eslint-plugin-node-security
v4.1.0
Security-focused ESLint plugin for Node.js built-in modules (fs, child_process, vm, path, Buffer). Detects command injection, path traversal, and code execution vulnerabilities, and reports them with AI-parseable error messages.
Description
This plugin provides security rules for Node.js core modules (fs, child_process, crypto, etc.).
Philosophy
Interlace fosters strength through integration. Instead of stacking isolated rules, we interlace security directly into your workflow to create a resilient fabric of code. We believe tools should guide rather than gatekeep, providing educational feedback that strengthens the developer with every interaction.
Getting Started
- To check out the guide, visit eslint.interlace.tools. 📚
npm install eslint-plugin-node-security --save-dev
⚙️ Configuration Presets
| Preset | Description |
| :------------ | :---------------------------------------------------- |
| recommended | Balanced security for most Node.js projects |
| strict | Maximum security enforcement (all rules as errors) |
| fs-security | Focus on file system vulnerabilities (CWE-22, CWE-73) |
| crypto | Cryptographic security rules only |
💡 What You Get
- 31 security rules covering Node.js core module vulnerabilities
- Command injection detection for child_process.exec, spawn, and execFile
- Path traversal prevention for fs module operations
- TOCTOU race condition detection for file system operations
- Cryptographic security for weak algorithms and key management
- LLM-optimized messages with CWE references and fix guidance
📦 Compatibility
| Package | Version |
| :--- | :--- |
| ESLint | ^8.0.0 \|\| ^9.0.0 \|\| ^10.0.0 |
| Node.js | >=18.0.0 |
See the ESLint Version Support Policy — current ecosystem share data, the 20% gate, and the forward-looking exception that covers v10.
Rules
Legend
| Icon | Description |
| :---: | :--- |
| 💼 | Recommended: Included in the recommended preset. |
| ⚠️ | Warns: Set to warn in recommended preset. |
| 🔧 | Auto-fixable: Automatically fixable by the --fix CLI option. |
| 💡 | Suggestions: Provides code suggestions in the IDE. |
| 🚫 | Deprecated: This rule is deprecated. |
| 🟢 | Type-unaware: AST-only, runs in oxlint JS-plugin tier. |
| 🟡 | Type-aware (refining): pure-AST primary path; types refine precision. |
| 🟠 | Type-aware (graceful): requires TS program; silent without it. |
| Rule | CWE | OWASP | CVSS | Description | 🧠 | 💼 | ⚠️ | 🔧 | 💡 | 🚫 |
| :--- | :---: | :---: | :---: | :--- | :---: | :---: | :---: | :---: | :---: | :---: |
| detect-child-process | CWE-78 | | | Detects instances of child_process & non-literal exec() calls that may allow command injection | 🟢 | | | | | |
| detect-eval-with-expression | CWE-95 | A03:2021 | | Detects eval(variable) which can allow an attacker to run arbitrary code inside your process | 🟢 | | | | | |
| detect-non-literal-fs-filename | CWE-22 | | | Detects variable in filename argument of fs calls, which might allow an attacker to access anything on your… | 🟢 | | | | | |
| detect-suspicious-dependencies | CWE-506 | | | This rule detects package imports that look like typosquatting attempts on popular npm packages | 🟢 | | | | | |
| lock-file | CWE-829 | | | CWE-829: Inclusion of Functionality from Untrusted Control Sphere (no further description provided) | 🟢 | | | | | |
| no-arbitrary-file-access | CWE-22 | A01:2021 | | Prevents file system access with unsanitized user input to protect against path traversal attacks. | 🟢 | | | | | |
| no-buffer-overread | CWE-126 | | | Detects buffer access beyond bounds | 🟢 | | | | | |
| no-cryptojs | CWE-1104 | A06:2021 | | Disallow deprecated crypto-js library (use native crypto instead) | 🟢 | | | | | |
| no-cryptojs-weak-random | CWE-338 | A02:2021 | | Disallow crypto-js WordArray.random() (CVE-2020-36732) | 🟢 | | | | | |
| no-data-in-temp-storage | CWE-312 | | | Temporary directories (/tmp, /var/tmp, temp/) are often world-readable or persist longer than expected | 🟢 | | | | | |
| no-deprecated-buffer | CWE-676 | | | Disallow the deprecated new Buffer() constructor and Buffer() factory call. | 🟢 | | | | 💡 | |
| no-deprecated-cipher-method | CWE-327 | A02:2021 | | Disallow deprecated crypto.createCipher/createDecipher methods | 🟢 | | | | | |
| no-dynamic-dependency-loading | CWE-1104 | | | This rule detects dynamically constructed paths in require() and import() statements | 🟢 | | | | | |
| no-dynamic-require | | | | Forbid require() calls with non-literal arguments | 🟢 | | | | | |
| no-ecb-mode | CWE-327 | A02:2021 | | Disallow ECB encryption mode (use GCM or CBC instead) | 🟢 | | | | | |
| no-insecure-key-derivation | CWE-916 | A02:2021 | | Disallow PBKDF2 with insufficient iterations (< 100,000) | 🟢 | | | | | |
| no-insecure-rsa-padding | CWE-327 | A02:2021 | | Disallow RSA PKCS#1 v1.5 padding (CVE-2023-46809 Marvin Attack) | 🟢 | | | | | |
| no-pii-in-logs | CWE-532 | | | CWE-532: Insertion of Sensitive Information into Log File (no further description provided) | 🟢 | | | | | |
| no-self-signed-certs | CWE-295 | A07:2021 | | Disallow rejectUnauthorized false in TLS options | 🟢 | | | | | |
| no-sha1-hash | CWE-327 | A02:2021 | | Disallow sha1() from crypto-hash package (use sha256 or sha512) | 🟢 | | | | | |
| no-ssrf | CWE-918 | A10:2021 | | Detect HTTP requests with user-controlled URLs (server-side request forgery). | 🟢 | | | | 💡 | |
| no-static-iv | CWE-329 | A02:2021 | | Disallow static or hardcoded initialization vectors (IVs) | 🟢 | | | | | |
| no-timing-unsafe-compare | CWE-208 | A02:2021 | | Disallow timing-unsafe comparison of secrets | 🟢 | | | | | |
| no-toctou-vulnerability | CWE-367 | A01:2021 | | Detects Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerabilities in file system operations. | 🟢 | | | | | |
| no-unsafe-dynamic-require | CWE-494 | | | Disallows dynamic require() calls with non-literal arguments that could lead to security vulnerabilities | 🟢 | | | | | |
| no-weak-cipher-algorithm | CWE-327 | A02:2021 | | Disallow weak cipher algorithms (DES, 3DES, RC4, Blowfish, RC2, IDEA) | 🟢 | | | | | |
| no-weak-hash-algorithm | CWE-327 | A02:2021 | | Disallow weak hash algorithms (MD5, MD4, SHA-1, RIPEMD) | 🟢 | | | | | |
| no-zip-slip | CWE-22 | | | Detects zip slip/archive extraction vulnerabilities | 🟢 | | | | | |
| prefer-native-crypto | CWE-1104 | A06:2021 | | Prefer native crypto over third-party libraries | 🟢 | | | | | |
| require-dependency-integrity | CWE-494 | | | CWE-494: Download of Code Without Integrity Check (no further description provided) | 🟢 | | | | | |
| require-secure-credential-storage | CWE-312 | | | This rule detects when credentials are stored using localStorage.setItem() or fs.writeFile() without encryp… | 🟢 | | | | | |
| require-secure-deletion | CWE-459 | | | CWE-459: Incomplete Cleanup (no further description provided) | 🟢 | | | | | |
| require-storage-encryption | CWE-312 | | | CWE-312: Cleartext Storage of Sensitive Information (no further description provided) | 🟢 | | | | | |
🔗 Related ESLint Plugins
Part of the Interlace ESLint Ecosystem — AI-native security plugins with LLM-optimized error messages:
| Plugin | Description |
| :--- | :--- |
| eslint-plugin-secure-coding | General security rules & OWASP guidelines. |
| eslint-plugin-pg | PostgreSQL security & best practices. |
| eslint-plugin-node-security | Node.js core-module security (fs, child_process, vm, crypto, Buffer). |
| eslint-plugin-jwt | JWT security & best practices. |
| eslint-plugin-browser-security | Browser-specific security & XSS prevention. |
| eslint-plugin-express-security | Express.js security hardening rules. |
| eslint-plugin-lambda-security | AWS Lambda security best practices. |
| eslint-plugin-nestjs-security | NestJS security rules & patterns. |
| eslint-plugin-mongodb-security | MongoDB security best practices. |
| eslint-plugin-vercel-ai-security | Vercel AI SDK security hardening. |
| eslint-plugin-import-next | Next-gen import sorting & architecture. |
📄 License
MIT © Ofri Peretz
