An ESLint warning tracker to help introduce rules into a legacy code base
Linting is a powerful way to catch bad code and enforce best practices. That said, turning a rule on for an existing project can be difficult. It can surface hidden violations that you must fix before you can use the rule at all.
Instead, esplint allows you to turn new rules on as “warnings,” and prevent further violations. esplint tracks the number of eslint “warnings” in each file and prevents the number of “warnings” from increasing. When the number of “warnings” decreases, esplint records the new lower number. This way you can fix existing, legacy violations over time while avoiding further violations.
For more information about the motivation behind esplint, read this post.
Install esplint as a dev dependency of your project.
$ npm install esplint --save-dev
Create .esplintrc.js and add your configuration.
module.exports = {
  surfaceArea: [ ... ],
  rules: [ ...the rules you wish to track... ]
};
Run
$ ./node_modules/.bin/esplint
This will create a .esplint.rec.json record file that stores the number of eslint warnings per file. Add this file to your git repository.
NOTE: This record file will only include files with warnings. If a file is included in the esplint "surfaceArea" but not present in the record file then it has none of the tracked warnings.
Now add the esplint check to your pre-commit validation (for example with lint-staged) and to CI. Run it in CI as well as in the hook: a local hook can be skipped or run with --overwrite, so CI is where the committed record is actually enforced.
Here's an example using lint-staged:
// package.json
{
  ...
  "scripts": {
    "precommit": "lint-staged"
  },
  "lint-staged": {
    "*.js": [
      "esplint --stage-record-file"
    ]
  },
  ...
}
See a full example here.
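To make the ratchet concrete, here is an added example (not esplint's own code, and not the format of its real record file, which this page does not show) that models the check described above: count hits of the tracked rules per file, compare them with the committed record, refuse any increase, and record any decrease. It also models the note that a file absent from the record has zero tracked warnings, and the --overwrite flag. The record shape ({ file: { rule: count } }), the rule names and the sample lint results are constructed assumptions; the lint results use the shape ESLint returns ({ filePath, messages: [{ ruleId, severity, ... }] }).

```javascript
// Added example, not esplint's own code: a minimal model of the warning ratchet
// described in the README. The record shape ({ file: { rule: count } }), the tracked
// rules and the sample lint results are constructed assumptions; esplint's real
// record format is not shown on this page. Lint results use the shape ESLint itself
// returns: { filePath, messages: [{ ruleId, severity, ... }] }.

const TRACKED_RULES = ["no-eval", "no-implied-eval"]; // assumed rule list

// Count hits of tracked rules per file and per rule. Files without tracked hits are
// left out, matching the README's note that the record only lists files with warnings.
function countTracked(lintResults, trackedRules = TRACKED_RULES) {
  const counts = {};
  for (const { filePath, messages } of lintResults) {
    for (const { ruleId } of messages) {
      if (!trackedRules.includes(ruleId)) continue;
      counts[filePath] = counts[filePath] || {};
      counts[filePath][ruleId] = (counts[filePath][ruleId] || 0) + 1;
    }
  }
  return counts;
}

// Compare fresh counts with the committed record. A file or rule absent from the record
// counts as zero, so a brand-new file with one hit is already a regression. Counts may
// only go down; `overwrite` models --overwrite and accepts any increase as the new baseline.
function ratchet(record, counts, { overwrite = false } = {}) {
  const regressions = [];
  const newRecord = {};
  const files = new Set([...Object.keys(record), ...Object.keys(counts)]);
  for (const file of files) {
    const before = record[file] || {};
    const after = counts[file] || {};
    const rules = new Set([...Object.keys(before), ...Object.keys(after)]);
    for (const rule of rules) {
      const was = before[rule] || 0;
      const now = after[rule] || 0;
      const increased = now > was && !overwrite;
      if (increased) regressions.push({ file, rule, was, now });
      const keep = increased ? was : now; // never write an increase unless forced
      if (keep > 0) {
        newRecord[file] = newRecord[file] || {};
        newRecord[file][rule] = keep;
      }
    }
  }
  return { ok: regressions.length === 0, regressions, newRecord };
}

// Constructed sample data: the committed record contents and one fresh lint run.
const committedRecord = { "src/legacy.js": { "no-eval": 2 } };
const freshResults = [
  // legacy.js went from 2 no-eval hits to 1: progress, record the lower number.
  { filePath: "src/legacy.js", messages: [{ ruleId: "no-eval", severity: 1, line: 10 }] },
  // new.js is not in the record (so it is at 0) and now has 1 hit: a regression.
  { filePath: "src/new.js", messages: [{ ruleId: "no-implied-eval", severity: 1, line: 3 }] },
  // clean.js only has an untracked rule hit, so it never enters the record.
  { filePath: "src/clean.js", messages: [{ ruleId: "semi", severity: 1, line: 1 }] },
];

function runExample(overwrite = false) {
  return ratchet(committedRecord, countTracked(freshResults), { overwrite });
}

const outcome = runExample();
console.log(outcome.ok ? "check passed" : "check failed", outcome.regressions);
console.log("record to write:", JSON.stringify(outcome.newRecord));
```

Counting per rule inside each file is a design choice of this model: with a single total per file, fixing one no-eval while adding one no-implied-eval in the same file would pass unnoticed, whereas the per-rule comparison reports it.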
$ ./node_modules/.bin/esplint --help
esplint [files..]
Run check and update record
Commands:
esplint [files..] Run check and update record [default]
esplint stats Print stats about eslint violations
esplint suppress <rule> [files..] Disable eslint on specific lines to suppress a rule
Positionals:
files Paths to files or directories to run esplint on [default: []]
Options:
--version Show version number [boolean]
--help Show help [boolean]
--overwrite Ignore existing record file [boolean] [default: false]
--no-write Don't update record file [boolean] [default: false]
--stage-record-file Git add record file. Helpful when running esplint on a
pre-commit hook. [boolean] [default: false]
esplint
Run check and update record. The options are:
--overwrite — Ignore the existing record file. Useful to bypass the esplint check and force an increase in the number of warnings; because it disables the check entirely, it should never be part of a CI command.
--no-write — Only perform the warning count check and don't update the record file if the warning count goes down.
--stage-record-file — After esplint succeeds, this will git add the record file. This is helpful when running esplint on a pre-commit hook.
esplint stats
Print stats about eslint violations.
esplint suppress
Will suppress all existing violations of an eslint rule. It does this by inserting eslint-disable-next-line comments into your code. A suppressed violation disappears from ESLint's output as well as from the esplint count, so for security rules prefer leaving the warning tracked until the code is actually fixed.
NOTE: esplint suppress doesn't work very well with JSX because comments in JSX are very finicky. If you have an idea, let me know and open an issue.
// .esplintrc.js
module.exports = {
  surfaceArea: [ ... ],
  eslint: { ... },
  rules: [ ... ],
  write: true,
};
The options are:
surfaceArea — An array of files and/or directories to track. Use [ "." ] to track all JavaScript files in the current directory. These files and directories are used if no files or directories are specified from the CLI.
eslint — ESLint class options.
rules — An array of eslint rule names to track.
write — Corresponds to the negation of the --no-write CLI option. See Command line options.
Git conflicts can sometimes occur in the record file. If that happens, running esplint should fix most cases.
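A filled-in configuration, as an added example rather than one from esplint's README: it assumes a hypothetical project with src/ and scripts/ directories and ratchets three core ESLint rules (no-eval, no-implied-eval, no-new-func) that flag places where strings become code. The cwd option is a standard option of ESLint's ESLint class; passing it through the eslint key is what this page's option description implies, not something the README demonstrates.

```javascript
// .esplintrc.js (added example, not from esplint's README). The rules, the src/ and
// scripts/ layout and the cwd option are assumptions about a hypothetical project.
module.exports = {
  // Only track application code. Including vendored or generated files would inflate
  // the per-file counts and let regressions in real code hide behind unrelated churn.
  // Paths are resolved from the directory esplint runs in, like [ "." ] on this page.
  surfaceArea: ["src", "scripts"],

  // Options forwarded to ESLint's `ESLint` class. `cwd` is a real option of that class;
  // pinning it makes the record file stable regardless of where the hook or CI job starts.
  eslint: { cwd: __dirname },

  // Rules to ratchet. Each of these core ESLint rules flags a path by which an
  // attacker-controlled string could be executed as code.
  rules: ["no-eval", "no-implied-eval", "no-new-func"],

  // Keep the default so every decrease tightens the baseline. Set to false (the same as
  // --no-write) for a read-only CI check that must not modify the working tree.
  write: true,
};
```

With this file in place, a pre-commit hook running esplint --stage-record-file keeps .esplint.rec.json in step with each commit, and a CI job running plain esplint fails the build whenever a tracked count goes up.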
FAQs
What is esplint?
An ESLint warning tracker to help introduce rules into a legacy code base.
The npm package esplint receives a total of 5,744 weekly downloads, which Socket classifies as popular.
Socket rates esplint's release cadence and project activity as unhealthy: the last version was released a year ago, and the project has a single open source maintainer.