Changelog
Release history and version updates for eslint-plugin-secure-coding
This changelog is fetched directly from CHANGELOG.md on GitHub and cached for 2 hours.
3.1.3 (2026-02-09)
This was a version bump only for eslint-plugin-secure-coding to align it with other projects; there were no code changes.
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[3.1.1] - 2026-02-09
This was a version bump only for eslint-plugin-secure-coding to align it with other projects; there were no code changes.
[3.1.0] - 2026-02-09
This was a version bump only for eslint-plugin-secure-coding to align it with other projects; there were no code changes.
[3.0.3] - 2026-02-09
This was a version bump only for eslint-plugin-secure-coding to align it with other projects; there were no code changes.
[3.0.2] - 2025-12-20
Performance
- detect-object-injection: Replaced getText() + regex with AST-based validation (~4x faster)
- detect-non-literal-fs-filename: Replaced getText() + regex with AST-based validation
- no-timing-attack: Set-based O(1) lookups for sensitive variables and auth patterns
- no-buffer-overread: Set-based O(1) lookups for buffer methods and user-controlled keywords
- no-missing-csrf-protection: Set-based O(1) lookups for protected HTTP methods
- detect-child-process: Set-based O(1) lookups for dangerous child_process methods
[3.0.1] - 2025-12-20
Fixed
- detect-object-injection: Reduced false positives by detecting validation patterns:
  - includes() checks in enclosing if-blocks
  - hasOwnProperty() / Object.hasOwn() / in operator checks
  - Preceding guard clauses with early exit (if (!valid) throw)
  - Numeric index access (items[0], items[1]) now recognized as safe
- detect-non-literal-fs-filename: Allow safe path patterns:
  - path.join(__dirname, ...literals) with all literal arguments
  - Paths validated with startsWith() checks (both inside if-blocks and after guard clauses)
- no-timing-attack: Skip false positives in timing-safe contexts:
  - Length comparisons before crypto.timingSafeEqual()
  - Early returns inside functions using timingSafeEqual
  - Fixed file-level sensitive variable detection to be function-scoped
- no-unsanitized-html: Track sanitized variables:
  - Variables assigned from DOMPurify.sanitize() now recognized as safe
- no-unlimited-resource-allocation: Allow safe static paths:
  - fs.readFileSync(path.join(__dirname, ...literals)) patterns now recognized as safe
[3.0.0] - 2025-12-14
Added
- OWASP Mobile Top 10 Coverage: Added 40 new rules targeting mobile security risks (M1-M10).
- New Presets:
  - owasp-mobile-top-10: Comprehensive mobile security ruleset.
- Documentation:
  - Full "Mobile Security" table in README with CVSS scores and fixable icons.
  - Updated AGENTS.md with complete rule catalog for AI assistants.
Changed
- Recommended Config: Now includes critical mobile security rules for hybrid web/mobile apps.
- Rule Improvements: Refined AST detection for no-clickjacking and no-unvalidated-deeplinks to reduce false positives.
[1.0.0] - 2025-01-01
Added
- Initial release with 48 security-focused ESLint rules
- LLM-optimized error messages with CWE references and OWASP mapping
- Three preset configurations: recommended, strict, owasp-top-10
- Full ESLint 9 flat config support
- TypeScript support
Security Rules
Injection Prevention (11 rules)
- no-sql-injection - SQL injection prevention
- database-injection - Comprehensive SQL/NoSQL/ORM injection
- detect-eval-with-expression - Dynamic eval() detection
- detect-child-process - Command injection detection
- no-unsafe-dynamic-require - Dynamic require() prevention
- no-graphql-injection - GraphQL injection prevention
- no-xxe-injection - XXE injection prevention
- no-xpath-injection - XPath injection prevention
- no-ldap-injection - LDAP injection prevention
- no-directive-injection - Template injection prevention
- no-format-string-injection - Format string injection prevention
Path & File Security (3 rules)
- detect-non-literal-fs-filename - Path traversal detection
- no-zip-slip - Zip slip vulnerability prevention
- no-toctou-vulnerability - TOCTOU race condition detection
Regex Security (3 rules)
- detect-non-literal-regexp - ReDoS detection in RegExp
- no-redos-vulnerable-regex - ReDoS pattern detection
- no-unsafe-regex-construction - Unsafe regex prevention
Object & Prototype (2 rules)
- detect-object-injection - Prototype pollution detection
- no-unsafe-deserialization - Unsafe deserialization prevention
Cryptography (6 rules)
- no-hardcoded-credentials - Hardcoded secrets detection
- no-weak-crypto - Weak algorithm detection
- no-insufficient-random - Weak randomness detection
- no-timing-attack - Timing attack prevention
- no-insecure-comparison - Insecure comparison detection
- no-insecure-jwt - JWT security issues detection
Input Validation & XSS (5 rules)
- no-unvalidated-user-input - Input validation enforcement
- no-unsanitized-html - XSS via innerHTML prevention
- no-unescaped-url-parameter - URL parameter XSS prevention
- no-improper-sanitization - Output encoding enforcement
- no-improper-type-validation - Type confusion prevention
Authentication & Authorization (3 rules)
- no-missing-authentication - Auth check enforcement
- no-privilege-escalation - Privilege escalation detection
- no-weak-password-recovery - Secure password reset enforcement
Session & Cookies (3 rules)
- no-insecure-cookie-settings - Cookie security enforcement
- no-missing-csrf-protection - CSRF protection enforcement
- no-document-cookie - Direct cookie access detection
Network & Headers (5 rules)
- no-missing-cors-check - CORS validation enforcement
- no-missing-security-headers - Security header enforcement
- no-insecure-redirects - Open redirect prevention
- no-unencrypted-transmission - HTTPS enforcement
- no-clickjacking - Clickjacking prevention
Data Exposure (2 rules)
- no-exposed-sensitive-data - Data exposure prevention
- no-sensitive-data-exposure - Log sanitization enforcement
Buffer & Memory (1 rule)
- no-buffer-overread - Buffer safety enforcement
DoS & Resource (2 rules)
- no-unlimited-resource-allocation - Resource limit enforcement
- no-unchecked-loop-condition - Infinite loop prevention
Platform-Specific (2 rules)
- no-electron-security-issues - Electron security enforcement
- no-insufficient-postmessage-validation - postMessage validation