# Rules

All ESLint security rules provided by eslint-plugin-pg.

## 13 Security Rules

Comprehensive coverage of PostgreSQL security and best practices for the pg driver.

## All Rules
| Rule | 💼 | 🔧 | 💡 | ⚠️ | Docs |
|---|---|---|---|---|---|
| `check-query-params`: Ensures the number of placeholders in SQL queries matches the number of provided parameters. | | | | | |
| `no-batch-insert-loop`: Prevents INSERT/UPDATE/DELETE queries inside loops (the N+1 query anti-pattern). | | | | | |
| `no-floating-query`: Ensures query promises are awaited or otherwise handled. | | | | | |
| `no-hardcoded-credentials`: Prevents hardcoded passwords and connection strings in PostgreSQL client initialization. | | | | | |
| `no-insecure-ssl`: Prevents disabling SSL certificate validation in PostgreSQL connections. | | | | | |
| `no-missing-client-release`: Ensures acquired pool clients are released back to the pool. | | | | | |
| `no-select-all`: Discourages `SELECT *` in favor of explicit column lists. | | | | | |
| `no-transaction-on-pool`: Prevents running transaction commands directly on a pool (a dedicated client must be used). | | | | | |
| `no-unsafe-copy-from`: Prevents `COPY FROM` with file paths (`STDIN` should be used for safe client-side data loading). | | | | | |
| `no-unsafe-query`: Detects unsafe (non-parameterized) queries; SQL injection is one of the most critical security vulnerabilities. | | | | | |
| `no-unsafe-search-path`: Prevents dynamic `SET search_path` queries that could enable schema hijacking. | | | | | |
| `prefer-pool-query`: Suggests using `pool.query()` for single-shot queries instead of manual connect/release. | | | | | |
| `prevent-double-release`: Prevents calling `client.release()` multiple times on the same client. | | | | | |
## Rule Categories

### SQL Injection Prevention

Rules detecting unsafe queries and requiring parameterized queries.

### Credential Security

Rules preventing hardcoded credentials and insecure SSL configurations.

### Connection Management

Rules enforcing proper client release and preventing double-release issues.

### Query Best Practices

Rules for efficient query patterns and preventing common mistakes.