Overview

Live from GitHub

This content is fetched directly from README.md on GitHub and cached for 1 hour.

AI-Optimized Security

Every rule includes CWE, OWASP, and CVSS metadata for AI assistants to provide precise, context-aware fixes.

Rules (31)

Browse all Node.js security rules with CWE/OWASP mapping

Changelog

View version history and updates

Security-focused ESLint plugin for Node.js built-in modules (fs, child_process, vm, crypto, Buffer).

This plugin provides Security rules for Node.js core modules (fs, child_process, crypto, etc). By using this plugin, you can proactively identify and mitigate security risks across your entire codebase.

Philosophy

Interlace fosters strength through integration. Instead of stacking isolated rules, we interlace security directly into your workflow to create a resilient fabric of code. We believe tools should guide rather than gatekeep, providing educational feedback that strengthens the developer with every interaction.

Getting Started

To check out the guide, visit eslint.interlace.tools. 📚
要查看中文指南, 请访问 eslint.interlace.tools. 📚
가이드 문서는 eslint.interlace.tools에서 확인하실 수 있습니다. 📚
ガイドは eslint.interlace.toolsでご確認ください。 📚
Para ver la guía, visita eslint.interlace.tools. 📚
للاطلاع على الدليل، قم بزيارة eslint.interlace.tools. 📚

npm install eslint-plugin-node-security --save-dev

💡 What You Get

31 security rules covering Node.js core module vulnerabilities
Command Injection Detection for child_process.exec, spawn, and execFile
Path Traversal Prevention for fs module operations
TOCTOU Race Condition Detection for file system operations
Cryptographic Security for weak algorithms and key management
LLM-optimized messages with CWE references and fix guidance

⚙️ Configuration Presets

Preset	Description
`recommended`	Balanced security for most Node.js projects
`strict`	Maximum security enforcement (all rules as errors)
`fs-security`	Focus on file system vulnerabilities (CWE-22, CWE-73)
`crypto`	Cryptographic security rules only

Rules

Legend

Icon	Description
💼	Recommended: Included in the recommended preset.
⚠️	Warns: Set towarn in recommended preset.
🔧	Auto-fixable: Automatically fixable by the `--fix` CLI option.
💡	Suggestions: Providing code suggestions in IDE.
🚫	Deprecated: This rule is deprecated.

Rule	CWE	CVSS	Description	💼	⚠️	💡
detect-child-process	CWE-78	9.8	ESLint rule documentation for detect-child-process	💼		💡
detect-eval-with-expression	CWE-95	9.8	ESLint rule documentation for detect-eval-with-expression	💼
detect-non-literal-fs-filename	CWE-22	7.5	ESLint rule documentation for detect-non-literal-fs-filename	💼		💡
detect-suspicious-dependencies	CWE-829	8.2	ESLint rule documentation for detect-suspicious-dependencies	💼
lock-file	CWE-829	7.5	ESLint rule documentation for lock-file	💼
no-arbitrary-file-access	CWE-22	7.5	ESLint rule documentation for no-arbitrary-file-access	💼
no-buffer-overread	CWE-126	7.5	ESLint rule documentation for no-buffer-overread	💼
no-cryptojs	CWE-327	5.0	ESLint rule documentation for no-cryptojs	💼	⚠️	💡
no-cryptojs-weak-random	CWE-338	5.3	ESLint rule documentation for no-cryptojs-weak-random	💼		💡
no-data-in-temp-storage	CWE-312	7.5	ESLint rule documentation for no-data-in-temp-storage		⚠️
no-deprecated-cipher-method	CWE-327	5.0	ESLint rule documentation for no-deprecated-cipher-method	💼		💡
no-dynamic-dependency-loading	CWE-829	7.5	ESLint rule documentation for no-dynamic-dependency-loading		⚠️
no-dynamic-require	CWE-706	7.5	ESLint rule documentation for no-dynamic-require		⚠️
no-ecb-mode	CWE-327	7.5	ESLint rule documentation for no-ecb-mode	💼		💡
no-insecure-key-derivation	CWE-916	7.5	ESLint rule documentation for no-insecure-key-derivation	💼		💡
no-insecure-rsa-padding	CWE-327	7.4	ESLint rule documentation for no-insecure-rsa-padding	💼		💡
no-pii-in-logs	CWE-532	7.5	ESLint rule documentation for no-pii-in-logs		⚠️
no-self-signed-certs	CWE-295	7.5	ESLint rule documentation for no-self-signed-certs	💼		💡
no-sha1-hash	CWE-327	7.5	ESLint rule documentation for no-sha1-hash	💼		💡
no-static-iv	CWE-329	7.5	ESLint rule documentation for no-static-iv	💼		💡
no-timing-unsafe-compare	CWE-208	5.9	ESLint rule documentation for no-timing-unsafe-compare	💼	⚠️	💡
no-toctou-vulnerability	CWE-367	7.0	ESLint rule documentation for no-toctou-vulnerability	💼		💡
no-unsafe-dynamic-require	CWE-706	7.5	ESLint rule documentation for no-unsafe-dynamic-require	💼		💡
no-weak-cipher-algorithm	CWE-327	7.5	ESLint rule documentation for no-weak-cipher-algorithm	💼		💡
no-weak-hash-algorithm	CWE-327	7.5	ESLint rule documentation for no-weak-hash-algorithm	💼		💡
no-zip-slip	CWE-22	8.1	ESLint rule documentation for no-zip-slip	💼
prefer-native-crypto	CWE-327	5.0	ESLint rule documentation for prefer-native-crypto	💼	⚠️	💡
require-dependency-integrity	CWE-494	7.5	ESLint rule documentation for require-dependency-integrity
require-secure-credential-storage	CWE-522	7.5	ESLint rule documentation for require-secure-credential-storage
require-secure-deletion	CWE-459	7.5	ESLint rule documentation for require-secure-deletion
require-storage-encryption	CWE-311	7.5	ESLint rule documentation for require-storage-encryption

Part of the Interlace ESLint Ecosystem — AI-native security plugins with LLM-optimized error messages:

Plugin	Downloads	Description
`eslint-plugin-secure-coding`		General security rules & OWASP guidelines.
`eslint-plugin-pg`		PostgreSQL security & best practices.
`eslint-plugin-crypto`		NodeJS Cryptography security rules.
`eslint-plugin-jwt`		JWT security & best practices.
`eslint-plugin-browser-security`		Browser-specific security & XSS prevention.
`eslint-plugin-express-security`		Express.js security hardening rules.
`eslint-plugin-lambda-security`		AWS Lambda security best practices.
`eslint-plugin-nestjs-security`		NestJS security rules & patterns.
`eslint-plugin-mongodb-security`		MongoDB security best practices.
`eslint-plugin-vercel-ai-security`		Vercel AI SDK security hardening.
`eslint-plugin-import-next`		Next-gen import sorting & architecture.

📄 License

View README.md on GitHub →

Rules (31)

Changelog

On this page