npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/typescript/ts.correctness.unnecessary-return-await.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.unnecessary-return-await
+  title: Unnecessary Return Await
+  summary: Remove redundant return await
+  rationale: Remove redundant return await:return await in async functions outside try/catch adds stack overhead without changing behavior.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.unnecessary-return-await
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: Unnecessary Return Await
+    summary: "`${captures.issue.text}` matches ts.correctness.unnecessary-return-await."
+  remediation:
+    summary: Remove redundant return await:return await in async functions outside try/catch adds stack overhead without changing behavior.

package/rules/typescript/ts.correctness.use-number-is-nan.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.use-number-is-nan
+  title: Use Number.isNaN for NaN checks
+  summary: Do not compare values to NaN with `===` or `==`.
+  rationale: NaN is not equal to itself; identity comparisons are always false.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-029
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.use-number-is-nan
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Replace NaN identity comparison
+    summary: "`${captures.issue.text}` compares to NaN with an equality operator."
+  remediation:
+    summary: Use `Number.isNaN(value)` (or `Number.isNaN` after coercion) instead of `value === NaN`.

package/rules/typescript/ts.next.server-action-missing-local-auth.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Authenticate Next.js Server Actions before mutations
   summary: Server Actions that mutate state must validate sessions locally before reaching privileged sinks.
   rationale: Server Actions behave like public POST endpoints and inherit the same authentication obligations as route handlers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
   tags:
     - security
     - next
@@ -33,3 +45,4 @@ emit:
   remediation:
     summary: >-
       Call your auth/session helper before mutations and enforce ownership inside database predicates.

package/rules/typescript/ts.performance.no-await-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.performance.no-await-in-loop
+  title: No Await In Loop
+  summary: Avoid await inside loops
+  rationale: Avoid await inside loops:sequential awaits in loops multiply latency; batch work or use Promise.all when safe.
+  tags:
+    - performance
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: performance.no-await-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance
+    severity: medium
+    confidence: 0.85
+    tags:
+      - performance
+  message:
+    title: No Await In Loop
+    summary: "`${captures.issue.text}` matches ts.performance.no-await-in-loop."
+  remediation:
+    summary: Avoid await inside loops:sequential awaits in loops multiply latency; batch work or use Promise.all when safe.

package/rules/typescript/ts.quality.no-empty-function.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.quality.no-empty-function
+  title: No Empty Function
+  summary: Avoid empty function bodies
+  rationale: Avoid empty function bodies:empty implementations hide missing logic; use a comment, throw, or remove the stub.
+  tags:
+    - quality
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: quality.empty-function
+    bind: issue
+emit:
+  finding:
+    category: quality
+    severity: low
+    confidence: 0.85
+    tags:
+      - quality
+  message:
+    title: No Empty Function
+    summary: "`${captures.issue.text}` matches ts.quality.no-empty-function."
+  remediation:
+    summary: Avoid empty function bodies:empty implementations hide missing logic; use a comment, throw, or remove the stub.

package/rules/typescript/ts.react.no-bind-in-jsx-props.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-bind-in-jsx-props
+  title: Avoid inline functions and bind in JSX props
+  summary: Creating `function` handlers or `.bind()` calls inside JSX forces new function identities every render and makes memoized children re-render unnecessarily.
+  rationale: Stable handler references keep render work predictable and make dependency lists in memoized components meaningful.
+  tags:
+    - react
+    - performance
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.bind-in-jsx-prop
+    bind: issue
+emit:
+  finding:
+    category: performance.ui
+    severity: medium
+    confidence: 0.78
+    tags:
+      - react
+      - performance
+      - ui
+  message:
+    title: Hoist JSX event handlers out of render
+    summary: "`${captures.issue.text}` creates a new handler on every render."
+  remediation:
+    summary: Define handlers on the class instance, bind once in the constructor, or use useCallback for function components.

package/rules/typescript/ts.react.no-children-prop.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-children-prop
+  title: Prefer nested JSX children over the children prop
+  summary: Passing `children` as a named prop is harder to read than composing elements between opening and closing tags.
+  rationale: Nested children match React composition idioms and keep component APIs consistent across the tree.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.children-prop
+    bind: issue
+emit:
+  finding:
+    category: maintainability.ui
+    severity: low
+    confidence: 0.8
+    tags:
+      - react
+      - ui
+  message:
+    title: Nest JSX children instead of using the children prop
+    summary: "`${captures.issue.text}` passes children through a prop attribute."
+  remediation:
+    summary: Place child elements between the component tags or accept `children` through normal function parameters without a JSX prop.

package/rules/typescript/ts.react.no-direct-state-mutation.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-direct-state-mutation
+  title: Do not mutate React state directly
+  summary: Assigning to `this.state` bypasses React change detection and produces stale UI.
+  rationale: State updates must flow through setState or hooks so React can schedule renders and enforce immutability guarantees.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.direct-state-mutation
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.88
+    tags:
+      - react
+      - ui
+  message:
+    title: Update React state with setState
+    summary: "`${captures.issue.text}` mutates state directly."
+  remediation:
+    summary: Call setState with the next value or replace the state object immutably instead of assigning into this.state.

package/rules/typescript/ts.react.no-duplicate-jsx-attributes.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-duplicate-jsx-attributes
+  title: Remove duplicate JSX attributes
+  summary: Repeating the same prop on a JSX element makes the last value win silently and hides author intent.
+  rationale: Duplicate attributes are usually copy-paste mistakes that change runtime behavior without type errors.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.duplicate-jsx-attribute
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: medium
+    confidence: 0.9
+    tags:
+      - react
+      - ui
+  message:
+    title: Keep only one JSX attribute with the same name
+    summary: "`${captures.issue.text}` appears more than once on the same JSX element."
+  remediation:
+    summary: Remove the duplicate attribute or merge the values into a single prop expression.

package/rules/typescript/ts.react.no-jsx-props-spread.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-jsx-props-spread
+  title: Avoid spreading props onto JSX elements
+  summary: Unfiltered prop spreads hide which attributes reach the DOM and defeat static analysis of event handlers and accessibility props.
+  rationale: Explicit prop forwarding documents the component contract and avoids accidentally passing invalid or sensitive attributes downstream.
+  tags:
+    - react
+    - performance
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.jsx-props-spread
+    bind: issue
+emit:
+  finding:
+    category: maintainability.ui
+    severity: low
+    confidence: 0.75
+    tags:
+      - react
+      - ui
+  message:
+    title: Forward JSX props explicitly
+    summary: "`${captures.issue.text}` spreads props onto a JSX element."
+  remediation:
+    summary: Destructure the props you intend to pass, whitelist safe attributes, or use a typed wrapper component.

package/rules/typescript/ts.react.no-set-state-in-component-did-mount.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-set-state-in-component-did-mount
+  title: Avoid setState in componentDidMount
+  summary: Synchronous state updates during mount trigger an extra render before the browser paints the initial tree.
+  rationale: Initial state belongs in the constructor or class field initializers so the first render already reflects the mounted view.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.set-state-in-component-did-mount
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: medium
+    confidence: 0.82
+    tags:
+      - react
+      - ui
+  message:
+    title: Initialize state before mount completes
+    summary: "`${captures.issue.text}` calls setState inside componentDidMount."
+  remediation:
+    summary: Move the initial value into state initialization or derive it from props with a guarded update strategy.

package/rules/typescript/ts.react.no-set-state-in-component-did-update.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-set-state-in-component-did-update
+  title: Guard setState in componentDidUpdate
+  summary: Unconditional setState in componentDidUpdate can recurse through renders when props or state change on every pass.
+  rationale: Updates should compare against prevProps or prevState so the component only re-renders when inputs actually changed.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.set-state-in-component-did-update
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: medium
+    confidence: 0.8
+    tags:
+      - react
+      - ui
+  message:
+    title: Compare previous inputs before updating state
+    summary: "`${captures.issue.text}` calls setState inside componentDidUpdate without a prevProps or prevState guard."
+  remediation:
+    summary: Wrap the update in a conditional that compares prevProps or prevState, or move synchronization into getDerivedStateFromProps.

package/rules/typescript/ts.react.no-target-blank-without-rel.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-target-blank-without-rel
+  title: Add rel=noopener to target=_blank links
+  summary: Opening links in a new tab without rel=noopener lets the destination page access window.opener.
+  rationale: Untrusted destinations can navigate or phish the opener tab unless noopener severs that relationship.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+  tags:
+    - react
+    - security
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.target-blank-without-rel
+    bind: issue
+emit:
+  finding:
+    category: security.ui
+    severity: high
+    confidence: 0.9
+    tags:
+      - react
+      - security
+      - ui
+  message:
+    title: Harden external links opened in a new tab
+    summary: "`${captures.issue.text}` uses target=_blank without rel containing noopener."
+  remediation:
+    summary: Add rel=noopener or rel="noopener noreferrer" whenever target="_blank" is present.

package/rules/typescript/ts.react.no-this-in-function-component.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-this-in-function-component
+  title: Do not use this in function components
+  summary: Function components have no instance, so `this` references are almost always mistakes copied from class components.
+  rationale: Hooks, props, and closures replace instance fields; leaving `this` in place breaks at runtime or hides missing refactors.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.this-in-function-component
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.76
+    tags:
+      - react
+      - ui
+  message:
+    title: Remove this from function components
+    summary: "`${captures.issue.text}` uses this inside a function component."
+  remediation:
+    summary: Use props, hooks, module-level helpers, or refs instead of instance fields accessed through this.

package/rules/typescript/ts.runtime.no-process-exit.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.runtime.no-process-exit
+  title: Avoid `process.exit` in application code
+  summary: Do not call `process.exit` from application logic; reserve termination for CLI entrypoints.
+  rationale: Forced process termination bypasses graceful shutdown, in-flight request draining, and cleanup hooks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - runtime
+    - node
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: runtime.process-exit
+    bind: issue
+emit:
+  finding:
+    category: security.reliability
+    severity: medium
+    confidence: 0.9
+    tags:
+      - runtime
+      - node
+  message:
+    title: Avoid `process.exit` in application code
+    summary: "`${captures.issue.text}` terminates the process abruptly and should be limited to CLI entrypoints."
+  remediation:
+    summary: Propagate errors to the caller or use graceful shutdown hooks instead of calling `process.exit`.

package/rules/typescript/ts.security.ajv-insecure-configuration.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Harden AJV compile options
   summary: AJV should not compile schemas with allErrors true unless strict mode is enabled.
   rationale: Missing strict-mode options historically enabled schema compilation DoS and unexpected coercion behavior.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - validation
@@ -32,3 +41,4 @@ emit:
     summary: "${captures.issue.text} enables allErrors without strict, strictTypes, or strictSchema."
   remediation:
     summary: Enable AJV strict options appropriate to your major version and avoid compiling untrusted schemas with permissive settings.

package/rules/typescript/ts.security.angular-dom-sanitizer-bypass-untrusted-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid trusting unsanitized Angular bypass sinks
   summary: DomSanitizer bypass helpers should not receive route, storage, or request-derived values without validation.
   rationale: Bypass helpers disable Angular templating protections and turn downstream sinks into XSS execution points.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Angular security guide
+      url: https://angular.dev/best-practices/security
   tags:
     - security
     - angular
@@ -33,3 +45,4 @@ emit:
   remediation:
     summary: >-
       Keep sensitive markup on Angular-safe bindings or sanitize with a reviewed helper before calling bypassSecurityTrust helpers.

package/rules/typescript/ts.security.apollo-server-csrf-disabled.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Keep Apollo Server CSRF protections enabled
   summary: Apollo Server should not explicitly disable CSRF prevention for browser-accessible endpoints.
   rationale: GraphQL POST endpoints are vulnerable to cross-site writes when CSRF defenses are turned off.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
   tags:
     - security
     - graphql
@@ -34,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Remove `csrfPrevention: false` or replace it with an equivalent POST-only plus preflight strategy documented by Apollo.

package/rules/typescript/ts.security.apollo-server-graphql-dev-tooling-exposure.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Avoid shipping GraphQL dev landing or playground plugins without a production guard
   summary: Apollo Server dev landing pages, sandbox UIs, and GraphQL Playground-style plugins should not load unconditionally in production builds.
   rationale: Interactive GraphQL explorers widen attack surface and often expose schema details beyond what production APIs should advertise by default.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-400
+      title: Uncontrolled Resource Consumption
+    - kind: owasp
+      title: GraphQL Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
   tags:
     - security
     - graphql
@@ -34,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Load sandbox or local landing plugins only outside production, prefer `ApolloServerPluginLandingPageProductionDefault`, or disable interactive explorers behind authentication at the edge.

package/rules/typescript/ts.security.apollo-server-introspection-exposure.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Avoid unconditional GraphQL introspection
   summary: Apollo Server should not hard-enable introspection without environment guards.
   rationale: Introspection aids attackers in mapping schemas on production deployments.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-400
+      title: Uncontrolled Resource Consumption
+    - kind: owasp
+      title: GraphQL Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
   tags:
     - security
     - graphql
@@ -33,3 +48,4 @@ emit:
     summary: Apollo Server enables introspection with a literal `true` flag.
   remediation:
     summary: Bind introspection to non-production environments or protect the endpoint behind authenticated tooling.