An ESLint warning tracker to help introduce rules into a legacy code base
Linting is a powerful way to catch bad code and enforce best practices. That said, turning a rule on for an existing project can be difficult. It can surface hidden violations that you must fix before you can use the rule at all.
Instead, esplint allows you to turn new rules on as “warnings,” and prevent further violations. esplint tracks the number of eslint “warnings” in each file and prevents the number of “warnings” from increasing. When the number of “warnings” decreases, esplint records the new lower number. This way you can fix existing, legacy violations over time while avoiding further violations.
For more information about the motivation behind esplint, read this post.
Install esplint as a dev dependency of your project.
$ npm install esplint --save-dev
Create .esplintrc.js and add your configuration.
module.exports = {
surfaceArea: [ ... ],
rules: [ ...the rules you wish to track... ]
};
Run
$ ./node_modules/.bin/esplint
This will create a .esplint.rec.json record file that stores the number of eslint warnings per file. Add this file to your git repository.
NOTE: This record file will only include files with warnings. If a file is included in the esplint "surfaceArea" but not present in the record file then it has none of the tracked warnings.
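The warning-count "ratchet" described above, as an added example that is not esplint's own code: a plain Node.js implementation run over ESLint-shaped lint results (objects with filePath and messages carrying ruleId, severity, line) so it works offline. The record layout ({ file: { rule: count } }), the behaviour that files not linted in a run keep their previous record entry (as happens when lint-staged passes only staged files), the meaning given to --overwrite, and all sample data are assumptions made for the illustration; esplint's real record file may differ.

```javascript
"use strict";

// Rules being introduced gradually; assumed config (the `rules` list of .esplintrc.js).
const TRACKED_RULES = ["no-unused-vars", "eqeqeq"];

// Tally tracked warnings per file from ESLint-shaped LintResult objects:
// { filePath, messages: [{ ruleId, severity, line, column }] }.
// Severity is not consulted: a rule under introduction is configured as "warn",
// and the count is what the ratchet compares.
function countTracked(results, trackedRules) {
  const counts = {};
  for (const { filePath, messages } of results) {
    const perRule = {};
    for (const m of messages) {
      // ruleId is null for parse errors; those are never tracked.
      if (m.ruleId !== null && trackedRules.includes(m.ruleId)) {
        perRule[m.ruleId] = (perRule[m.ruleId] || 0) + 1;
      }
    }
    // Files with no tracked warnings are left out of the record entirely,
    // so "absent from the record" means "zero tracked warnings".
    if (Object.keys(perRule).length > 0) counts[filePath] = perRule;
  }
  return counts;
}

// The ratchet: compare this run's counts with the committed record.
// `record` maps file -> { rule -> count }. Returns the violations found and
// the record that should be written afterwards.
function ratchet(record, results, trackedRules, opts = {}) {
  const { overwrite = false } = opts; // assumed to model --overwrite
  const current = countTracked(results, trackedRules);
  const linted = new Set(results.map((r) => r.filePath));
  const violations = [];
  const nextRecord = {};

  // Files not linted in this run keep their previous entry (assumed behaviour).
  for (const [file, perRule] of Object.entries(record)) {
    if (!linted.has(file)) nextRecord[file] = perRule;
  }

  for (const file of linted) {
    const before = record[file] || {}; // missing file => baseline of 0 per rule
    const after = current[file] || {};
    for (const rule of trackedRules) {
      const was = before[rule] || 0;
      const now = after[rule] || 0;
      if (now > was && !overwrite) {
        violations.push(`${file}: ${rule} warnings increased from ${was} to ${now}`);
      }
    }
    // A decrease (or unchanged count) is simply recorded; zero drops the entry.
    if (Object.keys(after).length > 0) nextRecord[file] = after;
  }

  const ok = violations.length === 0;
  // On failure the old record is kept, so an increase can never be committed.
  return { ok, violations, record: ok ? nextRecord : record };
}

// Constructed sample data (not real lint output). The committed record says
// src/legacy.js carried 3 no-unused-vars warnings and 1 eqeqeq warning.
const committedRecord = {
  "src/legacy.js": { "no-unused-vars": 3, eqeqeq: 1 },
};

// Run 1: two legacy no-unused-vars warnings were fixed. An untracked rule
// (semi) also fires as an error; the ratchet ignores it.
const run1Results = [
  {
    filePath: "src/legacy.js",
    messages: [
      { ruleId: "no-unused-vars", severity: 1, line: 4, column: 7 },
      { ruleId: "eqeqeq", severity: 1, line: 10, column: 9 },
      { ruleId: "semi", severity: 2, line: 12, column: 20 },
    ],
  },
];

// Run 2: a new file, absent from the record, introduces one eqeqeq warning.
// Its baseline is 0, so the check must fail unless --overwrite is given.
const run2Results = [
  {
    filePath: "src/new.js",
    messages: [{ ruleId: "eqeqeq", severity: 1, line: 2, column: 5 }],
  },
];

function demo() {
  const first = ratchet(committedRecord, run1Results, TRACKED_RULES);
  const second = ratchet(first.record, run2Results, TRACKED_RULES);
  const forced = ratchet(first.record, run2Results, TRACKED_RULES, { overwrite: true });
  return { first, second, forced };
}

const { first, second, forced } = demo();
console.log("run 1 ok:", first.ok, JSON.stringify(first.record));
console.log("run 2 ok:", second.ok, second.violations);
console.log("--overwrite ok:", forced.ok, JSON.stringify(forced.record));
```

Run 1 passes and lowers the recorded no-unused-vars count to 1; run 2 fails with one violation and leaves the record untouched, which is exactly what a pre-commit hook needs to block the commit; the forced run passes and adds src/new.js to the record.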
Now add this esplint check to your validation on commit hooks (using lint-staged) or CI.
Here's an example using lint-staged:
// package.json
{
...
"scripts": {
"precommit": "lint-staged"
},
"lint-staged": {
"*.js": [
"esplint --stage-record-file"
]
},
...
}
See a full example here.
$ ./node_modules/.bin/esplint --help
esplint [files..]
Run check and update record
Commands:
esplint [files..] Run check and update record [default]
esplint stats Print stats about eslint violations
esplint suppress <rule> [files..] Disable eslint on specific lines to
suppress a rule
Positionals:
files Paths to files or directories to run esplint on [default: []]
Options:
--version Show version number [boolean]
--help Show help [boolean]
--overwrite Ignore existing record file [boolean] [default: false]
--no-write Don't update record file [boolean] [default: false]
--stage-record-file Git add record file. Helpful when running esplint on a
pre-commit hook. [boolean] [default: false]
esplint
Run check and update record.
The options are:
--overwrite — Ignore existing record file. Useful to bypass the esplint check and force an increase in the number of warnings.
--no-write — Only perform the warning count check and don't update the record file if the warning count goes down.
--stage-record-file — After esplint succeeds, this will git add the record file. This is helpful when running esplint on a pre-commit hook.
esplint stats
Print stats about eslint violations.
esplint suppress
Will suppress all existing violations of an eslint rule. It does this by inserting eslint-disable-next-line comments into your code.
NOTE: esplint suppress doesn't work very well with JSX because comments in JSX are very finicky. If you have an idea, let me know and open an issue.
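An added example, not esplint's own implementation, of the mechanical part of esplint suppress: given the 1-based line numbers ESLint reports for one rule, insert // eslint-disable-next-line comments in front of the offending lines. It merges into a directive that already sits on the previous line instead of stacking a second one, leaves a bare directive alone (that form already disables every rule on the next line), and walks the file bottom-up so insertions do not shift line numbers it has not handled yet. The sample source and messages are constructed. Only the // line-comment form is handled, so it shares the JSX limitation noted above.

```javascript
"use strict";

// Matches an existing `// eslint-disable-next-line [rule, rule]` directive,
// capturing the indentation and the optional rule list.
const DIRECTIVE = /^(\s*)\/\/\s*eslint-disable-next-line(?:\s+(.*?))?\s*$/;

// Pull the 1-based line numbers for one rule out of ESLint-shaped messages.
function linesForRule(messages, rule) {
  return messages.filter((m) => m.ruleId === rule).map((m) => m.line);
}

// Insert a disable-next-line directive before each listed line of `source`.
function suppressRule(source, rule, lines) {
  const out = source.split("\n");
  // Bottom-up so earlier insertions never shift a line not yet handled;
  // the Set drops duplicates when one line has several violations.
  const targets = [...new Set(lines)].sort((a, b) => b - a);
  for (const line of targets) {
    const idx = line - 1;
    if (idx < 0 || idx >= out.length) continue;
    const prev = idx > 0 ? DIRECTIVE.exec(out[idx - 1]) : null;
    if (prev) {
      // A bare directive already disables every rule on the next line.
      if (!prev[2]) continue;
      const rules = prev[2].split(",").map((s) => s.trim()).filter(Boolean);
      if (!rules.includes(rule)) rules.push(rule);
      out[idx - 1] = `${prev[1]}// eslint-disable-next-line ${rules.join(", ")}`;
    } else {
      // Match the target's indentation so an indent rule does not start failing.
      const indent = /^\s*/.exec(out[idx])[0];
      out.splice(idx, 0, `${indent}// eslint-disable-next-line ${rule}`);
    }
  }
  return out.join("\n");
}

// Constructed sample: two eqeqeq violations, one on a line that already
// carries a directive for a different rule.
const SAMPLE_SOURCE = [
  "const a = 1;",
  "if (a == 1) {",
  "  // eslint-disable-next-line no-console",
  "  console.log(a == 1);",
  "}",
].join("\n");

const SAMPLE_MESSAGES = [
  { ruleId: "eqeqeq", severity: 1, line: 2, column: 7 },
  { ruleId: "eqeqeq", severity: 1, line: 4, column: 17 },
];

function demo() {
  return suppressRule(SAMPLE_SOURCE, "eqeqeq", linesForRule(SAMPLE_MESSAGES, "eqeqeq"));
}

console.log(demo());
```

Running it on the sample adds a fresh // eslint-disable-next-line eqeqeq above the if and turns the existing directive into // eslint-disable-next-line no-console, eqeqeq. Applying it a second time to its own output, with the line numbers shifted accordingly, changes nothing, which is the property you want before wiring a suppress step into a commit hook.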
// .esplintrc.js
module.exports = {
surfaceArea: [ ... ],
eslint: { ... },
rules: [ ... ],
write: true,
};
The options are:
surfaceArea — An array of files and/or directories to track. Use [ "." ] to track all JavaScript files in the current directory. These files and directories are used if no files or directories are specified from the CLI.
eslint — ESLint class options.
rules — An array of eslint rule names to track.
write — Corresponds to the negation of the --no-write CLI option. See Command line options.
Git conflicts can sometimes occur in the record file. If that happens, running esplint should fix most cases.