Plugin: secure-coding
Changelog
Release history and version updates for eslint-plugin-secure-coding
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[4.0.0] - 2025-12-31
⚠️ BREAKING CHANGES
Removed 12 rules that now have dedicated, specialized plugins with enhanced functionality.
Removed Rules (use dedicated plugins instead)
| Removed Rule | Replacement Plugin | Replacement Rule(s) |
|---|---|---|
| no-sql-injection | eslint-plugin-pg | pg/no-unsafe-query |
| database-injection | eslint-plugin-pg | pg/no-unsafe-query |
| no-insecure-jwt | eslint-plugin-jwt | 13 dedicated JWT rules |
| no-weak-crypto | eslint-plugin-crypto | crypto/no-weak-hash-algorithm |
| no-timing-attack | eslint-plugin-crypto | crypto/no-timing-unsafe-compare |
| no-insufficient-random | eslint-plugin-crypto | crypto/no-math-random-crypto |
| no-document-cookie | eslint-plugin-browser-security | browser-security/no-sensitive-cookie-js |
| no-unsanitized-html | eslint-plugin-browser-security | browser-security/no-innerhtml |
| no-postmessage-origin-wildcard | eslint-plugin-browser-security | browser-security/no-postmessage-wildcard-origin |
| no-insecure-cookie-settings | eslint-plugin-browser-security | browser-security/require-cookie-secure-attrs |
| no-insufficient-postmessage-validation | eslint-plugin-browser-security | browser-security/require-postmessage-origin-check |
| no-unencrypted-local-storage | eslint-plugin-browser-security | browser-security/no-sensitive-localstorage |
| no-credentials-in-storage-api | eslint-plugin-browser-security | browser-security/no-sensitive-localstorage |
Migration Guide
Install the specialized plugins for the functionality you need:
```bash
# For PostgreSQL/SQL security
npm install --save-dev eslint-plugin-pg

# For JWT security
npm install --save-dev eslint-plugin-jwt

# For cryptography security
npm install --save-dev eslint-plugin-crypto

# For browser/client-side security
npm install --save-dev eslint-plugin-browser-security
```
Why This Change?
Specialized plugins provide:
- More rules: 13 JWT rules vs 1, 24 crypto rules vs 3
- Better detection: Domain-specific AST patterns
- Focused maintenance: Faster updates for each security domain
[3.0.2] - 2025-12-20
Performance
- detect-object-injection: Replaced `getText()` + regex with AST-based validation (~4x faster)
- detect-non-literal-fs-filename: Replaced `getText()` + regex with AST-based validation
- no-timing-attack: Set-based O(1) lookups for sensitive variables and auth patterns
- no-buffer-overread: Set-based O(1) lookups for buffer methods and user-controlled keywords
- no-missing-csrf-protection: Set-based O(1) lookups for protected HTTP methods
- detect-child-process: Set-based O(1) lookups for dangerous child_process methods
[3.0.1] - 2025-12-20
Fixed
- detect-object-injection: Reduced false positives by detecting validation patterns:
  - `includes()` checks in enclosing if-blocks
  - `hasOwnProperty()` / `Object.hasOwn()` / `in` operator checks
  - Preceding guard clauses with early exit (`if (!valid) throw`)
  - Numeric index access (`items[0]`, `items[1]`) now recognized as safe
- detect-non-literal-fs-filename: Allow safe path patterns:
  - `path.join(__dirname, ...literals)` with all literal arguments
  - Paths validated with `startsWith()` checks (both inside if-blocks and after guard clauses)
- no-timing-attack: Skip false positives in timing-safe contexts:
  - Length comparisons before `crypto.timingSafeEqual()`
  - Early returns inside functions using `timingSafeEqual`
  - Fixed file-level sensitive variable detection to be function-scoped
- no-unsanitized-html: Track sanitized variables:
  - Variables assigned from `DOMPurify.sanitize()` now recognized as safe
- no-unlimited-resource-allocation: Allow safe static paths:
  - `fs.readFileSync(path.join(__dirname, ...literals))` patterns now recognized as safe
[3.0.0] - 2025-12-14
Added
- OWASP Mobile Top 10 Coverage: Added 40 new rules targeting mobile security risks (M1-M10).
- New Presets:
  - `owasp-mobile-top-10`: Comprehensive mobile security ruleset.
- Documentation:
  - Full "Mobile Security" table in README with CVSS scores and fixable icons.
  - Updated `AGENTS.md` with complete rule catalog for AI assistants.
Changed
- Recommended Config: Now includes critical mobile security rules for hybrid web/mobile apps.
- Rule Improvements: Refined AST detection for `no-clickjacking` and `no-unvalidated-deeplinks` to reduce false positives.
[1.0.0] - 2025-01-01
Added
- Initial release with 48 security-focused ESLint rules
- LLM-optimized error messages with CWE references and OWASP mapping
- Three preset configurations: `recommended`, `strict`, `owasp-top-10`
- Full ESLint 9 flat config support
- TypeScript support
Security Rules
Injection Prevention (11 rules)
- `no-sql-injection` - SQL injection prevention
- `database-injection` - Comprehensive SQL/NoSQL/ORM injection
- `detect-eval-with-expression` - Dynamic eval() detection
- `detect-child-process` - Command injection detection
- `no-unsafe-dynamic-require` - Dynamic require() prevention
- `no-graphql-injection` - GraphQL injection prevention
- `no-xxe-injection` - XXE injection prevention
- `no-xpath-injection` - XPath injection prevention
- `no-ldap-injection` - LDAP injection prevention
- `no-directive-injection` - Template injection prevention
- `no-format-string-injection` - Format string injection prevention
Path & File Security (3 rules)
- `detect-non-literal-fs-filename` - Path traversal detection
- `no-zip-slip` - Zip slip vulnerability prevention
- `no-toctou-vulnerability` - TOCTOU race condition detection
Regex Security (3 rules)
- `detect-non-literal-regexp` - ReDoS detection in RegExp
- `no-redos-vulnerable-regex` - ReDoS pattern detection
- `no-unsafe-regex-construction` - Unsafe regex prevention
Object & Prototype (2 rules)
- `detect-object-injection` - Prototype pollution detection
- `no-unsafe-deserialization` - Unsafe deserialization prevention
Cryptography (6 rules)
- `no-hardcoded-credentials` - Hardcoded secrets detection
- `no-weak-crypto` - Weak algorithm detection
- `no-insufficient-random` - Weak randomness detection
- `no-timing-attack` - Timing attack prevention
- `no-insecure-comparison` - Insecure comparison detection
- `no-insecure-jwt` - JWT security issues detection
Input Validation & XSS (5 rules)
- `no-unvalidated-user-input` - Input validation enforcement
- `no-unsanitized-html` - XSS via innerHTML prevention
- `no-unescaped-url-parameter` - URL parameter XSS prevention
- `no-improper-sanitization` - Output encoding enforcement
- `no-improper-type-validation` - Type confusion prevention
Authentication & Authorization (3 rules)
- `no-missing-authentication` - Auth check enforcement
- `no-privilege-escalation` - Privilege escalation detection
- `no-weak-password-recovery` - Secure password reset enforcement
Session & Cookies (3 rules)
- `no-insecure-cookie-settings` - Cookie security enforcement
- `no-missing-csrf-protection` - CSRF protection enforcement
- `no-document-cookie` - Direct cookie access detection
Network & Headers (5 rules)
- `no-missing-cors-check` - CORS validation enforcement
- `no-missing-security-headers` - Security header enforcement
- `no-insecure-redirects` - Open redirect prevention
- `no-unencrypted-transmission` - HTTPS enforcement
- `no-clickjacking` - Clickjacking prevention
Data Exposure (2 rules)
- `no-exposed-sensitive-data` - Data exposure prevention
- `no-sensitive-data-exposure` - Log sanitization enforcement
Buffer & Memory (1 rule)
- `no-buffer-overread` - Buffer safety enforcement
DoS & Resource (2 rules)
- `no-unlimited-resource-allocation` - Resource limit enforcement
- `no-unchecked-loop-condition` - Infinite loop prevention
Platform-Specific (2 rules)
- `no-electron-security-issues` - Electron security enforcement
- `no-insufficient-postmessage-validation` - postMessage validation