eslint-plugin-secure-coding 2.2.1 → 2.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +43 -9
- package/CHANGELOG.md +16 -0
- package/README.md +11 -0
- package/package.json +1 -1
package/AGENTS.md
CHANGED
|
@@ -5,8 +5,8 @@
|
|
|
5
5
|
| Field | Value |
|
|
6
6
|
| --------------- | ---------------------------------------------------------------------------------------- |
|
|
7
7
|
| **Name** | eslint-plugin-secure-coding |
|
|
8
|
-
| **Version** |
|
|
9
|
-
| **Description** | Security-focused ESLint plugin with
|
|
8
|
+
| **Version** | 3.0.0 |
|
|
9
|
+
| **Description** | Security-focused ESLint plugin with 89 LLM-optimized rules for detecting vulnerabilities |
|
|
10
10
|
| **Type** | ESLint Plugin |
|
|
11
11
|
| **Language** | TypeScript |
|
|
12
12
|
| **Node.js** | >=18.0.0 |
|
|
@@ -37,11 +37,12 @@ export default [secureCoding.configs.recommended];
|
|
|
37
37
|
|
|
38
38
|
## Available Presets
|
|
39
39
|
|
|
40
|
-
| Preset | Rules
|
|
41
|
-
| ---------------- |
|
|
42
|
-
| **recommended** |
|
|
43
|
-
| **strict** |
|
|
44
|
-
| **owasp-top-10** | 32 rules
|
|
40
|
+
| Preset | Rules | Description |
|
|
41
|
+
| ---------------- | --------------------- | ----------------------------------- |
|
|
42
|
+
| **recommended** | 89 rules (mixed) | Balanced security (Web + Mobile) |
|
|
43
|
+
| **strict** | 89 rules (all errors) | Maximum security enforcement |
|
|
44
|
+
| **owasp-top-10** | 32 rules | OWASP Top 10 2021 compliance |
|
|
45
|
+
| **owasp-mobile** | 40 rules | OWASP Mobile Top 10 2024 compliance |
|
|
45
46
|
|
|
46
47
|
## Rule Categories
|
|
47
48
|
|
|
@@ -127,6 +128,39 @@ export default [secureCoding.configs.recommended];
|
|
|
127
128
|
- `no-unlimited-resource-allocation` - CWE-770 - Unbounded allocations
|
|
128
129
|
- `no-unchecked-loop-condition` - CWE-835 - Infinite loop conditions
|
|
129
130
|
|
|
131
|
+
### Mobile Security (30 rules)
|
|
132
|
+
|
|
133
|
+
- `no-http-urls` - CWE-319 - Prevent insecure HTTP URLs
|
|
134
|
+
- `no-hardcoded-credentials` - CWE-798 - Detect hardcoded secrets
|
|
135
|
+
- `no-credentials-in-storage-api` - CWE-522 - Prevent credentials in localStorage
|
|
136
|
+
- `no-credentials-in-query-params` - CWE-598 - Detect credentials in URLs
|
|
137
|
+
- `no-allow-arbitrary-loads` - CWE-295 - Prevent insecure ATS configuration
|
|
138
|
+
- `no-disabled-certificate-validation` - CWE-295 - Detect disabled cert validation
|
|
139
|
+
- `require-https-only` - CWE-319 - Enforce HTTPS-only connections
|
|
140
|
+
- `require-network-timeout` - CWE-400 - Require network timeouts
|
|
141
|
+
- `detect-weak-password-validation` - CWE-521 - Detect weak password requirements
|
|
142
|
+
- `no-client-side-auth-logic` - CWE-602 - Prevent client-side auth logic
|
|
143
|
+
- `no-hardcoded-session-tokens` - CWE-798 - Detect hardcoded session tokens
|
|
144
|
+
- `no-unvalidated-deeplinks` - CWE-939 - Unvalidated deep link usage
|
|
145
|
+
- `require-url-validation` - CWE-601 - Require URL validation
|
|
146
|
+
- `require-mime-type-validation` - CWE-434 - Require MIME type validation
|
|
147
|
+
- `no-arbitrary-file-access` - CWE-22 - Prevent path traversal
|
|
148
|
+
- `no-pii-in-logs` - CWE-532 - Prevent PII in logs
|
|
149
|
+
- `no-tracking-without-consent` - CWE-359 - Require tracking consent
|
|
150
|
+
- `no-sensitive-data-in-analytics` - CWE-359 - Prevent PII in analytics
|
|
151
|
+
- `require-data-minimization` - CWE-213 - Enforce data minimization
|
|
152
|
+
- `no-debug-code-in-production` - CWE-489 - Detect debug code
|
|
153
|
+
- `require-code-minification` - CWE-656 - Require code minification
|
|
154
|
+
- `no-verbose-error-messages` - CWE-209 - Prevent verbose error messages
|
|
155
|
+
- `require-secure-defaults` - CWE-276 - Require secure defaults
|
|
156
|
+
- `no-sensitive-data-in-cache` - CWE-524 - Prevent sensitive data in cache
|
|
157
|
+
- `no-data-in-temp-storage` - CWE-312 - Prevent sensitive data in temp storage
|
|
158
|
+
- `require-secure-deletion` - CWE-459 - Require secure deletion
|
|
159
|
+
- `require-storage-encryption` - CWE-311 - Require storage encryption
|
|
160
|
+
- `no-unencrypted-local-storage` - CWE-312 - Prevent unencrypted local storage
|
|
161
|
+
- `require-credential-storage` - CWE-522 - Require secure credential storage
|
|
162
|
+
- `no-exposed-debug-endpoints` - CWE-489 - Prevent exposed debug endpoints
|
|
163
|
+
|
|
130
164
|
### Platform-Specific (2 rules)
|
|
131
165
|
|
|
132
166
|
- `no-electron-security-issues` - CWE-693 - Electron security misconfig
|
|
@@ -167,9 +201,9 @@ Configure in `.cursor/mcp.json`:
|
|
|
167
201
|
|
|
168
202
|
| Feature | Value |
|
|
169
203
|
| -------------------- | -------------------------------- |
|
|
170
|
-
| **Total Rules** |
|
|
204
|
+
| **Total Rules** | 89 |
|
|
171
205
|
| **CWE Coverage** | 100% (all rules include CWE IDs) |
|
|
172
|
-
| **OWASP Top 10** | Full 2021
|
|
206
|
+
| **OWASP Top 10** | Full Web (2021) + Mobile (2024) |
|
|
173
207
|
| **AI Auto-Fix Rate** | 60-80% |
|
|
174
208
|
| **Performance** | <10ms overhead per file |
|
|
175
209
|
| **Privacy** | 100% local, no cloud calls |
|
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,22 @@ All notable changes to this project will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [3.0.0] - 2025-12-14
|
|
9
|
+
|
|
10
|
+
### Added
|
|
11
|
+
|
|
12
|
+
- **OWASP Mobile Top 10 Coverage**: Added 40 new rules targeting mobile security risks (M1-M10).
|
|
13
|
+
- **New Presets**:
|
|
14
|
+
- `owasp-mobile-top-10`: Comprehensive mobile security ruleset.
|
|
15
|
+
- **Documentation**:
|
|
16
|
+
- Full "Mobile Security" table in README with CVSS scores and fixable icons.
|
|
17
|
+
- Updated `AGENTS.md` with complete rule catalog for AI assistants.
|
|
18
|
+
|
|
19
|
+
### Changed
|
|
20
|
+
|
|
21
|
+
- **Recommended Config**: Now includes critical mobile security rules for hybrid web/mobile apps.
|
|
22
|
+
- **Rule Improvements**: Refined AST detection for `no-clickjacking` and `no-unvalidated-deeplinks` to reduce false positives.
|
|
23
|
+
|
|
8
24
|
## [1.0.0] - 2025-01-01
|
|
9
25
|
|
|
10
26
|
### Added
|
package/README.md
CHANGED
|
@@ -382,6 +382,17 @@ This plugin runs **100% locally**. No data ever leaves your machine.
|
|
|
382
382
|
|
|
383
383
|
---
|
|
384
384
|
|
|
385
|
+
**Q: Does it work with ESLint 9 flat config?**
|
|
386
|
+
A: Yes, fully compatible.
|
|
387
|
+
|
|
388
|
+
## 🔗 Related ESLint Plugins
|
|
389
|
+
|
|
390
|
+
- [`eslint-plugin-vercel-ai-security`](https://www.npmjs.com/package/eslint-plugin-vercel-ai-security) - specialized security rules for Vercel AI SDK applications.
|
|
391
|
+
|
|
385
392
|
## 📄 License
|
|
386
393
|
|
|
387
394
|
MIT © [Ofri Peretz](https://github.com/ofri-peretz)
|
|
395
|
+
|
|
396
|
+
```
|
|
397
|
+
|
|
398
|
+
```
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "eslint-plugin-secure-coding",
|
|
3
|
-
"version": "2.2.
|
|
3
|
+
"version": "2.2.3",
|
|
4
4
|
"description": "Security-focused ESLint plugin with 89 AI-parseable rules for detecting and preventing vulnerabilities. OWASP Top 10 2021 + Mobile Top 10 2024 coverage, CWE references, and AI-assisted fix guidance.",
|
|
5
5
|
"type": "commonjs",
|
|
6
6
|
"main": "./src/index.js",
|