eslint-plugin-secure-coding 3.0.1 → 3.0.3

package/src/index.js

@@ -9,31 +9,24 @@ exports.configs = exports.plugin = exports.rules = void 0;
 /**
  * eslint-plugin-secure-coding
  *
- * A comprehensive security-focused ESLint plugin with 48+ rules
- * for detecting and preventing security vulnerabilities in JavaScript/TypeScript code.
+ * A comprehensive security-focused ESLint plugin restricted to "pure coding security rules"
+ * (logic, AST patterns, and generic vulnerabilities independent of environment).
  *
- * Features:
- * - LLM-optimized error messages with CWE references
- * - OWASP Top 10 coverage
- * - Auto-fix capabilities where safe
- * - Structured context for AI assistants
+ * Rules focus on:
+ * - Language-level logic flaws
+ * - AST pattern risks
+ * - Generic injection patterns
+ * - Cryptographic logic (logic level)
  *
  * @see https://github.com/ofri-peretz/eslint#readme
  */
 // Security rules - Injection
-const detect_eval_with_expression_1 = require("./rules/detect-eval-with-expression");
-const detect_child_process_1 = require("./rules/detect-child-process");
-const no_unsafe_dynamic_require_1 = require("./rules/no-unsafe-dynamic-require");
 const no_graphql_injection_1 = require("./rules/no-graphql-injection");
 const no_xxe_injection_1 = require("./rules/no-xxe-injection");
 const no_xpath_injection_1 = require("./rules/no-xpath-injection");
 const no_ldap_injection_1 = require("./rules/no-ldap-injection");
 const no_directive_injection_1 = require("./rules/no-directive-injection");
 const no_format_string_injection_1 = require("./rules/no-format-string-injection");
-// Security rules - Path & File
-const detect_non_literal_fs_filename_1 = require("./rules/detect-non-literal-fs-filename");
-const no_zip_slip_1 = require("./rules/no-zip-slip");
-const no_toctou_vulnerability_1 = require("./rules/no-toctou-vulnerability");
 // Security rules - Regex
 const detect_non_literal_regexp_1 = require("./rules/detect-non-literal-regexp");
 const no_redos_vulnerable_regex_1 = require("./rules/no-redos-vulnerable-regex");
@@ -44,170 +37,53 @@ const no_unsafe_deserialization_1 = require("./rules/no-unsafe-deserialization")
 // Security rules - Credentials & Crypto
 const no_hardcoded_credentials_1 = require("./rules/no-hardcoded-credentials");
 const no_insecure_comparison_1 = require("./rules/no-insecure-comparison");
-// Security rules - Input Validation & XSS
-const no_unvalidated_user_input_1 = require("./rules/no-unvalidated-user-input");
-const no_unescaped_url_parameter_1 = require("./rules/no-unescaped-url-parameter");
+// Security rules - Input Validation
 const no_improper_sanitization_1 = require("./rules/no-improper-sanitization");
 const no_improper_type_validation_1 = require("./rules/no-improper-type-validation");
 // Security rules - Authentication & Authorization
 const no_missing_authentication_1 = require("./rules/no-missing-authentication");
 const no_privilege_escalation_1 = require("./rules/no-privilege-escalation");
 const no_weak_password_recovery_1 = require("./rules/no-weak-password-recovery");
-// Security rules - Session & Cookies
-const no_missing_csrf_protection_1 = require("./rules/no-missing-csrf-protection");
-// Security rules - Network & Headers
-const no_missing_cors_check_1 = require("./rules/no-missing-cors-check");
-const no_missing_security_headers_1 = require("./rules/no-missing-security-headers");
-const no_insecure_redirects_1 = require("./rules/no-insecure-redirects");
-const no_unencrypted_transmission_1 = require("./rules/no-unencrypted-transmission");
-const no_clickjacking_1 = require("./rules/no-clickjacking");
+const require_backend_authorization_1 = require("./rules/require-backend-authorization");
 // Security rules - Data Exposure
-const no_exposed_sensitive_data_1 = require("./rules/no-exposed-sensitive-data");
 const no_sensitive_data_exposure_1 = require("./rules/no-sensitive-data-exposure");
-// Security rules - Buffer & Memory
-const no_buffer_overread_1 = require("./rules/no-buffer-overread");
+const no_pii_in_logs_1 = require("./rules/no-pii-in-logs");
 // Security rules - Resource & DoS
 const no_unlimited_resource_allocation_1 = require("./rules/no-unlimited-resource-allocation");
 const no_unchecked_loop_condition_1 = require("./rules/no-unchecked-loop-condition");
-// Security rules - Platform Specific
-const no_electron_security_issues_1 = require("./rules/no-electron-security-issues");
-// OWASP Mobile Top 10 2023/2024 - Mobile Security Rules (40 rules)
-// M1: Improper Credential Usage (3 rules)
-const no_credentials_in_query_params_1 = require("./rules/no-credentials-in-query-params");
-const require_secure_credential_storage_1 = require("./rules/require-secure-credential-storage");
-// M2: Inadequate Supply Chain Security (4 rules)
-const require_dependency_integrity_1 = require("./rules/require-dependency-integrity");
-const detect_suspicious_dependencies_1 = require("./rules/detect-suspicious-dependencies");
-const no_dynamic_dependency_loading_1 = require("./rules/no-dynamic-dependency-loading");
-const require_package_lock_1 = require("./rules/require-package-lock");
-// M3: Insecure Authentication/Authorization (5 rules)
-const no_client_side_auth_logic_1 = require("./rules/no-client-side-auth-logic");
-const require_backend_authorization_1 = require("./rules/require-backend-authorization");
-const no_hardcoded_session_tokens_1 = require("./rules/no-hardcoded-session-tokens");
-const detect_weak_password_validation_1 = require("./rules/detect-weak-password-validation");
-const no_password_in_url_1 = require("./rules/no-password-in-url");
-// M4: Insufficient Input/Output Validation (6 rules)
-const no_unvalidated_deeplinks_1 = require("./rules/no-unvalidated-deeplinks");
-const require_url_validation_1 = require("./rules/require-url-validation");
-const no_arbitrary_file_access_1 = require("./rules/no-arbitrary-file-access");
-const require_mime_type_validation_1 = require("./rules/require-mime-type-validation");
-const require_csp_headers_1 = require("./rules/require-csp-headers");
-// M5: Insecure Communication (7 rules)
-const no_http_urls_1 = require("./rules/no-http-urls");
-const no_disabled_certificate_validation_1 = require("./rules/no-disabled-certificate-validation");
-const require_https_only_1 = require("./rules/require-https-only");
-const no_insecure_websocket_1 = require("./rules/no-insecure-websocket");
-const detect_mixed_content_1 = require("./rules/detect-mixed-content");
-const no_allow_arbitrary_loads_1 = require("./rules/no-allow-arbitrary-loads");
-const require_network_timeout_1 = require("./rules/require-network-timeout");
-// M6: Inadequate Privacy Controls (4 rules)
-const no_pii_in_logs_1 = require("./rules/no-pii-in-logs");
-const no_tracking_without_consent_1 = require("./rules/no-tracking-without-consent");
-const require_data_minimization_1 = require("./rules/require-data-minimization");
-const no_sensitive_data_in_analytics_1 = require("./rules/no-sensitive-data-in-analytics");
-// M7: Insufficient Binary Protections (2 rules)
-const no_debug_code_in_production_1 = require("./rules/no-debug-code-in-production");
-const require_code_minification_1 = require("./rules/require-code-minification");
-// M8: Security Misconfiguration (4 rules)
-const no_verbose_error_messages_1 = require("./rules/no-verbose-error-messages");
-const no_exposed_debug_endpoints_1 = require("./rules/no-exposed-debug-endpoints");
-const require_secure_defaults_1 = require("./rules/require-secure-defaults");
-const no_permissive_cors_1 = require("./rules/no-permissive-cors");
-// M9: Insecure Data Storage (5 rules)
-const no_sensitive_data_in_cache_1 = require("./rules/no-sensitive-data-in-cache");
-const require_storage_encryption_1 = require("./rules/require-storage-encryption");
-const no_data_in_temp_storage_1 = require("./rules/no-data-in-temp-storage");
-const require_secure_deletion_1 = require("./rules/require-secure-deletion");
 /**
- * Collection of all security ESLint rules
+ * Collection of all core security ESLint rules
  */
 exports.rules = {
-    // Flat rule names (recommended usage)
-    'detect-eval-with-expression': detect_eval_with_expression_1.detectEvalWithExpression,
-    'detect-child-process': detect_child_process_1.detectChildProcess,
-    'no-unsafe-dynamic-require': no_unsafe_dynamic_require_1.noUnsafeDynamicRequire,
+    // Fundamental Injection (6 rules)
     'no-graphql-injection': no_graphql_injection_1.noGraphqlInjection,
     'no-xxe-injection': no_xxe_injection_1.noXxeInjection,
     'no-xpath-injection': no_xpath_injection_1.noXpathInjection,
     'no-ldap-injection': no_ldap_injection_1.noLdapInjection,
     'no-directive-injection': no_directive_injection_1.noDirectiveInjection,
     'no-format-string-injection': no_format_string_injection_1.noFormatStringInjection,
-    'detect-non-literal-fs-filename': detect_non_literal_fs_filename_1.detectNonLiteralFsFilename,
-    'no-zip-slip': no_zip_slip_1.noZipSlip,
-    'no-toctou-vulnerability': no_toctou_vulnerability_1.noToctouVulnerability,
+    // Regex Safety & Stability (3 rules)
     'detect-non-literal-regexp': detect_non_literal_regexp_1.detectNonLiteralRegexp,
     'no-redos-vulnerable-regex': no_redos_vulnerable_regex_1.noRedosVulnerableRegex,
     'no-unsafe-regex-construction': no_unsafe_regex_construction_1.noUnsafeRegexConstruction,
+    // Data & Logic Integrity (5 rules)
     'detect-object-injection': detect_object_injection_1.detectObjectInjection,
     'no-unsafe-deserialization': no_unsafe_deserialization_1.noUnsafeDeserialization,
-    'no-hardcoded-credentials': no_hardcoded_credentials_1.noHardcodedCredentials,
     'no-insecure-comparison': no_insecure_comparison_1.noInsecureComparison,
-    'no-unvalidated-user-input': no_unvalidated_user_input_1.noUnvalidatedUserInput,
-    'no-unescaped-url-parameter': no_unescaped_url_parameter_1.noUnescapedUrlParameter,
     'no-improper-sanitization': no_improper_sanitization_1.noImproperSanitization,
     'no-improper-type-validation': no_improper_type_validation_1.noImproperTypeValidation,
+    // Auth/Access Logic (4 rules)
     'no-missing-authentication': no_missing_authentication_1.noMissingAuthentication,
     'no-privilege-escalation': no_privilege_escalation_1.noPrivilegeEscalation,
     'no-weak-password-recovery': no_weak_password_recovery_1.noWeakPasswordRecovery,
-    'no-missing-csrf-protection': no_missing_csrf_protection_1.noMissingCsrfProtection,
-    'no-missing-cors-check': no_missing_cors_check_1.noMissingCorsCheck,
-    'no-missing-security-headers': no_missing_security_headers_1.noMissingSecurityHeaders,
-    'no-insecure-redirects': no_insecure_redirects_1.noInsecureRedirects,
-    'no-unencrypted-transmission': no_unencrypted_transmission_1.noUnencryptedTransmission,
-    'no-clickjacking': no_clickjacking_1.noClickjacking,
-    'no-exposed-sensitive-data': no_exposed_sensitive_data_1.noExposedSensitiveData,
+    'require-backend-authorization': require_backend_authorization_1.requireBackendAuthorization,
+    // Secrets & Exposure (3 rules)
+    'no-hardcoded-credentials': no_hardcoded_credentials_1.noHardcodedCredentials,
     'no-sensitive-data-exposure': no_sensitive_data_exposure_1.noSensitiveDataExposure,
-    'no-buffer-overread': no_buffer_overread_1.noBufferOverread,
+    'no-pii-in-logs': no_pii_in_logs_1.noPiiInLogs,
+    // Resource Handling (2 rules)
     'no-unlimited-resource-allocation': no_unlimited_resource_allocation_1.noUnlimitedResourceAllocation,
     'no-unchecked-loop-condition': no_unchecked_loop_condition_1.noUncheckedLoopCondition,
-    'no-electron-security-issues': no_electron_security_issues_1.noElectronSecurityIssues,
-    // OWASP Mobile Top 10 2023/2024 rules (40 rules)
-    // M1: Improper Credential Usage (3 rules)
-    'no-credentials-in-query-params': no_credentials_in_query_params_1.noCredentialsInQueryParams,
-    'require-secure-credential-storage': require_secure_credential_storage_1.requireSecureCredentialStorage,
-    // M2: Inadequate Supply Chain Security (4 rules)
-    'require-dependency-integrity': require_dependency_integrity_1.requireDependencyIntegrity,
-    'detect-suspicious-dependencies': detect_suspicious_dependencies_1.detectSuspiciousDependencies,
-    'no-dynamic-dependency-loading': no_dynamic_dependency_loading_1.noDynamicDependencyLoading,
-    'require-package-lock': require_package_lock_1.requirePackageLock,
-    // M3: Insecure Authentication/Authorization (5 rules)
-    'no-client-side-auth-logic': no_client_side_auth_logic_1.noClientSideAuthLogic,
-    'require-backend-authorization': require_backend_authorization_1.requireBackendAuthorization,
-    'no-hardcoded-session-tokens': no_hardcoded_session_tokens_1.noHardcodedSessionTokens,
-    'detect-weak-password-validation': detect_weak_password_validation_1.detectWeakPasswordValidation,
-    'no-password-in-url': no_password_in_url_1.noPasswordInUrl,
-    // M4: Insufficient Input/Output Validation (6 rules)
-    'no-unvalidated-deeplinks': no_unvalidated_deeplinks_1.noUnvalidatedDeeplinks,
-    'require-url-validation': require_url_validation_1.requireUrlValidation,
-    'no-arbitrary-file-access': no_arbitrary_file_access_1.noArbitraryFileAccess,
-    'require-mime-type-validation': require_mime_type_validation_1.requireMimeTypeValidation,
-    'require-csp-headers': require_csp_headers_1.requireCspHeaders,
-    // M5: Insecure Communication (7 rules)
-    'no-http-urls': no_http_urls_1.noHttpUrls,
-    'no-disabled-certificate-validation': no_disabled_certificate_validation_1.noDisabledCertificateValidation,
-    'require-https-only': require_https_only_1.requireHttpsOnly,
-    'no-insecure-websocket': no_insecure_websocket_1.noInsecureWebsocket,
-    'detect-mixed-content': detect_mixed_content_1.detectMixedContent,
-    'no-allow-arbitrary-loads': no_allow_arbitrary_loads_1.noAllowArbitraryLoads,
-    'require-network-timeout': require_network_timeout_1.requireNetworkTimeout,
-    // M6: Inadequate Privacy Controls (4 rules)
-    'no-pii-in-logs': no_pii_in_logs_1.noPiiInLogs,
-    'no-tracking-without-consent': no_tracking_without_consent_1.noTrackingWithoutConsent,
-    'require-data-minimization': require_data_minimization_1.requireDataMinimization,
-    'no-sensitive-data-in-analytics': no_sensitive_data_in_analytics_1.noSensitiveDataInAnalytics,
-    // M7: Insufficient Binary Protections (2 rules)
-    'no-debug-code-in-production': no_debug_code_in_production_1.noDebugCodeInProduction,
-    'require-code-minification': require_code_minification_1.requireCodeMinification,
-    // M8: Security Misconfiguration (4 rules)
-    'no-verbose-error-messages': no_verbose_error_messages_1.noVerboseErrorMessages,
-    'no-exposed-debug-endpoints': no_exposed_debug_endpoints_1.noExposedDebugEndpoints,
-    'require-secure-defaults': require_secure_defaults_1.requireSecureDefaults,
-    'no-permissive-cors': no_permissive_cors_1.noPermissiveCors,
-    // M9: Insecure Data Storage (5 rules)
-    'no-sensitive-data-in-cache': no_sensitive_data_in_cache_1.noSensitiveDataInCache,
-    'require-storage-encryption': require_storage_encryption_1.requireStorageEncryption,
-    'no-data-in-temp-storage': no_data_in_temp_storage_1.noDataInTempStorage,
-    'require-secure-deletion': require_secure_deletion_1.requireSecureDeletion,
 };
 /**
  * ESLint Plugin object
@@ -215,7 +91,7 @@ exports.rules = {
 exports.plugin = {
     meta: {
         name: 'eslint-plugin-secure-coding',
-        version: '1.0.0',
+        version: '1.1.0',
     },
     rules: exports.rules,
 };
@@ -223,20 +99,11 @@ exports.plugin = {
  * Preset configurations for security rules
  */
 const recommendedRules = {
-    // Critical - Injection vulnerabilities (OWASP A03)
-    'secure-coding/detect-eval-with-expression': 'error',
-    'secure-coding/detect-child-process': 'error',
-    'secure-coding/no-unsafe-dynamic-require': 'error',
+    // Critical - Injection vulnerabilities
     'secure-coding/no-graphql-injection': 'error',
     'secure-coding/no-xxe-injection': 'error',
     'secure-coding/no-xpath-injection': 'error',
     'secure-coding/no-ldap-injection': 'error',
-    'secure-coding/no-directive-injection': 'error',
-    'secure-coding/no-format-string-injection': 'error',
-    // Critical - Path traversal & file operations
-    'secure-coding/detect-non-literal-fs-filename': 'error',
-    'secure-coding/no-zip-slip': 'error',
-    'secure-coding/no-toctou-vulnerability': 'error',
     // Critical - Deserialization
     'secure-coding/no-unsafe-deserialization': 'error',
     // High - Regex vulnerabilities
@@ -245,55 +112,26 @@ const recommendedRules = {
     'secure-coding/no-unsafe-regex-construction': 'warn',
     // High - Prototype pollution
     'secure-coding/detect-object-injection': 'warn',
-    // Critical - Cryptography (OWASP A02)
+    // Critical - Credentials
     'secure-coding/no-hardcoded-credentials': 'error',
     'secure-coding/no-insecure-comparison': 'warn',
-    // Critical - XSS vulnerabilities (OWASP A03)
-    'secure-coding/no-unvalidated-user-input': 'warn',
-    'secure-coding/no-unescaped-url-parameter': 'warn',
+    // Critical - Data integrity
     'secure-coding/no-improper-sanitization': 'error',
-    'secure-coding/no-improper-type-validation': 'warn',
-    // High - Authentication & Authorization (OWASP A01, A07)
+    // High - Logic
     'secure-coding/no-missing-authentication': 'warn',
     'secure-coding/no-privilege-escalation': 'warn',
     'secure-coding/no-weak-password-recovery': 'error',
-    // High - Session & Cookies
-    'secure-coding/no-missing-csrf-protection': 'warn',
-    // High - Network & Headers (OWASP A05)
-    'secure-coding/no-missing-cors-check': 'warn',
-    'secure-coding/no-missing-security-headers': 'warn',
-    'secure-coding/no-insecure-redirects': 'warn',
-    'secure-coding/no-unencrypted-transmission': 'warn',
-    'secure-coding/no-clickjacking': 'error',
-    // High - Data Exposure (OWASP A01)
-    'secure-coding/no-exposed-sensitive-data': 'error',
+    // High - Exposure
     'secure-coding/no-sensitive-data-exposure': 'warn',
-    // Medium - Buffer & Memory
-    'secure-coding/no-buffer-overread': 'error',
     // Medium - Resource & DoS
     'secure-coding/no-unlimited-resource-allocation': 'error',
     'secure-coding/no-unchecked-loop-condition': 'error',
-    // Medium - Platform specific
-    'secure-coding/no-electron-security-issues': 'error',
-    // Mobile & General Security (OWASP Mobile)
-    'secure-coding/no-credentials-in-query-params': 'error',
-    'secure-coding/no-http-urls': 'error',
-    'secure-coding/require-https-only': 'error',
-    'secure-coding/no-pii-in-logs': 'warn',
-    'secure-coding/no-verbose-error-messages': 'warn',
-    'secure-coding/no-hardcoded-session-tokens': 'error',
-    'secure-coding/detect-mixed-content': 'error',
-    'secure-coding/no-unvalidated-deeplinks': 'error',
-    'secure-coding/no-insecure-websocket': 'error',
-    'secure-coding/detect-suspicious-dependencies': 'warn',
 };
 exports.configs = {
     /**
      * Recommended security configuration
      *
-     * Enables all security rules with sensible severity levels:
-     * - Critical injection vulnerabilities as errors
-     * - Important security issues as warnings
+     * Enables all core security rules with sensible severity levels.
      */
     recommended: {
         plugins: {
@@ -304,7 +142,7 @@ exports.configs = {
     /**
      * Strict security configuration
      *
-     * All security rules set to 'error' for maximum protection
+     * All security rules set to 'error' for maximum protection.
      */
     strict: {
         plugins: {
@@ -315,7 +153,7 @@ exports.configs = {
     /**
      * OWASP Top 10 focused configuration
      *
-     * Rules mapped to OWASP Top 10 2021 categories
+     * Rules mapped to OWASP Top 10 2021 categories.
      */
     'owasp-top-10': {
         plugins: {
@@ -325,93 +163,21 @@ exports.configs = {
             // A01:2021 – Broken Access Control
             'secure-coding/no-missing-authentication': 'error',
             'secure-coding/no-privilege-escalation': 'error',
-            'secure-coding/no-exposed-sensitive-data': 'error',
-            'secure-coding/no-insecure-redirects': 'error',
             // A02:2021 – Cryptographic Failures
             'secure-coding/no-hardcoded-credentials': 'error',
-            'secure-coding/no-unencrypted-transmission': 'error',
             'secure-coding/no-sensitive-data-exposure': 'error',
             // A03:2021 – Injection
-            'secure-coding/detect-eval-with-expression': 'error',
-            'secure-coding/detect-child-process': 'error',
             'secure-coding/no-graphql-injection': 'error',
             'secure-coding/no-xxe-injection': 'error',
             'secure-coding/no-xpath-injection': 'error',
             'secure-coding/no-ldap-injection': 'error',
-            'secure-coding/no-unescaped-url-parameter': 'error',
             // A04:2021 – Insecure Design
             'secure-coding/no-weak-password-recovery': 'error',
             'secure-coding/no-improper-type-validation': 'error',
-            // A05:2021 – Security Misconfiguration
-            'secure-coding/no-missing-security-headers': 'error',
-            'secure-coding/no-missing-cors-check': 'error',
-            'secure-coding/no-clickjacking': 'error',
-            'secure-coding/no-electron-security-issues': 'error',
             // A07:2021 – Identification and Authentication Failures
             'secure-coding/no-insecure-comparison': 'error',
-            'secure-coding/no-missing-csrf-protection': 'error',
             // A08:2021 – Software and Data Integrity Failures
             'secure-coding/no-unsafe-deserialization': 'error',
-            'secure-coding/no-unsafe-dynamic-require': 'error',
-        },
-    },
-    /**
-     * OWASP Mobile Top 10 focused configuration
-     *
-     * Rules mapped to OWASP Mobile Top 10 2024 categories
-     */
-    'owasp-mobile-top-10': {
-        plugins: {
-            'secure-coding': exports.plugin,
-        },
-        rules: {
-            // M1: Improper Credential Usage
-            'secure-coding/no-credentials-in-query-params': 'error',
-            'secure-coding/require-secure-credential-storage': 'error',
-            'secure-coding/no-hardcoded-credentials': 'error',
-            // M2: Inadequate Supply Chain Security
-            'secure-coding/require-dependency-integrity': 'error',
-            'secure-coding/detect-suspicious-dependencies': 'error',
-            'secure-coding/no-dynamic-dependency-loading': 'error',
-            'secure-coding/require-package-lock': 'error',
-            // M3: Insecure Authentication/Authorization
-            'secure-coding/no-client-side-auth-logic': 'error',
-            'secure-coding/require-backend-authorization': 'error',
-            'secure-coding/no-hardcoded-session-tokens': 'error',
-            'secure-coding/detect-weak-password-validation': 'error',
-            'secure-coding/no-password-in-url': 'error',
-            // M4: Insufficient Input/Output Validation
-            'secure-coding/no-unvalidated-deeplinks': 'error',
-            'secure-coding/require-url-validation': 'error',
-            'secure-coding/no-arbitrary-file-access': 'error',
-            'secure-coding/require-mime-type-validation': 'error',
-            'secure-coding/require-csp-headers': 'error',
-            // M5: Insecure Communication
-            'secure-coding/no-http-urls': 'error',
-            'secure-coding/no-disabled-certificate-validation': 'error',
-            'secure-coding/require-https-only': 'error',
-            'secure-coding/no-insecure-websocket': 'error',
-            'secure-coding/detect-mixed-content': 'error',
-            'secure-coding/no-allow-arbitrary-loads': 'error',
-            'secure-coding/require-network-timeout': 'error',
-            // M6: Inadequate Privacy Controls
-            'secure-coding/no-pii-in-logs': 'error',
-            'secure-coding/no-tracking-without-consent': 'error',
-            'secure-coding/require-data-minimization': 'error',
-            'secure-coding/no-sensitive-data-in-analytics': 'error',
-            // M7: Insufficient Binary Protections
-            'secure-coding/no-debug-code-in-production': 'error',
-            'secure-coding/require-code-minification': 'error',
-            // M8: Security Misconfiguration
-            'secure-coding/no-verbose-error-messages': 'error',
-            'secure-coding/no-exposed-debug-endpoints': 'error',
-            'secure-coding/require-secure-defaults': 'error',
-            'secure-coding/no-permissive-cors': 'error',
-            // M9: Insecure Data Storage
-            'secure-coding/no-sensitive-data-in-cache': 'error',
-            'secure-coding/require-storage-encryption': 'error',
-            'secure-coding/no-data-in-temp-storage': 'error',
-            'secure-coding/require-secure-deletion': 'error',
         },
     },
 };

package/src/rules/detect-non-literal-regexp/index.d.ts

@@ -22,5 +22,7 @@ export interface Options {
     maxPatternLength?: number;
 }
 type RuleOptions = [Options?];
-export declare const detectNonLiteralRegexp: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const detectNonLiteralRegexp: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/detect-object-injection/index.d.ts

@@ -29,5 +29,7 @@ export interface Options {
     strategy?: 'validate' | 'whitelist' | 'freeze' | 'auto';
 }
 type RuleOptions = [Options?];
-export declare const detectObjectInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const detectObjectInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/detect-object-injection/index.js

@@ -378,6 +378,15 @@ exports.detectObjectInjection = (0, eslint_devkit_3.createRule)({
             if (propertyNode.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof propertyNode.value === 'number') {
                 return false;
             }
+            // SAFE: Common numeric index variable names (i, j, k, index, idx, n)
+            // These are typically loop counters for array access
+            if (propertyNode.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
+                const name = propertyNode.name;
+                const numericIndexNames = new Set(['i', 'j', 'k', 'index', 'idx', 'n', 'len']);
+                if (numericIndexNames.has(name)) {
+                    return false;
+                }
+            }
             // Check if it's a literal string first
             if (isLiteralString(propertyNode)) {
                 const propName = String(propertyNode.value);
@@ -402,6 +411,56 @@ exports.detectObjectInjection = (0, eslint_devkit_3.createRule)({
             // DANGEROUS: Any untyped/dynamic property access (e.g., obj[userInput])
             return true;
         };
+        /**
+         * Check if the object is a prototype-less object (Object.create(null))
+         * or is derived from an array spread/copy pattern
+         */
+        const isPrototypelessObject = (objectNode) => {
+            if (objectNode.type !== eslint_devkit_1.AST_NODE_TYPES.Identifier) {
+                return false;
+            }
+            const varName = objectNode.name;
+            // Walk up to find the variable declaration
+            let current = objectNode;
+            while (current) {
+                if (current.type === eslint_devkit_1.AST_NODE_TYPES.BlockStatement ||
+                    current.type === eslint_devkit_1.AST_NODE_TYPES.Program) {
+                    const statements = current.type === eslint_devkit_1.AST_NODE_TYPES.BlockStatement
+                        ? current.body
+                        : current.body;
+                    for (const stmt of statements) {
+                        if (stmt.type === eslint_devkit_1.AST_NODE_TYPES.VariableDeclaration) {
+                            for (const decl of stmt.declarations) {
+                                if (decl.id.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                                    decl.id.name === varName &&
+                                    decl.init) {
+                                    // Check for Object.create(null)
+                                    if (decl.init.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression &&
+                                        decl.init.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                                        decl.init.callee.object.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                                        decl.init.callee.object.name === 'Object' &&
+                                        decl.init.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                                        decl.init.callee.property.name === 'create' &&
+                                        decl.init.arguments.length > 0 &&
+                                        decl.init.arguments[0].type === eslint_devkit_1.AST_NODE_TYPES.Literal &&
+                                        decl.init.arguments[0].value === null) {
+                                        return true;
+                                    }
+                                    // Check for array spread: [...array]
+                                    if (decl.init.type === eslint_devkit_1.AST_NODE_TYPES.ArrayExpression &&
+                                        decl.init.elements.length > 0 &&
+                                        decl.init.elements[0]?.type === eslint_devkit_1.AST_NODE_TYPES.SpreadElement) {
+                                        return true;
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+                current = current.parent;
+            }
+            return false;
+        };
         /**
          * Extract property access information
          */
@@ -445,6 +504,10 @@ exports.detectObjectInjection = (0, eslint_devkit_3.createRule)({
             if (!node.left.computed) {
                 return false;
             }
+            // SAFE: Object.create(null) objects have no prototype to pollute
+            if (isPrototypelessObject(node.left.object)) {
+                return false;
+            }
             const { propertyNode } = extractPropertyAccess(node);
             // Skip if the key has been validated (e.g., includes() or hasOwnProperty check)
             if (hasPrecedingValidation(propertyNode, node)) {

package/src/rules/detect-weak-password-validation/index.d.ts

@@ -6,5 +6,7 @@
 export interface Options {
 }
 type RuleOptions = [Options?];
-export declare const detectWeakPasswordValidation: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
+export declare const detectWeakPasswordValidation: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/no-directive-injection/index.d.ts

@@ -32,5 +32,7 @@ export interface Options extends SecurityRuleOptions {
     allowDynamicInComponents?: boolean;
 }
 type RuleOptions = [Options?];
-export declare const noDirectiveInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const noDirectiveInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/no-electron-security-issues/index.d.ts

@@ -30,5 +30,7 @@ export interface Options extends SecurityRuleOptions {
     allowedIpcChannels?: string[];
 }
 type RuleOptions = [Options?];
-export declare const noElectronSecurityIssues: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const noElectronSecurityIssues: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/no-format-string-injection/index.d.ts

@@ -38,5 +38,7 @@ export interface Options {
     strictMode?: boolean;
 }
 type RuleOptions = [Options?];
-export declare const noFormatStringInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const noFormatStringInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/no-graphql-injection/index.d.ts

@@ -32,7 +32,16 @@ export interface Options extends SecurityRuleOptions {
     trustedGraphqlLibraries?: string[];
     /** Functions that validate GraphQL input */
     validationFunctions?: string[];
+    /**
+     * Callers where template literals should never be treated as GraphQL.
+     * Format: 'object.method' for member calls (e.g. 'console.log'),
+     * or 'ClassName' for constructors (e.g. 'URL', 'Error').
+     * These are merged with built-in safe callers.
+     */
+    safeTemplateLiteralCallers?: string[];
 }
 type RuleOptions = [Options?];
-export declare const noGraphqlInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const noGraphqlInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};