eslint-plugin-node-security 4.0.0

package/src/rules/no-zip-slip/index.js

@@ -0,0 +1,451 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noZipSlip = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+exports.noZipSlip = (0, eslint_devkit_1.createRule)({
+    name: 'no-zip-slip',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects zip slip/archive extraction vulnerabilities',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            zipSlipVulnerability: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Zip Slip Vulnerability',
+                cwe: 'CWE-22',
+                description: 'Archive extraction vulnerable to path traversal',
+                severity: '{{severity}}',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/22.html',
+            }),
+            unsafeArchiveExtraction: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unsafe Archive Extraction',
+                cwe: 'CWE-22',
+                description: 'Archive extraction without path validation',
+                severity: 'HIGH',
+                fix: 'Use safe extraction libraries or validate all paths',
+                documentationLink: 'https://snyk.io/research/zip-slip-vulnerability',
+            }),
+            pathTraversalInArchive: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Path Traversal in Archive',
+                cwe: 'CWE-22',
+                description: 'Archive contains path traversal sequences',
+                severity: 'CRITICAL',
+                fix: 'Reject archives with path traversal or sanitize paths',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/22.html',
+            }),
+            unvalidatedArchivePath: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unvalidated Archive Path',
+                cwe: 'CWE-22',
+                description: 'Archive entry path used without validation',
+                severity: 'HIGH',
+                fix: 'Validate paths before extraction',
+                documentationLink: 'https://snyk.io/research/zip-slip-vulnerability',
+            }),
+            dangerousArchiveDestination: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Dangerous Archive Destination',
+                cwe: 'CWE-22',
+                description: 'Archive extracted to sensitive location',
+                severity: 'MEDIUM',
+                fix: 'Extract to safe temporary directory',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/22.html',
+            }),
+            useSafeArchiveExtraction: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Safe Archive Extraction',
+                description: 'Use libraries with built-in path validation',
+                severity: 'LOW',
+                fix: 'Use yauzl, safe-archive-extract, or similar safe libraries',
+                documentationLink: 'https://www.npmjs.com/package/yauzl',
+            }),
+            validateArchivePaths: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Validate Archive Paths',
+                description: 'Validate all archive entry paths',
+                severity: 'LOW',
+                fix: 'Check paths don\'t contain ../ and are within destination directory',
+                documentationLink: 'https://snyk.io/research/zip-slip-vulnerability',
+            }),
+            sanitizeArchiveNames: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Sanitize Archive Names',
+                description: 'Sanitize archive entry names',
+                severity: 'LOW',
+                fix: 'Use path.basename() or custom sanitization',
+                documentationLink: 'https://nodejs.org/api/path.html#pathbasenamepath-ext',
+            }),
+            strategyPathValidation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Path Validation Strategy',
+                description: 'Validate paths before any file operations',
+                severity: 'LOW',
+                fix: 'Check path.startsWith(destination) and no ../ sequences',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/22.html',
+            }),
+            strategySafeLibraries: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Safe Libraries Strategy',
+                description: 'Use archive libraries with built-in safety',
+                severity: 'LOW',
+                fix: 'Use yauzl, adm-zip with validation, or safe-archive-extract',
+                documentationLink: 'https://www.npmjs.com/package/safe-archive-extract',
+            }),
+            strategySandboxing: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Sandboxing Strategy',
+                description: 'Extract archives in sandboxed environment',
+                severity: 'LOW',
+                fix: 'Use temporary directories and restrict permissions',
+                documentationLink: 'https://nodejs.org/api/fs.html#fsopentempdirprefix-options-callback',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    archiveFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['extract', 'extractAll', 'extractAllTo', 'unzip', 'untar', 'extractArchive'],
+                    },
+                    pathValidationFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['validatePath', 'sanitizePath', 'checkPath', 'safePath'],
+                    },
+                    safeLibraries: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['yauzl', 'safe-archive-extract', 'tar-stream', 'unzipper'],
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            archiveFunctions: ['extract', 'extractAll', 'extractAllTo', 'unzip', 'untar', 'extractArchive'],
+            pathValidationFunctions: ['validatePath', 'sanitizePath', 'checkPath', 'safePath'],
+            safeLibraries: ['yauzl', 'safe-archive-extract', 'tar-stream', 'unzipper'],
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { archiveFunctions = ['extract', 'extractAll', 'extractAllTo', 'unzip', 'untar', 'extractArchive'], pathValidationFunctions = ['validatePath', 'sanitizePath', 'checkPath', 'safePath'], safeLibraries = ['yauzl', 'safe-archive-extract', 'tar-stream', 'unzipper'], } = options;
+        const filename = context.filename || context.getFilename();
+        // Safety checks are implemented directly in the handlers
+        /**
+         * Check if this is an archive extraction operation
+         */
+        const isArchiveExtraction = (node) => {
+            const callee = node.callee;
+            // Check for archive method calls (e.g., zip.extractAllTo)
+            if (callee.type === 'MemberExpression' &&
+                callee.property.type === 'Identifier' &&
+                archiveFunctions.includes(callee.property.name)) {
+                return true;
+            }
+            // Check for standalone archive functions (e.g., extractArchive)
+            if (callee.type === 'Identifier' &&
+                archiveFunctions.includes(callee.name)) {
+                return true;
+            }
+            return false;
+        };
+        /**
+         * Check if path contains dangerous traversal sequences
+         */
+        const containsPathTraversal = (pathText) => {
+            // Check for ../ sequences
+            return /\.\.\//.test(pathText) ||
+                /\.\.\\/.test(pathText) || // Windows paths
+                /^\.\./.test(pathText) || // Leading ..
+                /\/\.\./.test(pathText); // Embedded /..
+        };
+        /**
+         * Check if path has been validated
+         */
+        const isPathValidated = (pathNode) => {
+            let current = pathNode;
+            while (current) {
+                if (current.type === 'CallExpression' &&
+                    current.callee.type === 'Identifier' &&
+                    pathValidationFunctions.includes(current.callee.name)) {
+                    return true;
+                }
+                current = current.parent;
+            }
+            return false;
+        };
+        /**
+         * Check if this uses a safe library
+         */
+        const isSafeLibrary = (node) => {
+            const callee = node.callee;
+            if (callee.type === 'MemberExpression' &&
+                callee.object.type === 'Identifier' &&
+                safeLibraries.includes(callee.object.name)) {
+                return true;
+            }
+            return false;
+        };
+        /**
+         * Check if destination is dangerous
+         */
+        const isDangerousDestination = (destText) => {
+            return destText.includes('/tmp') ||
+                destText.includes('/var') ||
+                destText.includes('/usr') ||
+                destText.includes('/etc') ||
+                destText.includes('/root') ||
+                destText.includes('/home') ||
+                destText.includes('C:\\Windows') ||
+                destText.includes('C:\\Program Files') ||
+                destText.includes('C:\\Users');
+        };
+        return {
+            // Check archive extraction calls
+            CallExpression(node) {
+                if (isArchiveExtraction(node) && !isSafeLibrary(node)) {
+                    // Check for @safe annotations in the source
+                    const sourceCode = context.sourceCode;
+                    let hasSafeAnnotation = false;
+                    // Look for @safe comments in the source code
+                    const allComments = sourceCode.getAllComments();
+                    for (const comment of allComments) {
+                        if (comment.type === 'Block' && comment.value.includes('@safe')) {
+                            hasSafeAnnotation = true;
+                            break;
+                        }
+                    }
+                    if (hasSafeAnnotation) {
+                        return; // Skip reporting if marked as safe
+                    }
+                    // Check if destination is dangerous
+                    const args = node.arguments;
+                    let destArg;
+                    // Determine which argument is the destination based on the function
+                    if (node.callee.type === 'MemberExpression' && node.callee.property.type === 'Identifier') {
+                        const methodName = node.callee.property.name;
+                        if (['extractAllTo', 'unzip'].includes(methodName)) {
+                            // Destination is the first argument
+                            destArg = args[0];
+                        }
+                        else if (archiveFunctions.includes(methodName)) {
+                            // For other archive functions, destination is typically the second argument
+                            destArg = args.length >= 2 ? args[1] : undefined;
+                        }
+                    }
+                    else if (node.callee.type === 'Identifier' && archiveFunctions.includes(node.callee.name)) {
+                        // For standalone functions like extractArchive(file, dest)
+                        destArg = args.length >= 2 ? args[1] : undefined;
+                    }
+                    const destText = destArg && destArg.type === 'Literal' && typeof destArg.value === 'string' ? destArg.value : '';
+                    const isDestDangerous = isDangerousDestination(destText);
+                    const isMethodCall = node.callee.type === 'MemberExpression';
+                    if (isMethodCall) {
+                        // Method calls report unsafeArchiveExtraction unless destination is a safe relative path
+                        const isSafeRelativePath = destText.startsWith('./') || destText.startsWith('../');
+                        if (!isSafeRelativePath) {
+                            context.report({
+                                node,
+                                messageId: 'unsafeArchiveExtraction',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                                suggest: [
+                                    {
+                                        messageId: 'useSafeArchiveExtraction',
+                                        fix: () => null,
+                                    },
+                                ],
+                            });
+                        }
+                        // For safe relative paths, don't report any error
+                        // Additionally report dangerous destination for dangerous destinations
+                        if (isDestDangerous) {
+                            context.report({
+                                node: destArg || node,
+                                messageId: 'dangerousArchiveDestination',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                    else {
+                        // Standalone calls: report dangerousArchiveDestination for dangerous destinations, unsafeArchiveExtraction otherwise
+                        if (isDestDangerous) {
+                            context.report({
+                                node,
+                                messageId: 'dangerousArchiveDestination',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                        else {
+                            context.report({
+                                node,
+                                messageId: 'unsafeArchiveExtraction',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                                suggest: [
+                                    {
+                                        messageId: 'useSafeArchiveExtraction',
+                                        fix: () => null
+                                    },
+                                ],
+                            });
+                        }
+                    }
+                }
+                // Check for path.join or similar operations with archive entry names
+                const callee = node.callee;
+                if (callee.type === 'MemberExpression' &&
+                    callee.property.type === 'Identifier' &&
+                    ['join', 'resolve', 'relative', 'normalize'].includes(callee.property.name)) {
+                    // Check arguments for potential archive entry usage
+                    const args = node.arguments;
+                    for (const arg of args) {
+                        if (arg.type === 'MemberExpression' &&
+                            arg.property.type === 'Identifier' &&
+                            ['name', 'path', 'fileName', 'entryName', 'relativePath', 'filename', 'pathname'].includes(arg.property.name)) {
+                            // This looks like path.join(dest, entry.name) - check if validated
+                            if (!isPathValidated(arg)) {
+                                context.report({
+                                    node: arg,
+                                    messageId: 'unvalidatedArchivePath',
+                                    data: {
+                                        filePath: filename,
+                                        line: String(node.loc?.start.line ?? 0),
+                                    },
+                                });
+                            }
+                        }
+                    }
+                }
+            },
+            // Check string literals for dangerous paths
+            Literal(node) {
+                if (typeof node.value !== 'string') {
+                    return;
+                }
+                const text = node.value;
+                // Check for path traversal in strings that look like file paths
+                if ((text.includes('/') || text.includes('\\')) && containsPathTraversal(text)) {
+                    // Check if this is in an archive-related context
+                    let current = node;
+                    let isArchiveContext = false;
+                    while (current && !isArchiveContext) {
+                        if (current.type === 'CallExpression' && isArchiveExtraction(current)) {
+                            isArchiveContext = true;
+                            break;
+                        }
+                        if (current.type === 'VariableDeclarator' &&
+                            current.id.type === 'Identifier' &&
+                            (current.id.name.includes('archive') ||
+                                current.id.name.includes('zip') ||
+                                current.id.name.includes('tar') ||
+                                current.id.name.includes('path') ||
+                                current.id.name.includes('file') ||
+                                current.id.name.includes('entry'))) {
+                            isArchiveContext = true;
+                            break;
+                        }
+                        current = current.parent;
+                    }
+                    // Also check if the variable name suggests archive usage
+                    const parent = node.parent;
+                    if (parent && parent.type === 'VariableDeclarator' && parent.id.type === 'Identifier') {
+                        const varName = parent.id.name.toLowerCase();
+                        if (varName.includes('archive') || varName.includes('zip') || varName.includes('tar') ||
+                            varName.includes('path') || varName.includes('file') || varName.includes('extract') ||
+                            varName.includes('entry')) {
+                            isArchiveContext = true;
+                        }
+                    }
+                    if (isArchiveContext) {
+                        context.report({
+                            node,
+                            messageId: 'pathTraversalInArchive',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+                // Dangerous destinations are handled by the CallExpression handler to avoid duplicates
+                // Only check for dangerous destinations not related to archive extraction
+                if (isDangerousDestination(text) && !containsPathTraversal(text)) {
+                    // Check if this is used as an extraction destination
+                    let current = node;
+                    let isExtractionDest = false;
+                    while (current && !isExtractionDest) {
+                        if (current.type === 'CallExpression' && isArchiveExtraction(current)) {
+                            // Check if this node is a destination argument
+                            const args = current.arguments;
+                            const callee = current.callee;
+                            const isMethodCall = callee.type === 'MemberExpression';
+                            if ((isMethodCall && args.length >= 1 && args[0] === node) ||
+                                (!isMethodCall && args.length >= 2 && args[1] === node)) {
+                                isExtractionDest = true;
+                                break;
+                            }
+                        }
+                        current = current.parent;
+                    }
+                    // Only report if not already handled by CallExpression handler
+                    if (!isExtractionDest) {
+                        context.report({
+                            node,
+                            messageId: 'dangerousArchiveDestination',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            },
+            // Check variable assignments
+            VariableDeclarator(node) {
+                if (!node.init || node.id.type !== 'Identifier') {
+                    return;
+                }
+                const varName = node.id.name.toLowerCase();
+                // Check if this variable holds archive-related data
+                if (varName.includes('entry') || varName.includes('file') || varName.includes('path')) {
+                    if (node.init.type === 'MemberExpression' &&
+                        node.init.property.type === 'Identifier' &&
+                        ['name', 'path'].includes(node.init.property.name)) {
+                        // This looks like: const entryName = entry.name;
+                        // Check if this variable is used unsafely later
+                        // This is a simplified check - in practice we'd need more sophisticated analysis
+                    }
+                }
+            }
+        };
+    },
+});
+//# sourceMappingURL=index.js.map

package/src/rules/no-zip-slip/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-node-security/src/rules/no-zip-slip/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAkBH,4DAAsD;AACtD,4DAA0E;AA4B7D,QAAA,SAAS,GAAG,IAAA,0BAAU,EAA0B;IAC3D,IAAI,EAAE,aAAa;IACnB,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,qDAAqD;SACnE;QACD,OAAO,EAAE,MAAM;QACf,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,wBAAwB;gBACnC,GAAG,EAAE,QAAQ;gBACb,WAAW,EAAE,iDAAiD;gBAC9D,QAAQ,EAAE,cAAc;gBACxB,GAAG,EAAE,qBAAqB;gBAC1B,iBAAiB,EAAE,gDAAgD;aACpE,CAAC;YACF,uBAAuB,EAAE,IAAA,gCAAgB,EAAC;gBACxC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,2BAA2B;gBACtC,GAAG,EAAE,QAAQ;gBACb,WAAW,EAAE,4CAA4C;gBACzD,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,qDAAqD;gBAC1D,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,sBAAsB,EAAE,IAAA,gCAAgB,EAAC;gBACvC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,2BAA2B;gBACtC,GAAG,EAAE,QAAQ;gBACb,WAAW,EAAE,2CAA2C;gBACxD,QAAQ,EAAE,UAAU;gBACpB,GAAG,EAAE,uDAAuD;gBAC5D,iBAAiB,EAAE,gDAAgD;aACpE,CAAC;YACF,sBAAsB,EAAE,IAAA,gCAAgB,EAAC;gBACvC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,0BAA0B;gBACrC,GAAG,EAAE,QAAQ;gBACb,WAAW,EAAE,4CAA4C;gBACzD,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,kCAAkC;gBACvC,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,2BAA2B,EAAE,IAAA,gCAAgB,EAAC;gBAC5C,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,+BAA+B;gBAC1C,GAAG,EAAE,QAAQ;gBACb,WAAW,EAAE,yCAAyC;gBACtD,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,qCAAqC;gBAC1C,iBAAiB,EAAE,gDAAgD;aACpE,CAAC;YACF,wBAAwB,EAAE,IAAA,gCAAgB,EAAC;gBACzC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,6BAA6B;gBACxC,WAAW,EAAE,6CAA6C;gBAC1D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,4DAA4D;gBACjE,iBAAiB,EAAE,qCAAqC;aACzD,CAAC;YACF,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,wBAAwB;gBACnC,WAAW,EAAE,kCAAkC;gBAC/C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,qEAAqE;gBAC1E,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,wBAAwB;gBACnC,WAAW,EAAE,8BAA8B;gBAC3C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,4CAA4C;gBACjD,iBAAiB,EAAE,uDAAuD;aAC3E,CAAC;YACF,sBAAsB,EAAE,IAAA,gCAAgB,EAAC;gBACvC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,0BAA0B;gBACrC,WAAW,EAAE,2CAA2C;gBACxD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,yDAAyD;gBAC9D,iBAAiB,EAAE,gDAAgD;aACpE,CAAC;YACF,qBAAqB,EAAE,IAAA,gCAAgB,EAAC;gBACtC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,yBAAyB;gBACpC,WAAW,EAAE,4CAA4C;gBACzD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,6DAA6D;gBAClE,iBAAiB,EAAE,oDAAoD;aACxE,CAAC;YACF,kBAAkB,EAAE,IAAA,gCAAgB,EAAC;gBACnC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,qBAAqB;gBAChC,WAAW,EAAE,2CAA2C;gBACxD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,oDAAoD;gBACzD,iBAAiB,EAAE,qEAAqE;aACzF,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,gBAAgB,EAAE;wBAChB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,SAAS,EAAE,YAAY,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE,gBAAgB,CAAC;qBACvF;oBACD,uBAAuB,EAAE;wBACvB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,cAAc,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,CAAC;qBACnE;oBACD,aAAa,EAAE;wBACb,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,OAAO,EAAE,sBAAsB,EAAE,YAAY,EAAE,UAAU,CAAC;qBACrE;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,gBAAgB,EAAE,CAAC,SAAS,EAAE,YAAY,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE,gBAAgB,CAAC;YAC/F,uBAAuB,EAAE,CAAC,cAAc,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,CAAC;YAClF,aAAa,EAAE,CAAC,OAAO,EAAE,sBAAsB,EAAE,YAAY,EAAE,UAAU,CAAC;SAC3E;KACF;IACD,MAAM,CAAC,OAAsD;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,EACJ,gBAAgB,GAAG,CAAC,SAAS,EAAE,YAAY,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE,gBAAgB,CAAC,EAChG,uBAAuB,GAAG,CAAC,cAAc,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,CAAC,EACnF,aAAa,GAAG,CAAC,OAAO,EAAE,sBAAsB,EAAE,YAAY,EAAE,UAAU,CAAC,GAC5E,GAAY,OAAO,CAAC;QAErB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QAE3D,yDAAyD;QAEzD;;WAEG;QACH,MAAM,mBAAmB,GAAG,CAAC,IAA6B,EAAW,EAAE;YACrE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAE3B,0DAA0D;YAC1D,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBACrC,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,gEAAgE;YAChE,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY;gBAC5B,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC3C,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,qBAAqB,GAAG,CAAC,QAAgB,EAAW,EAAE;YAC1D,0BAA0B;YAC1B,OAAO,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,gBAAgB;gBAC3C,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,aAAa;gBACvC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAE,eAAe;QAClD,CAAC,CAAC;QAGF;;WAEG;QACH,MAAM,eAAe,GAAG,CAAC,QAAuB,EAAW,EAAE;YAC3D,IAAI,OAAO,GAA8B,QAAQ,CAAC;YAElD,OAAO,OAAO,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB;oBACjC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;oBACpC,uBAAuB,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC1D,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,MAAuB,CAAC;YAC5C,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,aAAa,GAAG,CAAC,IAA6B,EAAW,EAAE;YAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAE3B,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBAClC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;gBACnC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/C,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,sBAAsB,GAAG,CAAC,QAAgB,EAAW,EAAE;YAC3D,OAAO,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACzB,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACzB,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACzB,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACzB,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAC1B,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAC1B,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAChC,QAAQ,CAAC,QAAQ,CAAC,mBAAmB,CAAC;gBACtC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACxC,CAAC,CAAC;QAEF,OAAO;YACL,iCAAiC;YACjC,cAAc,CAAC,IAA6B;gBAC1C,IAAI,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;oBACtD,4CAA4C;oBAC5C,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;oBACtC,IAAI,iBAAiB,GAAG,KAAK,CAAC;oBAE9B,6CAA6C;oBAC7C,MAAM,WAAW,GAAG,UAAU,CAAC,cAAc,EAAE,CAAC;oBAChD,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;wBAClC,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,IAAI,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;4BAChE,iBAAiB,GAAG,IAAI,CAAC;4BACzB,MAAM;wBACR,CAAC;oBACH,CAAC;oBAED,IAAI,iBAAiB,EAAE,CAAC;wBACtB,OAAO,CAAC,mCAAmC;oBAC7C,CAAC;oBAED,oCAAoC;oBACpC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;oBAC5B,IAAI,OAAkC,CAAC;oBAEvC,oEAAoE;oBACpE,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBAC1F,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBAC7C,IAAI,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;4BACnD,oCAAoC;4BACpC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;wBACpB,CAAC;6BAAM,IAAI,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;4BACjD,4EAA4E;4BAC5E,OAAO,GAAG,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;wBACnD,CAAC;oBACH,CAAC;yBAAM,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,IAAI,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC5F,2DAA2D;wBAC3D,OAAO,GAAG,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;oBACnD,CAAC;oBAED,MAAM,QAAQ,GAAG,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;oBACjH,MAAM,eAAe,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;oBACzD,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,CAAC;oBAE7D,IAAI,YAAY,EAAE,CAAC;wBACjB,yFAAyF;wBACzF,MAAM,kBAAkB,GAAG,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;wBAEnF,IAAI,CAAC,kBAAkB,EAAE,CAAC;4BACxB,OAAO,CAAC,MAAM,CAAC;gCACb,IAAI;gCACJ,SAAS,EAAE,yBAAyB;gCACpC,IAAI,EAAE;oCACJ,QAAQ,EAAE,QAAQ;oCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;iCACxC;gCACD,OAAO,EAAE;oCACP;wCACE,SAAS,EAAE,0BAA0B;wCACrC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qCAChB;iCACF;6BACF,CAAC,CAAC;wBACL,CAAC;wBACD,kDAAkD;wBAElD,uEAAuE;wBACvE,IAAI,eAAe,EAAE,CAAC;4BACpB,OAAO,CAAC,MAAM,CAAC;gCACb,IAAI,EAAE,OAAO,IAAI,IAAI;gCACrB,SAAS,EAAE,6BAA6B;gCACxC,IAAI,EAAE;oCACJ,QAAQ,EAAE,QAAQ;oCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;iCACxC;6BACF,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,qHAAqH;wBACrH,IAAI,eAAe,EAAE,CAAC;4BACpB,OAAO,CAAC,MAAM,CAAC;gCACb,IAAI;gCACJ,SAAS,EAAE,6BAA6B;gCACxC,IAAI,EAAE;oCACJ,QAAQ,EAAE,QAAQ;oCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;iCACxC;6BACF,CAAC,CAAC;wBACL,CAAC;6BAAM,CAAC;4BACN,OAAO,CAAC,MAAM,CAAC;gCACb,IAAI;gCACJ,SAAS,EAAE,yBAAyB;gCACpC,IAAI,EAAE;oCACJ,QAAQ,EAAE,QAAQ;oCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;iCACxC;gCACD,OAAO,EAAE;oCACP;wCACE,SAAS,EAAE,0BAA0B;wCACrC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qCAChB;iCACF;6BACF,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,qEAAqE;gBACrE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;gBAC3B,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB;oBAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;oBACrC,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;oBAEhF,oDAAoD;oBACpD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;oBAC5B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;wBACvB,IAAI,GAAG,CAAC,IAAI,KAAK,kBAAkB;4BAC/B,GAAG,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;4BAClC,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;4BAElH,mEAAmE;4BACnE,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;gCAC1B,OAAO,CAAC,MAAM,CAAC;oCACb,IAAI,EAAE,GAAG;oCACT,SAAS,EAAE,wBAAwB;oCACnC,IAAI,EAAE;wCACJ,QAAQ,EAAE,QAAQ;wCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;qCACxC;iCACF,CAAC,CAAC;4BACL,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,4CAA4C;YAC5C,OAAO,CAAC,IAAsB;gBAC5B,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACnC,OAAO;gBACT,CAAC;gBAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC;gBAExB,gEAAgE;gBAChE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC/E,iDAAiD;oBACjD,IAAI,OAAO,GAA8B,IAAI,CAAC;oBAC9C,IAAI,gBAAgB,GAAG,KAAK,CAAC;oBAE7B,OAAO,OAAO,IAAI,CAAC,gBAAgB,EAAE,CAAC;wBACpC,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,IAAI,mBAAmB,CAAC,OAAO,CAAC,EAAE,CAAC;4BACtE,gBAAgB,GAAG,IAAI,CAAC;4BACxB,MAAM;wBACR,CAAC;wBACD,IAAI,OAAO,CAAC,IAAI,KAAK,oBAAoB;4BACrC,OAAO,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY;4BAChC,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;gCACnC,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gCAC/B,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gCAC/B,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;gCAChC,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;gCAChC,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;4BACxC,gBAAgB,GAAG,IAAI,CAAC;4BACxB,MAAM;wBACR,CAAC;wBACD,OAAO,GAAG,OAAO,CAAC,MAAuB,CAAC;oBAC5C,CAAC;oBAED,yDAAyD;oBACzD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;oBAC3B,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,KAAK,oBAAoB,IAAI,MAAM,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBACtF,MAAM,OAAO,GAAG,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;wBAC7C,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;4BACjF,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;4BACnF,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;4BAC9B,gBAAgB,GAAG,IAAI,CAAC;wBAC1B,CAAC;oBACH,CAAC;oBAED,IAAI,gBAAgB,EAAE,CAAC;wBACrB,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI;4BACJ,SAAS,EAAE,wBAAwB;4BACnC,IAAI,EAAE;gCACJ,QAAQ,EAAE,QAAQ;gCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;6BACxC;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,uFAAuF;gBACvF,0EAA0E;gBAC1E,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;oBACjE,qDAAqD;oBACrD,IAAI,OAAO,GAA8B,IAAI,CAAC;oBAC9C,IAAI,gBAAgB,GAAG,KAAK,CAAC;oBAE7B,OAAO,OAAO,IAAI,CAAC,gBAAgB,EAAE,CAAC;wBACpC,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,IAAI,mBAAmB,CAAC,OAAO,CAAC,EAAE,CAAC;4BACtE,+CAA+C;4BAC/C,MAAM,IAAI,GAAG,OAAO,CAAC,SAAS,CAAC;4BAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;4BAC9B,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,KAAK,kBAAkB,CAAC;4BAExD,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC;gCACtD,CAAC,CAAC,YAAY,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,EAAE,CAAC;gCAC5D,gBAAgB,GAAG,IAAI,CAAC;gCACxB,MAAM;4BACR,CAAC;wBACH,CAAC;wBACD,OAAO,GAAG,OAAO,CAAC,MAAuB,CAAC;oBAC5C,CAAC;oBAED,+DAA+D;oBAC/D,IAAI,CAAC,gBAAgB,EAAE,CAAC;wBACtB,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI;4BACJ,SAAS,EAAE,6BAA6B;4BACxC,IAAI,EAAE;gCACJ,QAAQ,EAAE,QAAQ;gCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;6BACxC;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,6BAA6B;YAC7B,kBAAkB,CAAC,IAAiC;gBAClD,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBAChD,OAAO;gBACT,CAAC;gBAED,MAAM,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBAE3C,oDAAoD;gBACpD,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;oBACtF,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,kBAAkB;wBACrC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;wBACxC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;wBAEvD,iDAAiD;wBACjD,gDAAgD;wBAChD,iFAAiF;oBACnF,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/prefer-native-crypto/index.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: prefer-native-crypto
+ * Suggests using native crypto over third-party libraries
+ * CWE-1104: Use of Unmaintained Third Party Components
+ *
+ * Native crypto is maintained by Node.js/browser vendors and is always up-to-date
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'preferNative' | 'useNodeCrypto' | 'useWebCrypto';
+export interface Options {
+    /** Severity level. Default: 'warn' */
+    severity?: 'error' | 'warn';
+}
+type RuleOptions = [Options?];
+export declare const preferNativeCrypto: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export type { Options as PreferNativeCryptoOptions };

package/src/rules/prefer-native-crypto/index.js

@@ -0,0 +1,124 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.preferNativeCrypto = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+// Third-party crypto libraries that should be replaced with native
+const THIRD_PARTY_CRYPTO_LIBS = new Set([
+    'crypto-js',
+    'cryptojs',
+    'sjcl', // Stanford JavaScript Crypto Library
+    'forge', // node-forge
+    'node-forge',
+    'jsencrypt',
+    'bcryptjs', // pure JS bcrypt (prefer native bcrypt)
+    'js-sha256',
+    'js-sha512',
+    'js-sha3',
+    'js-md5',
+    'blueimp-md5',
+    'aes-js',
+]);
+exports.preferNativeCrypto = (0, eslint_devkit_1.createRule)({
+    name: 'prefer-native-crypto',
+    meta: {
+        type: 'suggestion',
+        docs: {
+            description: 'Prefer native crypto over third-party libraries',
+        },
+        hasSuggestions: true,
+        messages: {
+            preferNative: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.WARNING,
+                issueName: 'Third-party crypto library',
+                cwe: 'CWE-1104',
+                description: '{{library}} is a third-party crypto library. Native crypto (Node.js crypto or Web Crypto API) is faster, more secure, and always maintained.',
+                severity: 'MEDIUM',
+                fix: 'Migrate to native crypto module',
+                documentationLink: 'https://nodejs.org/api/crypto.html',
+            }),
+            useNodeCrypto: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Node.js crypto',
+                description: 'Node.js crypto module is built-in and maintained',
+                severity: 'LOW',
+                fix: 'import crypto from "node:crypto"',
+                documentationLink: 'https://nodejs.org/api/crypto.html',
+            }),
+            useWebCrypto: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Web Crypto API',
+                description: 'Web Crypto API is built into browsers and Node.js 15+',
+                severity: 'LOW',
+                fix: 'globalThis.crypto.subtle',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    severity: {
+                        type: 'string',
+                        enum: ['error', 'warn'],
+                        default: 'warn',
+                        description: 'Severity level',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            severity: 'warn',
+        },
+    ],
+    create(context) {
+        function reportThirdPartyLib(node, library) {
+            /* c8 ignore next 15 -- suggestions with fix: () => null cannot be tested with RuleTester */
+            context.report({
+                node,
+                messageId: 'preferNative',
+                data: { library },
+                suggest: [
+                    {
+                        messageId: 'useNodeCrypto',
+                        fix: () => null,
+                    },
+                    {
+                        messageId: 'useWebCrypto',
+                        fix: () => null,
+                    },
+                ],
+            });
+        }
+        return {
+            ImportDeclaration(node) {
+                if (typeof node.source.value === 'string') {
+                    const lib = node.source.value.split('/')[0]; // Get base package name
+                    if (THIRD_PARTY_CRYPTO_LIBS.has(lib)) {
+                        reportThirdPartyLib(node, lib);
+                    }
+                }
+            },
+            CallExpression(node) {
+                if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                    node.callee.name === 'require' &&
+                    node.arguments.length === 1 &&
+                    node.arguments[0].type === eslint_devkit_1.AST_NODE_TYPES.Literal &&
+                    typeof node.arguments[0].value === 'string') {
+                    const lib = node.arguments[0].value.split('/')[0];
+                    if (THIRD_PARTY_CRYPTO_LIBS.has(lib)) {
+                        reportThirdPartyLib(node, lib);
+                    }
+                }
+            },
+        };
+    },
+});
+//# sourceMappingURL=index.js.map

package/src/rules/prefer-native-crypto/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-node-security/src/rules/prefer-native-crypto/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAUH,4DAAsG;AActG,mEAAmE;AACnE,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,WAAW;IACX,UAAU;IACV,MAAM,EAAY,qCAAqC;IACvD,OAAO,EAAW,aAAa;IAC/B,YAAY;IACZ,WAAW;IACX,UAAU,EAAQ,wCAAwC;IAC1D,WAAW;IACX,WAAW;IACX,SAAS;IACT,QAAQ;IACR,aAAa;IACb,QAAQ;CACT,CAAC,CAAC;AAEU,QAAA,kBAAkB,GAAG,IAAA,0BAAU,EAA0B;IACpE,IAAI,EAAE,sBAAsB;IAC5B,IAAI,EAAE;QACJ,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE;YACJ,WAAW,EAAE,iDAAiD;SAC/D;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,YAAY,EAAE,IAAA,gCAAgB,EAAC;gBAC7B,IAAI,EAAE,4BAAY,CAAC,OAAO;gBAC1B,SAAS,EAAE,4BAA4B;gBACvC,GAAG,EAAE,UAAU;gBACf,WAAW,EAAE,8IAA8I;gBAC3J,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,iCAAiC;gBACtC,iBAAiB,EAAE,oCAAoC;aACxD,CAAC;YACF,aAAa,EAAE,IAAA,gCAAgB,EAAC;gBAC9B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,oBAAoB;gBAC/B,WAAW,EAAE,kDAAkD;gBAC/D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,kCAAkC;gBACvC,iBAAiB,EAAE,oCAAoC;aACxD,CAAC;YACF,YAAY,EAAE,IAAA,gCAAgB,EAAC;gBAC7B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,oBAAoB;gBAC/B,WAAW,EAAE,uDAAuD;gBACpE,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,0BAA0B;gBAC/B,iBAAiB,EAAE,iEAAiE;aACrF,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,QAAQ,EAAE;wBACR,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;wBACvB,OAAO,EAAE,MAAM;wBACf,WAAW,EAAE,gBAAgB;qBAC9B;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,QAAQ,EAAE,MAAM;SACjB;KACF;IACD,MAAM,CAAC,OAAsD;QAC3D,SAAS,mBAAmB,CAAC,IAAmB,EAAE,OAAe;YAC/D,4FAA4F;YAC5F,OAAO,CAAC,MAAM,CAAC;gBACb,IAAI;gBACJ,SAAS,EAAE,cAAc;gBACzB,IAAI,EAAE,EAAE,OAAO,EAAE;gBACjB,OAAO,EAAE;oBACP;wBACE,SAAS,EAAE,eAAe;wBAC1B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;oBACD;wBACE,SAAS,EAAE,cAAc;wBACzB,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;iBACF;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO;YACL,iBAAiB,CAAC,IAAgC;gBAChD,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,wBAAwB;oBACrE,IAAI,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;wBACrC,mBAAmB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;oBACjC,CAAC;gBACH,CAAC;YACH,CAAC;YAED,cAAc,CAAC,IAA6B;gBAC1C,IACE,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU;oBAC9C,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS;oBAC9B,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC;oBAC3B,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,8BAAc,CAAC,OAAO;oBACjD,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,QAAQ,EAC3C,CAAC;oBACD,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBAClD,IAAI,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;wBACrC,mBAAmB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;oBACjC,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/require-dependency-integrity/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+export interface Options {
+}
+type RuleOptions = [Options?];
+export declare const requireDependencyIntegrity: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener> & {
+    name: string;
+};
+export {};