eslint-plugin-secure-coding 2.3.2 → 2.3.3

package/src/rules/no-zip-slip/index.js

@@ -1,445 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noZipSlip = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-exports.noZipSlip = (0, eslint_devkit_1.createRule)({
-    name: 'no-zip-slip',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects zip slip/archive extraction vulnerabilities',
-        },
-        fixable: 'code',
-        hasSuggestions: true,
-        messages: {
-            zipSlipVulnerability: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Zip Slip Vulnerability',
-                cwe: 'CWE-22',
-                description: 'Archive extraction vulnerable to path traversal',
-                severity: '{{severity}}',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/22.html',
-            }),
-            unsafeArchiveExtraction: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Unsafe Archive Extraction',
-                cwe: 'CWE-22',
-                description: 'Archive extraction without path validation',
-                severity: 'HIGH',
-                fix: 'Use safe extraction libraries or validate all paths',
-                documentationLink: 'https://snyk.io/research/zip-slip-vulnerability',
-            }),
-            pathTraversalInArchive: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Path Traversal in Archive',
-                cwe: 'CWE-22',
-                description: 'Archive contains path traversal sequences',
-                severity: 'CRITICAL',
-                fix: 'Reject archives with path traversal or sanitize paths',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/22.html',
-            }),
-            unvalidatedArchivePath: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Unvalidated Archive Path',
-                cwe: 'CWE-22',
-                description: 'Archive entry path used without validation',
-                severity: 'HIGH',
-                fix: 'Validate paths before extraction',
-                documentationLink: 'https://snyk.io/research/zip-slip-vulnerability',
-            }),
-            dangerousArchiveDestination: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Dangerous Archive Destination',
-                cwe: 'CWE-22',
-                description: 'Archive extracted to sensitive location',
-                severity: 'MEDIUM',
-                fix: 'Extract to safe temporary directory',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/22.html',
-            }),
-            useSafeArchiveExtraction: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Use Safe Archive Extraction',
-                description: 'Use libraries with built-in path validation',
-                severity: 'LOW',
-                fix: 'Use yauzl, safe-archive-extract, or similar safe libraries',
-                documentationLink: 'https://www.npmjs.com/package/yauzl',
-            }),
-            validateArchivePaths: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Validate Archive Paths',
-                description: 'Validate all archive entry paths',
-                severity: 'LOW',
-                fix: 'Check paths don\'t contain ../ and are within destination directory',
-                documentationLink: 'https://snyk.io/research/zip-slip-vulnerability',
-            }),
-            sanitizeArchiveNames: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Sanitize Archive Names',
-                description: 'Sanitize archive entry names',
-                severity: 'LOW',
-                fix: 'Use path.basename() or custom sanitization',
-                documentationLink: 'https://nodejs.org/api/path.html#pathbasenamepath-ext',
-            }),
-            strategyPathValidation: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Path Validation Strategy',
-                description: 'Validate paths before any file operations',
-                severity: 'LOW',
-                fix: 'Check path.startsWith(destination) and no ../ sequences',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/22.html',
-            }),
-            strategySafeLibraries: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Safe Libraries Strategy',
-                description: 'Use archive libraries with built-in safety',
-                severity: 'LOW',
-                fix: 'Use yauzl, adm-zip with validation, or safe-archive-extract',
-                documentationLink: 'https://www.npmjs.com/package/safe-archive-extract',
-            }),
-            strategySandboxing: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Sandboxing Strategy',
-                description: 'Extract archives in sandboxed environment',
-                severity: 'LOW',
-                fix: 'Use temporary directories and restrict permissions',
-                documentationLink: 'https://nodejs.org/api/fs.html#fsopentempdirprefix-options-callback',
-            })
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    archiveFunctions: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['extract', 'extractAll', 'extractAllTo', 'unzip', 'untar', 'extractArchive'],
-                    },
-                    pathValidationFunctions: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['validatePath', 'sanitizePath', 'checkPath', 'safePath'],
-                    },
-                    safeLibraries: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['yauzl', 'safe-archive-extract', 'tar-stream', 'unzipper'],
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            archiveFunctions: ['extract', 'extractAll', 'extractAllTo', 'unzip', 'untar', 'extractArchive'],
-            pathValidationFunctions: ['validatePath', 'sanitizePath', 'checkPath', 'safePath'],
-            safeLibraries: ['yauzl', 'safe-archive-extract', 'tar-stream', 'unzipper'],
-        },
-    ],
-    create(context) {
-        const options = context.options[0] || {};
-        const { archiveFunctions = ['extract', 'extractAll', 'extractAllTo', 'unzip', 'untar', 'extractArchive'], pathValidationFunctions = ['validatePath', 'sanitizePath', 'checkPath', 'safePath'], safeLibraries = ['yauzl', 'safe-archive-extract', 'tar-stream', 'unzipper'], } = options;
-        const filename = context.filename || context.getFilename();
-        // Safety checks are implemented directly in the handlers
-        /**
-         * Check if this is an archive extraction operation
-         */
-        const isArchiveExtraction = (node) => {
-            const callee = node.callee;
-            // Check for archive method calls (e.g., zip.extractAllTo)
-            if (callee.type === 'MemberExpression' &&
-                callee.property.type === 'Identifier' &&
-                archiveFunctions.includes(callee.property.name)) {
-                return true;
-            }
-            // Check for standalone archive functions (e.g., extractArchive)
-            if (callee.type === 'Identifier' &&
-                archiveFunctions.includes(callee.name)) {
-                return true;
-            }
-            return false;
-        };
-        /**
-         * Check if path contains dangerous traversal sequences
-         */
-        const containsPathTraversal = (pathText) => {
-            // Check for ../ sequences
-            return /\.\.\//.test(pathText) ||
-                /\.\.\\/.test(pathText) || // Windows paths
-                /^\.\./.test(pathText) || // Leading ..
-                /\/\.\./.test(pathText); // Embedded /..
-        };
-        /**
-         * Check if path has been validated
-         */
-        const isPathValidated = (pathNode) => {
-            let current = pathNode;
-            while (current) {
-                if (current.type === 'CallExpression' &&
-                    current.callee.type === 'Identifier' &&
-                    pathValidationFunctions.includes(current.callee.name)) {
-                    return true;
-                }
-                current = current.parent;
-            }
-            return false;
-        };
-        /**
-         * Check if this uses a safe library
-         */
-        const isSafeLibrary = (node) => {
-            const callee = node.callee;
-            if (callee.type === 'MemberExpression' &&
-                callee.object.type === 'Identifier' &&
-                safeLibraries.includes(callee.object.name)) {
-                return true;
-            }
-            return false;
-        };
-        /**
-         * Check if destination is dangerous
-         */
-        const isDangerousDestination = (destText) => {
-            return destText.includes('/tmp') ||
-                destText.includes('/var') ||
-                destText.includes('/usr') ||
-                destText.includes('/etc') ||
-                destText.includes('/root') ||
-                destText.includes('/home') ||
-                destText.includes('C:\\Windows') ||
-                destText.includes('C:\\Program Files') ||
-                destText.includes('C:\\Users');
-        };
-        return {
-            // Check archive extraction calls
-            CallExpression(node) {
-                if (isArchiveExtraction(node) && !isSafeLibrary(node)) {
-                    // Check for @safe annotations in the source
-                    const sourceCode = context.sourceCode;
-                    let hasSafeAnnotation = false;
-                    // Look for @safe comments in the source code
-                    const allComments = sourceCode.getAllComments();
-                    for (const comment of allComments) {
-                        if (comment.type === 'Block' && comment.value.includes('@safe')) {
-                            hasSafeAnnotation = true;
-                            break;
-                        }
-                    }
-                    if (hasSafeAnnotation) {
-                        return; // Skip reporting if marked as safe
-                    }
-                    // Check if destination is dangerous
-                    const args = node.arguments;
-                    let destArg;
-                    // Determine which argument is the destination based on the function
-                    if (node.callee.type === 'MemberExpression' && node.callee.property.type === 'Identifier') {
-                        const methodName = node.callee.property.name;
-                        if (['extractAllTo', 'unzip'].includes(methodName)) {
-                            // Destination is the first argument
-                            destArg = args[0];
-                        }
-                        else if (archiveFunctions.includes(methodName)) {
-                            // For other archive functions, destination is typically the second argument
-                            destArg = args.length >= 2 ? args[1] : undefined;
-                        }
-                    }
-                    else if (node.callee.type === 'Identifier' && archiveFunctions.includes(node.callee.name)) {
-                        // For standalone functions like extractArchive(file, dest)
-                        destArg = args.length >= 2 ? args[1] : undefined;
-                    }
-                    const destText = destArg && destArg.type === 'Literal' && typeof destArg.value === 'string' ? destArg.value : '';
-                    const isDestDangerous = isDangerousDestination(destText);
-                    const isMethodCall = node.callee.type === 'MemberExpression';
-                    if (isMethodCall) {
-                        // Method calls report unsafeArchiveExtraction unless destination is a safe relative path
-                        const isSafeRelativePath = destText.startsWith('./') || destText.startsWith('../');
-                        if (!isSafeRelativePath) {
-                            context.report({
-                                node,
-                                messageId: 'unsafeArchiveExtraction',
-                                data: {
-                                    filePath: filename,
-                                    line: String(node.loc?.start.line ?? 0),
-                                },
-                                suggest: [
-                                    {
-                                        messageId: 'useSafeArchiveExtraction',
-                                        fix: () => null,
-                                    },
-                                ],
-                            });
-                        }
-                        // For safe relative paths, don't report any error
-                        // Additionally report dangerous destination for dangerous destinations
-                        if (isDestDangerous) {
-                            context.report({
-                                node: destArg || node,
-                                messageId: 'dangerousArchiveDestination',
-                                data: {
-                                    filePath: filename,
-                                    line: String(node.loc?.start.line ?? 0),
-                                },
-                            });
-                        }
-                    }
-                    else {
-                        // Standalone calls: report dangerousArchiveDestination for dangerous destinations, unsafeArchiveExtraction otherwise
-                        if (isDestDangerous) {
-                            context.report({
-                                node,
-                                messageId: 'dangerousArchiveDestination',
-                                data: {
-                                    filePath: filename,
-                                    line: String(node.loc?.start.line ?? 0),
-                                },
-                            });
-                        }
-                        else {
-                            context.report({
-                                node,
-                                messageId: 'unsafeArchiveExtraction',
-                                data: {
-                                    filePath: filename,
-                                    line: String(node.loc?.start.line ?? 0),
-                                },
-                                suggest: [
-                                    {
-                                        messageId: 'useSafeArchiveExtraction',
-                                        fix: () => null
-                                    },
-                                ],
-                            });
-                        }
-                    }
-                }
-                // Check for path.join or similar operations with archive entry names
-                const callee = node.callee;
-                if (callee.type === 'MemberExpression' &&
-                    callee.property.type === 'Identifier' &&
-                    ['join', 'resolve', 'relative', 'normalize'].includes(callee.property.name)) {
-                    // Check arguments for potential archive entry usage
-                    const args = node.arguments;
-                    for (const arg of args) {
-                        if (arg.type === 'MemberExpression' &&
-                            arg.property.type === 'Identifier' &&
-                            ['name', 'path', 'fileName', 'entryName', 'relativePath', 'filename', 'pathname'].includes(arg.property.name)) {
-                            // This looks like path.join(dest, entry.name) - check if validated
-                            if (!isPathValidated(arg)) {
-                                context.report({
-                                    node: arg,
-                                    messageId: 'unvalidatedArchivePath',
-                                    data: {
-                                        filePath: filename,
-                                        line: String(node.loc?.start.line ?? 0),
-                                    },
-                                });
-                            }
-                        }
-                    }
-                }
-            },
-            // Check string literals for dangerous paths
-            Literal(node) {
-                if (typeof node.value !== 'string') {
-                    return;
-                }
-                const text = node.value;
-                // Check for path traversal in strings that look like file paths
-                if ((text.includes('/') || text.includes('\\')) && containsPathTraversal(text)) {
-                    // Check if this is in an archive-related context
-                    let current = node;
-                    let isArchiveContext = false;
-                    while (current && !isArchiveContext) {
-                        if (current.type === 'CallExpression' && isArchiveExtraction(current)) {
-                            isArchiveContext = true;
-                            break;
-                        }
-                        if (current.type === 'VariableDeclarator' &&
-                            current.id.type === 'Identifier' &&
-                            (current.id.name.includes('archive') ||
-                                current.id.name.includes('zip') ||
-                                current.id.name.includes('tar') ||
-                                current.id.name.includes('path') ||
-                                current.id.name.includes('file') ||
-                                current.id.name.includes('entry'))) {
-                            isArchiveContext = true;
-                            break;
-                        }
-                        current = current.parent;
-                    }
-                    // Also check if the variable name suggests archive usage
-                    const parent = node.parent;
-                    if (parent && parent.type === 'VariableDeclarator' && parent.id.type === 'Identifier') {
-                        const varName = parent.id.name.toLowerCase();
-                        if (varName.includes('archive') || varName.includes('zip') || varName.includes('tar') ||
-                            varName.includes('path') || varName.includes('file') || varName.includes('extract') ||
-                            varName.includes('entry')) {
-                            isArchiveContext = true;
-                        }
-                    }
-                    if (isArchiveContext) {
-                        context.report({
-                            node,
-                            messageId: 'pathTraversalInArchive',
-                            data: {
-                                filePath: filename,
-                                line: String(node.loc?.start.line ?? 0),
-                            },
-                        });
-                    }
-                }
-                // Dangerous destinations are handled by the CallExpression handler to avoid duplicates
-                // Only check for dangerous destinations not related to archive extraction
-                if (isDangerousDestination(text) && !containsPathTraversal(text)) {
-                    // Check if this is used as an extraction destination
-                    let current = node;
-                    let isExtractionDest = false;
-                    while (current && !isExtractionDest) {
-                        if (current.type === 'CallExpression' && isArchiveExtraction(current)) {
-                            // Check if this node is a destination argument
-                            const args = current.arguments;
-                            const callee = current.callee;
-                            const isMethodCall = callee.type === 'MemberExpression';
-                            if ((isMethodCall && args.length >= 1 && args[0] === node) ||
-                                (!isMethodCall && args.length >= 2 && args[1] === node)) {
-                                isExtractionDest = true;
-                                break;
-                            }
-                        }
-                        current = current.parent;
-                    }
-                    // Only report if not already handled by CallExpression handler
-                    if (!isExtractionDest) {
-                        context.report({
-                            node,
-                            messageId: 'dangerousArchiveDestination',
-                            data: {
-                                filePath: filename,
-                                line: String(node.loc?.start.line ?? 0),
-                            },
-                        });
-                    }
-                }
-            },
-            // Check variable assignments
-            VariableDeclarator(node) {
-                if (!node.init || node.id.type !== 'Identifier') {
-                    return;
-                }
-                const varName = node.id.name.toLowerCase();
-                // Check if this variable holds archive-related data
-                if (varName.includes('entry') || varName.includes('file') || varName.includes('path')) {
-                    if (node.init.type === 'MemberExpression' &&
-                        node.init.property.type === 'Identifier' &&
-                        ['name', 'path'].includes(node.init.property.name)) {
-                        // This looks like: const entryName = entry.name;
-                        // Check if this variable is used unsafely later
-                        // This is a simplified check - in practice we'd need more sophisticated analysis
-                    }
-                }
-            }
-        };
-    },
-});

package/src/rules/require-backend-authorization/index.d.ts

@@ -1,6 +0,0 @@
-/**
- * @fileoverview Require server-side authorization checks
- */
-export interface Options {
-}
-export declare const requireBackendAuthorization: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/require-backend-authorization/index.js

@@ -1,60 +0,0 @@
-"use strict";
-/**
- * @fileoverview Require server-side authorization checks
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.requireBackendAuthorization = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.requireBackendAuthorization = (0, eslint_devkit_1.createRule)({
-    name: 'require-backend-authorization',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Require server-side authorization checks',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Client-Side Authorization',
-                cwe: 'CWE-602',
-                description: 'Authorization logic in client code - easily bypassed',
-                severity: 'CRITICAL',
-                fix: 'Move authorization checks to server-side API endpoints',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/602.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        const authProperties = ['role', 'isAdmin', 'isAuthenticated', 'permissions', 'admin'];
-        return {
-            IfStatement(node) {
-                // Detect role-based access in client-side if statements
-                if (node.test.type === 'BinaryExpression') {
-                    const checkMember = (expr) => {
-                        if (expr.type === 'MemberExpression' &&
-                            expr.property.type === 'Identifier' &&
-                            authProperties.includes(expr.property.name)) {
-                            return true;
-                        }
-                        return false;
-                    };
-                    if (checkMember(node.test.left) ||
-                        checkMember(node.test.right)) {
-                        report(node);
-                    }
-                }
-                // Check for user.role or user.isAdmin access
-                if (node.test.type === 'MemberExpression' &&
-                    node.test.property.type === 'Identifier' &&
-                    authProperties.includes(node.test.property.name)) {
-                    report(node);
-                }
-            },
-        };
-    },
-});

package/src/rules/require-code-minification/index.d.ts

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Require minification configuration
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/656.html
- */
-export interface Options {
-}
-export declare const requireCodeMinification: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/require-code-minification/index.js

@@ -1,47 +0,0 @@
-"use strict";
-/**
- * @fileoverview Require minification configuration
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/656.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.requireCodeMinification = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.requireCodeMinification = (0, eslint_devkit_1.createRule)({
-    name: 'require-code-minification',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Require minification configuration',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M7'],
-            cweIds: ["CWE-656"],
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-656',
-                description: 'Require minification configuration detected - Build config without minification',
-                severity: 'LOW',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/656.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        return {
-            Property(node) {
-                if (node.key.type === 'Identifier' &&
-                    node.key.name === 'minimize' &&
-                    node.value.type === 'Literal' &&
-                    node.value.value === false) {
-                    context.report({ node, messageId: 'violationDetected' });
-                }
-            },
-        };
-    },
-});

package/src/rules/require-csp-headers/index.d.ts

@@ -1,6 +0,0 @@
-/**
- * @fileoverview Require Content Security Policy
- */
-export interface Options {
-}
-export declare const requireCspHeaders: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/require-csp-headers/index.js

@@ -1,64 +0,0 @@
-"use strict";
-/**
- * @fileoverview Require Content Security Policy
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.requireCspHeaders = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.requireCspHeaders = (0, eslint_devkit_1.createRule)({
-    name: 'require-csp-headers',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Require Content Security Policy headers',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Missing CSP',
-                cwe: 'CWE-1021',
-                description: 'HTML response without Content-Security-Policy header',
-                severity: 'MEDIUM',
-                fix: 'Use helmet.contentSecurityPolicy() or set CSP header manually',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/1021.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        return {
-            CallExpression(node) {
-                // Detect res.send(html) with HTML content without CSP
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.property.type === 'Identifier' &&
-                    node.callee.property.name === 'send') {
-                    const arg = node.arguments[0];
-                    // Check if sending HTML string
-                    if (arg && arg.type === 'TemplateLiteral') {
-                        const quasi = arg.quasis[0]?.value?.raw || '';
-                        if (quasi.includes('<html') || quasi.includes('<!DOCTYPE')) {
-                            report(node);
-                        }
-                    }
-                    if (arg && arg.type === 'Literal' && typeof arg.value === 'string') {
-                        if (arg.value.includes('<html') || arg.value.includes('<!DOCTYPE')) {
-                            report(node);
-                        }
-                    }
-                }
-                // Detect res.render() without CSP middleware
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.property.type === 'Identifier' &&
-                    node.callee.property.name === 'render') {
-                    // This is a heuristic - flag render calls as a reminder
-                    // In real projects, you'd check for helmet middleware
-                    report(node);
-                }
-            },
-        };
-    },
-});

package/src/rules/require-data-minimization/index.d.ts

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Identify excessive data collection
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/213.html
- */
-export interface Options {
-}
-export declare const requireDataMinimization: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;