eslint-plugin-mongodb-security 8.0.0

package/AGENTS.md

@@ -0,0 +1,181 @@
+# AI Agent Resolution Strategies
+
+This document provides resolution strategies for AI assistants (GitHub Copilot, Cursor, Claude) to automatically fix issues reported by `eslint-plugin-mongodb-security`.
+
+---
+
+## NoSQL Injection Rules
+
+### `no-unsafe-query`
+
+**Detection**: String concatenation or template literals in MongoDB query objects.
+
+**Resolution Strategy**:
+
+1. Replace string interpolation with explicit `$eq` operator
+2. Wrap user input with sanitization function
+3. Use schema-validated input
+
+```typescript
+// Before (vulnerable)
+db.collection('users').find({ username: userInput });
+
+// After (safe)
+db.collection('users').find({ username: { $eq: sanitize(userInput) } });
+```
+
+---
+
+### `no-operator-injection`
+
+**Detection**: Direct use of request body/params in MongoDB query operators.
+
+**Resolution Strategy**:
+
+1. Add explicit `$eq` wrapper around all user inputs
+2. Validate input type before use in query
+3. Use allow-list for expected values
+
+```typescript
+// Before (vulnerable - allows { password: { $ne: null } })
+User.findOne({ email: req.body.email, password: req.body.password });
+
+// After (safe)
+User.findOne({
+  email: { $eq: String(req.body.email) },
+  password: { $eq: String(req.body.password) },
+});
+```
+
+---
+
+### `no-unsafe-where`
+
+**Detection**: Use of `$where` operator with any dynamic input.
+
+**Resolution Strategy**:
+
+1. Remove `$where` entirely and replace with standard operators
+2. Never use `$where` with user input
+3. Use aggregation pipeline instead if complex logic needed
+
+```typescript
+// Before (vulnerable - CVE-2025-23061)
+db.collection('users').find({ $where: `this.age > ${age}` });
+
+// After (safe)
+db.collection('users').find({ age: { $gt: Number(age) } });
+```
+
+---
+
+### `no-unsafe-regex-query`
+
+**Detection**: `$regex` with unescaped user input.
+
+**Resolution Strategy**:
+
+1. Escape special regex characters
+2. Anchor pattern with `^` and `$` where possible
+3. Add timeout or complexity limits
+
+```typescript
+// Before (vulnerable)
+User.find({ name: { $regex: searchTerm } });
+
+// After (safe)
+const escaped = searchTerm.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+User.find({ name: { $regex: `^${escaped}`, $options: 'i' } });
+```
+
+---
+
+## Credential Rules
+
+### `no-hardcoded-connection-string`
+
+**Resolution Strategy**:
+
+1. Replace with `process.env.MONGODB_URI`
+2. Use secret management service
+
+```typescript
+// Before
+mongoose.connect('mongodb://admin:password@localhost:27017/mydb');
+
+// After
+mongoose.connect(process.env.MONGODB_URI!);
+```
+
+---
+
+### `require-tls-connection`
+
+**Resolution Strategy**:
+
+1. Add `{ tls: true }` to connection options
+2. Use `mongodb+srv://` protocol (TLS by default)
+
+```typescript
+// Before
+mongoose.connect(uri);
+
+// After
+mongoose.connect(uri, { tls: true, tlsCAFile: process.env.MONGO_CA_CERT });
+```
+
+---
+
+## Mongoose ODM Rules
+
+### `no-select-sensitive-fields`
+
+**Resolution Strategy**:
+
+1. Add `.select('-password -refreshToken')` to queries
+2. Use schema-level `select: false` option
+
+```typescript
+// Before
+const user = await User.findById(id);
+
+// After
+const user = await User.findById(id).select('-password -refreshToken -apiKey');
+```
+
+---
+
+### `require-lean-queries`
+
+**Resolution Strategy**:
+
+1. Add `.lean()` for read-only operations
+2. Keep full documents only when using middleware/virtuals
+
+```typescript
+// Before
+const users = await User.find({ active: true });
+
+// After
+const users = await User.find({ active: true }).lean();
+```
+
+---
+
+## Message Format
+
+All rules use LLM-optimized messages:
+
+```
+🔒 CWE-943 OWASP:A03-Injection CVSS:9.0 | NoSQL injection via user input | CRITICAL
+   Fix: Use { field: { $eq: sanitize(value) } } pattern
+   https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection
+```
+
+---
+
+## Related
+
+- [OWASP NoSQL Injection Testing](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
+- [CWE-943: NoSQL Injection](https://cwe.mitre.org/data/definitions/943.html)
+- [CVE-2025-23061](https://nvd.nist.gov/vuln/detail/CVE-2025-23061)

package/CHANGELOG.md

@@ -0,0 +1,36 @@
+# Changelog
+
+All notable changes to `eslint-plugin-mongodb-security` will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.0] - 2026-01-XX
+
+### Added
+
+- Initial release with 16 security rules
+- **NoSQL Injection Prevention** (4 rules)
+  - `no-unsafe-query` - Prevents string concatenation in MongoDB queries
+  - `no-operator-injection` - Prevents $ne, $gt, $lt injection attacks
+  - `no-unsafe-where` - Prevents $where operator RCE (CVE-2025-23061, CVE-2024-53900)
+  - `no-unsafe-regex-query` - Prevents ReDoS via $regex
+- **Credentials & Connection Security** (4 rules)
+  - `no-hardcoded-connection-string` - Prevents credentials in connection URIs
+  - `no-hardcoded-credentials` - Prevents hardcoded auth options
+  - `require-tls-connection` - Requires TLS for production connections
+  - `require-auth-mechanism` - Requires explicit SCRAM-SHA-256
+- **Mongoose ODM Security** (5 rules)
+  - `require-schema-validation` - Requires Mongoose schema validators
+  - `no-select-sensitive-fields` - Prevents returning password/token fields
+  - `no-bypass-middleware` - Prevents bypassing pre/post hooks
+  - `no-unsafe-populate` - Prevents user-controlled populate()
+  - `require-lean-queries` - Suggests .lean() for read-only queries
+- **Best Practices** (3 rules)
+  - `no-unbounded-find` - Requires limit() on find queries
+  - `require-projection` - Requires field projection
+  - `no-debug-mode-production` - Prevents debug mode in production
+- Full support for `mongodb`, `mongoose`, `mongodb-client-encryption`, `@typegoose/typegoose`
+- AI-optimized error messages with CWE and OWASP references
+- Three configuration presets: `recommended`, `strict`, `mongoose`
+- OWASP Top 10 2021 mapping (A01-A07 coverage)

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Ofri Peretz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,238 @@
+# eslint-plugin-mongodb-security
+
+> 🔐 Security-focused ESLint plugin for MongoDB & Mongoose. Detects NoSQL injection (CVE-2025-23061), operator attacks, credential exposure, and ODM-specific vulnerabilities with AI-optimized fix guidance.
+
+[![npm version](https://img.shields.io/npm/v/eslint-plugin-mongodb-security.svg)](https://www.npmjs.com/package/eslint-plugin-mongodb-security)
+[![npm downloads](https://img.shields.io/npm/dm/eslint-plugin-mongodb-security.svg)](https://www.npmjs.com/package/eslint-plugin-mongodb-security)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![codecov](https://codecov.io/gh/ofri-peretz/eslint/graph/badge.svg?component=mongodb-security)](https://app.codecov.io/gh/ofri-peretz/eslint/components?components%5B0%5D=mongodb-security)
+[![Jan 2026](https://img.shields.io/badge/Jan_2026-blue?logo=rocket&logoColor=white)](https://github.com/ofri-peretz/eslint)
+
+---
+
+## 🎯 The One-Stop Shop for MongoDB Security Linting
+
+**This is the comprehensive, actively-maintained ESLint plugin for MongoDB security in Node.js environments.**
+
+> ⚠️ **Note**: Other packages like `eslint-plugin-mongodb` and `eslint-plugin-mongo` exist on npm but are outdated, unmaintained, or limited in scope. **eslint-plugin-mongodb-security** is purpose-built for modern security needs, covering the entire MongoDB ecosystem with CVE detection, OWASP mapping, and AI-optimized error messages.
+
+---
+
+## 💡 What You Get
+
+- **16 Security Rules** — NoSQL injection, operator attacks, credential exposure, ODM patterns
+- **Full Ecosystem Coverage** — MongoDB driver, Mongoose ODM, Client-Side Encryption, Typegoose
+- **2025 CVE Detection** — CVE-2025-23061, CVE-2024-53900 ($where injection in Mongoose)
+- **OWASP Top 10 Mapped** — Every rule references CWE and OWASP categories
+- **AI-Optimized** — Structured messages for GitHub Copilot, Cursor, Claude assistance
+
+---
+
+## 📦 Installation
+
+```bash
+npm install --save-dev eslint-plugin-mongodb-security
+# or
+pnpm add -D eslint-plugin-mongodb-security
+```
+
+## 🚀 Quick Start
+
+### Flat Config (ESLint 9+)
+
+```javascript
+// eslint.config.js
+import mongodbSecurity from 'eslint-plugin-mongodb-security';
+
+export default [
+  mongodbSecurity.configs.recommended,
+  // or mongodbSecurity.configs.strict for maximum security
+];
+```
+
+### Custom Configuration
+
+```javascript
+import mongodbSecurity from 'eslint-plugin-mongodb-security';
+
+export default [
+  {
+    plugins: { 'mongodb-security': mongodbSecurity },
+    rules: {
+      // Critical - NoSQL Injection
+      'mongodb-security/no-unsafe-query': 'error',
+      'mongodb-security/no-operator-injection': 'error',
+      'mongodb-security/no-unsafe-where': 'error',
+
+      // High - Credentials & Connection
+      'mongodb-security/no-hardcoded-connection-string': 'error',
+      'mongodb-security/require-tls-connection': 'warn',
+
+      // Medium - ODM Best Practices
+      'mongodb-security/require-schema-validation': 'warn',
+      'mongodb-security/no-select-sensitive-fields': 'warn',
+    },
+  },
+];
+```
+
+---
+
+## 🔐 Rules
+
+💼 = Set in `recommended` | 🔧 = Auto-fixable | 💡 = Has suggestions
+
+### Critical Severity (NoSQL Injection)
+
+| Rule                                                         | CWE     | OWASP    | CVE            | Description                              | 💼  | 💡  |
+| ------------------------------------------------------------ | ------- | -------- | -------------- | ---------------------------------------- | --- | --- |
+| [no-unsafe-query](docs/rules/no-unsafe-query.md)             | CWE-943 | A03:2021 | —              | Prevents string concatenation in queries | 💼  | 💡  |
+| [no-operator-injection](docs/rules/no-operator-injection.md) | CWE-943 | A03:2021 | —              | Prevents $ne, $gt, $lt injection attacks | 💼  | 💡  |
+| [no-unsafe-where](docs/rules/no-unsafe-where.md)             | CWE-943 | A01:2021 | CVE-2025-23061 | Prevents $where operator RCE             | 💼  | 💡  |
+| [no-unsafe-regex-query](docs/rules/no-unsafe-regex-query.md) | CWE-400 | A03:2021 | —              | Prevents ReDoS via $regex                | 💼  | 💡  |
+
+### High Severity (Credentials & Connection)
+
+| Rule                                                                           | CWE     | OWASP    | Description                             | 💼  | 💡  |
+| ------------------------------------------------------------------------------ | ------- | -------- | --------------------------------------- | --- | --- |
+| [no-hardcoded-connection-string](docs/rules/no-hardcoded-connection-string.md) | CWE-798 | A07:2021 | Prevents credentials in connection URIs | 💼  | 💡  |
+| [no-hardcoded-credentials](docs/rules/no-hardcoded-credentials.md)             | CWE-798 | A07:2021 | Prevents hardcoded auth options         | 💼  | 💡  |
+| [require-tls-connection](docs/rules/require-tls-connection.md)                 | CWE-295 | A02:2021 | Requires TLS for production connections | 💼  | 💡  |
+| [require-auth-mechanism](docs/rules/require-auth-mechanism.md)                 | CWE-287 | A07:2021 | Requires explicit SCRAM-SHA-256         | 💼  | 💡  |
+
+### Medium Severity (Mongoose ODM)
+
+| Rule                                                                   | CWE     | OWASP    | Description                              | 💼  | 💡  |
+| ---------------------------------------------------------------------- | ------- | -------- | ---------------------------------------- | --- | --- |
+| [require-schema-validation](docs/rules/require-schema-validation.md)   | CWE-20  | A04:2021 | Requires Mongoose schema validators      | 💼  | 💡  |
+| [no-select-sensitive-fields](docs/rules/no-select-sensitive-fields.md) | CWE-200 | A01:2021 | Prevents returning password/token fields | 💼  | 💡  |
+| [no-bypass-middleware](docs/rules/no-bypass-middleware.md)             | CWE-284 | A01:2021 | Prevents bypassing pre/post hooks        | 💼  | 💡  |
+| [no-unsafe-populate](docs/rules/no-unsafe-populate.md)                 | CWE-943 | A03:2021 | Prevents user-controlled populate()      | 💼  | 💡  |
+
+### Low Severity (Best Practices)
+
+| Rule                                                               | CWE     | OWASP    | Description                            | 💼  | 💡  |
+| ------------------------------------------------------------------ | ------- | -------- | -------------------------------------- | --- | --- |
+| [no-unbounded-find](docs/rules/no-unbounded-find.md)               | CWE-400 | A04:2021 | Requires limit() on find queries       |     | 💡  |
+| [require-projection](docs/rules/require-projection.md)             | CWE-200 | A01:2021 | Requires field projection              |     | 💡  |
+| [require-lean-queries](docs/rules/require-lean-queries.md)         | CWE-400 | A04:2021 | Suggests .lean() for read-only queries |     | 💡  |
+| [no-debug-mode-production](docs/rules/no-debug-mode-production.md) | CWE-489 | A05:2021 | Prevents debug mode in production      | 💼  | 💡  |
+
+---
+
+## 📚 Supported Libraries
+
+This plugin analyzes code that uses the following MongoDB/Mongoose libraries. **Both are optional peer dependencies** — you only need to have installed the ones you're using:
+
+| Library                   | npm                                                             | Detection  | Notes                              |
+| ------------------------- | --------------------------------------------------------------- | ---------- | ---------------------------------- |
+| mongodb                   | ![npm](https://img.shields.io/npm/dw/mongodb)                   | ✅ Full    | Native MongoDB driver              |
+| mongoose                  | ![npm](https://img.shields.io/npm/dw/mongoose)                  | ✅ Full    | ODM with schema validation         |
+| @nestjs/mongoose          | ![npm](https://img.shields.io/npm/dw/@nestjs/mongoose)          | ✅ Full    | NestJS integration for Mongoose    |
+| mongodb-client-encryption | ![npm](https://img.shields.io/npm/dw/mongodb-client-encryption) | ✅ Full    | Client-Side Field Level Encryption |
+| @typegoose/typegoose      | ![npm](https://img.shields.io/npm/dw/@typegoose/typegoose)      | ✅ Partial | TypeScript decorators for Mongoose |
+
+> **Note**: `mongodb` and `mongoose` are listed as optional peer dependencies (`peerDependenciesMeta.optional: true`). The plugin works regardless of which MongoDB library you use — rules detect patterns in your code, not the presence of specific packages.
+>
+> **Not covered**: `mongodb-core` (deprecated, merged into mongodb 4.x), `mongodb-memory-server` (testing utility).
+>
+> **NestJS users**: `@nestjs/mongoose` uses standard Mongoose under the hood — all rules apply. For comprehensive NestJS coverage, combine with [`eslint-plugin-nestjs-security`](https://npmjs.com/package/eslint-plugin-nestjs-security).
+
+---
+
+## 🔒 OWASP Top 10 2021 Coverage
+
+| OWASP Category                         | Rules                                                                                                        | Coverage |
+| -------------------------------------- | ------------------------------------------------------------------------------------------------------------ | -------- |
+| **A01:2021 Broken Access Control**     | `no-unsafe-where`, `no-select-sensitive-fields`, `no-bypass-middleware`                                      | ✅       |
+| **A02:2021 Cryptographic Failures**    | `require-tls-connection`                                                                                     | ✅       |
+| **A03:2021 Injection**                 | `no-unsafe-query`, `no-operator-injection`, `no-unsafe-where`, `no-unsafe-regex-query`, `no-unsafe-populate` | ✅       |
+| **A04:2021 Insecure Design**           | `require-schema-validation`, `no-unbounded-find`, `require-lean-queries`                                     | ✅       |
+| **A05:2021 Security Misconfiguration** | `no-debug-mode-production`                                                                                   | ✅       |
+| **A07:2021 Identification Failures**   | `no-hardcoded-connection-string`, `no-hardcoded-credentials`, `require-auth-mechanism`                       | ✅       |
+
+---
+
+## 🛡️ Security Research Coverage
+
+### CVE-2025-23061 & CVE-2024-53900 (Mongoose $where Injection)
+
+The `no-unsafe-where` rule detects `$where` operator usage that allows RCE through JavaScript injection.
+
+```javascript
+// ❌ Vulnerable - Allows Remote Code Execution
+User.find({ $where: `this.name === '${userInput}'` });
+User.find().populate({ path: 'posts', match: { $where: userControlled } });
+
+// ✅ Safe - Use query operators
+User.find({ name: { $eq: sanitize(userInput) } });
+```
+
+### NoSQL Operator Injection
+
+The `no-operator-injection` rule prevents authentication bypass attacks.
+
+```javascript
+// ❌ Vulnerable - Attacker sends { password: { $ne: null } }
+User.findOne({ email: req.body.email, password: req.body.password });
+
+// ✅ Safe - Explicit equality operator
+User.findOne({ email: { $eq: email }, password: { $eq: password } });
+```
+
+---
+
+## ⚙️ Configuration Presets
+
+| Preset        | Description        | Rules                                  |
+| ------------- | ------------------ | -------------------------------------- |
+| `recommended` | Balanced security  | Critical=error, High=warn, Medium=warn |
+| `strict`      | Maximum security   | All 16 rules=error                     |
+| `mongoose`    | Mongoose ODM focus | ODM-specific rules only                |
+
+---
+
+## 🤖 AI-Optimized Messages
+
+Every rule uses `formatLLMMessage` for structured output:
+
+```
+🔒 CWE-943 OWASP:A03-Injection CVSS:9.0 | NoSQL injection via $where operator | CRITICAL
+   Fix: Remove $where and use standard query operators like $eq, $in, $regex
+   https://nvd.nist.gov/vuln/detail/CVE-2025-23061
+```
+
+---
+
+## 📖 References
+
+- [OWASP NoSQL Injection Testing](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
+- [CVE-2025-23061 - Mongoose populate() bypass](https://nvd.nist.gov/vuln/detail/CVE-2025-23061)
+- [CVE-2024-53900 - Mongoose $where RCE](https://nvd.nist.gov/vuln/detail/CVE-2024-53900)
+- [MongoDB Security Checklist](https://www.mongodb.com/docs/manual/administration/security-checklist/)
+- [CWE-943: NoSQL Injection](https://cwe.mitre.org/data/definitions/943.html)
+
+---
+
+## 🔗 Related ESLint Plugins
+
+Part of the **Interlace ESLint Ecosystem** — AI-native security plugins with LLM-optimized error messages:
+
+| Plugin                                                                                               | Downloads                                                                                                                                | Description                                      | Rules |
+| ---------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ----- |
+| [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-coding)           | [![npm](https://img.shields.io/npm/dm/eslint-plugin-secure-coding.svg)](https://npmjs.com/package/eslint-plugin-secure-coding)           | Universal security (OWASP Top 10 Web + Mobile)   | 75    |
+| [`eslint-plugin-pg`](https://www.npmjs.com/package/eslint-plugin-pg)                                 | [![npm](https://img.shields.io/npm/dm/eslint-plugin-pg.svg)](https://npmjs.com/package/eslint-plugin-pg)                                 | PostgreSQL/node-postgres security                | 13    |
+| [`eslint-plugin-crypto`](https://www.npmjs.com/package/eslint-plugin-crypto)                         | [![npm](https://img.shields.io/npm/dm/eslint-plugin-crypto.svg)](https://npmjs.com/package/eslint-plugin-crypto)                         | Cryptographic best practices                     | 24    |
+| [`eslint-plugin-jwt`](https://www.npmjs.com/package/eslint-plugin-jwt)                               | [![npm](https://img.shields.io/npm/dm/eslint-plugin-jwt.svg)](https://npmjs.com/package/eslint-plugin-jwt)                               | JWT security (algorithm confusion, weak secrets) | 13    |
+| [`eslint-plugin-browser-security`](https://www.npmjs.com/package/eslint-plugin-browser-security)     | [![npm](https://img.shields.io/npm/dm/eslint-plugin-browser-security.svg)](https://npmjs.com/package/eslint-plugin-browser-security)     | Browser/DOM security (XSS, postMessage, CSP)     | 21    |
+| [`eslint-plugin-vercel-ai-security`](https://www.npmjs.com/package/eslint-plugin-vercel-ai-security) | [![npm](https://img.shields.io/npm/dm/eslint-plugin-vercel-ai-security.svg)](https://npmjs.com/package/eslint-plugin-vercel-ai-security) | Vercel AI SDK security (OWASP LLM Top 10)        | 19    |
+| [`eslint-plugin-express-security`](https://www.npmjs.com/package/eslint-plugin-express-security)     | [![npm](https://img.shields.io/npm/dm/eslint-plugin-express-security.svg)](https://npmjs.com/package/eslint-plugin-express-security)     | Express.js security                              | 9     |
+| [`eslint-plugin-lambda-security`](https://www.npmjs.com/package/eslint-plugin-lambda-security)       | [![npm](https://img.shields.io/npm/dm/eslint-plugin-lambda-security.svg)](https://npmjs.com/package/eslint-plugin-lambda-security)       | AWS Lambda/Middy security                        | 13    |
+| [`eslint-plugin-nestjs-security`](https://www.npmjs.com/package/eslint-plugin-nestjs-security)       | [![npm](https://img.shields.io/npm/dm/eslint-plugin-nestjs-security.svg)](https://npmjs.com/package/eslint-plugin-nestjs-security)       | NestJS security (guards, throttling)             | 5     |
+| [`eslint-plugin-import-next`](https://www.npmjs.com/package/eslint-plugin-import-next)               | [![npm](https://img.shields.io/npm/dm/eslint-plugin-import-next.svg)](https://npmjs.com/package/eslint-plugin-import-next)               | High-performance import linting                  | 55    |
+
+---
+
+## 📄 License
+
+MIT © [Ofri Peretz](https://github.com/ofri-peretz)

package/package.json

@@ -0,0 +1,91 @@
+{
+  "name": "eslint-plugin-mongodb-security",
+  "version": "8.0.0",
+  "description": "Security-focused ESLint plugin for MongoDB & Mongoose. Detects NoSQL injection, operator attacks, credential exposure, and ODM-specific vulnerabilities with AI-optimized fix guidance.",
+  "type": "commonjs",
+  "main": "./src/index.js",
+  "types": "./src/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./src/index.d.ts",
+      "default": "./src/index.js"
+    },
+    "./types": {
+      "types": "./src/types/index.d.ts",
+      "default": "./src/types/index.js"
+    }
+  },
+  "author": "Ofri Peretz <ofriperetzdev@gmail.com>",
+  "license": "MIT",
+  "homepage": "https://github.com/ofri-peretz/eslint/blob/main/packages/eslint-plugin-mongodb-security/README.md",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ofri-peretz/eslint.git",
+    "directory": "packages/eslint-plugin-mongodb-security"
+  },
+  "bugs": {
+    "url": "https://github.com/ofri-peretz/eslint/issues"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "src/",
+    "dist/",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md",
+    "AGENTS.md"
+  ],
+  "keywords": [
+    "eslint",
+    "eslint-plugin",
+    "eslintplugin",
+    "mongodb",
+    "mongoose",
+    "nosql",
+    "security",
+    "nosql-injection",
+    "owasp",
+    "cwe",
+    "vulnerability",
+    "injection",
+    "llm-optimized",
+    "ai-assistant",
+    "typescript",
+    "linting",
+    "code-quality",
+    "ast",
+    "static-analysis",
+    "mcp",
+    "model-context-protocol",
+    "github-copilot",
+    "cursor-ai",
+    "claude-ai"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "peerDependencies": {
+    "mongodb": "^4.0.0 || ^5.0.0 || ^6.0.0",
+    "mongoose": "^6.0.0 || ^7.0.0 || ^8.0.0"
+  },
+  "peerDependenciesMeta": {
+    "mongodb": {
+      "optional": true
+    },
+    "mongoose": {
+      "optional": true
+    }
+  },
+  "dependencies": {
+    "@interlace/eslint-devkit": "^1.2.1",
+    "tslib": "^2.3.0"
+  },
+  "devDependencies": {
+    "@typescript-eslint/parser": "^8.46.2",
+    "@typescript-eslint/rule-tester": "^8.46.2",
+    "mongodb": "^6.12.0",
+    "mongoose": "^8.9.0"
+  }
+}

package/src/index.d.ts

@@ -0,0 +1,32 @@
+/**
+ * eslint-plugin-mongodb-security
+ *
+ * Security-focused ESLint plugin for MongoDB & Mongoose.
+ * Detects NoSQL injection, operator attacks, credential exposure,
+ * and ODM-specific vulnerabilities with AI-optimized fix guidance.
+ *
+ * Features:
+ * - LLM-optimized error messages with CWE references
+ * - OWASP Top 10 coverage (A01-A07)
+ * - CVE detection (CVE-2025-23061, CVE-2024-53900)
+ * - Full support for mongodb, mongoose, mongodb-client-encryption
+ *
+ * @see https://github.com/ofri-peretz/eslint/tree/main/packages/eslint-plugin-mongodb-security
+ */
+import { TSESLint } from '@interlace/eslint-devkit';
+/**
+ * Collection of all MongoDB security rules
+ */
+export declare const rules: Record<string, TSESLint.RuleModule<string, readonly unknown[]>>;
+/**
+ * ESLint Plugin object
+ */
+export declare const plugin: TSESLint.FlatConfig.Plugin;
+/**
+ * Preset configurations
+ */
+export declare const configs: Record<string, TSESLint.FlatConfig.Config>;
+/**
+ * Default export for ESLint plugin
+ */
+export default plugin;