eslint-plugin-security 4.0.0 → 4.0.1
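--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## [4.0.1](https://github.com/eslint-community/eslint-plugin-security/compare/eslint-plugin-security-v4.0.0...eslint-plugin-security-v4.0.1) (2026-06-12)
+
+
+### Bug Fixes
+
+* treat import.meta.dirname and import.meta.filename as static ([#200](https://github.com/eslint-community/eslint-plugin-security/issues/200)) ([74c97bb](https://github.com/eslint-community/eslint-plugin-security/commit/74c97bb3326a6b4fe4718b2638bb3b0492cb90fd))
+
 ## [4.0.0](https://github.com/eslint-community/eslint-plugin-security/compare/eslint-plugin-security-v3.0.1...eslint-plugin-security-v4.0.0) (2026-02-19)
 
 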
package/package.json
CHANGED
|
@@ -62,6 +62,13 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
|
|
|
62
62
|
import url from 'url';
|
|
63
63
|
const dirname = path.dirname(url.fileURLToPath(import.meta.url));
|
|
64
64
|
const html = fs.readFileSync(path.resolve(dirname, './index.html'), 'utf-8');`,
|
|
65
|
+
`
|
|
66
|
+
import fs from 'fs';
|
|
67
|
+
import path from 'path';
|
|
68
|
+
const html = fs.readFileSync(path.resolve(import.meta.dirname, './index.html'), 'utf-8');`,
|
|
69
|
+
`
|
|
70
|
+
import fs from 'fs';
|
|
71
|
+
const pkg = fs.readFileSync(import.meta.filename, 'utf-8');`,
|
|
65
72
|
{
|
|
66
73
|
code: `
|
|
67
74
|
import fs from 'fs';
|
|
@@ -201,5 +208,12 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
|
|
|
201
208
|
},
|
|
202
209
|
errors: [{ message: 'Found readFileSync from package "fs" with non literal argument at index 0' }],
|
|
203
210
|
},
|
|
211
|
+
{
|
|
212
|
+
code: `
|
|
213
|
+
import fs from 'fs';
|
|
214
|
+
import path from 'path';
|
|
215
|
+
const key = fs.readFileSync(path.resolve(import.meta[prop], './index.html'));`,
|
|
216
|
+
errors: [{ message: 'Found readFileSync from package "fs" with non literal argument at index 0' }],
|
|
217
|
+
},
|
|
204
218
|
],
|
|
205
219
|
});
|
|
@@ -253,6 +253,20 @@ describe('isStaticExpression', () => {
|
|
|
253
253
|
`,
|
|
254
254
|
result: [true, false],
|
|
255
255
|
},
|
|
256
|
+
{
|
|
257
|
+
code: `
|
|
258
|
+
target(import.meta.dirname);
|
|
259
|
+
target(import.meta.filename);
|
|
260
|
+
`,
|
|
261
|
+
result: [true, true],
|
|
262
|
+
},
|
|
263
|
+
{
|
|
264
|
+
code: `
|
|
265
|
+
target(import.meta[prop]);
|
|
266
|
+
target(import.meta.resolve('static'));
|
|
267
|
+
`,
|
|
268
|
+
result: [false, false],
|
|
269
|
+
},
|
|
256
270
|
]) {
|
|
257
271
|
it(code, () => {
|
|
258
272
|
deepStrictEqual(getIsStaticExpressionResult(code), result);
|
|
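Review bot: The negative cases added to the `isStaticExpression` table do not exercise the property allowlist itself. `import.meta[prop]` is rejected by the `!node.computed` guard, and `import.meta.resolve('static')` is a call expression rather than a member expression, so as far as the visible code shows both would still return false if the `IMPORT_META_STATIC_PROPERTY_NAMES.has(...)` check were dropped or the set widened. That set decides which paths the fs-filename rule stops reporting, so a plain non-listed member should be pinned as non-static, for example a case with `target(import.meta.other);` and `result: [false]`. The invalid case added to the rule test has the same gap, since it only covers `import.meta[prop]`. The test table and the loop that consumes it start and end outside this hunk.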
@@ -7,6 +7,7 @@ const PATH_PACKAGE_NAMES = ['path', 'node:path', 'path/posix', 'node:path/posix'
|
|
|
7
7
|
const URL_PACKAGE_NAMES = ['url', 'node:url'];
|
|
8
8
|
const PATH_CONSTRUCTION_METHOD_NAMES = new Set(['basename', 'dirname', 'extname', 'join', 'normalize', 'relative', 'resolve', 'toNamespacedPath']);
|
|
9
9
|
const PATH_STATIC_MEMBER_NAMES = new Set(['delimiter', 'sep']);
|
|
10
|
+
const IMPORT_META_STATIC_PROPERTY_NAMES = new Set(['url', 'dirname', 'filename']);
|
|
10
11
|
|
|
11
12
|
/**
|
|
12
13
|
* @type {WeakMap<import("estree").Expression, boolean>}
|
|
@@ -83,7 +84,7 @@ function isStaticExpression({ node, scope }) {
|
|
|
83
84
|
return false;
|
|
84
85
|
}
|
|
85
86
|
}
|
|
86
|
-
return isStaticPath(node) || isStaticFileURLToPath(node) ||
|
|
87
|
+
return isStaticPath(node) || isStaticFileURLToPath(node) || isStaticImportMetaProperty(node) || isStaticRequireResolve(node) || isStaticCwd(node);
|
|
87
88
|
}
|
|
88
89
|
|
|
89
90
|
/**
|
|
@@ -150,17 +151,21 @@ function isStaticExpression({ node, scope }) {
|
|
|
150
151
|
}
|
|
151
152
|
|
|
152
153
|
/**
|
|
153
|
-
* Checks whether the given expression is
|
|
154
|
+
* Checks whether the given expression is a static `import.meta` property,
|
|
155
|
+
* i.e. `import.meta.url`, `import.meta.dirname`, or `import.meta.filename`.
|
|
156
|
+
*
|
|
157
|
+
* `import.meta.dirname` and `import.meta.filename` are available in Node.js
|
|
158
|
+
* 20.11.0+ / 21.2.0+ and resolve to constant values for a given module.
|
|
154
159
|
*
|
|
155
160
|
* @param {import("estree").Expression} node The node to check.
|
|
156
|
-
* @returns {boolean} if true, the given expression is
|
|
161
|
+
* @returns {boolean} if true, the given expression is a static `import.meta` property.
|
|
157
162
|
*/
|
|
158
|
-
function
|
|
163
|
+
function isStaticImportMetaProperty(node) {
|
|
159
164
|
return (
|
|
160
165
|
node.type === 'MemberExpression' &&
|
|
161
166
|
!node.computed &&
|
|
162
167
|
node.property.type === 'Identifier' &&
|
|
163
|
-
node.property.name
|
|
168
|
+
IMPORT_META_STATIC_PROPERTY_NAMES.has(node.property.name) &&
|
|
164
169
|
node.object.type === 'MetaProperty' &&
|
|
165
170
|
node.object.meta.name === 'import' &&
|
|
166
171
|
node.object.property.name === 'meta'
|