eslint-plugin-security 4.0.0 → 4.0.1

@@ -1,3 +1,3 @@
1
1
  {
2
- ".": "4.0.0"
2
+ ".": "4.0.1"
3
3
  }
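--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,12 @@
  # Changelog
 
+ ## [4.0.1](https://github.com/eslint-community/eslint-plugin-security/compare/eslint-plugin-security-v4.0.0...eslint-plugin-security-v4.0.1) (2026-06-12)
+
+
+ ### Bug Fixes
+
+ * treat import.meta.dirname and import.meta.filename as static ([#200](https://github.com/eslint-community/eslint-plugin-security/issues/200)) ([74c97bb](https://github.com/eslint-community/eslint-plugin-security/commit/74c97bb3326a6b4fe4718b2638bb3b0492cb90fd))
+
  ## [4.0.0](https://github.com/eslint-community/eslint-plugin-security/compare/eslint-plugin-security-v3.0.1...eslint-plugin-security-v4.0.0) (2026-02-19)
 
 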
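--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "eslint-plugin-security",
- "version": "4.0.0",
+ "version": "4.0.1",
  "description": "Security rules for eslint",
  "main": "index.js",
  "type": "commonjs",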
@@ -62,6 +62,13 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
62
62
  import url from 'url';
63
63
  const dirname = path.dirname(url.fileURLToPath(import.meta.url));
64
64
  const html = fs.readFileSync(path.resolve(dirname, './index.html'), 'utf-8');`,
65
+ `
66
+ import fs from 'fs';
67
+ import path from 'path';
68
+ const html = fs.readFileSync(path.resolve(import.meta.dirname, './index.html'), 'utf-8');`,
69
+ `
70
+ import fs from 'fs';
71
+ const pkg = fs.readFileSync(import.meta.filename, 'utf-8');`,
65
72
  {
66
73
  code: `
67
74
  import fs from 'fs';
@@ -201,5 +208,12 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
201
208
  },
202
209
  errors: [{ message: 'Found readFileSync from package "fs" with non literal argument at index 0' }],
203
210
  },
211
+ {
212
+ code: `
213
+ import fs from 'fs';
214
+ import path from 'path';
215
+ const key = fs.readFileSync(path.resolve(import.meta[prop], './index.html'));`,
216
+ errors: [{ message: 'Found readFileSync from package "fs" with non literal argument at index 0' }],
217
+ },
204
218
  ],
205
219
  });
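Review bot: The added cases do not cover a static `import.meta.dirname` base combined with a non-literal path segment, which is the combination that matters most now that the base is accepted as static. The only new-property coverage visible here is the two valid cases and the `import.meta[prop]` invalid case, so nothing pins that a variable segment is still reported. I would add an invalid case with `const html = fs.readFileSync(path.resolve(import.meta.dirname, name));` and the same 'non literal argument at index 0' error. The `valid` and `invalid` arrays start outside these hunks, so an equivalent case may already exist for `import.meta.url`.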
@@ -253,6 +253,20 @@ describe('isStaticExpression', () => {
253
253
  `,
254
254
  result: [true, false],
255
255
  },
256
+ {
257
+ code: `
258
+ target(import.meta.dirname);
259
+ target(import.meta.filename);
260
+ `,
261
+ result: [true, true],
262
+ },
263
+ {
264
+ code: `
265
+ target(import.meta[prop]);
266
+ target(import.meta.resolve('static'));
267
+ `,
268
+ result: [false, false],
269
+ },
256
270
  ]) {
257
271
  it(code, () => {
258
272
  deepStrictEqual(getIsStaticExpressionResult(code), result);
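Review bot: The negative rows cover a computed access and a call, but not a plain property that is simply absent from the allowlist. A row such as `target(import.meta.env);` with `result: [false]` would pin that only `url`, `dirname` and `filename` are accepted, so any later widening of the set shows up as a deliberate test change. The test table opens outside this hunk.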
@@ -7,6 +7,7 @@ const PATH_PACKAGE_NAMES = ['path', 'node:path', 'path/posix', 'node:path/posix'
7
7
  const URL_PACKAGE_NAMES = ['url', 'node:url'];
8
8
  const PATH_CONSTRUCTION_METHOD_NAMES = new Set(['basename', 'dirname', 'extname', 'join', 'normalize', 'relative', 'resolve', 'toNamespacedPath']);
9
9
  const PATH_STATIC_MEMBER_NAMES = new Set(['delimiter', 'sep']);
10
+ const IMPORT_META_STATIC_PROPERTY_NAMES = new Set(['url', 'dirname', 'filename']);
10
11
 
11
12
  /**
12
13
  * @type {WeakMap<import("estree").Expression, boolean>}
@@ -83,7 +84,7 @@ function isStaticExpression({ node, scope }) {
83
84
  return false;
84
85
  }
85
86
  }
86
- return isStaticPath(node) || isStaticFileURLToPath(node) || isStaticImportMetaUrl(node) || isStaticRequireResolve(node) || isStaticCwd(node);
87
+ return isStaticPath(node) || isStaticFileURLToPath(node) || isStaticImportMetaProperty(node) || isStaticRequireResolve(node) || isStaticCwd(node);
87
88
  }
88
89
 
89
90
  /**
@@ -150,17 +151,21 @@ function isStaticExpression({ node, scope }) {
150
151
  }
151
152
 
152
153
  /**
153
- * Checks whether the given expression is an `import.meta.url`.
154
+ * Checks whether the given expression is a static `import.meta` property,
155
+ * i.e. `import.meta.url`, `import.meta.dirname`, or `import.meta.filename`.
156
+ *
157
+ * `import.meta.dirname` and `import.meta.filename` are available in Node.js
158
+ * 20.11.0+ / 21.2.0+ and resolve to constant values for a given module.
154
159
  *
155
160
  * @param {import("estree").Expression} node The node to check.
156
- * @returns {boolean} if true, the given expression is an `import.meta.url`.
161
+ * @returns {boolean} if true, the given expression is a static `import.meta` property.
157
162
  */
158
- function isStaticImportMetaUrl(node) {
163
+ function isStaticImportMetaProperty(node) {
159
164
  return (
160
165
  node.type === 'MemberExpression' &&
161
166
  !node.computed &&
162
167
  node.property.type === 'Identifier' &&
163
- node.property.name === 'url' &&
168
+ IMPORT_META_STATIC_PROPERTY_NAMES.has(node.property.name) &&
164
169
  node.object.type === 'MetaProperty' &&
165
170
  node.object.meta.name === 'import' &&
166
171
  node.object.property.name === 'meta'
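Review bot: `IMPORT_META_STATIC_PROPERTY_NAMES`, added next to `PATH_STATIC_MEMBER_NAMES`, has no comment, although every name in it makes `isStaticExpression` accept that property and, judging by the new valid test cases, stops the non-literal filename rule from reporting paths built on it. I would document that where it is declared, for example `// import.meta properties whose value is fixed by the module loader; each entry suppresses non-literal path reports, so add only loader-set values.` The JSDoc on `isStaticImportMetaProperty` lists the three names by hand and would drift if the set grows; referring to the constant there avoids that. The function body continues past the end of the last hunk.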