{"id":19912,"library":"eslint-plugin-redos","title":"ESLint Plugin for ReDoS Detection","description":"ESLint plugin that detects ReDoS (Regular Expression Denial of Service) vulnerabilities using the recheck engine. Currently at v4.5.0 (stable), with the v4.6.0-beta series adding ESLint flat config support and Apple M1 native binaries. It uses a static analysis engine (Scala-based) to identify exponential or polynomial worst-case behavior in regex patterns, differentiating it from simple regex linting rules. Requires Node >=20 and ESLint >=3. Release cadence is irregular with beta versions addressing platform support.","status":"active","version":"4.5.0","language":"javascript","source_language":"en","source_url":"https://github.com/makenowjust-labs/recheck","tags":["javascript","eslint","eslint-plugin","eslintplugin","redos","regexp","security"],"install":[{"cmd":"npm install eslint-plugin-redos","lang":"bash","label":"npm"},{"cmd":"yarn add eslint-plugin-redos","lang":"bash","label":"yarn"},{"cmd":"pnpm add eslint-plugin-redos","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"peer dependency required as the plugin runs within ESLint","package":"eslint","optional":false}],"imports":[{"note":"Default export is the plugin object. Named export pattern is not available. In CommonJS: const plugin = require('eslint-plugin-redos').","wrong":"import { plugin } from 'eslint-plugin-redos'","symbol":"plugin","correct":"import plugin from 'eslint-plugin-redos'"},{"note":"Rules are accessed via the plugin's default export. The rule name is 'no-redos'. TypeScript users can import type definitions if bundled.","wrong":"import { rules } from 'eslint-plugin-redos'","symbol":"rule","correct":"import plugin from 'eslint-plugin-redos'; const rule = plugin.rules['no-redos'];"},{"note":"Configs are nested under the default export. Use plugin.configs.recommended to extend the recommended configuration.","wrong":"import { recommended } from 'eslint-plugin-redos'","symbol":"configs","correct":"import plugin from 'eslint-plugin-redos'; const recommended = plugin.configs.recommended;"}],"quickstart":{"code":"// .eslintrc.js (ESLint <9) or eslint.config.js (flat config)\n// Legacy config:\nmodule.exports = {\n  plugins: ['redos'],\n  rules: {\n    'redos/no-redos': 'error'\n  }\n};\n\n// Flat config (ESLint >=9, requires v4.6.0-beta or later):\nimport plugin from 'eslint-plugin-redos';\nexport default [\n  {\n    plugins: { redos: plugin },\n    rules: { 'redos/no-redos': 'error' }\n  }\n];","lang":"javascript","description":"Shows how to configure the plugin in both legacy and flat ESLint config, enabling the no-redos rule."},"warnings":[{"fix":"Upgrade Node.js to version 20 or higher.","message":"v4.x requires Node >=20. Older Node versions are incompatible.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Use legacy .eslintrc config or upgrade to v4.6.0-beta.","message":"ESLint flat config support is only available in v4.6.0-beta and later. v4.5.0 stable does not support flat config.","severity":"deprecated","affected_versions":">=4.0.0 <4.6.0-beta"},{"fix":"If on ARM Linux, ensure the platform-specific optional dependency is installed, or install recheck-linux-arm64 explicitly.","message":"The plugin uses native binaries via 'recheck' package; on unsupported architectures (e.g., ARM Linux) it may fall back to JavaScript with degraded performance.","severity":"gotcha","affected_versions":">=4.0.0"},{"fix":"Review dynamic regex constructions separately, or use additional analysis tools.","message":"The rule 'no-redos' only checks static regex literals, not dynamically constructed regexes from variables.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Run 'npm install eslint-plugin-redos --save-dev' and ensure it's listed in package.json devDependencies.","cause":"Missing or incorrect installation of the plugin.","error":"Error: Cannot find module 'eslint-plugin-redos'"},{"fix":"Upgrade to v4.6.0-beta or later, or use legacy config where severity strings are allowed.","cause":"Using flat config with a version before v4.6.0-beta that doesn't support the 'error' severity string in flat config format.","error":"ESLintError: Configuration for rule 'no-redos' is invalid. Value \"error\" is not an allowed value."},{"fix":"Use 'import plugin from 'eslint-plugin-redos'' instead of 'import { plugin } ...' then access plugin.rules.","cause":"Trying to access rules from a named export instead of the default export.","error":"TypeError: plugin.rules is not iterable"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}