{"id":19688,"library":"eslint-plugin-anti-trojan-source","title":"eslint-plugin-anti-trojan-source","description":"ESLint plugin (v1.1.2) that detects Trojan Source attacks using Unicode bidirectional (bidi) characters in JavaScript/TypeScript code. It provides a single rule `no-bidi` that flags maliciously embedded Unicode control characters that can cause code to appear differently to humans vs compilers. The plugin includes a recommended configuration for easy adoption. Updated as recently as November 2025 but core functionality (single rule) stable since 2021. Inspired similar rule `detect-bidi-characters` in eslint-plugin-security. No dependencies. Actively maintained.","status":"active","version":"1.1.2","language":"javascript","source_language":"en","source_url":"https://github.com/lirantal/eslint-plugin-anti-trojan-source","tags":["javascript","eslint","eslint-plugin","eslintplugin","plugin","eslint plugin","rules","trojan","trojan source"],"install":[{"cmd":"npm install eslint-plugin-anti-trojan-source","lang":"bash","label":"npm"},{"cmd":"yarn add eslint-plugin-anti-trojan-source","lang":"bash","label":"yarn"},{"cmd":"pnpm add eslint-plugin-anti-trojan-source","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The recommended config includes the plugin and sets the rule. ESLint requires both plugin and rule references.","wrong":"{\n  \"extends\": [\"plugin:anti-trojan-source/recommended\"]\n}","symbol":"Plugin config (extending recommended)","correct":"{\n  \"extends\": [\"eslint:recommended\", \"plugin:anti-trojan-source/recommended\"]\n}"},{"note":"ESLint automatically strips 'eslint-plugin-' prefix. Without prefix, the rule must be namespaced with the plugin name.","wrong":"{\n  \"plugins\": [\"eslint-plugin-anti-trojan-source\"],\n  \"rules\": {\n    \"no-bidi\": \"error\"\n  }\n}","symbol":"Plugin config (manual)","correct":"{\n  \"plugins\": [\"anti-trojan-source\"],\n  \"rules\": {\n    \"anti-trojan-source/no-bidi\": \"error\"\n  }\n}"},{"note":"The rule is namespaced under the plugin. Using just 'no-bidi' will not be found unless the plugin is loaded and scoped.","wrong":"\"no-bidi\"","symbol":"Rule name","correct":"\"anti-trojan-source/no-bidi\""}],"quickstart":{"code":"npm install --save-dev eslint eslint-plugin-anti-trojan-source\n\n# .eslintrc.json\n{\n  \"extends\": [\"eslint:recommended\", \"plugin:anti-trojan-source/recommended\"]\n}\n\n# or manually:\n# .eslintrc.json\n{\n  \"plugins\": [\"anti-trojan-source\"],\n  \"rules\": {\n    \"anti-trojan-source/no-bidi\": \"error\"\n  }\n}\n\n# Create a file with malicious Unicode\n# echo 'const isAdmin = false; // \\u202E } \\u2066if (isAdmin)\\u2069 \\u2066 begin admins only' > test.js\n# eslint test.js\n# Expected: error about trojan source attack","lang":"json","description":"Install the plugin, configure via recommended or manual setup, and run ESLint to detect Trojan Source bidi attacks in your codebase."},"warnings":[{"fix":"Switch to `eslint-plugin-security` and enable the `detect-bidi-characters` rule for broader security scope.","message":"Consider using eslint-plugin-security's `detect-bidi-characters` rule instead.","severity":"deprecated","affected_versions":">=1.0.0"},{"fix":"Use legacy config format for now, or check plugin for flat config support. For flat config: `import antiTrojan from 'eslint-plugin-anti-trojan-source';` and include `antiTrojan.flatConfigs.recommended`.","message":"ESLint flat config (v9) requires different configuration format; this plugin may not be compatible out of the box.","severity":"breaking","affected_versions":">=1.0.0"},{"fix":"Complement with other tools like `anti-trojan-source` CLI or use `eslint-plugin-security` for wider coverage.","message":"Plugin only detects bidi characters, not all Trojan Source vectors like homoglyphs or zero-width spaces.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Mark false positives with `// eslint-disable-next-line anti-trojan-source/no-bidi` (but ensure they are intentional).","message":"Rule `no-bidi` can produce false positives on legitimate Unicode characters used in comments or strings (e.g., RTL language comments).","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Run `npm install --save-dev eslint-plugin-anti-trojan-source`.","cause":"Plugin not installed or missing from node_modules.","error":"Error: Failed to load plugin 'anti-trojan-source': Cannot find module 'eslint-plugin-anti-trojan-source'"},{"fix":"Use `\"anti-trojan-source/no-bidi\"` in the rules object.","cause":"Rule namespacing omitted; the rule must be referenced as `anti-trojan-source/no-bidi`.","error":"Configuration for rule \"no-bidi\" is invalid: Rule \"no-bidi\" is not valid"},{"fix":"Ensure only one config file defines the plugin (e.g., move plugins to root .eslintrc).","cause":"Plugin loaded twice from different config files.","error":"ESLint: Plugin \"anti-trojan-source\" was conflicted between \"...\" and \"...\""}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}