oauthlint 0.2.2 → 0.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +1 -1
- package/README.md +19 -26
- package/package.json +3 -3
package/LICENSE
CHANGED
package/README.md
CHANGED
|
@@ -1,17 +1,14 @@
|
|
|
1
1
|
<div align="center">
|
|
2
2
|
|
|
3
|
-
<img src="https://raw.githubusercontent.com/Auspeo/oauthlint/main/docs/public/logo.svg" width="76" alt="oauthlint logo" />
|
|
4
|
-
|
|
5
3
|
# oauthlint
|
|
6
4
|
|
|
7
5
|
**Catch the OAuth / OIDC / JWT anti-patterns AI coding tools systematically produce.**
|
|
8
6
|
|
|
9
|
-
|
|
7
|
+
A curated, multi-language Semgrep rule pack · JS/TS · Python · Go · Java · Rust (and growing) · CLI + GitHub Action + VS Code · free & MIT
|
|
10
8
|
|
|
11
9
|
[](https://www.npmjs.com/package/oauthlint)
|
|
12
10
|
[](https://www.npmjs.com/package/oauthlint)
|
|
13
|
-
[](https://github.com/Auspeo/oauthlint/blob/main/LICENSE)
|
|
11
|
+
[](https://opensource.org/licenses/MIT)
|
|
15
12
|
[](https://oauthlint.dev)
|
|
16
13
|
|
|
17
14
|
</div>
|
|
@@ -44,12 +41,6 @@ oauthlint is the layer between generic SAST and an enterprise IAM program:
|
|
|
44
41
|
**free, focused, developer-first.** Every finding names the rule, the exact
|
|
45
42
|
`file:line`, *why* it's dangerous, and *how* to fix it — with CWE/OWASP mappings.
|
|
46
43
|
|
|
47
|
-
<div align="center">
|
|
48
|
-
|
|
49
|
-

|
|
50
|
-
|
|
51
|
-
</div>
|
|
52
|
-
|
|
53
44
|
## Why oauthlint, and not just Semgrep?
|
|
54
45
|
|
|
55
46
|
Honest answer: nothing stops you from writing these rules yourself. Semgrep is
|
|
@@ -60,9 +51,10 @@ oauthlint gives you is the work most people never do:
|
|
|
60
51
|
- **Low false positives, validated against real auth libraries.** The rules are
|
|
61
52
|
run against `jose`, NextAuth, PyJWT, Authlib, `golang/oauth2`, `oauth2-rs`,
|
|
62
53
|
Spring Security and more. Anything that fires on mature library source goes to
|
|
63
|
-
a triage queue, not to you —
|
|
64
|
-
on the clean
|
|
65
|
-
|
|
54
|
+
a triage queue, not to you — validated across thousands of files of real
|
|
55
|
+
auth-library source, with **zero false positives** on the clean libraries
|
|
56
|
+
([validation report](https://oauthlint.dev/VALIDATION)).
|
|
57
|
+
- **One coherent product across every language it covers.** Same concepts, same ID scheme,
|
|
66
58
|
same docs — not a patchwork of community rules with mismatched styles.
|
|
67
59
|
- **Every finding teaches.** All 90 rules link to a fix page with CWE and OWASP
|
|
68
60
|
mappings. It's a lesson, not a grep hit.
|
|
@@ -134,18 +126,19 @@ Or just fail the build on HIGH findings: `npx oauthlint scan ./src --fail-on HIG
|
|
|
134
126
|
|
|
135
127
|
## What it catches
|
|
136
128
|
|
|
137
|
-
|
|
138
|
-
|
|
129
|
+
Rules across OAuth 2.0, OIDC, JWT, cookies, CORS, secrets and session hygiene —
|
|
130
|
+
each mapped to CWE & OWASP, each with a documentation page. Languages covered
|
|
131
|
+
today (more on the way):
|
|
139
132
|
|
|
140
|
-
| Language |
|
|
141
|
-
|
|
142
|
-
| JavaScript / TypeScript |
|
|
143
|
-
| Python
|
|
144
|
-
| Java
|
|
145
|
-
| Go
|
|
146
|
-
| Rust
|
|
133
|
+
| Language | Libraries |
|
|
134
|
+
|----------|-----------|
|
|
135
|
+
| JavaScript / TypeScript | jose, jsonwebtoken, NextAuth, express, … |
|
|
136
|
+
| Python | PyJWT, Authlib, requests, Flask, Django |
|
|
137
|
+
| Java | Spring Security, jjwt, nimbus-jose-jwt |
|
|
138
|
+
| Go | golang-jwt, crypto/tls, net/http |
|
|
139
|
+
| Rust | jsonwebtoken, reqwest, actix/tower |
|
|
147
140
|
|
|
148
|
-
👉 **Browse the full catalogue at [oauthlint.dev/rules](https://oauthlint.dev/rules/).**
|
|
141
|
+
👉 **Browse the full, always-current catalogue at [oauthlint.dev/rules](https://oauthlint.dev/rules/).**
|
|
149
142
|
|
|
150
143
|
## Configuration
|
|
151
144
|
|
|
@@ -184,5 +177,5 @@ the next reviewer needs to see exactly which lines opted out, and why.
|
|
|
184
177
|
|
|
185
178
|
## License
|
|
186
179
|
|
|
187
|
-
MIT — see [LICENSE](https://github.com/Auspeo/oauthlint/blob/main/LICENSE).
|
|
188
|
-
by [
|
|
180
|
+
MIT — see [LICENSE](https://github.com/Auspeo/oauthlint/blob/main/LICENSE).
|
|
181
|
+
Built and maintained by [Auspeo](https://github.com/Auspeo).
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "oauthlint",
|
|
3
|
-
"version": "0.2.
|
|
3
|
+
"version": "0.2.3",
|
|
4
4
|
"description": "Catch the OAuth/OIDC/JWT anti-patterns AI coding tools systematically produce. CLI wrapper around the oauthlint-rules Semgrep rule pack.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/index.js",
|
|
@@ -47,7 +47,7 @@
|
|
|
47
47
|
"picocolors": "1.1.1",
|
|
48
48
|
"yaml": "2.9.0",
|
|
49
49
|
"zod": "3.24.1",
|
|
50
|
-
"oauthlint-rules": "0.2.
|
|
50
|
+
"oauthlint-rules": "0.2.2"
|
|
51
51
|
},
|
|
52
52
|
"devDependencies": {
|
|
53
53
|
"@types/node": "22.10.5",
|
|
@@ -65,7 +65,7 @@
|
|
|
65
65
|
"homepage": "https://oauthlint.dev",
|
|
66
66
|
"bugs": "https://github.com/Auspeo/oauthlint/issues",
|
|
67
67
|
"license": "MIT",
|
|
68
|
-
"author": "
|
|
68
|
+
"author": "Auspeo (https://github.com/Auspeo)",
|
|
69
69
|
"engines": {
|
|
70
70
|
"node": ">=20.0.0"
|
|
71
71
|
},
|