eslint-plugin-vercel-ai-security

v1.3.6

Published

5 hours ago

Security-focused ESLint plugin for Vercel AI SDK. SDK-aware rules for generateText, streamText, tools, and streaming patterns with full type knowledge.

⭐ If this plugin caught a real bug for you, star the repo — it's the signal that keeps these rules maintained.

Description

This plugin provides Security rules for Vercel AI SDK usage (prompt injection, data handling).

Philosophy

Interlace fosters strength through integration. Instead of stacking isolated rules, we interlace security directly into your workflow to create a resilient fabric of code. We believe tools should guide rather than gatekeep, providing educational feedback that strengthens the developer with every interaction.

Getting Started

To check out the guide, visit eslint.interlace.tools. 📚
要查看中文指南, 请访问 eslint.interlace.tools. 📚
가이드 문서는 eslint.interlace.tools에서 확인하실 수 있습니다. 📚
ガイドは eslint.interlace.toolsでご確認ください。 📚
Para ver la guía, visita eslint.interlace.tools. 📚
للاطلاع على الدليل، قم بزيارة eslint.interlace.tools. 📚

npm install eslint-plugin-vercel-ai-security --save-dev

⚙️ Configuration Presets

📚 Supported Libraries

| Library | npm | Downloads | Detection | | -------------------- | ------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- | ------------------------------ | | ai (Vercel AI SDK) | | | Prompt Injection, Data Leakage |

🤖 AI-Agent Optimized Messages

All rule messages follow a structured format optimized for AI coding assistants:

🔒 CWE-74 OWASP:A03-Injection CVSS:9 | Unsafe Prompt | CRITICAL [SOC2,GDPR]
   Fix: Validate input before use | https://owasp.org/...

By providing this structured context (CWE, OWASP, Fix), we enable AI tools to reason about the security flaw rather than hallucinating. This allows Copilot/Cursor to suggest the exact correct fix immediately.

🔧 Supported AI SDK Functions

| Function | Full Coverage | | ---------------------- | ------------------------------ | | generateText | ✅ All 19 rules | | streamText | ✅ All 19 rules + abort signal | | generateObject | ✅ All 19 rules | | streamObject | ✅ All 19 rules + abort signal | | tool() helper | ✅ Schema validation | | embed() / embeddings | ✅ Embedding validation |

📊 Test Coverage

| Metric | Coverage | | ------------- | -------- | | Rules | 19 | | Tests | 200 | | Lines | 98%+ | | Functions | 100% |

🙋 FAQ

What's the difference between this and generic AI security linters?

Generic linters guess at patterns. This plugin knows the exact Vercel AI SDK API.

Does this work with ESLint 9 Flat Config?

Yes! Designed specifically for ESLint Flat Config — works on ESLint 8 (with flat config), 9, and 10. See the ESLint Version Support Policy for the full matrix.

How do I suppress a rule for a specific line?

// eslint-disable-next-line vercel-ai-security/require-validated-prompt
await generateText({ prompt: internalPrompt });

Why is ASI06 (Memory Corruption) not covered?

TypeScript/JavaScript are memory-safe languages. Memory corruption vulnerabilities (buffer overflows, use-after-free, etc.) are not possible in these environments.

📦 Compatibility

| Package | Version | | -------------------- | --------------------------------------------------------------------------------------------------------- | | ai (Vercel AI SDK) | | | ESLint | | | Node.js | |

See the ESLint Version Support Policy for the full matrix.

Rules

Legend

| Icon | Description | | :---: | :--- | | 💼 | Recommended: Included in the recommended preset. | | ⚠️ | Warns: Set to warn in recommended preset. | | 🔧 | Auto-fixable: Automatically fixable by the --fix CLI option. | | 💡 | Suggestions: Providing code suggestions in IDE. | | 🚫 | Deprecated: This rule is deprecated. | | 🟢 | Type-unaware: AST-only, runs in oxlint JS-plugin tier. | | 🟡 | Type-aware (refining): pure-AST primary path; types refine precision. | | 🟠 | Type-aware (graceful): requires TS program; silent without it. |

| Rule | CWE | OWASP | CVSS | Description | 🧠 | 💼 | ⚠️ | 🔧 | 💡 | 🚫 | | :--- | :---: | :---: | :---: | :--- | :---: | :---: | :---: | :---: | :---: | :---: | | no-dynamic-system-prompt | CWE-74 | | | This rule identifies code patterns where system prompts contain dynamic or user-controlled content | 🟢 | | | | | | | no-hardcoded-api-keys | CWE-798 | | | This rule identifies hardcoded API keys, tokens, and secrets in your codebase that are used with AI SDK pro… | 🟢 | | | | | | | no-sensitive-in-prompt | CWE-200 | | | This rule identifies code patterns where sensitive data like passwords, API keys, tokens, or personally ide… | 🟢 | | | | | | | no-system-prompt-leak | CWE-200 | | | This rule identifies code patterns where system prompts or AI instructions are returned in API responses, l… | 🟢 | | | | | | | no-training-data-exposure | CWE-359 | | | This rule identifies code patterns where user data might be sent to LLM training endpoints or when training… | 🟢 | | | | | | | no-unsafe-output-handling | CWE-94 | | | This rule identifies code patterns where AI-generated output is passed directly to dangerous functions that… | 🟢 | | | | | | | require-abort-signal | CWE-404 | | | This rule identifies streaming AI SDK calls (streamText, streamObject) that don't include an AbortSignal fo… | 🟢 | | | | | | | require-audit-logging | CWE-778 | | | This rule identifies AI SDK calls that aren't preceded by logging statements | 🟢 | | | | | | | require-embedding-validation | CWE-20 | | | This rule identifies code patterns where embeddings are stored in vector databases without validation. | 🟢 | | | | | | | require-error-handling | CWE-755 | | | This rule identifies AI SDK calls that aren't wrapped in try-catch blocks | 🟢 | | | | | | | require-max-steps | CWE-834 | | | This rule identifies AI SDK calls that use tools but don't specify a maxSteps limit | 🟢 | | | | | | | require-max-tokens | CWE-770 | | | This rule identifies AI SDK calls that don't specify a maxTokens limit | 🟢 | | | | | | | require-output-filtering | CWE-200 | | | This rule identifies tool execute functions that return raw data from data sources (databases, APIs, file s… | 🟢 | | | | | | | require-output-validation | CWE-707 | | | This rule identifies code patterns where AI-generated output is displayed to users without validation or fa… | 🟢 | | | | | | | require-rag-content-validation | CWE-74 | | | This rule identifies code patterns where content retrieved from vector stores or document retrieval systems… | 🟢 | | | | | | | require-request-timeout | CWE-400 | | | This rule identifies AI SDK calls that don't have timeout or abort signal configuration. | 🟢 | | | | | | | require-tool-confirmation | CWE-862 | | | This rule identifies destructive tools (delete, transfer, execute, etc.) that don't require human confirmat… | 🟢 | | | | | | | require-tool-schema | CWE-20 | | | Get weather | 🟢 | | | | | | | require-validated-prompt | CWE-74 | | | This rule identifies code patterns where user-controlled input is passed directly to AI prompts without val… | 🟢 | | | | | |

🔗 Related ESLint Plugins

Part of the Interlace ESLint Ecosystem — AI-native security plugins with LLM-optimized error messages:

⭐ Support & follow

If this plugin caught a real bug for you, star the repo — stars are the signal that keeps the Interlace ESLint ecosystem maintained — and follow the writeups on Dev.to for the benchmarks and security research behind these rules.