Node.js security rules for fs, child_process, vm, and crypto modules
Security-focused ESLint plugin for Node.js built-in modules (fs, child_process, vm, crypto, Buffer).
⭐ If this plugin caught a real bug for you, star the repo; it's the signal that keeps these rules maintained.
Description
This plugin provides security rules for Node.js core modules (fs, child_process, crypto, etc.).
Philosophy
Interlace fosters strength through integration. Instead of stacking isolated rules, we interlace security directly into your workflow to create a resilient fabric of code. We believe tools should guide rather than gatekeep, providing educational feedback that strengthens the developer with every interaction.
Getting Started
- To check out the guide, visit eslint.interlace.tools. 📖 The same guide is also available there in Chinese, Korean, Japanese, Spanish, and Arabic.
```bash
npm install eslint-plugin-node-security --save-dev
```

⚙️ Configuration Presets
| Preset | Description |
|---|---|
| recommended | Balanced security for most Node.js projects |
| strict | Maximum security enforcement (all rules as errors) |
| fs-security | Focus on file system vulnerabilities (CWE-22, CWE-73) |
| crypto | Cryptographic security rules only |
💡 What You Get
- 31 security rules covering Node.js core module vulnerabilities
- Command Injection Detection for `child_process.exec`, `spawn`, and `execFile`
- Path Traversal Prevention for `fs` module operations
- TOCTOU Race Condition Detection for file system operations
- Cryptographic Security for weak algorithms and key management
- LLM-optimized messages with CWE references and fix guidance
📦 Compatibility
| Package | Version |
|---|---|
| ESLint | ^8.0.0 || ^9.0.0 || ^10.0.0 |
| Node.js | >=18.0.0 |
See the ESLint Version Support Policy for current ecosystem share data, the 20% gate, and the forward-looking exception that covers v10.
Rules
Legend
| Icon | Description |
|---|---|
| 🔼 | Recommended: Included in the recommended preset. |
| ⚠️ | Warns: Set to warn in recommended preset. |
| 🔧 | Auto-fixable: Automatically fixable by the --fix CLI option. |
| 💡 | Suggestions: Providing code suggestions in IDE. |
| 🚫 | Deprecated: This rule is deprecated. |
| 🟢 | Type-unaware: AST-only, runs in oxlint JS-plugin tier. |
| 🟡 | Type-aware (refining): pure-AST primary path; types refine precision. |
| 🔍 | Type-aware (graceful): requires TS program; silent without it. |
| Rule | CWE | OWASP | CVSS | Description | Tier | 🔼 | ⚠️ | 🔧 | 💡 | 🚫 |
|---|---|---|---|---|---|---|---|---|---|---|
| detect-child-process | CWE-78 | | | Detects instances of child_process & non-literal exec() calls that may allow command injection | 🟢 | | | | | |
| detect-eval-with-expression | CWE-95 | A03:2021 | | Detects eval(variable) which can allow an attacker to run arbitrary code inside your process | 🟢 | | | | | |
| detect-non-literal-fs-filename | CWE-22 | | | Detects variable in filename argument of fs calls, which might allow an attacker to access anything on your… | 🟢 | | | | | |
| detect-suspicious-dependencies | CWE-506 | | | This rule detects package imports that look like typosquatting attempts on popular npm packages | 🟢 | | | | | |
| lock-file | CWE-829 | | | CWE: CWE-829 | 🟢 | | | | | |
| no-arbitrary-file-access | CWE-22 | A01:2021 | | Prevents file system access with unsanitized user input to protect against path traversal attacks. | 🟢 | | | | | |
| no-buffer-overread | CWE-126 | | | Detects buffer access beyond bounds | 🟢 | | | | | |
| no-cryptojs | CWE-1104 | A06:2021 | | Disallow deprecated crypto-js library (use native crypto instead) | 🟢 | | | | | |
| no-cryptojs-weak-random | CWE-338 | A02:2021 | | Disallow crypto-js WordArray.random() (CVE-2020-36732) | 🟢 | | | | | |
| no-data-in-temp-storage | CWE-312 | | | Temporary directories (/tmp, /var/tmp, temp/) are often world-readable or persist longer than expected | 🟢 | | | | | |
| no-deprecated-buffer | CWE-676 | | | Disallow the deprecated new Buffer() constructor and Buffer() factory call. | 🟢 | | | | 💡 | |
| no-deprecated-cipher-method | CWE-327 | A02:2021 | | Disallow deprecated crypto.createCipher/createDecipher methods | 🟢 | | | | | |
| no-dynamic-dependency-loading | CWE-1104 | | | This rule detects dynamically constructed paths in require() and import() statements | 🟢 | | | | | |
| no-dynamic-require | | | | Forbid require() calls with non-literal arguments | 🟢 | | | | | |
| no-ecb-mode | CWE-327 | A02:2021 | | Disallow ECB encryption mode (use GCM or CBC instead) | 🟢 | | | | | |
| no-insecure-key-derivation | CWE-916 | A02:2021 | | Disallow PBKDF2 with insufficient iterations (< 100,000) | 🟢 | | | | | |
| no-insecure-rsa-padding | CWE-327 | A02:2021 | | Disallow RSA PKCS#1 v1.5 padding (CVE-2023-46809 Marvin Attack) | 🟢 | | | | | |
| no-math-random-crypto | CWE-338 | A02:2021 | | Disallow Math.random() for cryptographic purposes (tokens, keys, secrets, salts, IVs) | 🟢 | | | | | |
| no-self-signed-certs | CWE-295 | A07:2021 | | Disallow rejectUnauthorized false in TLS options | 🟢 | | | | | |
| no-sha1-hash | CWE-327 | A02:2021 | | Disallow sha1() from crypto-hash package (use sha256 or sha512) | 🟢 | | | | | |
| no-ssrf | CWE-918 | A10:2021 | | Detect HTTP requests with user-controlled URLs (server-side request forgery). | 🟢 | | | | 💡 | |
| no-static-iv | CWE-329 | A02:2021 | | Disallow static or hardcoded initialization vectors (IVs) | 🟢 | | | | | |
| no-timing-unsafe-compare | CWE-208 | A02:2021 | | Disallow timing-unsafe comparison of secrets | 🟢 | | | | | |
| no-toctou-vulnerability | CWE-367 | A01:2021 | | Detects Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerabilities in file system operations. | 🟢 | | | | | |
| no-unsafe-dynamic-require | CWE-494 | | | Disallows dynamic require() calls with non-literal arguments that could lead to security vulnerabilities | 🟢 | | | | | |
| no-weak-cipher-algorithm | CWE-327 | A02:2021 | | Disallow weak cipher algorithms (DES, 3DES, RC4, Blowfish, RC2, IDEA) | 🟢 | | | | | |
| no-weak-hash-algorithm | CWE-327 | A02:2021 | | Disallow weak hash algorithms (MD5, MD4, SHA-1, RIPEMD) | 🟢 | | | | | |
| no-zip-slip | CWE-22 | | | Detects zip slip/archive extraction vulnerabilities | 🟢 | | | | | |
| prefer-native-crypto | CWE-1104 | A06:2021 | | Prefer native crypto over third-party libraries | 🟢 | | | | | |
| require-dependency-integrity | CWE-494 | | | CWE: CWE-494 | 🟢 | | | | | |
| require-secure-credential-storage | CWE-312 | | | This rule detects when credentials are stored using localStorage.setItem() or fs.writeFile() without encryp… | 🟢 | | | | | |
| require-secure-deletion | CWE-459 | | | CWE: CWE-459 | 🟢 | | | | | |
| require-storage-encryption | CWE-312 | | | CWE: CWE-312 | 🟢 | | | | | |
🔗 Related ESLint Plugins
Part of the Interlace ESLint Ecosystem, a set of AI-native security plugins with LLM-optimized error messages:
| Plugin | Description |
|---|---|
| eslint-plugin-secure-coding | General security rules & OWASP guidelines. |
| eslint-plugin-pg | PostgreSQL security & best practices. |
| eslint-plugin-node-security | Node.js core-module security (fs, child_process, vm, crypto, Buffer). |
| eslint-plugin-jwt | JWT security & best practices. |
| eslint-plugin-browser-security | Browser-specific security & XSS prevention. |
| eslint-plugin-express-security | Express.js security hardening rules. |
| eslint-plugin-lambda-security | AWS Lambda security best practices. |
| eslint-plugin-nestjs-security | NestJS security rules & patterns. |
| eslint-plugin-mongodb-security | MongoDB security best practices. |
| eslint-plugin-vercel-ai-security | Vercel AI SDK security hardening. |
| eslint-plugin-import-next | Next-gen import sorting & architecture. |
⭐ Support & follow
If this plugin caught a real bug for you, star the repo (stars are the signal that keeps the Interlace ESLint ecosystem maintained) and follow the writeups on Dev.to for the benchmarks and security research behind these rules.
📜 License
MIT © Ofri Peretz
