eslint-plugin-security 1.7.0 → 2.0.0

package/.github/workflows/ci.yml

@@ -17,7 +17,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v3
         with:
-          node-version: '16.x'
+          node-version: 18
 
       - name: Install Packages
         run: npm install
@@ -30,12 +30,12 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        node: [18.x, 16.x, 14.x, 12.x, '12.22.0']
+        node: [12.22.0, 12, 14, 16, 18, 20]
         include:
           - os: windows-latest
-            node: '16.x'
+            node: 18
           - os: macOS-latest
-            node: '16.x'
+            node: 18
     runs-on: ${{ matrix.os }}
     permissions:
       contents: read

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [2.0.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.7.1...v2.0.0) (2023-10-17)
+
+
+### ⚠ BREAKING CHANGES
+
+* switch the recommended config to flat (#118)
+
+### Features
+
+* switch the recommended config to flat ([#118](https://www.github.com/eslint-community/eslint-plugin-security/issues/118)) ([e20a366](https://www.github.com/eslint-community/eslint-plugin-security/commit/e20a3664c2f638466286ae9a97515722fc98f97c))
+
+### [1.7.1](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.7.0...v1.7.1) (2023-02-02)
+
+
+### Bug Fixes
+
+* false positives for static expressions in detect-non-literal-fs-filename, detect-child-process, detect-non-literal-regexp, and detect-non-literal-require ([#109](https://www.github.com/eslint-community/eslint-plugin-security/issues/109)) ([56102b5](https://www.github.com/eslint-community/eslint-plugin-security/commit/56102b50aed4bd632dd668770eb37de58788110b))
+
 ## [1.7.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.6.0...v1.7.0) (2023-01-26)
 
 

package/README.md

@@ -20,12 +20,12 @@ yarn add --dev eslint-plugin-security
 
 ## Usage
 
-Add the following to your `.eslintrc` file:
+Add the following to your `eslint.config.js` file:
 
 ```js
-"extends": [
-  "plugin:security/recommended"
-]
+const pluginSecurity = require('eslint-plugin-security');
+
+module.exports = [pluginSecurity.configs.recommended];
 ```
 
 ## Developer guide

package/docs/the-dangers-of-square-bracket-notation.md

@@ -94,7 +94,7 @@ Well, yes and no. Is this particular vector a widespread problem? No, because cu
 
 Yes, we are talking about some fairly extreme edge cases, but don't make the assumption that your code doesn't have problems because of that - I have seen this issue in production code with some regularity. And, for the majority of node developers, a large portion of application code was not written by them, but rather included through required modules which may contain peculiar flaws like this one.
 
-Edge cases are uncommon, but because they are uncommon the problems with them are not well known, and they frequently go un-noticed during code review. If the code works, these types of problems tend to disappear. If the code works, and the problems are buried in a module nested n-levels deep, it's likely it won't be found until it causes problems, and by then it's too late. A blind require is essentially running untrusted code in your application. Be [aware of what you require.](https://requiresafe.com)
+Edge cases are uncommon, but because they are uncommon the problems with them are not well known, and they frequently go un-noticed during code review. If the code works, these types of problems tend to disappear. If the code works, and the problems are buried in a module nested n-levels deep, it's likely it won't be found until it causes problems, and by then it's too late. A blind require is essentially running untrusted code in your application. Be aware of the code you're requiring.
 
 ## How do I fix it?
 

package/eslint.config.js

@@ -0,0 +1,43 @@
+'use strict';
+
+const jsPlugin = require('@eslint/js');
+const prettierConfig = require('eslint-config-prettier');
+const eslintPluginRecommendedConfig = require('eslint-plugin-eslint-plugin/configs/recommended');
+
+const eslintPluginConfigs = [
+  eslintPluginRecommendedConfig,
+  {
+    rules: {
+      'eslint-plugin/prefer-message-ids': 'off', // TODO: enable
+      'eslint-plugin/require-meta-docs-description': ['error', { pattern: '^(Detects|Enforces|Requires|Disallows) .+\\.$' }],
+      'eslint-plugin/require-meta-docs-url': [
+        'error',
+        {
+          pattern: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/{{name}}.md',
+        },
+      ],
+      'eslint-plugin/require-meta-schema': 'off', // TODO: enable
+      'eslint-plugin/require-meta-type': 'off', // TODO: enable
+    },
+  },
+];
+
+module.exports = [
+  jsPlugin.configs.recommended,
+  prettierConfig,
+  ...eslintPluginConfigs,
+  {
+    languageOptions: {
+      sourceType: 'commonjs',
+    },
+  },
+  {
+    files: ['test/**/*.js'],
+    languageOptions: {
+      globals: {
+        describe: 'readonly',
+        it: 'readonly',
+      },
+    },
+  },
+];

package/index.js

@@ -4,7 +4,13 @@
 
 'use strict';
 
-module.exports = {
+const pkg = require('./package.json');
+
+const plugin = {
+  meta: {
+    name: pkg.name,
+    version: pkg.version,
+  },
   rules: {
     'detect-unsafe-regex': require('./rules/detect-unsafe-regex'),
     'detect-non-literal-regexp': require('./rules/detect-non-literal-regexp'),
@@ -37,25 +43,29 @@ module.exports = {
     'detect-new-buffer': 0,
     'detect-bidi-characters': 0,
   },
-  configs: {
-    recommended: {
-      plugins: ['security'],
-      rules: {
-        'security/detect-buffer-noassert': 'warn',
-        'security/detect-child-process': 'warn',
-        'security/detect-disable-mustache-escape': 'warn',
-        'security/detect-eval-with-expression': 'warn',
-        'security/detect-new-buffer': 'warn',
-        'security/detect-no-csrf-before-method-override': 'warn',
-        'security/detect-non-literal-fs-filename': 'warn',
-        'security/detect-non-literal-regexp': 'warn',
-        'security/detect-non-literal-require': 'warn',
-        'security/detect-object-injection': 'warn',
-        'security/detect-possible-timing-attacks': 'warn',
-        'security/detect-pseudoRandomBytes': 'warn',
-        'security/detect-unsafe-regex': 'warn',
-        'security/detect-bidi-characters': 'warn',
-      },
-    },
+  configs: {}, // was assigned later so we can reference `plugin`
+};
+
+const recommended = {
+  plugins: { security: plugin },
+  rules: {
+    'security/detect-buffer-noassert': 'warn',
+    'security/detect-child-process': 'warn',
+    'security/detect-disable-mustache-escape': 'warn',
+    'security/detect-eval-with-expression': 'warn',
+    'security/detect-new-buffer': 'warn',
+    'security/detect-no-csrf-before-method-override': 'warn',
+    'security/detect-non-literal-fs-filename': 'warn',
+    'security/detect-non-literal-regexp': 'warn',
+    'security/detect-non-literal-require': 'warn',
+    'security/detect-object-injection': 'warn',
+    'security/detect-possible-timing-attacks': 'warn',
+    'security/detect-pseudoRandomBytes': 'warn',
+    'security/detect-unsafe-regex': 'warn',
+    'security/detect-bidi-characters': 'warn',
   },
 };
+
+Object.assign(plugin.configs, { recommended });
+
+module.exports = plugin;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "eslint-plugin-security",
-  "version": "1.7.0",
+  "version": "2.0.0",
   "description": "Security rules for eslint",
   "main": "index.js",
   "scripts": {
@@ -46,12 +46,13 @@
     "safe-regex": "^2.1.1"
   },
   "devDependencies": {
+    "@eslint/js": "^8.51.0",
     "changelog": "1.3.0",
-    "eslint": "^8.11.0",
+    "eslint": "^8.51.0",
     "eslint-config-nodesecurity": "^1.3.1",
     "eslint-config-prettier": "^8.5.0",
     "eslint-doc-generator": "^1.0.2",
-    "eslint-plugin-eslint-plugin": "^5.0.2",
+    "eslint-plugin-eslint-plugin": "^5.1.1",
     "lint-staged": "^12.3.7",
     "markdownlint-cli": "^0.32.2",
     "mocha": "^9.2.2",

package/rules/detect-child-process.js

@@ -6,6 +6,7 @@
 'use strict';
 
 const { getImportAccessPath } = require('../utils/import-utils');
+const { isStaticExpression } = require('../utils/is-static-expression');
 const childProcessPackageNames = ['child_process', 'node:child_process'];
 
 //------------------------------------------------------------------------------
@@ -41,7 +42,13 @@ module.exports = {
         }
 
         // Reports non-literal `exec()` calls.
-        if (!node.arguments.length || node.arguments[0].type === 'Literal') {
+        if (
+          !node.arguments.length ||
+          isStaticExpression({
+            node: node.arguments[0],
+            scope: context.getScope(),
+          })
+        ) {
           return;
         }
         const pathInfo = getImportAccessPath({

package/rules/detect-non-literal-fs-filename.js

@@ -10,21 +10,7 @@ const funcNames = Object.keys(fsMetaData);
 const fsPackageNames = ['fs', 'node:fs', 'fs/promises', 'node:fs/promises', 'fs-extra'];
 
 const { getImportAccessPath } = require('../utils/import-utils');
-
-//------------------------------------------------------------------------------
-// Utils
-//------------------------------------------------------------------------------
-
-function getIndices(node, argMeta) {
-  return (argMeta || []).filter((argIndex) => node.arguments[argIndex].type !== 'Literal');
-}
-
-function generateReport({ context, node, packageName, methodName, indices }) {
-  if (!indices || indices.length === 0) {
-    return;
-  }
-  context.report({ node, message: `Found ${methodName} from package "${packageName}" with non literal argument at index ${indices.join(',')}` });
-}
+const { isStaticExpression } = require('../utils/is-static-expression');
 
 //------------------------------------------------------------------------------
 // Rule Definition
@@ -87,15 +73,23 @@ module.exports = {
         }
         const packageName = pathInfo.packageName;
 
-        const indices = getIndices(node, fsMetaData[fnName]);
-
-        generateReport({
-          context,
-          node,
-          packageName,
-          methodName: fnName,
-          indices,
-        });
+        const indices = [];
+        for (const index of fsMetaData[fnName] || []) {
+          if (index >= node.arguments.length) {
+            continue;
+          }
+          const argument = node.arguments[index];
+          if (isStaticExpression({ node: argument, scope: context.getScope() })) {
+            continue;
+          }
+          indices.push(index);
+        }
+        if (indices.length) {
+          context.report({
+            node,
+            message: `Found ${fnName} from package "${packageName}" with non literal argument at index ${indices.join(',')}`,
+          });
+        }
       },
     };
   },

package/rules/detect-non-literal-regexp.js

@@ -5,6 +5,8 @@
 
 'use strict';
 
+const { isStaticExpression } = require('../utils/is-static-expression');
+
 //------------------------------------------------------------------------------
 // Rule Definition
 //------------------------------------------------------------------------------
@@ -24,7 +26,14 @@ module.exports = {
       NewExpression: function (node) {
         if (node.callee.name === 'RegExp') {
           const args = node.arguments;
-          if (args && args.length > 0 && args[0].type !== 'Literal') {
+          if (
+            args &&
+            args.length > 0 &&
+            !isStaticExpression({
+              node: args[0],
+              scope: context.getScope(),
+            })
+          ) {
             return context.report({ node: node, message: 'Found non-literal argument to RegExp Constructor' });
           }
         }

package/rules/detect-non-literal-require.js

@@ -5,6 +5,8 @@
 
 'use strict';
 
+const { isStaticExpression } = require('../utils/is-static-expression');
+
 //------------------------------------------------------------------------------
 // Rule Definition
 //------------------------------------------------------------------------------
@@ -25,8 +27,12 @@ module.exports = {
         if (node.callee.name === 'require') {
           const args = node.arguments;
           if (
-            (args && args.length > 0 && args[0].type === 'TemplateLiteral' && args[0].expressions.length > 0) ||
-            (args[0].type !== 'TemplateLiteral' && args[0].type !== 'Literal')
+            args &&
+            args.length > 0 &&
+            !isStaticExpression({
+              node: args[0],
+              scope: context.getScope(),
+            })
           ) {
             return context.report({ node: node, message: 'Found non-literal argument in require' });
           }

package/test/detect-child-process.js

@@ -50,6 +50,14 @@ tester.run(ruleName, rule, {
     function fn () {
       require('child_process').spawn(str)
     }`,
+    `
+    var child_process = require('child_process');
+    var FOO = 'ls';
+    child_process.exec(FOO);`,
+    `
+    import child_process from 'child_process';
+    const FOO = 'ls';
+    child_process.exec(FOO);`,
   ],
   invalid: [
     {

package/test/detect-non-literal-fs-filename.js

@@ -3,7 +3,7 @@
 const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester({
   parserOptions: {
-    ecmaVersion: 6,
+    ecmaVersion: 13,
     sourceType: 'module',
   },
 });
@@ -24,6 +24,51 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
       code: `var something = require('fs').readFile, readFile = require('foo').readFile;
              readFile(c);`,
     },
+    {
+      code: `
+            import { promises as fsp } from 'fs';
+            import fs from 'fs';
+            import path from 'path';
+            
+            const index = await fsp.readFile(path.resolve(__dirname, './index.html'), 'utf-8');
+            const key = fs.readFileSync(path.join(__dirname, './ssl.key'));
+            await fsp.writeFile(path.resolve(__dirname, './sitemap.xml'), sitemap);`,
+      globals: {
+        __dirname: 'readonly',
+      },
+    },
+    {
+      code: `
+            import fs from 'fs';
+            import path from 'path';
+            const dirname = path.dirname(__filename)
+            const key = fs.readFileSync(path.resolve(dirname, './index.html'));`,
+      globals: {
+        __filename: 'readonly',
+      },
+    },
+    {
+      code: `
+            import fs from 'fs';
+            const key = fs.readFileSync(\`\${process.cwd()}/path/to/foo.json\`);`,
+      globals: {
+        process: 'readonly',
+      },
+    },
+    `
+    import fs from 'fs';
+    import path from 'path';
+    import url from 'url';
+    const dirname = path.dirname(url.fileURLToPath(import.meta.url));
+    const html = fs.readFileSync(path.resolve(dirname, './index.html'), 'utf-8');`,
+    {
+      code: `
+      import fs from 'fs';
+      const pkg = fs.readFileSync(require.resolve('eslint/package.json'), 'utf-8');`,
+      globals: {
+        require: 'readonly',
+      },
+    },
   ],
   invalid: [
     /// requires
@@ -141,5 +186,15 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
       code: "var fs = require('fs');\nfunction foo () {\nvar { readFile: something } = fs.promises;\nsomething(filename);\n}",
       errors: [{ message: 'Found readFile from package "fs" with non literal argument at index 0' }],
     },
+    {
+      code: `
+            import fs from 'fs';
+            import path from 'path';
+            const key = fs.readFileSync(path.resolve(__dirname, foo));`,
+      globals: {
+        __filename: 'readonly',
+      },
+      errors: [{ message: 'Found readFileSync from package "fs" with non literal argument at index 0' }],
+    },
   ],
 });

package/test/detect-non-literal-regexp.js

@@ -7,7 +7,14 @@ const ruleName = 'detect-non-literal-regexp';
 const invalid = "var a = new RegExp(c, 'i')";
 
 tester.run(ruleName, require(`../rules/${ruleName}`), {
-  valid: [{ code: "var a = new RegExp('ab+c', 'i')" }],
+  valid: [
+    { code: "var a = new RegExp('ab+c', 'i')" },
+    {
+      code: `
+            var source = 'ab+c'
+            var a = new RegExp(source, 'i')`,
+    },
+  ],
   invalid: [
     {
       code: invalid,

package/test/detect-non-literal-require.js

@@ -7,7 +7,21 @@ const tester = new RuleTester({ parserOptions: { ecmaVersion: 6 } });
 const ruleName = 'detect-non-literal-require';
 
 tester.run(ruleName, require(`../rules/${ruleName}`), {
-  valid: [{ code: "var a = require('b')" }, { code: 'var a = require(`b`)' }],
+  valid: [
+    { code: "var a = require('b')" },
+    { code: 'var a = require(`b`)' },
+    {
+      code: `
+  const d = 'debounce'
+  var a = require(\`lodash/\${d}\`)`,
+    },
+    {
+      code: "const utils = require(__dirname + '/utils');",
+      globals: {
+        __dirname: 'readonly',
+      },
+    },
+  ],
   invalid: [
     {
       code: 'var a = require(c)',

package/test/utils/is-static-expression.js

@@ -0,0 +1,252 @@
+'use strict';
+
+const { isStaticExpression } = require('../../utils/is-static-expression');
+const { deepStrictEqual } = require('assert');
+
+const Linter = require('eslint').Linter;
+
+/**
+ * Get the return value using `isStaticExpression()`.
+ * Give `isStaticExpression()` the argument given to `target()` in the code as an expression.
+ */
+function getIsStaticExpressionResult(code) {
+  const linter = new Linter();
+  const result = [];
+  linter.defineRule('test-rule', {
+    create(context) {
+      return {
+        'CallExpression[callee.name = target]'(node) {
+          result.push(
+            ...node.arguments.map((expr) =>
+              isStaticExpression({
+                node: expr,
+                scope: context.getScope(),
+              })
+            )
+          );
+        },
+      };
+    },
+  });
+
+  const linterResult = linter.verify(code, {
+    parserOptions: {
+      ecmaVersion: 11,
+      sourceType: 'module',
+    },
+    globals: {
+      __dirname: 'readonly',
+      __filename: 'readonly',
+      require: 'readonly',
+    },
+    rules: {
+      'test-rule': 'error',
+    },
+  });
+  deepStrictEqual(linterResult, []);
+
+  return result;
+}
+
+describe('isStaticExpression', () => {
+  describe('The result of isStaticExpression should be as expected.', () => {
+    for (const { code, result } of [
+      {
+        code: `target('foo');`,
+        result: [true],
+      },
+      {
+        code: `target(a);`,
+        result: [false],
+      },
+      {
+        code: `
+        const a = 'i'
+        target(a);`,
+        result: [true],
+      },
+      {
+        code: `
+        const a = b
+        target(a);`,
+        result: [false],
+      },
+      {
+        code: `
+        const a = a
+        target(a);`,
+        result: [false],
+      },
+      {
+        code: `
+        var a = 'foo'
+        var a = 'bar'
+        target(a);`,
+        result: [false],
+      },
+      {
+        code: `
+        var a = 'foo'
+        a = 'bar'
+        var b = 'bar'
+        target(a);
+        target(b);`,
+        result: [false, true],
+      },
+      {
+        code: `target(\`foo\`);`,
+        result: [true],
+      },
+      {
+        code: `
+        target(\`foo\${a}\`);`,
+        result: [false],
+      },
+      {
+        code: `
+        const a = 'i'
+        target(\`foo\${a}\`);`,
+        result: [true],
+      },
+      {
+        code: `
+        const a = 'i'
+        target('foo' + 'bar');
+        target(a + 'foo');
+        target('foo' + a + 'bar');
+        `,
+        result: [true, true, true],
+      },
+      {
+        code: `
+        const a = 'i'
+        target(b + 'bar');
+        target('foo' + a + b);
+        `,
+        result: [false, false],
+      },
+      {
+        code: `
+        target(__dirname, __filename);
+        `,
+        result: [true, true],
+      },
+      {
+        code: `
+        function fn(__dirname) {
+          target(__dirname, __filename);
+        }
+        `,
+        result: [false, true],
+      },
+      {
+        code: `
+        const __filename = a
+        target(__dirname, __filename);
+        `,
+        result: [true, false],
+      },
+      {
+        code: `
+        import path from 'path';
+        target(path.resolve(__dirname, './index.html'));
+        target(path.join(__dirname, './ssl.key'));
+        target(path.resolve(__dirname, './sitemap.xml'));
+        `,
+        result: [true, true, true],
+      },
+      {
+        code: `
+        import { posix as path } from 'path';
+        target(path.resolve(__dirname, './index.html'));
+        `,
+        result: [true],
+      },
+      {
+        code: `
+        const path = require('path');
+        target(path.resolve(__dirname, './index.html'));
+        `,
+        result: [true],
+      },
+      {
+        code: `
+        import path from 'unknown';
+        target(path.resolve(__dirname, './index.html'));
+        `,
+        result: [false],
+      },
+      {
+        code: `
+        import path from 'path';
+        target(path.unknown(__dirname, './index.html'));
+        `,
+        result: [false],
+      },
+      {
+        code: `
+        import path from 'path';
+        target(path.resolve.unknown(__dirname, './index.html'));
+        `,
+        result: [false],
+      },
+      {
+        code: `
+        import path from 'path';
+        const FOO = 'static'
+        target(path.resolve(__dirname, foo));
+        target(path.resolve(__dirname, FOO));
+        `,
+        result: [false, true],
+      },
+      {
+        code: `
+        import path from 'path';
+        const FOO = 'static'
+        target(__dirname + path.sep + foo);
+        target(__dirname + path.sep + FOO);
+        `,
+        result: [false, true],
+      },
+      {
+        code: `
+        target(require.resolve('static'));
+        target(require.resolve(foo));
+        `,
+        result: [true, false],
+      },
+      {
+        code: `
+        target(require);
+        target(require('static'));
+        `,
+        result: [false, false],
+      },
+      {
+        code: `
+        import url from "node:url";
+        import path from "node:path";
+
+        const filename = url.fileURLToPath(import.meta.url);
+        const dirname = path.dirname(url.fileURLToPath(import.meta.url));
+
+        target(filename);
+        target(dirname);
+        `,
+        result: [true, true],
+      },
+      {
+        code: `
+        import url from "node:url";
+        target(import.meta.url);
+        target(url.unknown(import.meta.url));
+        `,
+        result: [true, false],
+      },
+    ]) {
+      it(code, () => {
+        deepStrictEqual(getIsStaticExpressionResult(code), result);
+      });
+    }
+  });
+});

package/utils/find-variable.js

@@ -0,0 +1,18 @@
+module.exports.findVariable = findVariable;
+
+/**
+ * Find the variable of a given name.
+ * @param {import("eslint").Scope.Scope} scope the scope to start finding
+ * @param {string} name the variable name to find.
+ * @returns {import("eslint").Scope.Variable | null}
+ */
+function findVariable(scope, name) {
+  while (scope != null) {
+    const variable = scope.set.get(name);
+    if (variable != null) {
+      return variable;
+    }
+    scope = scope.upper;
+  }
+  return null;
+}

package/utils/import-utils.js

@@ -1,3 +1,5 @@
+const { findVariable } = require('./find-variable');
+
 module.exports.getImportAccessPath = getImportAccessPath;
 
 /**
@@ -182,15 +184,3 @@ function getImportAccessPath({ node, scope, packageNames }) {
     return node && node.type === 'ImportDeclaration' && packageNames.includes(node.source.value);
   }
 }
-
-/** @returns {import("eslint").Scope.Variable | null} */
-function findVariable(scope, name) {
-  while (scope != null) {
-    const variable = scope.set.get(name);
-    if (variable != null) {
-      return variable;
-    }
-    scope = scope.upper;
-  }
-  return null;
-}

package/utils/is-static-expression.js

@@ -0,0 +1,219 @@
+const { findVariable } = require('./find-variable');
+const { getImportAccessPath } = require('./import-utils');
+
+module.exports.isStaticExpression = isStaticExpression;
+
+const PATH_PACKAGE_NAMES = ['path', 'node:path', 'path/posix', 'node:path/posix'];
+const URL_PACKAGE_NAMES = ['url', 'node:url'];
+const PATH_CONSTRUCTION_METHOD_NAMES = new Set(['basename', 'dirname', 'extname', 'join', 'normalize', 'relative', 'resolve', 'toNamespacedPath']);
+const PATH_STATIC_MEMBER_NAMES = new Set(['delimiter', 'sep']);
+
+/**
+ * @type {WeakMap<import("estree").Expression, boolean>}
+ */
+const cache = new WeakMap();
+
+/**
+ * Checks whether the given expression node is a static or not.
+ *
+ * @param {Object} params
+ * @param {import("estree").Expression} params.node The node to check.
+ * @param {import("eslint").Scope.Scope} params.scope The scope of the given node.
+ * @returns {boolean} if true, the given expression node is a static.
+ */
+function isStaticExpression({ node, scope }) {
+  const tracked = new Set();
+  return isStatic(node);
+
+  /**
+   * @param {import("estree").Expression} node
+   * @returns {boolean}
+   */
+  function isStatic(node) {
+    let result = cache.get(node);
+    if (result == null) {
+      result = isStaticWithoutCache(node);
+      cache.set(node, result);
+    }
+    return result;
+  }
+  /**
+   * @param {import("estree").Expression} node
+   * @returns {boolean}
+   */
+  function isStaticWithoutCache(node) {
+    if (tracked.has(node)) {
+      // Guard infinite loops.
+      return false;
+    }
+    tracked.add(node);
+    if (node.type === 'Literal') {
+      return true;
+    }
+    if (node.type === 'TemplateLiteral') {
+      // A node is static if all interpolations are static.
+      return node.expressions.every(isStatic);
+    }
+    if (node.type === 'BinaryExpression') {
+      // An expression is static if both operands are static.
+      return isStatic(node.left) && isStatic(node.right);
+    }
+    if (node.type === 'Identifier') {
+      const variable = findVariable(scope, node.name);
+      if (variable) {
+        if (variable.defs.length === 0) {
+          if (node.name === '__dirname' || node.name === '__filename') {
+            // It is a global variable that can be used in CJS of Node.js.
+            return true;
+          }
+        } else if (variable.defs.length === 1) {
+          const def = variable.defs[0];
+          if (
+            def.type === 'Variable' &&
+            // It has an initial value.
+            def.node.init &&
+            // It does not write new values.
+            variable.references.every((ref) => ref.isReadOnly() || ref.identifier === def.name)
+          ) {
+            // A variable is static if its initial value is static.
+            return isStatic(def.node.init);
+          }
+        }
+      } else {
+        return false;
+      }
+    }
+    return isStaticPath(node) || isStaticFileURLToPath(node) || isStaticImportMetaUrl(node) || isStaticRequireResolve(node) || isStaticCwd(node);
+  }
+
+  /**
+   * Checks whether the given expression is a static path construction.
+   *
+   * @param {import("estree").Expression} node The node to check.
+   * @returns {boolean} if true, the given expression is a static path construction.
+   */
+  function isStaticPath(node) {
+    const pathInfo = getImportAccessPath({
+      node: node.type === 'CallExpression' ? node.callee : node,
+      scope,
+      packageNames: PATH_PACKAGE_NAMES,
+    });
+    if (!pathInfo) {
+      return false;
+    }
+    /** @type {string | undefined} */
+    let name;
+    if (pathInfo.path.length === 1) {
+      // e.g. import path from 'path'
+      name = pathInfo.path[0];
+    } else if (pathInfo.path.length === 2 && pathInfo.path[0] === 'posix') {
+      // e.g. import { posix as path } from 'path'
+      name = pathInfo.path[1];
+    }
+    if (name == null) {
+      return false;
+    }
+
+    if (node.type === 'CallExpression') {
+      if (!PATH_CONSTRUCTION_METHOD_NAMES.has(name)) {
+        return false;
+      }
+      return Boolean(node.arguments.length) && node.arguments.every(isStatic);
+    }
+
+    return PATH_STATIC_MEMBER_NAMES.has(name);
+  }
+
+  /**
+   * Checks whether the given expression is a static `url.fileURLToPath()`.
+   *
+   * @param {import("estree").Expression} node The node to check.
+   * @returns {boolean} if true, the given expression is a static `url.fileURLToPath()`.
+   */
+  function isStaticFileURLToPath(node) {
+    if (node.type !== 'CallExpression') {
+      return false;
+    }
+    const pathInfo = getImportAccessPath({
+      node: node.callee,
+      scope,
+      packageNames: URL_PACKAGE_NAMES,
+    });
+    if (!pathInfo || pathInfo.path.length !== 1) {
+      return false;
+    }
+    let name = pathInfo.path[0];
+    if (name !== 'fileURLToPath') {
+      return false;
+    }
+    return Boolean(node.arguments.length) && node.arguments.every(isStatic);
+  }
+
+  /**
+   * Checks whether the given expression is an `import.meta.url`.
+   *
+   * @param {import("estree").Expression} node The node to check.
+   * @returns {boolean} if true, the given expression is an `import.meta.url`.
+   */
+  function isStaticImportMetaUrl(node) {
+    return (
+      node.type === 'MemberExpression' &&
+      !node.computed &&
+      node.property.type === 'Identifier' &&
+      node.property.name === 'url' &&
+      node.object.type === 'MetaProperty' &&
+      node.object.meta.name === 'import' &&
+      node.object.property.name === 'meta'
+    );
+  }
+
+  /**
+   * Checks whether the given expression is a static `require.resolve()`.
+   *
+   * @param {import("estree").Expression} node The node to check.
+   * @returns {boolean} if true, the given expression is a static `require.resolve()`.
+   */
+  function isStaticRequireResolve(node) {
+    if (
+      node.type !== 'CallExpression' ||
+      node.callee.type !== 'MemberExpression' ||
+      node.callee.computed ||
+      node.callee.property.type !== 'Identifier' ||
+      node.callee.property.name !== 'resolve' ||
+      node.callee.object.type !== 'Identifier' ||
+      node.callee.object.name !== 'require'
+    ) {
+      return false;
+    }
+    const variable = findVariable(scope, node.callee.object.name);
+    if (!variable || variable.defs.length !== 0) {
+      return false;
+    }
+    return Boolean(node.arguments.length) && node.arguments.every(isStatic);
+  }
+
+  /**
+   * Checks whether the given expression is a static `process.cwd()`.
+   *
+   * @param {import("estree").Expression} node The node to check.
+   * @returns {boolean} if true, the given expression is a static `process.cwd()`.
+   */
+  function isStaticCwd(node) {
+    if (
+      node.type !== 'CallExpression' ||
+      node.callee.type !== 'MemberExpression' ||
+      node.callee.computed ||
+      node.callee.property.type !== 'Identifier' ||
+      node.callee.property.name !== 'cwd' ||
+      node.callee.object.type !== 'Identifier' ||
+      node.callee.object.name !== 'process'
+    ) {
+      return false;
+    }
+    const variable = findVariable(scope, node.callee.object.name);
+    if (!variable || variable.defs.length !== 0) {
+      return false;
+    }
+    return true;
+  }
+}

package/.eslintrc

@@ -1,31 +0,0 @@
-{
-  "extends": ["eslint:recommended", "prettier", "plugin:eslint-plugin/recommended"],
-  "parserOptions": {
-    "ecmaVersion": "latest"
-  },
-  "env": {
-    "node": true,
-    "es2020": true
-  },
-  "rules": {
-    "eslint-plugin/prefer-message-ids": "off", // TODO: enable
-    "eslint-plugin/require-meta-docs-description": ["error", { "pattern": "^(Detects|Enforces|Requires|Disallows) .+\\.$" }],
-    "eslint-plugin/require-meta-docs-url": [
-      "error",
-      {
-        "pattern": "https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/{{name}}.md"
-      }
-    ],
-    "eslint-plugin/require-meta-schema": "off", // TODO: enable
-    "eslint-plugin/require-meta-type": "off" // TODO: enable
-  },
-  "overrides": [
-    {
-      "files": ["test/**/*.js"],
-      "globals": {
-        "describe": "readonly",
-        "it": "readonly"
-      }
-    }
-  ]
-}