eslint-plugin-pg

v1.3.1

Published

11 days ago

ESLint plugin with security and best practices rules for the pg Node.js driver

0High
0Medium
0Low

ofriperetz

eslint eslint-plugin pg postgres postgresql node-postgres security best-practices code-quality

Description

This plugin secures your Node.js applications by enforcing safe PostgreSQL interactions and preventing SQL injection vulnerabilities. It validates queries to ensure parameterized inputs are used, proactively flagging unsafe patterns before they reach production. By adopting these rules, you can maintain data integrity and protect your database from common exploits.

Philosophy

Interlace fosters strength through integration. Instead of stacking isolated rules, we interlace security directly into your workflow to create a resilient fabric of code. We believe tools should guide rather than gatekeep, providing educational feedback that strengthens the developer with every interaction.

Getting Started

To check out the guide, visit eslint.interlace.tools. 📚
要查看中文指南, 请访问 eslint.interlace.tools. 📚
가이드 문서는 eslint.interlace.tools에서 확인하실 수 있습니다. 📚
ガイドは eslint.interlace.toolsでご確認ください。 📚
Para ver la guía, visita eslint.interlace.tools. 📚
للاطلاع على الدليل، قم بزيارة eslint.interlace.tools. 📚

npm install eslint-plugin-pg --save-dev

💡 What You Get

PostgreSQL-specific rules: Catches pg driver anti-patterns that generic linters miss
LLM-optimized messages: Structured 2-line errors with CWE + fixes that AI assistants can apply
Connection safety: Prevents leaks, double releases, and transaction race conditions
SQL security: SQL injection, search_path hijacking, file access via COPY
Performance patterns: N+1 queries, SELECT *, bulk operation suggestions

Every rule produces a structured error message:

src/db.ts
  42:15  error  🔒 CWE-89 OWASP:A03-Injection CVSS:9.8 | Unsafe query detected | CRITICAL
                    Fix: Use parameterized query: client.query('SELECT * FROM users WHERE id = $1', [userId])

⚙️ Configuration Presets

📚 Supported Libraries

| Library | npm | Downloads | Detection | | -------------------- | ------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- | ------------------------------- | | pg (node-postgres) | | | SQL Injection, Connection Leaks |

Custom Configuration

import pg from 'eslint-plugin-pg';

export default [
  {
    plugins: { pg },
    rules: {
      'pg/no-unsafe-query': 'error',
      'pg/no-select-all': 'off', // Disable if needed
    },
  },
];

AI-Optimized Messages

This plugin is optimized for ESLint's Model Context Protocol (MCP), enabling AI assistants like Cursor, GitHub Copilot, and Claude to:

Understand the exact vulnerability type via CWE references
Apply the correct fix using structured guidance
Provide educational context to developers

// .cursor/mcp.json
{
  "mcpServers": {
    "eslint": {
      "command": "npx",
      "args": ["@eslint/mcp@latest"]
    }
  }
}

By providing this structured context (CWE, OWASP, Fix), we enable AI tools to reason about the security flaw rather than hallucinating. This allows Copilot/Cursor to suggest the exact correct fix immediately.

See AGENTS.md for agent-specific resolution strategies.

🔒 Privacy

This plugin runs 100% locally. No data ever leaves your machine.

Rules

Legend

| Icon | Description | | :--: | :----------------------------------------------------------------- | | 💼 | Recommended: Included in the recommended preset. | | ⚠️ | Warns: Set towarn in recommended preset. | | 🔧 | Auto-fixable: Automatically fixable by the --fix CLI option. | | 💡 | Suggestions: Providing code suggestions in IDE. | | 🚫 | Deprecated: This rule is deprecated. |

| Rule | CWE | OWASP | CVSS | Description | 💼 | ⚠️ | 🔧 | 💡 | 🚫 | | :-------------------------------------------------------------------------------------------------- | :-----: | :------: | :--: | :--------------------------------------------------------------------- | :-: | :-: | :-: | :-: | :-: | | no-unsafe-query | CWE-89 | A03:2025 | | no-unsafe-query | 💼 | | | 💡 | | | no-insecure-ssl | CWE-295 | A05:2025 | | no-insecure-ssl | 💼 | | | 💡 | | | no-hardcoded-credentials | CWE-798 | A05:2025 | | no-hardcoded-credentials | 💼 | | | 💡 | | | no-unsafe-search-path | CWE-426 | A01:2025 | | no-unsafe-search-path | 💼 | | | 💡 | | | no-unsafe-copy-from | CWE-22 | A03:2025 | | no-unsafe-copy-from | 💼 | | | 💡 | | | no-transaction-on-pool | CWE-362 | A04:2025 | | no-transaction-on-pool | 💼 | | | 💡 | | | no-missing-client-release | CWE-772 | A09:2025 | | no-missing-client-release | 💼 | | | 💡 | | | prevent-double-release | CWE-415 | A04:2025 | | prevent-double-release | 💼 | | | 💡 | | | no-floating-query | CWE-252 | A06:2025 | | no-floating-query | 💼 | | | 💡 | | | check-query-params | CWE-20 | A06:2025 | | check-query-params | 💼 | ⚠️ | | 💡 | | | no-select-all | CWE-400 | A04:2025 | | no-select-all | 💼 | ⚠️ | | 💡 | | | prefer-pool-query | CWE-404 | A04:2025 | | prefer-pool-query | 💼 | ⚠️ | | 💡 | | | no-batch-insert-loop | CWE-400 | A04:2025 | | no-batch-insert-loop | 💼 | ⚠️ | | 💡 | |