ESLint rules for Node Security

This plugin is not something to install and then leave unattended in a project. It will help identify potential security hotspots, but it also reports many false positives that need to be triaged by a human.

Installation

npm install --save-dev eslint-plugin-security

Usage

Add the following to your .eslintrc file:

"plugins": [
  "security"
]
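Listing the plugin alone makes its rules available but turns none of them on; each rule has to be given a severity. The configuration below is an added example in the .eslintrc.js form, not the plugin's own recommended config: the rule names are the ones documented on this page with the usual "security/" plugin prefix, and the split between "error" and "warn" is an assumption about which rules are worth failing a build over versus which produce enough false positives that they should only surface for review.

```javascript
// Added example: an .eslintrc.js that enables eslint-plugin-security rules
// individually. Severities are an assumption, not the plugin's defaults.
const config = {
  plugins: ['security'],
  rules: {
    // Rare in legitimate code and dangerous when present: fail the build.
    'security/detect-eval-with-expression': 'error',
    'security/detect-non-literal-require': 'error',
    'security/detect-pseudoRandomBytes': 'error',
    'security/detect-disable-mustache-escape': 'error',
    'security/detect-no-csrf-before-method-override': 'error',
    'security/detect-buffer-noassert': 'error',
    // Noisy rules: report them so a human can triage, but do not block CI.
    'security/detect-unsafe-regex': 'warn',
    'security/detect-child-process': 'warn',
    'security/detect-non-literal-fs-filename': 'warn',
    'security/detect-non-literal-regexp': 'warn',
    'security/detect-object-injection': 'warn',
    'security/detect-possible-timing-attacks': 'warn',
  },
};

module.exports = config;
```

Once a warning has been reviewed and found harmless, record the decision next to the code with an eslint-disable comment that names the rule and gives the reason, rather than lowering the rule's severity for the whole project.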
Rules

detect-unsafe-regex
- Locates potentially unsafe regular expressions
detect-buffer-noassert
- Detects calls to buffer with noassert flag set
detect-child-process
- Detects instances of child_process & non-literal cp.exec()
detect-disable-mustache-escape
- Detects escapeMarkup = false, which turns off HTML escaping in some template engines
detect-eval-with-expression
- Detects eval(var)
detect-no-csrf-before-method-override
- Detects Express.csrf before method-override
detect-non-literal-fs-filename
- Detects var in filename argument of fs calls
detect-non-literal-regexp
- Detects RegExp(var)
detect-non-literal-require
- Detects require(var)
detect-object-injection
- Detects var[var]
detect-possible-timing-attacks
- Detects insecure comparisons (== != !== ===)
detect-pseudoRandomBytes
- Detects if pseudoRandomBytes() is in use
Developer guide

- Use GitHub pull requests.
- Conventions:
  - We use our custom ESLint setup.
  - Please implement a test for each new rule and use these commands to be sure the new code respects the style guide and the tests keep passing:
    npm run-script cont-int
    npm test