Philosophy
Why we built an ecosystem of specialized ESLint plugins
The Interlace Philosophy
ESLint Interlace isn't a single plugin—it's an ecosystem of 18+ specialized plugins. This is by design.
Core Belief
Security and code quality are not one-size-fits-all. Different projects have different needs, and forcing everyone to use the same monolithic ruleset creates noise and friction.
Why Many Plugins?
1. Install Only What You Need
Zero Bloat
A React Native app doesn't need PostgreSQL rules. A Node.js API doesn't need browser security rules. Install only what applies to your stack.
Faster Linting
Fewer rules = faster execution. Why parse every file against 500 rules when you only need 50?
2. Focused Expertise
Each plugin is laser-focused on one domain:
| Plugin | Domain Expertise |
|---|---|
browser-security | Client-side XSS, DOM manipulation, postMessage |
jwt | Token algorithms, expiration, secret handling |
mongodb-security | NoSQL injection, $where, aggregation attacks |
pg | SQL injection, COPY FROM, prepared statements |
vercel-ai-security | Prompt injection, tool result validation |
This focus means:
- Deeper coverage — We can go deep instead of broad
- Domain experts — Each plugin maintained by specialists
- Better errors — Context-aware messages, not generic "security issue"
3. Independent Releases
When we fix a JWT vulnerability rule, you don't need to update your entire linting setup. Independent versioning means:
- Surgical updates — Update only affected plugins
- No breaking cascades — One plugin's major version doesn't force others
- Faster iteration — We can ship fixes without coordinating 18 changelogs
The Two Pillars
ESLint Interlace organizes plugins into two main categories:
Security Plugins (11+)
Vulnerability detection with CWE/OWASP mapping. Every rule is actionable and AI-parseable.
Quality Plugins (7+)
Code architecture, conventions, and maintainability. Rules that prevent tech debt.
Design Principles
AI-Native from Day One
Every rule in Interlace includes structured metadata:
// Every error includes:
{
messageId: 'insecureJwtAlgorithm',
data: {
cwe: 'CWE-327',
owasp: 'A02:2021',
cvss: 7.5,
fix: 'Use RS256 or ES256 instead of HS256 with public keys'
}
}This enables AI assistants (Copilot, Cursor, Claude) to:
- Understand the severity of issues
- Apply the correct fix without hallucinating
- Prioritize by risk score
Performance First
We don't just add rules—we optimize them:
- 100x faster cycle detection in
import-next - Parallel rule execution where possible
- Lazy AST traversal to avoid unnecessary work
Framework-Aware
Generic rules produce false positives. Framework-aware rules understand context:
express-securityknows Express middleware patternsnestjs-securityunderstands decorators and DIlambda-securityrecognizes handler signatures
Adoption Strategies
Start Small
# Week 1: Core security
npm install eslint-plugin-browser-security eslint-plugin-secure-coding
# Week 2: Add framework-specific
npm install eslint-plugin-express-security
# Week 3: Add quality
npm install eslint-plugin-conventions eslint-plugin-reliabilityBy Stack
| Stack | Recommended Plugins |
|---|---|
| React SPA | browser-security, secure-coding |
| Next.js | browser-security, import-next, conventions |
| Express API | express-security, node-security, jwt |
| NestJS | nestjs-security, jwt, mongodb-security |
| AWS Lambda | lambda-security, node-security |
| AI Applications | vercel-ai-security, secure-coding |
Community & Contribution
Each plugin is:
- Open source (MIT licensed)
- Independently maintainable — You can fork just one plugin
- Test-covered — 85%+ coverage for security plugins
We believe security tooling should be transparent. Every rule's logic is visible, testable, and auditable.
Next Steps
Installation
Start installing plugins for your stack
Security Plugins
Explore the security plugin suite
Quality Plugins
Explore the quality plugin suite
Building secure JavaScript with Interlace? Star the repo to get new rules and CWE coverage as we ship them — or follow the AI-code-security benchmarks behind them.