npm - eslint-plugin-crypto - Versions diffs - 1.0.0 → 2.0.0 - Mend

eslint-plugin-crypto 1.0.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/AGENTS.md CHANGED Viewed

@@ -1,12 +1,59 @@
-# AGENTS.md - AI Agent Context for eslint-plugin-crypto
+# AGENTS.md
+> Context for AI coding agents working on eslint-plugin-crypto
+## Setup Commands
+```bash
+# Install dependencies (from monorepo root)
+pnpm install
+# Build this package
+nx build eslint-plugin-crypto
+# Run tests
+nx test eslint-plugin-crypto
+# Run tests with coverage
+nx test eslint-plugin-crypto --coverage
+# Lint this package
+nx lint eslint-plugin-crypto
+```
+## Code Style
+- TypeScript strict mode with `@interlace/eslint-devkit` types
+- Use `AST_NODE_TYPES` constants, never string literals for node types
+- Use `formatLLMMessage()` for all rule error messages
+- Include CWE, CVSS, CVE references in every security message
+- Use `c8 ignore` comments with documented reasons for untestable code
+- Single-pass AST traversal patterns (O(n) complexity)
+## Testing Instructions
+- Tests use `@typescript-eslint/rule-tester` with Vitest
+- Each rule has `index.ts` (implementation) and `*.test.ts` (tests) in same directory
+- Run specific rule test: `nx test eslint-plugin-crypto --testPathPattern="no-weak-hash"`
+- Coverage target: ≥90% lines, ≥95% functions
+- All tests must pass before committing
+## Project Structure
+```
+src/
+├── index.ts          # Plugin entry, 5 configs
+├── types/index.ts    # 24 rule option types
+└── rules/            # 24 rule directories
+```
 ## Plugin Purpose
 Security-focused ESLint plugin with **24 rules** for cryptographic best practices. Covers Node.js `crypto`, Web Crypto API, and npm packages (crypto-hash, crypto-random-string, crypto-js).
-## Quick Reference
+## Rule Categories
-### Core Crypto Rules (8)
+### Core Node.js Crypto Rules (8)
 | Rule                          | CWE | Detects        | Fix              |
 | ----------------------------- | --- | -------------- | ---------------- |
@@ -15,68 +62,40 @@ Security-focused ESLint plugin with **24 rules** for cryptographic best practice
 | `no-deprecated-cipher-method` | 327 | createCipher() | createCipheriv() |
 | `no-static-iv`                | 329 | Hardcoded IVs  | randomBytes(16)  |
 | `no-ecb-mode`                 | 327 | ECB mode       | GCM or CBC       |
-| `no-insecure-key-derivation`  | 916 | PBKDF2 < 100k  | ≥100k iterations |
+| `no-insecure-key-derivation`  | 916 | PBKDF2 <100k   | ≥100k iterations |
 | `no-hardcoded-crypto-key`     | 321 | Literal keys   | env vars/KMS     |
 | `require-random-iv`           | 329 | Non-random IVs | randomBytes()    |
 ### CVE-Specific Rules (3)
-| Rule                           | CVE        | Vulnerability |
-| ------------------------------ | ---------- | ------------- |
-| `no-insecure-rsa-padding`      | 2023-46809 | Marvin Attack |
-| `no-cryptojs-weak-random`      | 2020-36732 | Weak PRNG     |
-| `require-secure-pbkdf2-digest` | 2023-46233 | SHA1 PBKDF2   |
-### Advanced Security (7)
-| Rule                               | CWE | Focus           |
-| ---------------------------------- | --- | --------------- |
-| `no-math-random-crypto`            | 338 | Insecure PRNG   |
-| `no-predictable-salt`              | 331 | Weak salts      |
-| `require-authenticated-encryption` | 327 | CBC without MAC |
-| `no-key-reuse`                     | 323 | Same key twice  |
-| `no-self-signed-certs`             | 295 | TLS bypass      |
-| `no-timing-unsafe-compare`         | 208 | Timing attacks  |
-| `require-key-length`               | 326 | AES-128/192     |
-| `no-web-crypto-export`             | 321 | Key export      |
-### Package Rules (6)
-| Rule                        | Package              | Issue          |
-| --------------------------- | -------------------- | -------------- |
-| `no-sha1-hash`              | crypto-hash          | sha1()         |
-| `require-sufficient-length` | crypto-random-string | < 32 chars     |
-| `no-numeric-only-tokens`    | crypto-random-string | Low entropy    |
-| `no-cryptojs`               | crypto-js            | Deprecated     |
-| `no-cryptojs-weak-random`   | crypto-js            | CVE-2020-36732 |
-| `prefer-native-crypto`      | Various              | Third-party    |
-## Fix Patterns
-```diff
-# Weak Hash
-- crypto.createHash('md5')
-+ crypto.createHash('sha256')
-# RSA Padding (CVE-2023-46809)
-- padding: crypto.constants.RSA_PKCS1_PADDING
-+ padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
-# Math.random for crypto
-- const token = Math.random().toString(36)
-+ const token = crypto.randomBytes(32).toString('hex')
-# Timing-safe compare
-- if (userToken === storedToken)
-+ if (crypto.timingSafeEqual(Buffer.from(userToken), Buffer.from(storedToken)))
-# Authenticated encryption
-- crypto.createCipheriv('aes-256-cbc', key, iv)
-+ crypto.createCipheriv('aes-256-gcm', key, iv)
-# TLS validation
-- { rejectUnauthorized: false }
-+ { rejectUnauthorized: true }
+| Rule                           | CVE            | Vulnerability |
+| ------------------------------ | -------------- | ------------- |
+| `no-insecure-rsa-padding`      | CVE-2023-46809 | Marvin Attack |
+| `no-cryptojs-weak-random`      | CVE-2020-36732 | Weak PRNG     |
+| `require-secure-pbkdf2-digest` | CVE-2023-46233 | SHA1 PBKDF2   |
+## Common Fix Patterns
+```typescript
+// Weak Hash
+// BAD: crypto.createHash('md5')
+// GOOD: crypto.createHash('sha256')
+// RSA Padding (CVE-2023-46809)
+// BAD: padding: crypto.constants.RSA_PKCS1_PADDING
+// GOOD: padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
+// Math.random for crypto
+// BAD: const token = Math.random().toString(36)
+// GOOD: const token = crypto.randomBytes(32).toString('hex')
+// Timing-safe compare
+// BAD: if (userToken === storedToken)
+// GOOD: if (crypto.timingSafeEqual(Buffer.from(userToken), Buffer.from(storedToken)))
+// Authenticated encryption
+// BAD: crypto.createCipheriv('aes-256-cbc', key, iv)
+// GOOD: crypto.createCipheriv('aes-256-gcm', key, iv)
 ```
 ## Presets (5)
@@ -89,22 +108,12 @@ Security-focused ESLint plugin with **24 rules** for cryptographic best practice
 | `nodejs-only`        | Server-side only        |
 | `cve-focused`        | Known CVE protection    |
-## Architecture
-```
-src/
-├── index.ts          # Plugin entry, 5 configs
-├── types/index.ts    # 24 rule option types
-└── rules/            # 24 rule directories
-    ├── no-weak-hash-algorithm/
-    ├── no-insecure-rsa-padding/
-    └── ...
-```
 ## CWE Coverage
 208, 295, 321, 323, 326, 327, 328, 329, 330, 331, 338, 916, 1104
-## Version
+## Security Considerations
-1.0.0 (24 rules)
+- Detects 3 specific CVEs: CVE-2023-46809, CVE-2020-36732, CVE-2023-46233
+- Marvin Attack detection for RSA padding
+- crypto-js weak PRNG detection

package/README.md CHANGED Viewed

@@ -1,4 +1,5 @@
 # eslint-plugin-crypto
+[![codecov](https://codecov.io/gh/ofri-peretz/eslint/graph/badge.svg?component=crypto)](https://app.codecov.io/gh/ofri-peretz/eslint/components?components%5B0%5D=crypto)
 > Security-focused ESLint plugin with **24 AI-parseable rules** for cryptographic best practices.
@@ -139,6 +140,18 @@ All rules include LLM-optimized error messages with:
 - Direct fix suggestions with code examples
 - Documentation links
+## 🔗 Related ESLint Plugins
+Part of the **Forge-JS ESLint Ecosystem** — AI-native security plugins with LLM-optimized error messages:
+| Plugin                                                                                               | Description                                              | Rules |
+| ---------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | :---: |
+| [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-coding)           | Universal security (OWASP Top 10 Web + Mobile)           |  89   |
+| [`eslint-plugin-jwt`](https://www.npmjs.com/package/eslint-plugin-jwt)                               | JWT security (algorithm confusion, weak secrets, claims) |  13   |
+| [`eslint-plugin-pg`](https://www.npmjs.com/package/eslint-plugin-pg)                                 | PostgreSQL/node-postgres security                        |  13   |
+| [`eslint-plugin-vercel-ai-security`](https://www.npmjs.com/package/eslint-plugin-vercel-ai-security) | Vercel AI SDK security                                   |  19   |
+| [`eslint-plugin-import-next`](https://www.npmjs.com/package/eslint-plugin-import-next)               | High-performance import linting                          |  12   |
 ## License
 MIT © [Ofri Peretz](https://github.com/ofri-peretz)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "eslint-plugin-crypto",
-  "version": "1.0.0",
+  "version": "2.0.0",
   "description": "Security-focused ESLint plugin with 24 AI-parseable rules for cryptographic best practices. Detects weak algorithms, insecure key handling, CVE-specific vulnerabilities, and deprecated crypto patterns.",
   "type": "commonjs",
   "main": "./src/index.js",
@@ -64,17 +64,19 @@
   },
   "dependencies": {
     "@interlace/eslint-devkit": "^1.2.1",
-    "tslib": "^2.3.0"
+    "tslib": "^2.3.0",
+    "vitest": "^4.0.6",
+    "@nx/vite": "^22.0.3"
+  },
+  "scripts": {
+    "test": "vitest run",
+    "test:watch": "vitest watch",
+    "test:coverage": "vitest run --coverage"
   },
   "devDependencies": {
     "@typescript-eslint/parser": "^8.46.2",
     "@typescript-eslint/rule-tester": "^8.46.2",
     "@vitest/coverage-v8": "^4.0.6",
     "vitest": "^4.0.6"
-  },
-  "scripts": {
-    "test": "vitest run",
-    "test:watch": "vitest watch",
-    "test:coverage": "vitest run --coverage"
   }
-}
+}

package/LICENSE DELETED Viewed

@@ -1,21 +0,0 @@
-MIT License
-Copyright (c) 2025 Ofri Peretz
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.