Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]>

Git stats


Failed to load latest commit information.
Latest commit message
Commit time


NPM version

ESLint rules for Node Security

This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.


npm install --save-dev eslint-plugin-security


yarn add --dev eslint-plugin-security


Add the following to your .eslintrc file:

"extends": [

Developer guide

  • Use GitHub pull requests.
  • Conventions:
  • We use our custom ESLint setup.
  • Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
npm run-script cont-int


npm test


⚠️ Configurations set to warn in.
Set in the recommended configuration.

Name                                  Description ⚠️
detect-bidi-characters Detects trojan source attacks that employ unicode bidi attacks to inject malicious code.
detect-buffer-noassert Detects calls to "buffer" with "noAssert" flag set.
detect-child-process Detects instances of "child_process" & non-literal "exec()" calls.
detect-disable-mustache-escape Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities.
detect-eval-with-expression Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process.
detect-new-buffer Detects instances of new Buffer(argument) where argument is any non-literal value.
detect-no-csrf-before-method-override Detects Express "csrf" middleware setup before "method-override" middleware.
detect-non-literal-fs-filename Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system.
detect-non-literal-regexp Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression.
detect-non-literal-require Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.
detect-object-injection Detects "variable[key]" as a left- or right-hand assignment operand.
detect-possible-timing-attacks Detects insecure comparisons (==, !=, !== and ===), which check input sequentially.
detect-pseudoRandomBytes Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect.
detect-unsafe-regex Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.