@n8n/eslint-plugin-community-nodes 0.20.0 → 0.21.0

package/src/rules/cred-filename-against-convention.ts

@@ -0,0 +1,48 @@
+import * as path from 'node:path';
+
+import { isCredentialTypeClass, isFileType, createRule } from '../utils/index.js';
+
+export const CredFilenameAgainstConventionRule = createRule({
+	name: 'cred-filename-against-convention',
+	meta: {
+		type: 'problem',
+		docs: {
+			description: 'Credential filename must match the credential class name',
+		},
+		messages: {
+			renameFile:
+				'Credential filename must match the class name "{{className}}". Rename file to "{{expected}}".',
+		},
+		schema: [],
+	},
+	defaultOptions: [],
+	create(context) {
+		if (!isFileType(context.filename, '.credentials.ts')) {
+			return {};
+		}
+
+		return {
+			ClassDeclaration(node) {
+				if (!isCredentialTypeClass(node)) {
+					return;
+				}
+
+				const classNameNode = node.id;
+				if (!classNameNode) {
+					return;
+				}
+
+				const className = classNameNode.name;
+				const actualBaseName = path.basename(context.filename, '.credentials.ts');
+
+				if (actualBaseName !== className) {
+					context.report({
+						node: classNameNode,
+						messageId: 'renameFile',
+						data: { className, expected: `${className}.credentials.ts` },
+					});
+				}
+			},
+		};
+	},
+});

package/src/rules/icon-prefer-themed-variants.test.ts

@@ -0,0 +1,128 @@
+import { RuleTester } from '@typescript-eslint/rule-tester';
+
+import { IconPreferThemedVariantsRule } from './icon-prefer-themed-variants.js';
+
+const ruleTester = new RuleTester();
+
+const nodeFilePath = '/tmp/TestNode.node.ts';
+const credentialFilePath = '/tmp/TestCredential.credentials.ts';
+
+function createNodeCode(icon?: string | { light: string; dark: string }): string {
+	let iconProperty = '';
+	if (icon) {
+		if (typeof icon === 'string') {
+			iconProperty = `icon: '${icon}',`;
+		} else {
+			iconProperty = `icon: {
+			light: '${icon.light}',
+			dark: '${icon.dark}'
+		},`;
+		}
+	}
+
+	return `
+import type { INodeType, INodeTypeDescription } from 'n8n-workflow';
+
+export class TestNode implements INodeType {
+	description: INodeTypeDescription = {
+		displayName: 'Test Node',
+		name: 'testNode',
+		${iconProperty}
+		group: ['input'],
+		version: 1,
+		description: 'A test node',
+		defaults: {
+			name: 'Test Node',
+		},
+		inputs: ['main'],
+		outputs: ['main'],
+		properties: [],
+	};
+}`;
+}
+
+function createCredentialCode(icon?: string | { light: string; dark: string }): string {
+	let iconProperty = '';
+	if (icon) {
+		if (typeof icon === 'string') {
+			iconProperty = `icon = '${icon}';`;
+		} else {
+			iconProperty = `icon = {
+		light: '${icon.light}',
+		dark: '${icon.dark}'
+	};`;
+		}
+	}
+
+	return `
+import type { ICredentialType, INodeProperties } from 'n8n-workflow';
+
+export class TestCredential implements ICredentialType {
+	name = 'testApi';
+	displayName = 'Test API';
+	${iconProperty}
+	properties: INodeProperties[] = [];
+}`;
+}
+
+function createNonNodeClass(icon: string): string {
+	return `
+export class NotANode {
+	icon = '${icon}';
+}`;
+}
+
+ruleTester.run('icon-prefer-themed-variants', IconPreferThemedVariantsRule, {
+	valid: [
+		{
+			name: 'non-node class ignored',
+			filename: nodeFilePath,
+			code: createNonNodeClass('file:icon.svg'),
+		},
+		{
+			name: 'non-node file ignored',
+			filename: '/tmp/regular-file.ts',
+			code: createNodeCode('file:icon.svg'),
+		},
+		{
+			name: 'node with no icon property ignored',
+			filename: nodeFilePath,
+			code: createNodeCode(),
+		},
+		{
+			name: 'node with themed light/dark icons',
+			filename: nodeFilePath,
+			code: createNodeCode({
+				light: 'file:icons/icon.light.svg',
+				dark: 'file:icons/icon.dark.svg',
+			}),
+		},
+		{
+			name: 'credential with no icon property ignored',
+			filename: credentialFilePath,
+			code: createCredentialCode(),
+		},
+		{
+			name: 'credential with themed light/dark icons',
+			filename: credentialFilePath,
+			code: createCredentialCode({
+				light: 'file:icons/icon.light.svg',
+				dark: 'file:icons/icon.dark.svg',
+			}),
+		},
+	],
+	invalid: [
+		{
+			name: 'node with single string icon',
+			filename: nodeFilePath,
+			code: createNodeCode('file:icons/icon.svg'),
+			errors: [{ messageId: 'missingThemedVariants' }],
+		},
+		{
+			name: 'credential with single string icon',
+			filename: credentialFilePath,
+			code: createCredentialCode('file:icons/icon.svg'),
+			errors: [{ messageId: 'missingThemedVariants' }],
+		},
+	],
+});

package/src/rules/icon-prefer-themed-variants.ts

@@ -0,0 +1,70 @@
+import { TSESTree } from '@typescript-eslint/utils';
+
+import {
+	isNodeTypeClass,
+	isCredentialTypeClass,
+	findClassProperty,
+	findObjectProperty,
+	isFileType,
+	createRule,
+} from '../utils/index.js';
+
+const messages = {
+	missingThemedVariants:
+		'Icon is defined as a single file. Provide both light and dark variants using the `{ light, dark }` form so the icon renders well on both themes.',
+} as const;
+
+export const IconPreferThemedVariantsRule = createRule({
+	name: 'icon-prefer-themed-variants',
+	meta: {
+		type: 'suggestion',
+		docs: {
+			description:
+				'Encourage node and credential icons to provide light/dark variants instead of a single icon file',
+		},
+		messages,
+		schema: [],
+	},
+	defaultOptions: [],
+	create(context) {
+		if (
+			!isFileType(context.filename, '.node.ts') &&
+			!isFileType(context.filename, '.credentials.ts')
+		) {
+			return {};
+		}
+
+		const checkIconValue = (iconValue: TSESTree.Node) => {
+			if (
+				iconValue.type === TSESTree.AST_NODE_TYPES.Literal &&
+				typeof iconValue.value === 'string'
+			) {
+				context.report({
+					node: iconValue,
+					messageId: 'missingThemedVariants',
+				});
+			}
+		};
+
+		return {
+			ClassDeclaration(node) {
+				if (isNodeTypeClass(node)) {
+					const descriptionProperty = findClassProperty(node, 'description');
+					if (descriptionProperty?.value?.type !== TSESTree.AST_NODE_TYPES.ObjectExpression) {
+						return;
+					}
+
+					const iconProperty = findObjectProperty(descriptionProperty.value, 'icon');
+					if (iconProperty) {
+						checkIconValue(iconProperty.value);
+					}
+				} else if (isCredentialTypeClass(node)) {
+					const iconProperty = findClassProperty(node, 'icon');
+					if (iconProperty?.value) {
+						checkIconValue(iconProperty.value);
+					}
+				}
+			},
+		};
+	},
+});

package/src/rules/icon-validation.test.ts

@@ -146,6 +146,11 @@ ruleTester.run('icon-validation', IconValidationRule, {
 			filename: nodeFilePath,
 			code: createNodeCode('file:icons/TestNode.svg', true),
 		},
+		{
+			name: 'node with valid PNG string icon in description',
+			filename: nodeFilePath,
+			code: createNodeCode('file:icons/NotSvg.png', true),
+		},
 		{
 			name: 'node with valid light/dark icons in description',
 			filename: nodeFilePath,
@@ -162,6 +167,11 @@ ruleTester.run('icon-validation', IconValidationRule, {
 			filename: credentialFilePath,
 			code: createCredentialCode('file:icons/TestNode.svg'),
 		},
+		{
+			name: 'credential with valid PNG string icon',
+			filename: credentialFilePath,
+			code: createCredentialCode('file:icons/NotSvg.png'),
+		},
 		{
 			name: 'credential with valid light/dark icons',
 			filename: credentialFilePath,

package/src/rules/icon-validation.ts

@@ -9,20 +9,18 @@ import {
 	findObjectProperty,
 	getStringLiteralValue,
 	validateIconPath,
-	findSimilarSvgFiles,
+	findSimilarIconFiles,
 	isFileType,
 	createRule,
 } from '../utils/index.js';
 
 const messages = {
 	iconFileNotFound: 'Icon file "{{ iconPath }}" does not exist',
-	iconNotSvg: 'Icon file "{{ iconPath }}" must be an SVG file (end with .svg)',
 	lightDarkSame: 'Light and dark icons cannot be the same file. Both point to "{{ iconPath }}"',
 	invalidIconPath: 'Icon path "{{ iconPath }}" must use file: protocol and be a string',
 	missingIcon: 'Node/Credential class must have an icon property defined',
 	addPlaceholder: 'Add icon property with placeholder',
 	addFileProtocol: "Add 'file:' protocol to icon path",
-	changeExtension: "Change icon extension to '.svg'",
 	similarIcon: "Use existing icon '{{ suggestedName }}'",
 } as const;
 
@@ -32,7 +30,7 @@ export const IconValidationRule = createRule({
 		type: 'problem',
 		docs: {
 			description:
-				'Validate node and credential icon files exist, are SVG format, and light/dark icons are different',
+				'Validate node and credential icon files exist, use the file: protocol, and that light/dark icons are different',
 		},
 		messages,
 		schema: [],
@@ -80,34 +78,12 @@ export const IconValidationRule = createRule({
 				return false;
 			}
 
-			if (!validation.isSvg) {
-				const relativePath = iconPath.replace(/^file:/, '');
-				const suggestions: ReportSuggestionArray<keyof typeof messages> = [];
-
-				const pathWithoutExt = relativePath.replace(/\.[^/.]+$/, '');
-				const svgPath = `${pathWithoutExt}.svg`;
-				suggestions.push({
-					messageId: 'changeExtension',
-					fix(fixer) {
-						return fixer.replaceText(node, `"file:${svgPath}"`);
-					},
-				});
-
-				context.report({
-					node,
-					messageId: 'iconNotSvg',
-					data: { iconPath: relativePath },
-					suggest: suggestions,
-				});
-				return false;
-			}
-
 			if (!validation.exists) {
 				const relativePath = iconPath.replace(/^file:/, '');
 				const suggestions: ReportSuggestionArray<keyof typeof messages> = [];
 
-				// Find similar SVG files in the same directory
-				const similarFiles = findSimilarSvgFiles(relativePath, currentDir);
+				// Find similar icon files in the same directory
+				const similarFiles = findSimilarIconFiles(relativePath, currentDir);
 				for (const similarFile of similarFiles) {
 					suggestions.push({
 						messageId: 'similarIcon',

package/src/rules/index.ts

@@ -5,15 +5,19 @@ import { CredClassFieldIconMissingRule } from './cred-class-field-icon-missing.j
 import { CredClassNameFieldConventionsRule } from './cred-class-name-field-conventions.js';
 import { CredClassNameSuffixRule } from './cred-class-name-suffix.js';
 import { CredClassOAuth2NamingRule } from './cred-class-oauth2-naming.js';
+import { CredFilenameAgainstConventionRule } from './cred-filename-against-convention.js';
 import { CredentialDocumentationUrlRule } from './credential-documentation-url.js';
 import { CredentialPasswordFieldRule } from './credential-password-field.js';
 import { CredentialTestRequiredRule } from './credential-test-required.js';
+import { IconPreferThemedVariantsRule } from './icon-prefer-themed-variants.js';
 import { IconValidationRule } from './icon-validation.js';
 import { MissingPairedItemRule } from './missing-paired-item.js';
 import { N8nObjectValidationRule } from './n8n-object-validation.js';
 import { NoBuilderHintLeakageRule } from './no-builder-hint-leakage.js';
 import { NoCredentialReuseRule } from './no-credential-reuse.js';
+import { NoDangerousFunctionsRule } from './no-dangerous-functions.js';
 import { NoDeprecatedWorkflowFunctionsRule } from './no-deprecated-workflow-functions.js';
+import { NoEmojiInOptionsRule } from './no-emoji-in-options.js';
 import { NoForbiddenLifecycleScriptsRule } from './no-forbidden-lifecycle-scripts.js';
 import { NoHttpRequestWithManualAuthRule } from './no-http-request-with-manual-auth.js';
 import { NoOverridesFieldRule } from './no-overrides-field.js';
@@ -23,7 +27,9 @@ import { NoRuntimeDependenciesRule } from './no-runtime-dependencies.js';
 import { NoTemplatePlaceholdersRule } from './no-template-placeholders.js';
 import { NodeClassDescriptionIconMissingRule } from './node-class-description-icon-missing.js';
 import { NodeConnectionTypeLiteralRule } from './node-connection-type-literal.js';
+import { NodeFilenameAgainstConventionRule } from './node-filename-against-convention.js';
 import { NodeOperationErrorItemIndexRule } from './node-operation-error-itemindex.js';
+import { NodeRegistrationCompleteRule } from './node-registration-complete.js';
 import { NodeUsableAsToolRule } from './node-usable-as-tool.js';
 import { OptionsSortedAlphabeticallyRule } from './options-sorted-alphabetically.js';
 import { PackageNameConventionRule } from './package-name-convention.js';
@@ -31,7 +37,9 @@ import { RequireCommunityNodeKeywordRule } from './require-community-node-keywor
 import { RequireContinueOnFailRule } from './require-continue-on-fail.js';
 import { RequireNodeApiErrorRule } from './require-node-api-error.js';
 import { RequireNodeDescriptionFieldsRule } from './require-node-description-fields.js';
+import { RequireVersionRule } from './require-version.js';
 import { ResourceOperationPatternRule } from './resource-operation-pattern.js';
+import { ValidAuthorRule } from './valid-author.js';
 import { ValidCredentialReferencesRule } from './valid-credential-references.js';
 import { ValidDescriptionRule } from './valid-description.js';
 import { ValidPeerDependenciesRule } from './valid-peer-dependencies.js';
@@ -43,17 +51,20 @@ export const rules = {
 	'no-restricted-imports': NoRestrictedImportsRule,
 	'credential-password-field': CredentialPasswordFieldRule,
 	'no-deprecated-workflow-functions': NoDeprecatedWorkflowFunctionsRule,
+	'no-emoji-in-options': NoEmojiInOptionsRule,
 	'node-usable-as-tool': NodeUsableAsToolRule,
 	'options-sorted-alphabetically': OptionsSortedAlphabeticallyRule,
 	'package-name-convention': PackageNameConventionRule,
 	'credential-test-required': CredentialTestRequiredRule,
 	'no-credential-reuse': NoCredentialReuseRule,
+	'no-dangerous-functions': NoDangerousFunctionsRule,
 	'no-forbidden-lifecycle-scripts': NoForbiddenLifecycleScriptsRule,
 	'no-http-request-with-manual-auth': NoHttpRequestWithManualAuthRule,
 	'no-overrides-field': NoOverridesFieldRule,
 	'no-runtime-dependencies': NoRuntimeDependenciesRule,
 	'no-template-placeholders': NoTemplatePlaceholdersRule,
 	'icon-validation': IconValidationRule,
+	'icon-prefer-themed-variants': IconPreferThemedVariantsRule,
 	'resource-operation-pattern': ResourceOperationPatternRule,
 	'credential-documentation-url': CredentialDocumentationUrlRule,
 	'node-class-description-icon-missing': NodeClassDescriptionIconMissingRule,
@@ -61,8 +72,11 @@ export const rules = {
 	'cred-class-name-field-conventions': CredClassNameFieldConventionsRule,
 	'cred-class-name-suffix': CredClassNameSuffixRule,
 	'cred-class-oauth2-naming': CredClassOAuth2NamingRule,
+	'cred-filename-against-convention': CredFilenameAgainstConventionRule,
 	'node-connection-type-literal': NodeConnectionTypeLiteralRule,
+	'node-filename-against-convention': NodeFilenameAgainstConventionRule,
 	'node-operation-error-itemindex': NodeOperationErrorItemIndexRule,
+	'node-registration-complete': NodeRegistrationCompleteRule,
 	'missing-paired-item': MissingPairedItemRule,
 	'no-builder-hint-leakage': NoBuilderHintLeakageRule,
 	'n8n-object-validation': N8nObjectValidationRule,
@@ -70,6 +84,8 @@ export const rules = {
 	'require-continue-on-fail': RequireContinueOnFailRule,
 	'require-node-api-error': RequireNodeApiErrorRule,
 	'require-node-description-fields': RequireNodeDescriptionFieldsRule,
+	'require-version': RequireVersionRule,
+	'valid-author': ValidAuthorRule,
 	'valid-credential-references': ValidCredentialReferencesRule,
 	'valid-description': ValidDescriptionRule,
 	'valid-peer-dependencies': ValidPeerDependenciesRule,

package/src/rules/no-dangerous-functions.test.ts

@@ -0,0 +1,83 @@
+import { RuleTester } from '@typescript-eslint/rule-tester';
+
+import { NoDangerousFunctionsRule } from './no-dangerous-functions.js';
+
+const ruleTester = new RuleTester();
+
+ruleTester.run('no-dangerous-functions', NoDangerousFunctionsRule, {
+	valid: [
+		// `exec`/`spawn` not originating from `child_process` must not be flagged.
+		{ name: 'regex exec', code: 'const match = /foo/.exec(input);' },
+		{ name: 'regex exec via variable', code: 'regex.exec(input);' },
+		{ name: 'unrelated exec member', code: 'db.exec("SELECT 1");' },
+		{ name: 'unrelated spawn member', code: 'queue.spawn(job);' },
+		{ name: 'locally declared exec', code: 'function exec() {} exec();' },
+		// Importing without calling is fine.
+		{ name: 'import without call', code: "import { exec } from 'child_process';" },
+		// Non-dangerous members of the namespace import are fine.
+		{
+			name: 'non-dangerous namespace member',
+			code: "import * as cp from 'child_process'; const p = cp.execPath;",
+		},
+		// `eval`/`Function` as identifier references (not calls) are fine.
+		{ name: 'eval reference only', code: 'const f = eval;' },
+		{ name: 'Function reference only', code: 'const F = Function;' },
+		// Non-child_process module is irrelevant.
+		{
+			name: 'spawn from unrelated module',
+			code: "import { spawn } from 'some-lib'; spawn('x');",
+		},
+	],
+	invalid: [
+		{
+			name: 'SECURITY: eval call',
+			code: "eval('1 + 1');",
+			errors: [{ messageId: 'noEval' }],
+		},
+		{
+			name: 'SECURITY: Function constructor with new',
+			code: "const fn = new Function('return process');",
+			errors: [{ messageId: 'noFunctionConstructor' }],
+		},
+		{
+			name: 'SECURITY: Function constructor without new',
+			code: "const fn = Function('return 1');",
+			errors: [{ messageId: 'noFunctionConstructor' }],
+		},
+		{
+			name: 'SECURITY: exec from child_process',
+			code: "import { exec } from 'child_process'; exec('ls');",
+			errors: [{ messageId: 'noChildProcess', data: { name: 'exec' } }],
+		},
+		{
+			name: 'SECURITY: aliased exec from node:child_process',
+			code: "import { exec as run } from 'node:child_process'; run('ls');",
+			errors: [{ messageId: 'noChildProcess', data: { name: 'exec' } }],
+		},
+		{
+			name: 'SECURITY: spawn from child_process',
+			code: "import { spawn } from 'child_process'; spawn('ls', ['-la']);",
+			errors: [{ messageId: 'noChildProcess', data: { name: 'spawn' } }],
+		},
+		{
+			name: 'SECURITY: namespace execSync',
+			code: "import * as cp from 'child_process'; cp.execSync('ls');",
+			errors: [{ messageId: 'noChildProcess', data: { name: 'execSync' } }],
+		},
+		{
+			name: 'SECURITY: default import spawnSync',
+			code: "import childProcess from 'node:child_process'; childProcess.spawnSync('ls');",
+			errors: [{ messageId: 'noChildProcess', data: { name: 'spawnSync' } }],
+		},
+		{
+			name: 'SECURITY: destructured require execFile',
+			code: "const { execFile } = require('child_process'); execFile('ls');",
+			errors: [{ messageId: 'noChildProcess', data: { name: 'execFile' } }],
+		},
+		{
+			name: 'SECURITY: namespace require fork',
+			code: "const cp = require('node:child_process'); cp.fork('./worker.js');",
+			errors: [{ messageId: 'noChildProcess', data: { name: 'fork' } }],
+		},
+	],
+});

package/src/rules/no-dangerous-functions.ts

@@ -0,0 +1,155 @@
+import { TSESTree } from '@typescript-eslint/utils';
+
+import {
+	createRule,
+	getModulePath,
+	isDirectRequireCall,
+	isRequireMemberCall,
+} from '../utils/index.js';
+
+const { AST_NODE_TYPES } = TSESTree;
+
+const CHILD_PROCESS_MODULES = new Set(['child_process', 'node:child_process']);
+
+/**
+ * `child_process` functions that spawn OS processes and are therefore
+ * vulnerable to command injection when fed untrusted input.
+ */
+const DANGEROUS_CHILD_PROCESS_FUNCTIONS = new Set([
+	'exec',
+	'execSync',
+	'execFile',
+	'execFileSync',
+	'spawn',
+	'spawnSync',
+	'fork',
+]);
+
+const isChildProcessModule = (node: TSESTree.Node | null): boolean => {
+	const modulePath = getModulePath(node);
+	return modulePath !== null && CHILD_PROCESS_MODULES.has(modulePath);
+};
+
+export const NoDangerousFunctionsRule = createRule({
+	name: 'no-dangerous-functions',
+	meta: {
+		type: 'problem',
+		docs: {
+			description:
+				'Disallow `eval`, the `Function` constructor, and `child_process` process-spawning functions (`exec`, `spawn`, etc.) in community nodes.',
+		},
+		messages: {
+			noEval:
+				'Use of `eval` is not allowed. It executes arbitrary code and is a common source of remote code execution vulnerabilities.',
+			noFunctionConstructor:
+				'Use of the `Function` constructor is not allowed. Like `eval`, it executes arbitrary code from strings.',
+			noChildProcess:
+				'Use of `{{ name }}` from `child_process` is not allowed. Spawning OS processes is not permitted in community nodes and can lead to command injection.',
+		},
+		schema: [],
+	},
+	defaultOptions: [],
+	create(context) {
+		// Local names bound to dangerous named imports, e.g. `import { exec as run }` -> `run`.
+		const dangerousLocalNames = new Map<string, string>();
+		// Local names bound to the whole module, e.g. `import * as cp` or `const cp = require(...)`.
+		const namespaceNames = new Set<string>();
+
+		const recordDestructuredModule = (pattern: TSESTree.ObjectPattern) => {
+			for (const property of pattern.properties) {
+				if (
+					property.type !== AST_NODE_TYPES.Property ||
+					property.key.type !== AST_NODE_TYPES.Identifier ||
+					!DANGEROUS_CHILD_PROCESS_FUNCTIONS.has(property.key.name)
+				) {
+					continue;
+				}
+
+				if (property.value.type === AST_NODE_TYPES.Identifier) {
+					dangerousLocalNames.set(property.value.name, property.key.name);
+				}
+			}
+		};
+
+		return {
+			ImportDeclaration(node) {
+				if (!CHILD_PROCESS_MODULES.has(node.source.value)) return;
+
+				for (const specifier of node.specifiers) {
+					if (
+						specifier.type === AST_NODE_TYPES.ImportSpecifier &&
+						specifier.imported.type === AST_NODE_TYPES.Identifier &&
+						DANGEROUS_CHILD_PROCESS_FUNCTIONS.has(specifier.imported.name)
+					) {
+						dangerousLocalNames.set(specifier.local.name, specifier.imported.name);
+					} else if (
+						specifier.type === AST_NODE_TYPES.ImportNamespaceSpecifier ||
+						specifier.type === AST_NODE_TYPES.ImportDefaultSpecifier
+					) {
+						namespaceNames.add(specifier.local.name);
+					}
+				}
+			},
+
+			VariableDeclarator(node) {
+				if (
+					node.init?.type !== AST_NODE_TYPES.CallExpression ||
+					!(isDirectRequireCall(node.init) || isRequireMemberCall(node.init)) ||
+					!isChildProcessModule(node.init.arguments[0] ?? null)
+				) {
+					return;
+				}
+
+				if (node.id.type === AST_NODE_TYPES.ObjectPattern) {
+					recordDestructuredModule(node.id);
+				} else if (node.id.type === AST_NODE_TYPES.Identifier) {
+					namespaceNames.add(node.id.name);
+				}
+			},
+
+			NewExpression(node) {
+				if (node.callee.type === AST_NODE_TYPES.Identifier && node.callee.name === 'Function') {
+					context.report({ node, messageId: 'noFunctionConstructor' });
+				}
+			},
+
+			CallExpression(node) {
+				const { callee } = node;
+
+				if (callee.type === AST_NODE_TYPES.Identifier) {
+					if (callee.name === 'eval') {
+						context.report({ node, messageId: 'noEval' });
+						return;
+					}
+
+					if (callee.name === 'Function') {
+						context.report({ node, messageId: 'noFunctionConstructor' });
+						return;
+					}
+
+					const originalName = dangerousLocalNames.get(callee.name);
+					if (originalName) {
+						context.report({ node, messageId: 'noChildProcess', data: { name: originalName } });
+					}
+
+					return;
+				}
+
+				if (
+					callee.type === AST_NODE_TYPES.MemberExpression &&
+					!callee.computed &&
+					callee.object.type === AST_NODE_TYPES.Identifier &&
+					namespaceNames.has(callee.object.name) &&
+					callee.property.type === AST_NODE_TYPES.Identifier &&
+					DANGEROUS_CHILD_PROCESS_FUNCTIONS.has(callee.property.name)
+				) {
+					context.report({
+						node,
+						messageId: 'noChildProcess',
+						data: { name: callee.property.name },
+					});
+				}
+			},
+		};
+	},
+});