{"id":19930,"library":"eslint-plugin-security","title":"eslint-plugin-security","description":"ESLint plugin providing security-focused lint rules for Node.js applications, maintained by eslint-community. Current stable version is 4.0.0 (released 2026-02-19), with a slower release cadence of major versions every ~2 years. Key differentiators: it identifies potential security hotspots like eval() with expressions, unsafe Buffer usage, and child_process exec() calls; integrates as a recommended flat config for ESLint 9+; replaced the legacy eslintrc config with flat config (breaking change), and has dropped support for older Node versions. Currently in active development.","status":"active","version":"4.0.0","language":"javascript","source_language":"en","source_url":"https://github.com/eslint-community/eslint-plugin-security","tags":["javascript","eslint","security","nodesecurity"],"install":[{"cmd":"npm install eslint-plugin-security","lang":"bash","label":"npm"},{"cmd":"yarn add eslint-plugin-security","lang":"bash","label":"yarn"},{"cmd":"pnpm add eslint-plugin-security","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"CommonJS require is the primary method for loading the plugin in flat config files; ESM is also supported via import.","symbol":"pluginSecurity","correct":"const pluginSecurity = require('eslint-plugin-security');"},{"note":"v4 switched recommended config to flat format; the legacy extends pattern only works with recommended-legacy.","wrong":"module.exports = { extends: ['plugin:security/recommended'] };","symbol":"recommended (flat config)","correct":"module.exports = [...pluginSecurity.configs.recommended];"},{"note":"Access individual rule definitions for custom configuration.","symbol":"rules","correct":"const { rules } = require('eslint-plugin-security');"}],"quickstart":{"code":"// eslint.config.js\nconst pluginSecurity = require('eslint-plugin-security');\nmodule.exports = [\n  {\n    files: ['**/*.js'],\n    
...pluginSecurity.configs.recommended\n  }\n];\n\n// Or with customize\n/*\nmodule.exports = [\n  {\n    files: ['**/*.js'],\n    plugins: { security: pluginSecurity },\n    rules: {\n      'security/detect-eval-with-expression': 'warn',\n      'security/detect-child-process': 'error'\n    }\n  }\n];\n*/","lang":"javascript","description":"Shows how to set up eslint-plugin-security v4 with flat config in eslint.config.js, both using recommended config and custom rules. In the custom-rules variant, detect-eval-with-expression is set to 'warn'; ESLint warnings do not fail a run unless --max-warnings is set, so use 'error' for any rule you want enforced in CI."},"warnings":[{"fix":"Use pluginSecurity.configs.recommended in a flat config file. For eslintrc, use 'extends: plugin:security/recommended-legacy'.","message":"v4 switched the recommended config to flat format. The old eslintrc config (extends: plugin:security/recommended) no longer works.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Upgrade Node.js to a supported version (18.18+, 20.9+, or 21.1+).","message":"v4 requires Node.js ^18.18.0, ^20.9.0, or >=21.1.0. Older Node versions are no longer supported.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Treat findings as hotspots to triage, not confirmed vulnerabilities, and treat a clean run as no evidence of absence: the rules match code shapes (for example a non-literal argument) without tracking where the value came from. Combine with manual review and other security tools.","message":"The plugin detects potential security hotspots but produces many false positives that require manual triage.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Migrate to flat config using pluginSecurity.configs.recommended, or use recommended-legacy config.","message":"The legacy eslintrc config (extends: plugin:security/recommended) is deprecated in v3 and removed in v4.","severity":"deprecated","affected_versions":">=3.0.0 <4.0.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Switch to flat config: use pluginSecurity.configs.recommended. If you must stay on eslintrc, use extends: 'plugin:security/recommended-legacy' rather than pinning the plugin to v3, since a pinned older major would not receive later rule changes.","cause":"Using deprecated extends string with plugin version that doesn't support it (v4 flat config).","error":"Error: Could not find 'eslint-plugin-security' config 'recommended' after loading."},{"fix":"Use import pluginSecurity from 'eslint-plugin-security' (default import) or require().","cause":"Incorrect import of the plugin in ESM context (trying to destructure a namespace).","error":"TypeError: Cannot read properties of undefined (reading 'recommended')"},{"fix":"Manually inspect the flagged code. Confirm the argument cannot be influenced by untrusted input (a value that is not a literal in the source is not necessarily fixed at runtime); only then suppress it with a narrowly scoped eslint-disable-next-line comment that records the justification, so the exception stays visible in code review.","cause":"False positive: the rule flags non-literal looking arguments even if they are safely constructed.","error":"Warning: Rule 'security/detect-non-literal-fs-filename' was triggered, but the file path is static."}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}