Skip to main content
ESLint Interlace

Philosophy

Why we built an ecosystem of specialized ESLint plugins

The Interlace Philosophy

ESLint Interlace isn't a single plugin—it's an ecosystem of 18+ specialized plugins. This is by design.

Core Belief

Security and code quality are not one-size-fits-all. Different projects have different needs, and forcing everyone to use the same monolithic ruleset creates noise and friction.


Why Many Plugins?

1. Install Only What You Need

Zero Bloat

A React Native app doesn't need PostgreSQL rules. A Node.js API doesn't need browser security rules. Install only what applies to your stack.

Faster Linting

Fewer rules = faster execution. Why parse every file against 500 rules when you only need 50?

2. Focused Expertise

Each plugin is laser-focused on one domain:

PluginDomain Expertise
browser-securityClient-side XSS, DOM manipulation, postMessage
jwtToken algorithms, expiration, secret handling
mongodb-securityNoSQL injection, $where, aggregation attacks
pgSQL injection, COPY FROM, prepared statements
vercel-ai-securityPrompt injection, tool result validation

This focus means:

  • Deeper coverage — We can go deep instead of broad
  • Domain experts — Each plugin maintained by specialists
  • Better errors — Context-aware messages, not generic "security issue"

3. Independent Releases

When we fix a JWT vulnerability rule, you don't need to update your entire linting setup. Independent versioning means:

  • Surgical updates — Update only affected plugins
  • No breaking cascades — One plugin's major version doesn't force others
  • Faster iteration — We can ship fixes without coordinating 18 changelogs

The Two Pillars

ESLint Interlace organizes plugins into two main categories:

Security Plugins (11+)

Vulnerability detection with CWE/OWASP mapping. Every rule is actionable and AI-parseable.

Quality Plugins (7+)

Code architecture, conventions, and maintainability. Rules that prevent tech debt.


Design Principles

AI-Native from Day One

Every rule in Interlace includes structured metadata:

// Every error includes:
{
  messageId: 'insecureJwtAlgorithm',
  data: {
    cwe: 'CWE-327',
    owasp: 'A02:2021',
    cvss: 7.5,
    fix: 'Use RS256 or ES256 instead of HS256 with public keys'
  }
}

This enables AI assistants (Copilot, Cursor, Claude) to:

  • Understand the severity of issues
  • Apply the correct fix without hallucinating
  • Prioritize by risk score

Performance First

We don't just add rules—we optimize them:

  • 100x faster cycle detection in import-next
  • Parallel rule execution where possible
  • Lazy AST traversal to avoid unnecessary work

Framework-Aware

Generic rules produce false positives. Framework-aware rules understand context:

  • express-security knows Express middleware patterns
  • nestjs-security understands decorators and DI
  • lambda-security recognizes handler signatures

Adoption Strategies

Start Small

# Week 1: Core security
npm install eslint-plugin-browser-security eslint-plugin-secure-coding

# Week 2: Add framework-specific
npm install eslint-plugin-express-security

# Week 3: Add quality
npm install eslint-plugin-conventions eslint-plugin-reliability

By Stack

StackRecommended Plugins
React SPAbrowser-security, secure-coding
Next.jsbrowser-security, import-next, conventions
Express APIexpress-security, node-security, jwt
NestJSnestjs-security, jwt, mongodb-security
AWS Lambdalambda-security, node-security
AI Applicationsvercel-ai-security, secure-coding

Community & Contribution

Each plugin is:

  • Open source (MIT licensed)
  • Independently maintainable — You can fork just one plugin
  • Test-covered — 85%+ coverage for security plugins

We believe security tooling should be transparent. Every rule's logic is visible, testable, and auditable.


Next Steps

Building secure JavaScript with Interlace? Star the repo to get new rules and CWE coverage as we ship them — or follow the AI-code-security benchmarks behind them.