Security rules for eslint
Last updated 3 years ago by adam_baldwin .
Apache-2.0 · Repository · Bugs · Original npm · Tarball · package.json
$ cnpm install eslint-plugin-security 
SYNC missed versions from official npm registry.


ESLint rules for Node Security

This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.


npm install --save-dev eslint-plugin-security


Add the following to your .eslintrc file:

"plugins": [
"extends": [

Developer guide

  • Use GitHub pull requests.
  • Conventions:
  • We use our custom ESLint setup.
  • Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
npm run-script cont-int


npm test



Locates potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.

More information:


Detects calls to buffer with noAssert flag set

From the Node.js API docs: "Setting noAssert to true skips validation of the offset. This allows the offset to be beyond the end of the Buffer."


Detects instances of child_process & non-literal exec()

More information:


Detects object.escapeMarkup = false, which can be used with some template engines to disable escaping of HTML entities. This can lead to Cross-Site Scripting (XSS) vulnerabilities.

More information:


Detects eval(variable) which can allow an attacker to run arbitary code inside your process.

More information:


Detects Express csrf middleware setup before method-override middleware. This can allow GET requests (which are not checked by csrf) to turn into POST requests later.

More information:


Detects variable in filename argument of fs calls, which might allow an attacker to access anything on your system.

More information:


Detects RegExp(variable), which might allow an attacker to DOS your server with a long-running regular expression.

More information:


Detects require(variable), which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.

More information:


Detects variable[key] as a left- or right-hand assignment operand.

More information:


Detects insecure comparisons (==, !=, !== and ===), which check input sequentially.

More information:


Detects if pseudoRandomBytes() is in use, which might not give you the randomness you need and expect.

More information:

Current Tags

  • 1.4.0                                ...           latest (3 years ago)

5 Versions

  • 1.4.0                                ...           3 years ago
  • 1.3.0                                ...           3 years ago
  • 1.2.0                                ...           4 years ago
  • 1.1.0                                ...           5 years ago
  • 1.0.0                                ...           5 years ago
Maintainers (2)
Today 34
This Week 57
This Month 336
Last Day 23
Last Week 196
Last Month 841
Dependencies (1)
Dev Dependencies (4)
Dependents (197)

Copyright 2014 - 2016 © |