feat: add config recommended-legacy

it also moves rule tests to `./test/rules`, and adds a test for the configs.

fixes #131

Signed-off-by: 唯然 <weiran.zsd@outlook.com>

.eslint-doc-generatorrc.js

@@ -3,6 +3,7 @@ const prettierRC = require('./.prettierrc.json');
 
 /** @type {import('eslint-doc-generator').GenerateOptions} */
 const config = {
+  ignoreConfig: ['recommended-legacy'],
   postprocess: (doc) => format(doc, { ...prettierRC, parser: 'markdown' }),
 };
 

README.md

@@ -20,6 +20,8 @@ yarn add --dev eslint-plugin-security
 
 ## Usage
 
+### Flat config (requires eslint >= v8.23.0)
+
 Add the following to your `eslint.config.js` file:
 
 ```js
@@ -28,6 +30,17 @@ const pluginSecurity = require('eslint-plugin-security');
 module.exports = [pluginSecurity.configs.recommended];
 ```
 
+### eslintrc config (deprecated)
+
+Add the following to your `.eslintrc` file:
+
+````js
+module.exports = {
+  "extends": [
+    "plugin:security/recommended-legacy"
+  ]
+}
+
 ## Developer guide
 
 - Use [GitHub pull requests](https://help.github.com/articles/using-pull-requests).
@@ -52,8 +65,8 @@ npm test
 ⚠️ Configurations set to warn in.\
 ✅ Set in the `recommended` configuration.
 
-| Name                                                                                         | Description                                                                                                                   | ⚠️  |
-| :------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------- | :-- |
+| Name                                                                                         | Description                                                                                                                   | ⚠️ |
+| :------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------- | :- |
 | [detect-bidi-characters](docs/rules/detect-bidi-characters.md)                               | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code.                                      | ✅  |
 | [detect-buffer-noassert](docs/rules/detect-buffer-noassert.md)                               | Detects calls to "buffer" with "noAssert" flag set.                                                                           | ✅  |
 | [detect-child-process](docs/rules/detect-child-process.md)                                   | Detects instances of "child_process" & non-literal "exec()" calls.                                                            | ✅  |
@@ -70,3 +83,4 @@ npm test
 | [detect-unsafe-regex](docs/rules/detect-unsafe-regex.md)                                     | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.              | ✅  |
 
 <!-- end auto-generated rules list -->
+````

index.js

@@ -66,6 +66,14 @@ const recommended = {
   },
 };
 
-Object.assign(plugin.configs, { recommended });
+const recommendedLegacy = {
+  plugins: ['security'],
+  rules: recommended.rules,
+};
+
+Object.assign(plugin.configs, {
+  recommended,
+  'recommended-legacy': recommendedLegacy
+});
 
 module.exports = plugin;

test/configs/index.js

@@ -0,0 +1,16 @@
+'use strict';
+const plugin = require('../../index.js');
+const assert = require('assert').strict;
+
+describe('export plugin object', () => {
+  it('should export rules', () => {
+    assert(plugin.rules);
+    assert(typeof plugin.rules['detect-unsafe-regex'] === 'object');
+  });
+
+  it('should export configs', () => {
+    assert(plugin.configs);
+    assert(plugin.configs['recommended']);
+    assert(plugin.configs['recommended-legacy']);
+  });
+});

test/detect-bidi-characters.js → test/rules/detect-bidi-characters.js

@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester();
 
 const ruleName = 'detect-bidi-characters';
-const Rule = require(`../rules/${ruleName}`);
+const Rule = require(`../../rules/${ruleName}`);
 
 tester.run(ruleName, Rule, {
   valid: [
@@ -54,7 +54,7 @@ tester.run(`${ruleName} in comment-line`, Rule, {
           console.log("You are an admin.");
       /* end admins only ‮
 ⁦*/
-      /* end admins only ‮ 
+      /* end admins only ‮
  { ⁦*/
         `,
       errors: [

test/detect-buffer-noassert.js → test/rules/detect-buffer-noassert.js

@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester();
 
 const ruleName = 'detect-buffer-noassert';
-const rule = require(`../rules/${ruleName}`);
+const rule = require(`../../rules/${ruleName}`);
 
 const allMethodNames = [...rule.meta.__methodsToCheck.read, ...rule.meta.__methodsToCheck.write];
 

test/detect-child-process.js → test/rules/detect-child-process.js

@@ -9,7 +9,7 @@ const tester = new RuleTester({
 });
 
 const ruleName = 'detect-child-process';
-const rule = require(`../rules/${ruleName}`);
+const rule = require(`../../rules/${ruleName}`);
 
 tester.run(ruleName, rule, {
   valid: [

test/detect-disable-mustache-escape.js → test/rules/detect-disable-mustache-escape.js

@@ -5,7 +5,7 @@ const tester = new RuleTester();
 
 const ruleName = 'detect-disable-mustache-escape';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [{ code: 'escapeMarkup = false' }],
   invalid: [
     {

test/detect-eval-with-expression.js → test/rules/detect-eval-with-expression.js

@@ -5,7 +5,7 @@ const tester = new RuleTester();
 
 const ruleName = 'detect-eval-with-expression';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [{ code: "eval('alert()')" }],
   invalid: [
     {

test/detect-new-buffer.js → test/rules/detect-new-buffer.js

@@ -6,7 +6,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-new-buffer';
 const invalid = 'var a = new Buffer(c)';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [{ code: "var a = new Buffer('test')" }],
   invalid: [
     {

test/detect-no-csrf-before-method-override.js → test/rules/detect-no-csrf-before-method-override.js

@@ -5,7 +5,7 @@ const tester = new RuleTester();
 
 const ruleName = 'detect-no-csrf-before-method-override';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [{ code: 'express.methodOverride();express.csrf()' }],
   invalid: [
     {

test/detect-non-literal-fs-filename.js → test/rules/detect-non-literal-fs-filename.js

@@ -10,7 +10,7 @@ const tester = new RuleTester({
 
 const ruleName = 'detect-non-literal-fs-filename';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [
     {
       code: `var fs = require('fs');
@@ -29,7 +29,7 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
             import { promises as fsp } from 'fs';
             import fs from 'fs';
             import path from 'path';
-            
+
             const index = await fsp.readFile(path.resolve(__dirname, './index.html'), 'utf-8');
             const key = fs.readFileSync(path.join(__dirname, './ssl.key'));
             await fsp.writeFile(path.resolve(__dirname, './sitemap.xml'), sitemap);`,

test/detect-non-literal-regexp.js → test/rules/detect-non-literal-regexp.js

@@ -6,7 +6,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-non-literal-regexp';
 const invalid = "var a = new RegExp(c, 'i')";
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [
     { code: "var a = new RegExp('ab+c', 'i')" },
     {

test/detect-non-literal-require.js → test/rules/detect-non-literal-require.js

@@ -6,7 +6,7 @@ const tester = new RuleTester({ parserOptions: { ecmaVersion: 6 } });
 
 const ruleName = 'detect-non-literal-require';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [
     { code: "var a = require('b')" },
     { code: 'var a = require(`b`)' },

test/detect-object-injection.js → test/rules/detect-object-injection.js

@@ -5,7 +5,7 @@ const tester = new RuleTester();
 
 const ruleName = 'detect-object-injection';
 
-const Rule = require(`../rules/${ruleName}`);
+const Rule = require(`../../rules/${ruleName}`);
 
 const valid = 'var a = {};';
 // const invalidVariable = "TODO";

test/detect-possible-timing-attacks.js → test/rules/detect-possible-timing-attacks.js

@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester();
 
 const ruleName = 'detect-possible-timing-attacks';
-const Rule = require(`../rules/${ruleName}`);
+const Rule = require(`../../rules/${ruleName}`);
 
 const valid = 'if (age === 5) {}';
 const invalidLeft = "if (password === 'mypass') {}";

test/detect-pseudoRandomBytes.js → test/rules/detect-pseudoRandomBytes.js

@@ -6,7 +6,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-pseudoRandomBytes';
 const invalid = 'crypto.pseudoRandomBytes';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
   valid: [{ code: 'crypto.randomBytes' }],
   invalid: [
     {

test/detect-unsafe-regexp.js → test/rules/detect-unsafe-regexp.js

@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester();
 
 const ruleName = 'detect-unsafe-regex';
-const Rule = require(`../rules/${ruleName}`);
+const Rule = require(`../../rules/${ruleName}`);
 
 tester.run(ruleName, Rule, {
   valid: [{ code: '/^d+1337d+$/' }],