eslint-plugin-security 1.7.1 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/.github/workflows/ci.yml +4 -4
  2. package/CHANGELOG.md +11 -0
  3. package/README.md +4 -4
  4. package/docs/the-dangers-of-square-bracket-notation.md +1 -1
  5. package/eslint.config.js +43 -0
  6. package/index.js +31 -21
  7. package/package.json +4 -3
  8. package/.eslintrc +0 -31
package/.github/workflows/ci.yml CHANGED
@@ -17,7 +17,7 @@ jobs:
17
17
  persist-credentials: false
18
18
  - uses: actions/setup-node@v3
19
19
  with:
20
- node-version: '16.x'
20
+ node-version: 18
21
21
 
22
22
  - name: Install Packages
23
23
  run: npm install
@@ -30,12 +30,12 @@ jobs:
30
30
  strategy:
31
31
  matrix:
32
32
  os: [ubuntu-latest]
33
- node: [18.x, 16.x, 14.x, 12.x, '12.22.0']
33
+ node: [12.22.0, 12, 14, 16, 18, 20]
34
34
  include:
35
35
  - os: windows-latest
36
- node: '16.x'
36
+ node: 18
37
37
  - os: macOS-latest
38
- node: '16.x'
38
+ node: 18
39
39
  runs-on: ${{ matrix.os }}
40
40
  permissions:
41
41
  contents: read
package/CHANGELOG.md CHANGED
@@ -1,5 +1,16 @@
1
1
  # Changelog
2
2
 
3
+ ## [2.0.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.7.1...v2.0.0) (2023-10-17)
4
+
5
+
6
+ ### ⚠ BREAKING CHANGES
7
+
8
+ * switch the recommended config to flat (#118)
9
+
10
+ ### Features
11
+
12
+ * switch the recommended config to flat ([#118](https://www.github.com/eslint-community/eslint-plugin-security/issues/118)) ([e20a366](https://www.github.com/eslint-community/eslint-plugin-security/commit/e20a3664c2f638466286ae9a97515722fc98f97c))
13
+
3
14
  ### [1.7.1](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.7.0...v1.7.1) (2023-02-02)
4
15
 
5
16
 
package/README.md CHANGED
@@ -20,12 +20,12 @@ yarn add --dev eslint-plugin-security
20
20
 
21
21
  ## Usage
22
22
 
23
- Add the following to your `.eslintrc` file:
23
+ Add the following to your `eslint.config.js` file:
24
24
 
25
25
  ```js
26
- "extends": [
27
- "plugin:security/recommended"
28
- ]
26
+ const pluginSecurity = require('eslint-plugin-security');
27
+
28
+ module.exports = [pluginSecurity.configs.recommended];
29
29
  ```
30
30
 
31
31
  ## Developer guide
package/docs/the-dangers-of-square-bracket-notation.md CHANGED
@@ -94,7 +94,7 @@ Well, yes and no. Is this particular vector a widespread problem? No, because cu
94
94
 
95
95
  Yes, we are talking about some fairly extreme edge cases, but don't make the assumption that your code doesn't have problems because of that - I have seen this issue in production code with some regularity. And, for the majority of node developers, a large portion of application code was not written by them, but rather included through required modules which may contain peculiar flaws like this one.
96
96
 
97
- Edge cases are uncommon, but because they are uncommon the problems with them are not well known, and they frequently go un-noticed during code review. If the code works, these types of problems tend to disappear. If the code works, and the problems are buried in a module nested n-levels deep, it's likely it won't be found until it causes problems, and by then it's too late. A blind require is essentially running untrusted code in your application. Be [aware of what you require.](https://requiresafe.com)
97
+ Edge cases are uncommon, but because they are uncommon the problems with them are not well known, and they frequently go un-noticed during code review. If the code works, these types of problems tend to disappear. If the code works, and the problems are buried in a module nested n-levels deep, it's likely it won't be found until it causes problems, and by then it's too late. A blind require is essentially running untrusted code in your application. Be aware of the code you're requiring.
98
98
 
99
99
  ## How do I fix it?
100
100
 
package/eslint.config.js ADDED
@@ -0,0 +1,43 @@
1
+ 'use strict';
2
+
3
+ const jsPlugin = require('@eslint/js');
4
+ const prettierConfig = require('eslint-config-prettier');
5
+ const eslintPluginRecommendedConfig = require('eslint-plugin-eslint-plugin/configs/recommended');
6
+
7
+ const eslintPluginConfigs = [
8
+ eslintPluginRecommendedConfig,
9
+ {
10
+ rules: {
11
+ 'eslint-plugin/prefer-message-ids': 'off', // TODO: enable
12
+ 'eslint-plugin/require-meta-docs-description': ['error', { pattern: '^(Detects|Enforces|Requires|Disallows) .+\\.$' }],
13
+ 'eslint-plugin/require-meta-docs-url': [
14
+ 'error',
15
+ {
16
+ pattern: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/{{name}}.md',
17
+ },
18
+ ],
19
+ 'eslint-plugin/require-meta-schema': 'off', // TODO: enable
20
+ 'eslint-plugin/require-meta-type': 'off', // TODO: enable
21
+ },
22
+ },
23
+ ];
24
+
25
+ module.exports = [
26
+ jsPlugin.configs.recommended,
27
+ prettierConfig,
28
+ ...eslintPluginConfigs,
29
+ {
30
+ languageOptions: {
31
+ sourceType: 'commonjs',
32
+ },
33
+ },
34
+ {
35
+ files: ['test/**/*.js'],
36
+ languageOptions: {
37
+ globals: {
38
+ describe: 'readonly',
39
+ it: 'readonly',
40
+ },
41
+ },
42
+ },
43
+ ];
package/index.js CHANGED
@@ -4,7 +4,13 @@
4
4
 
5
5
  'use strict';
6
6
 
7
- module.exports = {
7
+ const pkg = require('./package.json');
8
+
9
+ const plugin = {
10
+ meta: {
11
+ name: pkg.name,
12
+ version: pkg.version,
13
+ },
8
14
  rules: {
9
15
  'detect-unsafe-regex': require('./rules/detect-unsafe-regex'),
10
16
  'detect-non-literal-regexp': require('./rules/detect-non-literal-regexp'),
@@ -37,25 +43,29 @@ module.exports = {
37
43
  'detect-new-buffer': 0,
38
44
  'detect-bidi-characters': 0,
39
45
  },
40
- configs: {
41
- recommended: {
42
- plugins: ['security'],
43
- rules: {
44
- 'security/detect-buffer-noassert': 'warn',
45
- 'security/detect-child-process': 'warn',
46
- 'security/detect-disable-mustache-escape': 'warn',
47
- 'security/detect-eval-with-expression': 'warn',
48
- 'security/detect-new-buffer': 'warn',
49
- 'security/detect-no-csrf-before-method-override': 'warn',
50
- 'security/detect-non-literal-fs-filename': 'warn',
51
- 'security/detect-non-literal-regexp': 'warn',
52
- 'security/detect-non-literal-require': 'warn',
53
- 'security/detect-object-injection': 'warn',
54
- 'security/detect-possible-timing-attacks': 'warn',
55
- 'security/detect-pseudoRandomBytes': 'warn',
56
- 'security/detect-unsafe-regex': 'warn',
57
- 'security/detect-bidi-characters': 'warn',
58
- },
59
- },
46
+ configs: {}, // was assigned later so we can reference `plugin`
47
+ };
48
+
49
+ const recommended = {
50
+ plugins: { security: plugin },
51
+ rules: {
52
+ 'security/detect-buffer-noassert': 'warn',
53
+ 'security/detect-child-process': 'warn',
54
+ 'security/detect-disable-mustache-escape': 'warn',
55
+ 'security/detect-eval-with-expression': 'warn',
56
+ 'security/detect-new-buffer': 'warn',
57
+ 'security/detect-no-csrf-before-method-override': 'warn',
58
+ 'security/detect-non-literal-fs-filename': 'warn',
59
+ 'security/detect-non-literal-regexp': 'warn',
60
+ 'security/detect-non-literal-require': 'warn',
61
+ 'security/detect-object-injection': 'warn',
62
+ 'security/detect-possible-timing-attacks': 'warn',
63
+ 'security/detect-pseudoRandomBytes': 'warn',
64
+ 'security/detect-unsafe-regex': 'warn',
65
+ 'security/detect-bidi-characters': 'warn',
60
66
  },
61
67
  };
68
+
69
+ Object.assign(plugin.configs, { recommended });
70
+
71
+ module.exports = plugin;
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "eslint-plugin-security",
3
- "version": "1.7.1",
3
+ "version": "2.0.0",
4
4
  "description": "Security rules for eslint",
5
5
  "main": "index.js",
6
6
  "scripts": {
@@ -46,12 +46,13 @@
46
46
  "safe-regex": "^2.1.1"
47
47
  },
48
48
  "devDependencies": {
49
+ "@eslint/js": "^8.51.0",
49
50
  "changelog": "1.3.0",
50
- "eslint": "^8.11.0",
51
+ "eslint": "^8.51.0",
51
52
  "eslint-config-nodesecurity": "^1.3.1",
52
53
  "eslint-config-prettier": "^8.5.0",
53
54
  "eslint-doc-generator": "^1.0.2",
54
- "eslint-plugin-eslint-plugin": "^5.0.2",
55
+ "eslint-plugin-eslint-plugin": "^5.1.1",
55
56
  "lint-staged": "^12.3.7",
56
57
  "markdownlint-cli": "^0.32.2",
57
58
  "mocha": "^9.2.2",
package/.eslintrc DELETED
@@ -1,31 +0,0 @@
1
- {
2
- "extends": ["eslint:recommended", "prettier", "plugin:eslint-plugin/recommended"],
3
- "parserOptions": {
4
- "ecmaVersion": "latest"
5
- },
6
- "env": {
7
- "node": true,
8
- "es2020": true
9
- },
10
- "rules": {
11
- "eslint-plugin/prefer-message-ids": "off", // TODO: enable
12
- "eslint-plugin/require-meta-docs-description": ["error", { "pattern": "^(Detects|Enforces|Requires|Disallows) .+\\.$" }],
13
- "eslint-plugin/require-meta-docs-url": [
14
- "error",
15
- {
16
- "pattern": "https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/{{name}}.md"
17
- }
18
- ],
19
- "eslint-plugin/require-meta-schema": "off", // TODO: enable
20
- "eslint-plugin/require-meta-type": "off" // TODO: enable
21
- },
22
- "overrides": [
23
- {
24
- "files": ["test/**/*.js"],
25
- "globals": {
26
- "describe": "readonly",
27
- "it": "readonly"
28
- }
29
- }
30
- ]
31
- }