causes problems, and by then it's too late. A blind require is essentially running untrusted code in your application. Be [aware of what you require.](https://requiresafe.com) | ||
| Edge cases are uncommon, but because they are uncommon the problems with them are not well known, and they frequently go un-noticed during code review. If the code works, these types of problems tend to disappear. If the code works, and the problems are buried in a module nested n-levels deep, it's likely it won't be found until it causes problems, and by then it's too late. A blind require is essentially running untrusted code in your application. Be aware of the code you're requiring. | ||
@@ -100,0 +100,0 @@ ## How do I fix it? |
52
index.js
@@ -7,3 +7,9 @@ /** | ||
| module.exports = { | ||
| const pkg = require('./package.json'); | ||
| const plugin = { | ||
| meta: { | ||
| name: pkg.name, | ||
| version: pkg.version, | ||
| }, | ||
| rules: { | ||
@@ -41,23 +47,27 @@ 'detect-unsafe-regex': require('./rules/detect-unsafe-regex'), | ||
| }, | ||
| configs: { | ||
| recommended: { | ||
| plugins: ['security'], | ||
| rules: { | ||
| 'security/detect-buffer-noassert': 'warn', | ||
| 'security/detect-child-process': 'warn', | ||
| 'security/detect-disable-mustache-escape': 'warn', | ||
| 'security/detect-eval-with-expression': 'warn', | ||
| 'security/detect-new-buffer': 'warn', | ||
| 'security/detect-no-csrf-before-method-override': 'warn', | ||
| 'security/detect-non-literal-fs-filename': 'warn', | ||
| 'security/detect-non-literal-regexp': 'warn', | ||
| 'security/detect-non-literal-require': 'warn', | ||
| 'security/detect-object-injection': 'warn', | ||
| 'security/detect-possible-timing-attacks': 'warn', | ||
| 'security/detect-pseudoRandomBytes': 'warn', | ||
| 'security/detect-unsafe-regex': 'warn', | ||
| 'security/detect-bidi-characters': 'warn', | ||
| }, | ||
| }, | ||
| configs: {}, // was assigned later so we can reference `plugin` | ||
| }; | ||
| const recommended = { | ||
| plugins: { security: plugin }, | ||
| rules: { | ||
| 'security/detect-buffer-noassert': 'warn', | ||
| 'security/detect-child-process': 'warn', | ||
| 'security/detect-disable-mustache-escape': 'warn', | ||
| 'security/detect-eval-with-expression': 'warn', | ||
| 'security/detect-new-buffer': 'warn', | ||
| 'security/detect-no-csrf-before-method-override': 'warn', | ||
| 'security/detect-non-literal-fs-filename': 'warn', | ||
| 'security/detect-non-literal-regexp': 'warn', | ||
| 'security/detect-non-literal-require': 'warn', | ||
| 'security/detect-object-injection': 'warn', | ||
| 'security/detect-possible-timing-attacks': 'warn', | ||
| 'security/detect-pseudoRandomBytes': 'warn', | ||
| 'security/detect-unsafe-regex': 'warn', | ||
| 'security/detect-bidi-characters': 'warn', | ||
| }, | ||
| }; | ||
| Object.assign(plugin.configs, { recommended }); | ||
| module.exports = plugin; |
| { | ||
| "name": "eslint-plugin-security", | ||
| "version": "1.7.1", | ||
| "version": "2.0.0", | ||
| "description": "Security rules for eslint", | ||
@@ -49,8 +49,9 @@ "main": "index.js", | ||
| "devDependencies": { | ||
| "@eslint/js": "^8.51.0", | ||
| "changelog": "1.3.0", | ||
| "eslint": "^8.11.0", | ||
| "eslint": "^8.51.0", | ||
| "eslint-config-nodesecurity": "^1.3.1", | ||
| "eslint-config-prettier": "^8.5.0", | ||
| "eslint-doc-generator": "^1.0.2", | ||
| "eslint-plugin-eslint-plugin": "^5.0.2", | ||
| "eslint-plugin-eslint-plugin": "^5.1.1", | ||
| "lint-staged": "^12.3.7", | ||
@@ -57,0 +58,0 @@ "markdownlint-cli": "^0.32.2", |
@@ -23,8 +23,8 @@ # eslint-plugin-security | ||
| Add the following to your `.eslintrc` file: | ||
| Add the following to your `eslint.config.js` file: | ||
| ```js | ||
| "extends": [ | ||
| "plugin:security/recommended" | ||
| ] | ||
| const pluginSecurity = require('eslint-plugin-security'); | ||
| module.exports = [pluginSecurity.configs.recommended]; | ||
| ``` | ||
@@ -31,0 +31,0 @@ |
Sorry, the diff of this file is not supported yet
New alerts
URL strings
Supply chain riskPackage contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.
Found 1 instance in 1 package
Fixed alerts
URL strings
Supply chain riskPackage contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
134947
0.71%- Lines of code
2332
2.01%Worsened metrics
- Dev dependency count
14
7.69%No dependency changes