npm - eslint-plugin-secure-coding - Versions diffs - 3.0.0 → 3.0.2 - Mend

eslint-plugin-secure-coding 3.0.0 → 3.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (158) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "eslint-plugin-secure-coding",
-  "version": "3.0.0",
+  "version": "3.0.2",
   "description": "Security-focused ESLint plugin with 89 AI-parseable rules for detecting and preventing vulnerabilities. OWASP Top 10 2021 + Mobile Top 10 2024 coverage, CWE references, and AI-assisted fix guidance.",
   "type": "commonjs",
   "main": "./src/index.js",
@@ -17,10 +17,10 @@
   },
   "author": "Ofri Peretz <ofriperetzdev@gmail.com>",
   "license": "MIT",
-  "homepage": "https://github.com/ofri-peretz/eslint/blob/main/packages/eslint-plugin-secure-coding/README.md",
+  "homepage": "https://github.com/ofri-peretz/eslint/tree/main/packages/eslint-plugin-secure-coding#readme",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/ofri-peretz/eslint.git",
+    "url": "https://github.com/ofri-peretz/eslint",
     "directory": "packages/eslint-plugin-secure-coding"
   },
   "bugs": {
@@ -41,6 +41,7 @@
     "eslint",
     "eslint-plugin",
     "eslintplugin",
+    "interlace-security",
     "security",
     "secure-coding",
     "owasp",
@@ -69,8 +70,8 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "@interlace/eslint-devkit": "^1.2.1",
-    "tslib": "^2.3.0"
+    "tslib": "^2.3.0",
+    "@interlace/eslint-devkit": "^1.2.1"
   },
   "devDependencies": {
     "@typescript-eslint/parser": "^8.46.2",

package/src/index.d.ts CHANGED Viewed

@@ -1,20 +1,11 @@
 /**
- * eslint-plugin-secure-coding
- *
- * A comprehensive security-focused ESLint plugin with 48+ rules
- * for detecting and preventing security vulnerabilities in JavaScript/TypeScript code.
- *
- * Features:
- * - LLM-optimized error messages with CWE references
- * - OWASP Top 10 coverage
- * - Auto-fix capabilities where safe
- * - Structured context for AI assistants
- *
- * @see https://github.com/ofri-peretz/eslint#readme
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 import { TSESLint } from '@interlace/eslint-devkit';
 /**
- * Collection of all security ESLint rules
+ * Collection of all core security ESLint rules
  */
 export declare const rules: Record<string, TSESLint.RuleModule<string, readonly unknown[]>>;
 /**
@@ -29,4 +20,4 @@ export default plugin;
 /**
  * Re-export all types from the types barrel
  */
-export type { DetectEvalWithExpressionOptions, DetectChildProcessOptions, NoUnsafeDynamicRequireOptions, NoGraphqlInjectionOptions, NoXxeInjectionOptions, NoXpathInjectionOptions, NoLdapInjectionOptions, NoDirectiveInjectionOptions, NoFormatStringInjectionOptions, DetectNonLiteralFsFilenameOptions, NoZipSlipOptions, NoToctouVulnerabilityOptions, DetectNonLiteralRegexpOptions, NoRedosVulnerableRegexOptions, NoUnsafeRegexConstructionOptions, DetectObjectInjectionOptions, NoUnsafeDeserializationOptions, NoHardcodedCredentialsOptions, NoInsecureComparisonOptions, NoUnvalidatedUserInputOptions, NoUnescapedUrlParameterOptions, NoImproperSanitizationOptions, NoImproperTypeValidationOptions, NoMissingAuthenticationOptions, NoPrivilegeEscalationOptions, NoWeakPasswordRecoveryOptions, NoMissingCsrfProtectionOptions, NoMissingCorsCheckOptions, NoMissingSecurityHeadersOptions, NoInsecureRedirectsOptions, NoUnencryptedTransmissionOptions, NoClickjackingOptions, NoExposedSensitiveDataOptions, NoSensitiveDataExposureOptions, NoBufferOverreadOptions, NoUnlimitedResourceAllocationOptions, NoUncheckedLoopConditionOptions, NoElectronSecurityIssuesOptions, AllSecurityRulesOptions, } from './types/index';
+export type { AllSecurityRulesOptions, } from './types/index';

package/src/index.js CHANGED Viewed

@@ -1,34 +1,32 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.configs = exports.plugin = exports.rules = void 0;
 /**
  * eslint-plugin-secure-coding
  *
- * A comprehensive security-focused ESLint plugin with 48+ rules
- * for detecting and preventing security vulnerabilities in JavaScript/TypeScript code.
+ * A comprehensive security-focused ESLint plugin restricted to "pure coding security rules"
+ * (logic, AST patterns, and generic vulnerabilities independent of environment).
  *
- * Features:
- * - LLM-optimized error messages with CWE references
- * - OWASP Top 10 coverage
- * - Auto-fix capabilities where safe
- * - Structured context for AI assistants
+ * Rules focus on:
+ * - Language-level logic flaws
+ * - AST pattern risks
+ * - Generic injection patterns
+ * - Cryptographic logic (logic level)
  *
  * @see https://github.com/ofri-peretz/eslint#readme
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.configs = exports.plugin = exports.rules = void 0;
 // Security rules - Injection
-const detect_eval_with_expression_1 = require("./rules/detect-eval-with-expression");
-const detect_child_process_1 = require("./rules/detect-child-process");
-const no_unsafe_dynamic_require_1 = require("./rules/no-unsafe-dynamic-require");
 const no_graphql_injection_1 = require("./rules/no-graphql-injection");
 const no_xxe_injection_1 = require("./rules/no-xxe-injection");
 const no_xpath_injection_1 = require("./rules/no-xpath-injection");
 const no_ldap_injection_1 = require("./rules/no-ldap-injection");
 const no_directive_injection_1 = require("./rules/no-directive-injection");
 const no_format_string_injection_1 = require("./rules/no-format-string-injection");
-// Security rules - Path & File
-const detect_non_literal_fs_filename_1 = require("./rules/detect-non-literal-fs-filename");
-const no_zip_slip_1 = require("./rules/no-zip-slip");
-const no_toctou_vulnerability_1 = require("./rules/no-toctou-vulnerability");
 // Security rules - Regex
 const detect_non_literal_regexp_1 = require("./rules/detect-non-literal-regexp");
 const no_redos_vulnerable_regex_1 = require("./rules/no-redos-vulnerable-regex");
@@ -39,170 +37,53 @@ const no_unsafe_deserialization_1 = require("./rules/no-unsafe-deserialization")
 // Security rules - Credentials & Crypto
 const no_hardcoded_credentials_1 = require("./rules/no-hardcoded-credentials");
 const no_insecure_comparison_1 = require("./rules/no-insecure-comparison");
-// Security rules - Input Validation & XSS
-const no_unvalidated_user_input_1 = require("./rules/no-unvalidated-user-input");
-const no_unescaped_url_parameter_1 = require("./rules/no-unescaped-url-parameter");
+// Security rules - Input Validation
 const no_improper_sanitization_1 = require("./rules/no-improper-sanitization");
 const no_improper_type_validation_1 = require("./rules/no-improper-type-validation");
 // Security rules - Authentication & Authorization
 const no_missing_authentication_1 = require("./rules/no-missing-authentication");
 const no_privilege_escalation_1 = require("./rules/no-privilege-escalation");
 const no_weak_password_recovery_1 = require("./rules/no-weak-password-recovery");
-// Security rules - Session & Cookies
-const no_missing_csrf_protection_1 = require("./rules/no-missing-csrf-protection");
-// Security rules - Network & Headers
-const no_missing_cors_check_1 = require("./rules/no-missing-cors-check");
-const no_missing_security_headers_1 = require("./rules/no-missing-security-headers");
-const no_insecure_redirects_1 = require("./rules/no-insecure-redirects");
-const no_unencrypted_transmission_1 = require("./rules/no-unencrypted-transmission");
-const no_clickjacking_1 = require("./rules/no-clickjacking");
+const require_backend_authorization_1 = require("./rules/require-backend-authorization");
 // Security rules - Data Exposure
-const no_exposed_sensitive_data_1 = require("./rules/no-exposed-sensitive-data");
 const no_sensitive_data_exposure_1 = require("./rules/no-sensitive-data-exposure");
-// Security rules - Buffer & Memory
-const no_buffer_overread_1 = require("./rules/no-buffer-overread");
+const no_pii_in_logs_1 = require("./rules/no-pii-in-logs");
 // Security rules - Resource & DoS
 const no_unlimited_resource_allocation_1 = require("./rules/no-unlimited-resource-allocation");
 const no_unchecked_loop_condition_1 = require("./rules/no-unchecked-loop-condition");
-// Security rules - Platform Specific
-const no_electron_security_issues_1 = require("./rules/no-electron-security-issues");
-// OWASP Mobile Top 10 2023/2024 - Mobile Security Rules (40 rules)
-// M1: Improper Credential Usage (3 rules)
-const no_credentials_in_query_params_1 = require("./rules/no-credentials-in-query-params");
-const require_secure_credential_storage_1 = require("./rules/require-secure-credential-storage");
-// M2: Inadequate Supply Chain Security (4 rules)
-const require_dependency_integrity_1 = require("./rules/require-dependency-integrity");
-const detect_suspicious_dependencies_1 = require("./rules/detect-suspicious-dependencies");
-const no_dynamic_dependency_loading_1 = require("./rules/no-dynamic-dependency-loading");
-const require_package_lock_1 = require("./rules/require-package-lock");
-// M3: Insecure Authentication/Authorization (5 rules)
-const no_client_side_auth_logic_1 = require("./rules/no-client-side-auth-logic");
-const require_backend_authorization_1 = require("./rules/require-backend-authorization");
-const no_hardcoded_session_tokens_1 = require("./rules/no-hardcoded-session-tokens");
-const detect_weak_password_validation_1 = require("./rules/detect-weak-password-validation");
-const no_password_in_url_1 = require("./rules/no-password-in-url");
-// M4: Insufficient Input/Output Validation (6 rules)
-const no_unvalidated_deeplinks_1 = require("./rules/no-unvalidated-deeplinks");
-const require_url_validation_1 = require("./rules/require-url-validation");
-const no_arbitrary_file_access_1 = require("./rules/no-arbitrary-file-access");
-const require_mime_type_validation_1 = require("./rules/require-mime-type-validation");
-const require_csp_headers_1 = require("./rules/require-csp-headers");
-// M5: Insecure Communication (7 rules)
-const no_http_urls_1 = require("./rules/no-http-urls");
-const no_disabled_certificate_validation_1 = require("./rules/no-disabled-certificate-validation");
-const require_https_only_1 = require("./rules/require-https-only");
-const no_insecure_websocket_1 = require("./rules/no-insecure-websocket");
-const detect_mixed_content_1 = require("./rules/detect-mixed-content");
-const no_allow_arbitrary_loads_1 = require("./rules/no-allow-arbitrary-loads");
-const require_network_timeout_1 = require("./rules/require-network-timeout");
-// M6: Inadequate Privacy Controls (4 rules)
-const no_pii_in_logs_1 = require("./rules/no-pii-in-logs");
-const no_tracking_without_consent_1 = require("./rules/no-tracking-without-consent");
-const require_data_minimization_1 = require("./rules/require-data-minimization");
-const no_sensitive_data_in_analytics_1 = require("./rules/no-sensitive-data-in-analytics");
-// M7: Insufficient Binary Protections (2 rules)
-const no_debug_code_in_production_1 = require("./rules/no-debug-code-in-production");
-const require_code_minification_1 = require("./rules/require-code-minification");
-// M8: Security Misconfiguration (4 rules)
-const no_verbose_error_messages_1 = require("./rules/no-verbose-error-messages");
-const no_exposed_debug_endpoints_1 = require("./rules/no-exposed-debug-endpoints");
-const require_secure_defaults_1 = require("./rules/require-secure-defaults");
-const no_permissive_cors_1 = require("./rules/no-permissive-cors");
-// M9: Insecure Data Storage (5 rules)
-const no_sensitive_data_in_cache_1 = require("./rules/no-sensitive-data-in-cache");
-const require_storage_encryption_1 = require("./rules/require-storage-encryption");
-const no_data_in_temp_storage_1 = require("./rules/no-data-in-temp-storage");
-const require_secure_deletion_1 = require("./rules/require-secure-deletion");
 /**
- * Collection of all security ESLint rules
+ * Collection of all core security ESLint rules
  */
 exports.rules = {
-    // Flat rule names (recommended usage)
-    'detect-eval-with-expression': detect_eval_with_expression_1.detectEvalWithExpression,
-    'detect-child-process': detect_child_process_1.detectChildProcess,
-    'no-unsafe-dynamic-require': no_unsafe_dynamic_require_1.noUnsafeDynamicRequire,
+    // Fundamental Injection (6 rules)
     'no-graphql-injection': no_graphql_injection_1.noGraphqlInjection,
     'no-xxe-injection': no_xxe_injection_1.noXxeInjection,
     'no-xpath-injection': no_xpath_injection_1.noXpathInjection,
     'no-ldap-injection': no_ldap_injection_1.noLdapInjection,
     'no-directive-injection': no_directive_injection_1.noDirectiveInjection,
     'no-format-string-injection': no_format_string_injection_1.noFormatStringInjection,
-    'detect-non-literal-fs-filename': detect_non_literal_fs_filename_1.detectNonLiteralFsFilename,
-    'no-zip-slip': no_zip_slip_1.noZipSlip,
-    'no-toctou-vulnerability': no_toctou_vulnerability_1.noToctouVulnerability,
+    // Regex Safety & Stability (3 rules)
     'detect-non-literal-regexp': detect_non_literal_regexp_1.detectNonLiteralRegexp,
     'no-redos-vulnerable-regex': no_redos_vulnerable_regex_1.noRedosVulnerableRegex,
     'no-unsafe-regex-construction': no_unsafe_regex_construction_1.noUnsafeRegexConstruction,
+    // Data & Logic Integrity (5 rules)
     'detect-object-injection': detect_object_injection_1.detectObjectInjection,
     'no-unsafe-deserialization': no_unsafe_deserialization_1.noUnsafeDeserialization,
-    'no-hardcoded-credentials': no_hardcoded_credentials_1.noHardcodedCredentials,
     'no-insecure-comparison': no_insecure_comparison_1.noInsecureComparison,
-    'no-unvalidated-user-input': no_unvalidated_user_input_1.noUnvalidatedUserInput,
-    'no-unescaped-url-parameter': no_unescaped_url_parameter_1.noUnescapedUrlParameter,
     'no-improper-sanitization': no_improper_sanitization_1.noImproperSanitization,
     'no-improper-type-validation': no_improper_type_validation_1.noImproperTypeValidation,
+    // Auth/Access Logic (4 rules)
     'no-missing-authentication': no_missing_authentication_1.noMissingAuthentication,
     'no-privilege-escalation': no_privilege_escalation_1.noPrivilegeEscalation,
     'no-weak-password-recovery': no_weak_password_recovery_1.noWeakPasswordRecovery,
-    'no-missing-csrf-protection': no_missing_csrf_protection_1.noMissingCsrfProtection,
-    'no-missing-cors-check': no_missing_cors_check_1.noMissingCorsCheck,
-    'no-missing-security-headers': no_missing_security_headers_1.noMissingSecurityHeaders,
-    'no-insecure-redirects': no_insecure_redirects_1.noInsecureRedirects,
-    'no-unencrypted-transmission': no_unencrypted_transmission_1.noUnencryptedTransmission,
-    'no-clickjacking': no_clickjacking_1.noClickjacking,
-    'no-exposed-sensitive-data': no_exposed_sensitive_data_1.noExposedSensitiveData,
+    'require-backend-authorization': require_backend_authorization_1.requireBackendAuthorization,
+    // Secrets & Exposure (3 rules)
+    'no-hardcoded-credentials': no_hardcoded_credentials_1.noHardcodedCredentials,
     'no-sensitive-data-exposure': no_sensitive_data_exposure_1.noSensitiveDataExposure,
-    'no-buffer-overread': no_buffer_overread_1.noBufferOverread,
+    'no-pii-in-logs': no_pii_in_logs_1.noPiiInLogs,
+    // Resource Handling (2 rules)
     'no-unlimited-resource-allocation': no_unlimited_resource_allocation_1.noUnlimitedResourceAllocation,
     'no-unchecked-loop-condition': no_unchecked_loop_condition_1.noUncheckedLoopCondition,
-    'no-electron-security-issues': no_electron_security_issues_1.noElectronSecurityIssues,
-    // OWASP Mobile Top 10 2023/2024 rules (40 rules)
-    // M1: Improper Credential Usage (3 rules)
-    'no-credentials-in-query-params': no_credentials_in_query_params_1.noCredentialsInQueryParams,
-    'require-secure-credential-storage': require_secure_credential_storage_1.requireSecureCredentialStorage,
-    // M2: Inadequate Supply Chain Security (4 rules)
-    'require-dependency-integrity': require_dependency_integrity_1.requireDependencyIntegrity,
-    'detect-suspicious-dependencies': detect_suspicious_dependencies_1.detectSuspiciousDependencies,
-    'no-dynamic-dependency-loading': no_dynamic_dependency_loading_1.noDynamicDependencyLoading,
-    'require-package-lock': require_package_lock_1.requirePackageLock,
-    // M3: Insecure Authentication/Authorization (5 rules)
-    'no-client-side-auth-logic': no_client_side_auth_logic_1.noClientSideAuthLogic,
-    'require-backend-authorization': require_backend_authorization_1.requireBackendAuthorization,
-    'no-hardcoded-session-tokens': no_hardcoded_session_tokens_1.noHardcodedSessionTokens,
-    'detect-weak-password-validation': detect_weak_password_validation_1.detectWeakPasswordValidation,
-    'no-password-in-url': no_password_in_url_1.noPasswordInUrl,
-    // M4: Insufficient Input/Output Validation (6 rules)
-    'no-unvalidated-deeplinks': no_unvalidated_deeplinks_1.noUnvalidatedDeeplinks,
-    'require-url-validation': require_url_validation_1.requireUrlValidation,
-    'no-arbitrary-file-access': no_arbitrary_file_access_1.noArbitraryFileAccess,
-    'require-mime-type-validation': require_mime_type_validation_1.requireMimeTypeValidation,
-    'require-csp-headers': require_csp_headers_1.requireCspHeaders,
-    // M5: Insecure Communication (7 rules)
-    'no-http-urls': no_http_urls_1.noHttpUrls,
-    'no-disabled-certificate-validation': no_disabled_certificate_validation_1.noDisabledCertificateValidation,
-    'require-https-only': require_https_only_1.requireHttpsOnly,
-    'no-insecure-websocket': no_insecure_websocket_1.noInsecureWebsocket,
-    'detect-mixed-content': detect_mixed_content_1.detectMixedContent,
-    'no-allow-arbitrary-loads': no_allow_arbitrary_loads_1.noAllowArbitraryLoads,
-    'require-network-timeout': require_network_timeout_1.requireNetworkTimeout,
-    // M6: Inadequate Privacy Controls (4 rules)
-    'no-pii-in-logs': no_pii_in_logs_1.noPiiInLogs,
-    'no-tracking-without-consent': no_tracking_without_consent_1.noTrackingWithoutConsent,
-    'require-data-minimization': require_data_minimization_1.requireDataMinimization,
-    'no-sensitive-data-in-analytics': no_sensitive_data_in_analytics_1.noSensitiveDataInAnalytics,
-    // M7: Insufficient Binary Protections (2 rules)
-    'no-debug-code-in-production': no_debug_code_in_production_1.noDebugCodeInProduction,
-    'require-code-minification': require_code_minification_1.requireCodeMinification,
-    // M8: Security Misconfiguration (4 rules)
-    'no-verbose-error-messages': no_verbose_error_messages_1.noVerboseErrorMessages,
-    'no-exposed-debug-endpoints': no_exposed_debug_endpoints_1.noExposedDebugEndpoints,
-    'require-secure-defaults': require_secure_defaults_1.requireSecureDefaults,
-    'no-permissive-cors': no_permissive_cors_1.noPermissiveCors,
-    // M9: Insecure Data Storage (5 rules)
-    'no-sensitive-data-in-cache': no_sensitive_data_in_cache_1.noSensitiveDataInCache,
-    'require-storage-encryption': require_storage_encryption_1.requireStorageEncryption,
-    'no-data-in-temp-storage': no_data_in_temp_storage_1.noDataInTempStorage,
-    'require-secure-deletion': require_secure_deletion_1.requireSecureDeletion,
 };
 /**
  * ESLint Plugin object
@@ -210,7 +91,7 @@ exports.rules = {
 exports.plugin = {
     meta: {
         name: 'eslint-plugin-secure-coding',
-        version: '1.0.0',
+        version: '1.1.0',
     },
     rules: exports.rules,
 };
@@ -218,20 +99,11 @@ exports.plugin = {
  * Preset configurations for security rules
  */
 const recommendedRules = {
-    // Critical - Injection vulnerabilities (OWASP A03)
-    'secure-coding/detect-eval-with-expression': 'error',
-    'secure-coding/detect-child-process': 'error',
-    'secure-coding/no-unsafe-dynamic-require': 'error',
+    // Critical - Injection vulnerabilities
     'secure-coding/no-graphql-injection': 'error',
     'secure-coding/no-xxe-injection': 'error',
     'secure-coding/no-xpath-injection': 'error',
     'secure-coding/no-ldap-injection': 'error',
-    'secure-coding/no-directive-injection': 'error',
-    'secure-coding/no-format-string-injection': 'error',
-    // Critical - Path traversal & file operations
-    'secure-coding/detect-non-literal-fs-filename': 'error',
-    'secure-coding/no-zip-slip': 'error',
-    'secure-coding/no-toctou-vulnerability': 'error',
     // Critical - Deserialization
     'secure-coding/no-unsafe-deserialization': 'error',
     // High - Regex vulnerabilities
@@ -240,55 +112,26 @@ const recommendedRules = {
     'secure-coding/no-unsafe-regex-construction': 'warn',
     // High - Prototype pollution
     'secure-coding/detect-object-injection': 'warn',
-    // Critical - Cryptography (OWASP A02)
+    // Critical - Credentials
     'secure-coding/no-hardcoded-credentials': 'error',
     'secure-coding/no-insecure-comparison': 'warn',
-    // Critical - XSS vulnerabilities (OWASP A03)
-    'secure-coding/no-unvalidated-user-input': 'warn',
-    'secure-coding/no-unescaped-url-parameter': 'warn',
+    // Critical - Data integrity
     'secure-coding/no-improper-sanitization': 'error',
-    'secure-coding/no-improper-type-validation': 'warn',
-    // High - Authentication & Authorization (OWASP A01, A07)
+    // High - Logic
     'secure-coding/no-missing-authentication': 'warn',
     'secure-coding/no-privilege-escalation': 'warn',
     'secure-coding/no-weak-password-recovery': 'error',
-    // High - Session & Cookies
-    'secure-coding/no-missing-csrf-protection': 'warn',
-    // High - Network & Headers (OWASP A05)
-    'secure-coding/no-missing-cors-check': 'warn',
-    'secure-coding/no-missing-security-headers': 'warn',
-    'secure-coding/no-insecure-redirects': 'warn',
-    'secure-coding/no-unencrypted-transmission': 'warn',
-    'secure-coding/no-clickjacking': 'error',
-    // High - Data Exposure (OWASP A01)
-    'secure-coding/no-exposed-sensitive-data': 'error',
+    // High - Exposure
     'secure-coding/no-sensitive-data-exposure': 'warn',
-    // Medium - Buffer & Memory
-    'secure-coding/no-buffer-overread': 'error',
     // Medium - Resource & DoS
     'secure-coding/no-unlimited-resource-allocation': 'error',
     'secure-coding/no-unchecked-loop-condition': 'error',
-    // Medium - Platform specific
-    'secure-coding/no-electron-security-issues': 'error',
-    // Mobile & General Security (OWASP Mobile)
-    'secure-coding/no-credentials-in-query-params': 'error',
-    'secure-coding/no-http-urls': 'error',
-    'secure-coding/require-https-only': 'error',
-    'secure-coding/no-pii-in-logs': 'warn',
-    'secure-coding/no-verbose-error-messages': 'warn',
-    'secure-coding/no-hardcoded-session-tokens': 'error',
-    'secure-coding/detect-mixed-content': 'error',
-    'secure-coding/no-unvalidated-deeplinks': 'error',
-    'secure-coding/no-insecure-websocket': 'error',
-    'secure-coding/detect-suspicious-dependencies': 'warn',
 };
 exports.configs = {
     /**
      * Recommended security configuration
      *
-     * Enables all security rules with sensible severity levels:
-     * - Critical injection vulnerabilities as errors
-     * - Important security issues as warnings
+     * Enables all core security rules with sensible severity levels.
      */
     recommended: {
         plugins: {
@@ -299,7 +142,7 @@ exports.configs = {
     /**
      * Strict security configuration
      *
-     * All security rules set to 'error' for maximum protection
+     * All security rules set to 'error' for maximum protection.
      */
     strict: {
         plugins: {
@@ -310,7 +153,7 @@ exports.configs = {
     /**
      * OWASP Top 10 focused configuration
      *
-     * Rules mapped to OWASP Top 10 2021 categories
+     * Rules mapped to OWASP Top 10 2021 categories.
      */
     'owasp-top-10': {
         plugins: {
@@ -320,93 +163,21 @@ exports.configs = {
             // A01:2021 – Broken Access Control
             'secure-coding/no-missing-authentication': 'error',
             'secure-coding/no-privilege-escalation': 'error',
-            'secure-coding/no-exposed-sensitive-data': 'error',
-            'secure-coding/no-insecure-redirects': 'error',
             // A02:2021 – Cryptographic Failures
             'secure-coding/no-hardcoded-credentials': 'error',
-            'secure-coding/no-unencrypted-transmission': 'error',
             'secure-coding/no-sensitive-data-exposure': 'error',
             // A03:2021 – Injection
-            'secure-coding/detect-eval-with-expression': 'error',
-            'secure-coding/detect-child-process': 'error',
             'secure-coding/no-graphql-injection': 'error',
             'secure-coding/no-xxe-injection': 'error',
             'secure-coding/no-xpath-injection': 'error',
             'secure-coding/no-ldap-injection': 'error',
-            'secure-coding/no-unescaped-url-parameter': 'error',
             // A04:2021 – Insecure Design
             'secure-coding/no-weak-password-recovery': 'error',
             'secure-coding/no-improper-type-validation': 'error',
-            // A05:2021 – Security Misconfiguration
-            'secure-coding/no-missing-security-headers': 'error',
-            'secure-coding/no-missing-cors-check': 'error',
-            'secure-coding/no-clickjacking': 'error',
-            'secure-coding/no-electron-security-issues': 'error',
             // A07:2021 – Identification and Authentication Failures
             'secure-coding/no-insecure-comparison': 'error',
-            'secure-coding/no-missing-csrf-protection': 'error',
             // A08:2021 – Software and Data Integrity Failures
             'secure-coding/no-unsafe-deserialization': 'error',
-            'secure-coding/no-unsafe-dynamic-require': 'error',
-        },
-    },
-    /**
-     * OWASP Mobile Top 10 focused configuration
-     *
-     * Rules mapped to OWASP Mobile Top 10 2024 categories
-     */
-    'owasp-mobile-top-10': {
-        plugins: {
-            'secure-coding': exports.plugin,
-        },
-        rules: {
-            // M1: Improper Credential Usage
-            'secure-coding/no-credentials-in-query-params': 'error',
-            'secure-coding/require-secure-credential-storage': 'error',
-            'secure-coding/no-hardcoded-credentials': 'error',
-            // M2: Inadequate Supply Chain Security
-            'secure-coding/require-dependency-integrity': 'error',
-            'secure-coding/detect-suspicious-dependencies': 'error',
-            'secure-coding/no-dynamic-dependency-loading': 'error',
-            'secure-coding/require-package-lock': 'error',
-            // M3: Insecure Authentication/Authorization
-            'secure-coding/no-client-side-auth-logic': 'error',
-            'secure-coding/require-backend-authorization': 'error',
-            'secure-coding/no-hardcoded-session-tokens': 'error',
-            'secure-coding/detect-weak-password-validation': 'error',
-            'secure-coding/no-password-in-url': 'error',
-            // M4: Insufficient Input/Output Validation
-            'secure-coding/no-unvalidated-deeplinks': 'error',
-            'secure-coding/require-url-validation': 'error',
-            'secure-coding/no-arbitrary-file-access': 'error',
-            'secure-coding/require-mime-type-validation': 'error',
-            'secure-coding/require-csp-headers': 'error',
-            // M5: Insecure Communication
-            'secure-coding/no-http-urls': 'error',
-            'secure-coding/no-disabled-certificate-validation': 'error',
-            'secure-coding/require-https-only': 'error',
-            'secure-coding/no-insecure-websocket': 'error',
-            'secure-coding/detect-mixed-content': 'error',
-            'secure-coding/no-allow-arbitrary-loads': 'error',
-            'secure-coding/require-network-timeout': 'error',
-            // M6: Inadequate Privacy Controls
-            'secure-coding/no-pii-in-logs': 'error',
-            'secure-coding/no-tracking-without-consent': 'error',
-            'secure-coding/require-data-minimization': 'error',
-            'secure-coding/no-sensitive-data-in-analytics': 'error',
-            // M7: Insufficient Binary Protections
-            'secure-coding/no-debug-code-in-production': 'error',
-            'secure-coding/require-code-minification': 'error',
-            // M8: Security Misconfiguration
-            'secure-coding/no-verbose-error-messages': 'error',
-            'secure-coding/no-exposed-debug-endpoints': 'error',
-            'secure-coding/require-secure-defaults': 'error',
-            'secure-coding/no-permissive-cors': 'error',
-            // M9: Insecure Data Storage
-            'secure-coding/no-sensitive-data-in-cache': 'error',
-            'secure-coding/require-storage-encryption': 'error',
-            'secure-coding/no-data-in-temp-storage': 'error',
-            'secure-coding/require-secure-deletion': 'error',
         },
     },
 };

package/src/rules/detect-non-literal-regexp/index.d.ts CHANGED Viewed

@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: detect-non-literal-regexp
+ * Detects RegExp(variable), which might allow an attacker to DOS your server with a long-running regular expression
+ * LLM-optimized with comprehensive ReDoS prevention guidance
+ *
+ * @see https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
+ * @see https://cwe.mitre.org/data/definitions/400.html
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'regexpReDoS' | 'useStaticRegex' | 'validateInput' | 'useRegexLibrary' | 'addTimeout' | 'escapeUserInput';
 export interface Options {
     /** Allow literal string regex patterns. Default: false (stricter) */
     allowLiterals?: boolean;
@@ -6,4 +21,8 @@ export interface Options {
     /** Maximum allowed pattern length for dynamic regex */
     maxPatternLength?: number;
 }
-export declare const detectNonLiteralRegexp: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const detectNonLiteralRegexp: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/detect-non-literal-regexp/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.detectNonLiteralRegexp = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/detect-object-injection/index.d.ts CHANGED Viewed

@@ -1,3 +1,23 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: detect-object-injection
+ * Detects variable[key] as a left- or right-hand assignment operand (prototype pollution)
+ * LLM-optimized with comprehensive object injection prevention guidance
+ *
+ * Type-Aware Enhancement:
+ * This rule uses TypeScript type information when available to reduce false positives.
+ * If a property key is constrained to a union of string literals (e.g., 'name' | 'email'),
+ * the access is considered safe because the values are statically known at compile time.
+ *
+ * @see https://portswigger.net/web-security/prototype-pollution
+ * @see https://cwe.mitre.org/data/definitions/915.html
+ */
+import { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'objectInjection' | 'useMapInstead' | 'useHasOwnProperty' | 'whitelistKeys' | 'useObjectCreate' | 'freezePrototypes' | 'strategyValidate' | 'strategyWhitelist' | 'strategyFreeze';
 export interface Options {
     /** Allow bracket notation with literal strings. Default: false (stricter) */
     allowLiterals?: boolean;
@@ -8,4 +28,8 @@ export interface Options {
     /** Strategy for fixing object injection: 'validate', 'whitelist', 'freeze', or 'auto' */
     strategy?: 'validate' | 'whitelist' | 'freeze' | 'auto';
 }
-export declare const detectObjectInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const detectObjectInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/detect-object-injection/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.detectObjectInjection = void 0;
 /**

package/src/rules/detect-weak-password-validation/index.d.ts CHANGED Viewed

@@ -1,6 +1,12 @@
 /**
- * @fileoverview Identify weak password requirements
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const detectWeakPasswordValidation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const detectWeakPasswordValidation: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/detect-weak-password-validation/index.js CHANGED Viewed

@@ -1,9 +1,14 @@
 "use strict";
 /**
- * @fileoverview Identify weak password requirements
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.detectWeakPasswordValidation = void 0;
+/**
+ * @fileoverview Identify weak password requirements
+ */
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.detectWeakPasswordValidation = (0, eslint_devkit_1.createRule)({
     name: 'detect-weak-password-validation',