Security News
NIST Misses 2024 Deadline to Clear NVD Backlog
NIST has failed to meet its self-imposed deadline of clearing the NVD's backlog by the end of the fiscal year. Meanwhile, CVE's awaiting analysis have increased by 33% since June.
By Protofire
This is an open source project for linting Solidity code. This project provides both Security and Style Guide validations.
You can install Solhint using npm:
npm install -g solhint
# verify that it was installed correctly
solhint -V
First initialize a configuration file, if you don't have one:
solhint init-config
This will create a .solhint.json
file with some default rules enabled. Then run Solhint with one or more Globs as arguments. For example, to lint all files inside contracts
directory, you can do:
solhint "contracts/**/*.sol"
To lint a single file:
solhint contracts/MyToken.sol
Solhint command description:
Usage: solhint [options] <file> [...other_files]
Linter for Solidity programming language
Options:
-V, --version output the version number
-f, --formatter [name] report formatter name (stylish, table, tap, unix)
-w, --max-warnings [maxWarningsNumber] number of allowed warnings
-c, --config [file_name] file to use as your .solhint.json
-q, --quiet report errors only - default: false
--ignore-path [file_name] file to use as your .solhintignore
--fix automatically fix problems
-h, --help output usage information
Commands:
stdin [options] linting of source code data provided to STDIN
init-config create in current directory configuration file for solhint
You can use a .solhint.json
file to configure Solhint globally.
To generate a new sample .solhint.json
file in current folder you can do:
solhint init-config
This file has the following format:
{
"extends": "solhint:recommended",
"plugins": [],
"rules": {
"avoid-suicide": "error",
"avoid-sha3": "warn"
}
}
A full list of all supported rules can be found here.
To ignore files / folders that do not require validation you may use .solhintignore
file. It supports rules in
.gitignore
format.
node_modules/
additional-tests.sol
You can use comments in the source code to configure solhint in a given line or file.
For example, to disable all validations in the line following a comment:
// solhint-disable-next-line
uint[] a;
You can disable rules on a given line. For example, to disable validation of time and block hash based computations in the next line:
// solhint-disable-next-line not-rely-on-time, not-rely-on-block-hash
uint pseudoRand = uint(keccak256(abi.encodePacked(now, blockhash(block.number))));
Disable validation on current line:
uint pseudoRand = uint(keccak256(abi.encodePacked(now, blockhash(block.number)))); // solhint-disable-line
Disable validation of time and block hash based computations on current line:
uint pseudoRand = uint(keccak256(abi.encodePacked(now, blockhash(block.number)))); // solhint-disable-line not-rely-on-time, not-rely-on-block-hash
You can disable a rule for a group of lines:
/* solhint-disable avoid-tx-origin */
function transferTo(address to, uint amount) public {
require(tx.origin == owner);
to.call.value(amount)();
}
/* solhint-enable avoid-tx-origin */
Or disable all validations for a group of lines:
/* solhint-disable */
function transferTo(address to, uint amount) public {
require(tx.origin == owner);
to.call.value(amount)();
}
/* solhint-enable */
Full list with all supported Security Rules
Full list with all supported Style Guide Rules
Full list with all supported Best Practices Rules
Related documentation you may find there.
The Solidity parser used is maintained by ConsenSys Diligence Team. You can find it here.
MIT
Solhint is free to use and open-sourced. If you value our effort and feel like helping us to keep pushing this tool forward, you can send us a small donation. We'll highly appreciate it :)
FAQs
Solidity Code Linter
The npm package solhint receives a total of 63,318 weekly downloads. As such, solhint popularity was classified as popular.
We found that solhint demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
NIST has failed to meet its self-imposed deadline of clearing the NVD's backlog by the end of the fiscal year. Meanwhile, CVE's awaiting analysis have increased by 33% since June.
Security News
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
Security News
The Socket Research team breaks down a malicious npm package targeting the legitimate DOMPurify library. It uses obfuscated code to hide that it is exfiltrating browser and crypto wallet data.