
eslint-plugin-security-rules

v0.8.0

Downloads

17,747

Readme

ESLint security rules to help harden your project as early as possible.

NB: This project was written as an artefact for a master's thesis at the IT University of Copenhagen and it should still be considered a work in progress.

Installation

  • Requires Node.js >=14
  • Requires ESLint >=8

yarn add --dev eslint-plugin-security-rules

Usage

To add the recommended eslint-plugin-security-rules ruleset to your project, put the following in your .eslintrc configuration (ESLint strips // comments from JSON config files, but it does not accept trailing commas):

{
  "extends": [
    "plugin:security-rules/recommended"
  ],
  // Declare the environments you actually target. The rules trace data flow
  // from environment-specific sources (e.g. req in Node, location in the
  // browser), so an accurate "env" improves the tracing considerably.
  "env": {
    "node": true,
    "browser": true,
    "es6": true
  },
  "overrides": [
    {
      "files": ["*.ts", "*.tsx"],
      "extends": ["plugin:@typescript-eslint/recommended"],
      // To improve the accuracy of the tracing algorithm on TypeScript,
      // provide the "project" option for @typescript-eslint/parser so the
      // rules marked 💭 below can use type information.
      // See
      // https://github.com/typescript-eslint/typescript-eslint/tree/main/packages/parser#parseroptionsproject
      "parserOptions": {
        "project": ["./tsconfig.json"]
      }
    }
  ]
}

Rules

eslint-plugin-security-rules ships several rulesets, each scoped to the environment or package it targets, so you can enable only the rules relevant to your project.

  • 'plugin:security-rules/recommended': the recommended security rules; includes every rule that can be dropped in without additional configuration.
  • 'plugin:security-rules/node': rules for vulnerabilities in code intended to run in a Node.js environment.
  • 'plugin:security-rules/browser': rules for vulnerabilities in code intended to run in a browser.
  • 'plugin:security-rules/universal': rules for vulnerabilities that can occur regardless of the environment the code runs in.
  • 'plugin:security-rules/package': rules that check for safe usage of dependencies by scanning package.json files.
  • 'plugin:security-rules/react': security rules targeting code that uses the react package.
  • 'plugin:security-rules/pg': security rules targeting code that uses the pg (Postgres) package.
  • 'plugin:security-rules/mysql': security rules targeting code that uses the mysql package.

Key:

  • ✅ = recommended
  • 🔧 = fixable with a suggestion
  • 💭 = enhanced by TypeScript type information when available
  • 🌩 = requires TypeScript type information

Browser

| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|:--------|:------------|:--:|:--:|:--:|:----:|
| security-rules/browser/no-xss | Detects DOM-based XSS vulnerabilities in browser sinks | ✅ | 🔧 | 💭 | |

Node

| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|:--------|:------------|:--:|:--:|:--:|:----:|
| security-rules/node/no-unsafe-path | Flags unsafe (traversable) paths passed to the file system through "fs" | ✅ | 🔧 | 💭 | |
| security-rules/node/no-insecure-ciphers | Detects unsafe cipher algorithms that should not be used | ✅ | 🔧 | 💭 | |

Universal

| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|:--------|:------------|:--:|:--:|:--:|:----:|
| security-rules/universal/no-hardcoded-credentials | Detects hardcoded secrets in a file | | | | |
| security-rules/universal/no-vulnerable-dependencies | Reports import statements that resolve to a vulnerable version of a package | ✅ | | | |

Package.json

| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|:--------|:------------|:--:|:--:|:--:|:----:|
| security-rules/package/no-vulnerable-dependencies | Reports installed dependencies of the project that are at a vulnerable version | ✅ | 🔧 | | |

Package specific rulesets

The following rulesets target specific popular packages and scan for vulnerable usage of them.

React

| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|:--------|:------------|:--:|:--:|:--:|:----:|
| security-rules/react/no-xss | Detects DOM-based XSS vulnerabilities introduced in JSX | ✅ | 🔧 | 💭 | |

Postgres (pg)

| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|:--------|:------------|:--:|:--:|:--:|:----:|
| security-rules/pg/no-sql-injections | Detects queries vulnerable to SQL injection | ✅ | 🔧 | 💭 | |
| security-rules/pg/no-hardcoded-credentials | Detects hardcoded secrets in a file | ✅ | | 💭 | |

MySQL

| Name | Description | ✅ | 🔧 | 💭 | 🌩 |
|:--------|:------------|:--:|:--:|:--:|:----:|
| security-rules/mysql/no-sql-injections | Detects queries vulnerable to SQL injection | ✅ | 🔧 | 💭 | |
| security-rules/mysql/no-hardcoded-credentials | Detects hardcoded secrets in a file | ✅ | | 💭 | |