Philosophy
Why we built an ecosystem of specialized ESLint plugins
The Interlace Philosophy
ESLint Interlace isn't a single plugin—it's an ecosystem of 18+ specialized plugins. This is by design.
Core Belief
Security and code quality are not one-size-fits-all. Different projects have different needs, and forcing everyone to use the same monolithic ruleset creates noise and friction.
Why Many Plugins?
1. Install Only What You Need
Zero Bloat
A React Native app doesn't need PostgreSQL rules. A Node.js API doesn't need browser security rules. Install only what applies to your stack.
Faster Linting
Fewer rules = faster execution. Why parse every file against 500 rules when you only need 50?
2. Focused Expertise
Each plugin is laser-focused on one domain:
| Plugin | Domain Expertise |
|---|---|
browser-security | Client-side XSS, DOM manipulation, postMessage |
jwt | Token algorithms, expiration, secret handling |
mongodb-security | NoSQL injection, $where, aggregation attacks |
pg | SQL injection, COPY FROM, prepared statements |
vercel-ai-security | Prompt injection, tool result validation |
This focus means:
- Deeper coverage — We can go deep instead of broad
- Domain experts — Each plugin maintained by specialists
- Better errors — Context-aware messages, not generic "security issue"
3. Independent Releases
When we fix a JWT vulnerability rule, you don't need to update your entire linting setup. Independent versioning means:
- Surgical updates — Update only affected plugins
- No breaking cascades — One plugin's major version doesn't force others
- Faster iteration — We can ship fixes without coordinating 18 changelogs
The Two Pillars
ESLint Interlace organizes plugins into two main categories:
Security Plugins (11+)
Vulnerability detection with CWE/OWASP mapping. Every rule is actionable and AI-parseable.
Quality Plugins (7+)
Code architecture, conventions, and maintainability. Rules that prevent tech debt.
Design Principles
AI-Native from Day One
Every rule in Interlace includes structured metadata:
// Every error includes:
{
messageId: 'insecureJwtAlgorithm',
data: {
cwe: 'CWE-327',
owasp: 'A02:2021',
cvss: 7.5,
fix: 'Use RS256 or ES256 instead of HS256 with public keys'
}
}This enables AI assistants (Copilot, Cursor, Claude) to:
- Understand the severity of issues
- Apply the correct fix without hallucinating
- Prioritize by risk score
Performance First
We don't just add rules—we optimize them:
- 100x faster cycle detection in
import-next - Parallel rule execution where possible
- Lazy AST traversal to avoid unnecessary work
Framework-Aware
Generic rules produce false positives. Framework-aware rules understand context:
express-securityknows Express middleware patternsnestjs-securityunderstands decorators and DIlambda-securityrecognizes handler signatures
Adoption Strategies
Start Small
# Week 1: Core security
npm install eslint-plugin-browser-security eslint-plugin-secure-coding
# Week 2: Add framework-specific
npm install eslint-plugin-express-security
# Week 3: Add quality
npm install eslint-plugin-conventions eslint-plugin-reliabilityBy Stack
| Stack | Recommended Plugins |
|---|---|
| React SPA | browser-security, secure-coding |
| Next.js | browser-security, import-next, conventions |
| Express API | express-security, node-security, jwt |
| NestJS | nestjs-security, jwt, mongodb-security |
| AWS Lambda | lambda-security, node-security |
| AI Applications | vercel-ai-security, secure-coding |
Community & Contribution
Each plugin is:
- Open source (MIT licensed)
- Independently maintainable — You can fork just one plugin
- Test-covered — 85%+ coverage for security plugins
We believe security tooling should be transparent. Every rule's logic is visible, testable, and auditable.