npm - eslint-plugin-security - Versions diffs - 1.7.1 → 2.1.0 - Mend

eslint-plugin-security 1.7.1 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/.eslint-doc-generatorrc.js CHANGED Viewed

@@ -3,6 +3,7 @@ const prettierRC = require('./.prettierrc.json');
 /** @type {import('eslint-doc-generator').GenerateOptions} */
 const config = {
+  ignoreConfig: ['recommended-legacy'],
   postprocess: (doc) => format(doc, { ...prettierRC, parser: 'markdown' }),
 };

package/.github/workflows/ci.yml CHANGED Viewed

@@ -17,7 +17,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v3
         with:
-          node-version: '16.x'
+          node-version: 18
       - name: Install Packages
         run: npm install
@@ -30,12 +30,12 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        node: [18.x, 16.x, 14.x, 12.x, '12.22.0']
+        node: [12.22.0, 12, 14, 16, 18, 20]
         include:
           - os: windows-latest
-            node: '16.x'
+            node: 18
           - os: macOS-latest
-            node: '16.x'
+            node: 18
     runs-on: ${{ matrix.os }}
     permissions:
       contents: read

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,23 @@
 # Changelog
+## [2.1.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v2.0.0...v2.1.0) (2023-12-15)
+### Features
+* add config recommended-legacy ([#132](https://www.github.com/eslint-community/eslint-plugin-security/issues/132)) ([13d3f2f](https://www.github.com/eslint-community/eslint-plugin-security/commit/13d3f2fc6ba327c894959db30462f3fda0272f0c))
+## [2.0.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.7.1...v2.0.0) (2023-10-17)
+### ⚠ BREAKING CHANGES
+* switch the recommended config to flat (#118)
+### Features
+* switch the recommended config to flat ([#118](https://www.github.com/eslint-community/eslint-plugin-security/issues/118)) ([e20a366](https://www.github.com/eslint-community/eslint-plugin-security/commit/e20a3664c2f638466286ae9a97515722fc98f97c))
 ### [1.7.1](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.7.0...v1.7.1) (2023-02-02)

package/README.md CHANGED Viewed

@@ -20,12 +20,24 @@ yarn add --dev eslint-plugin-security
 ## Usage
+### Flat config (requires eslint >= v8.23.0)
+Add the following to your `eslint.config.js` file:
+```js
+const pluginSecurity = require('eslint-plugin-security');
+module.exports = [pluginSecurity.configs.recommended];
+```
+### eslintrc config (deprecated)
 Add the following to your `.eslintrc` file:
 ```js
-"extends": [
-  "plugin:security/recommended"
-]
+module.exports = {
+  extends: ['plugin:security/recommended-legacy'],
+};
 ```
 ## Developer guide

package/docs/the-dangers-of-square-bracket-notation.md CHANGED Viewed

@@ -94,7 +94,7 @@ Well, yes and no. Is this particular vector a widespread problem? No, because cu
 Yes, we are talking about some fairly extreme edge cases, but don't make the assumption that your code doesn't have problems because of that - I have seen this issue in production code with some regularity. And, for the majority of node developers, a large portion of application code was not written by them, but rather included through required modules which may contain peculiar flaws like this one.
-Edge cases are uncommon, but because they are uncommon the problems with them are not well known, and they frequently go un-noticed during code review. If the code works, these types of problems tend to disappear. If the code works, and the problems are buried in a module nested n-levels deep, it's likely it won't be found until it causes problems, and by then it's too late. A blind require is essentially running untrusted code in your application. Be [aware of what you require.](https://requiresafe.com)
+Edge cases are uncommon, but because they are uncommon the problems with them are not well known, and they frequently go un-noticed during code review. If the code works, these types of problems tend to disappear. If the code works, and the problems are buried in a module nested n-levels deep, it's likely it won't be found until it causes problems, and by then it's too late. A blind require is essentially running untrusted code in your application. Be aware of the code you're requiring.
 ## How do I fix it?

package/eslint.config.js ADDED Viewed

@@ -0,0 +1,43 @@
+'use strict';
+const jsPlugin = require('@eslint/js');
+const prettierConfig = require('eslint-config-prettier');
+const eslintPluginRecommendedConfig = require('eslint-plugin-eslint-plugin/configs/recommended');
+const eslintPluginConfigs = [
+  eslintPluginRecommendedConfig,
+  {
+    rules: {
+      'eslint-plugin/prefer-message-ids': 'off', // TODO: enable
+      'eslint-plugin/require-meta-docs-description': ['error', { pattern: '^(Detects|Enforces|Requires|Disallows) .+\\.$' }],
+      'eslint-plugin/require-meta-docs-url': [
+        'error',
+        {
+          pattern: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/{{name}}.md',
+        },
+      ],
+      'eslint-plugin/require-meta-schema': 'off', // TODO: enable
+      'eslint-plugin/require-meta-type': 'off', // TODO: enable
+    },
+  },
+];
+module.exports = [
+  jsPlugin.configs.recommended,
+  prettierConfig,
+  ...eslintPluginConfigs,
+  {
+    languageOptions: {
+      sourceType: 'commonjs',
+    },
+  },
+  {
+    files: ['test/**/*.js'],
+    languageOptions: {
+      globals: {
+        describe: 'readonly',
+        it: 'readonly',
+      },
+    },
+  },
+];

package/index.js CHANGED Viewed

@@ -4,7 +4,13 @@
 'use strict';
-module.exports = {
+const pkg = require('./package.json');
+const plugin = {
+  meta: {
+    name: pkg.name,
+    version: pkg.version,
+  },
   rules: {
     'detect-unsafe-regex': require('./rules/detect-unsafe-regex'),
     'detect-non-literal-regexp': require('./rules/detect-non-literal-regexp'),
@@ -37,25 +43,37 @@ module.exports = {
     'detect-new-buffer': 0,
     'detect-bidi-characters': 0,
   },
-  configs: {
-    recommended: {
-      plugins: ['security'],
-      rules: {
-        'security/detect-buffer-noassert': 'warn',
-        'security/detect-child-process': 'warn',
-        'security/detect-disable-mustache-escape': 'warn',
-        'security/detect-eval-with-expression': 'warn',
-        'security/detect-new-buffer': 'warn',
-        'security/detect-no-csrf-before-method-override': 'warn',
-        'security/detect-non-literal-fs-filename': 'warn',
-        'security/detect-non-literal-regexp': 'warn',
-        'security/detect-non-literal-require': 'warn',
-        'security/detect-object-injection': 'warn',
-        'security/detect-possible-timing-attacks': 'warn',
-        'security/detect-pseudoRandomBytes': 'warn',
-        'security/detect-unsafe-regex': 'warn',
-        'security/detect-bidi-characters': 'warn',
-      },
-    },
+  configs: {}, // was assigned later so we can reference `plugin`
+};
+const recommended = {
+  plugins: { security: plugin },
+  rules: {
+    'security/detect-buffer-noassert': 'warn',
+    'security/detect-child-process': 'warn',
+    'security/detect-disable-mustache-escape': 'warn',
+    'security/detect-eval-with-expression': 'warn',
+    'security/detect-new-buffer': 'warn',
+    'security/detect-no-csrf-before-method-override': 'warn',
+    'security/detect-non-literal-fs-filename': 'warn',
+    'security/detect-non-literal-regexp': 'warn',
+    'security/detect-non-literal-require': 'warn',
+    'security/detect-object-injection': 'warn',
+    'security/detect-possible-timing-attacks': 'warn',
+    'security/detect-pseudoRandomBytes': 'warn',
+    'security/detect-unsafe-regex': 'warn',
+    'security/detect-bidi-characters': 'warn',
   },
 };
+const recommendedLegacy = {
+  plugins: ['security'],
+  rules: recommended.rules,
+};
+Object.assign(plugin.configs, {
+  recommended,
+  'recommended-legacy': recommendedLegacy
+});
+module.exports = plugin;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "eslint-plugin-security",
-  "version": "1.7.1",
+  "version": "2.1.0",
   "description": "Security rules for eslint",
   "main": "index.js",
   "scripts": {
@@ -46,12 +46,13 @@
     "safe-regex": "^2.1.1"
   },
   "devDependencies": {
+    "@eslint/js": "^8.51.0",
     "changelog": "1.3.0",
-    "eslint": "^8.11.0",
+    "eslint": "^8.51.0",
     "eslint-config-nodesecurity": "^1.3.1",
     "eslint-config-prettier": "^8.5.0",
     "eslint-doc-generator": "^1.0.2",
-    "eslint-plugin-eslint-plugin": "^5.0.2",
+    "eslint-plugin-eslint-plugin": "^5.1.1",
     "lint-staged": "^12.3.7",
     "markdownlint-cli": "^0.32.2",
     "mocha": "^9.2.2",

package/test/configs/index.js ADDED Viewed

@@ -0,0 +1,16 @@
+'use strict';
+const plugin = require('../../index.js');
+const assert = require('assert').strict;
+describe('export plugin object', () => {
+  it('should export rules', () => {
+    assert(plugin.rules);
+    assert(typeof plugin.rules['detect-unsafe-regex'] === 'object');
+  });
+  it('should export configs', () => {
+    assert(plugin.configs);
+    assert(plugin.configs['recommended']);
+    assert(plugin.configs['recommended-legacy']);
+  });
+});

package/test/{detect-bidi-characters.js → rules/detect-bidi-characters.js} RENAMED Viewed

@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester();
 const ruleName = 'detect-bidi-characters';
-const Rule = require(`../rules/${ruleName}`);
+const Rule = require(`../../rules/${ruleName}`);
 tester.run(ruleName, Rule, {
   valid: [
@@ -54,7 +54,7 @@ tester.run(`${ruleName} in comment-line`, Rule, {
           console.log("You are an admin.");
       /* end admins only ‮
 ⁦*/
-      /* end admins only ‮
+      /* end admins only ‮
  { ⁦*/
         `,
       errors: [

package/test/{detect-buffer-noassert.js → rules/detect-buffer-noassert.js} RENAMED Viewed

@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester();
 const ruleName = 'detect-buffer-noassert';
-const rule = require(`../rules/${ruleName}`);
+const rule = require(`../../rules/${ruleName}`);
 const allMethodNames = [...rule.meta.__methodsToCheck.read, ...rule.meta.__methodsToCheck.write];

package/test/{detect-child-process.js → rules/detect-child-process.js} RENAMED Viewed

@@ -9,7 +9,7 @@ const tester = new RuleTester({
 });
 const ruleName = 'detect-child-process';
-const rule = require(`../rules/${ruleName}`);
+const rule = require(`../../rules/${ruleName}`);
 tester.run(ruleName, rule, {
   valid: [

package/test/{detect-disable-mustache-escape.js → rules/detect-disable-mustache-escape.js} RENAMED Viewed

@@ -5,7 +5,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-disable-mustache-escape';
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [{ code: 'escapeMarkup = false' }],
   invalid: [
     {

package/test/{detect-eval-with-expression.js → rules/detect-eval-with-expression.js} RENAMED Viewed

@@ -5,7 +5,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-eval-with-expression';
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [{ code: "eval('alert()')" }],
   invalid: [
     {

package/test/{detect-new-buffer.js → rules/detect-new-buffer.js} RENAMED Viewed

@@ -6,7 +6,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-new-buffer';
 const invalid = 'var a = new Buffer(c)';
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [{ code: "var a = new Buffer('test')" }],
   invalid: [
     {

package/test/{detect-no-csrf-before-method-override.js → rules/detect-no-csrf-before-method-override.js} RENAMED Viewed

@@ -5,7 +5,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-no-csrf-before-method-override';
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [{ code: 'express.methodOverride();express.csrf()' }],
   invalid: [
     {

package/test/{detect-non-literal-fs-filename.js → rules/detect-non-literal-fs-filename.js} RENAMED Viewed

@@ -10,7 +10,7 @@ const tester = new RuleTester({
 const ruleName = 'detect-non-literal-fs-filename';
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [
     {
       code: `var fs = require('fs');
@@ -29,7 +29,7 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
             import { promises as fsp } from 'fs';
             import fs from 'fs';
             import path from 'path';
             const index = await fsp.readFile(path.resolve(__dirname, './index.html'), 'utf-8');
             const key = fs.readFileSync(path.join(__dirname, './ssl.key'));
             await fsp.writeFile(path.resolve(__dirname, './sitemap.xml'), sitemap);`,

package/test/{detect-non-literal-regexp.js → rules/detect-non-literal-regexp.js} RENAMED Viewed

@@ -6,7 +6,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-non-literal-regexp';
 const invalid = "var a = new RegExp(c, 'i')";
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [
     { code: "var a = new RegExp('ab+c', 'i')" },
     {

package/test/{detect-non-literal-require.js → rules/detect-non-literal-require.js} RENAMED Viewed

@@ -6,7 +6,7 @@ const tester = new RuleTester({ parserOptions: { ecmaVersion: 6 } });
 const ruleName = 'detect-non-literal-require';
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [
     { code: "var a = require('b')" },
     { code: 'var a = require(`b`)' },

package/test/{detect-object-injection.js → rules/detect-object-injection.js} RENAMED Viewed

@@ -5,7 +5,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-object-injection';
-const Rule = require(`../rules/${ruleName}`);
+const Rule = require(`../../rules/${ruleName}`);
 const valid = 'var a = {};';
 // const invalidVariable = "TODO";

package/test/{detect-possible-timing-attacks.js → rules/detect-possible-timing-attacks.js} RENAMED Viewed

@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester();
 const ruleName = 'detect-possible-timing-attacks';
-const Rule = require(`../rules/${ruleName}`);
+const Rule = require(`../../rules/${ruleName}`);
 const valid = 'if (age === 5) {}';
 const invalidLeft = "if (password === 'mypass') {}";

package/test/{detect-pseudoRandomBytes.js → rules/detect-pseudoRandomBytes.js} RENAMED Viewed

@@ -6,7 +6,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-pseudoRandomBytes';
 const invalid = 'crypto.pseudoRandomBytes';
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [{ code: 'crypto.randomBytes' }],
   invalid: [
     {

package/test/{detect-unsafe-regexp.js → rules/detect-unsafe-regexp.js} RENAMED Viewed

@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester();
 const ruleName = 'detect-unsafe-regex';
-const Rule = require(`../rules/${ruleName}`);
+const Rule = require(`../../rules/${ruleName}`);
 tester.run(ruleName, Rule, {
   valid: [{ code: '/^d+1337d+$/' }],

package/.eslintrc DELETED Viewed

@@ -1,31 +0,0 @@
-{
-  "extends": ["eslint:recommended", "prettier", "plugin:eslint-plugin/recommended"],
-  "parserOptions": {
-    "ecmaVersion": "latest"
-  },
-  "env": {
-    "node": true,
-    "es2020": true
-  },
-  "rules": {
-    "eslint-plugin/prefer-message-ids": "off", // TODO: enable
-    "eslint-plugin/require-meta-docs-description": ["error", { "pattern": "^(Detects|Enforces|Requires|Disallows) .+\\.$" }],
-    "eslint-plugin/require-meta-docs-url": [
-      "error",
-      {
-        "pattern": "https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/{{name}}.md"
-      }
-    ],
-    "eslint-plugin/require-meta-schema": "off", // TODO: enable
-    "eslint-plugin/require-meta-type": "off" // TODO: enable
-  },
-  "overrides": [
-    {
-      "files": ["test/**/*.js"],
-      "globals": {
-        "describe": "readonly",
-        "it": "readonly"
-      }
-    }
-  ]
-}