eslint-plugin-knex
0.2.2 | verified Sat Apr 25 | auth: no | javascript | maintenance
ESLint plugin that enforces safe SQL query practices when using Knex.js, in particular preventing SQL injection by disallowing plain string arguments in raw queries. The current stable version is 0.2.2, and there has been no recent active development (the last update was years ago). It offers a single rule, `avoid-injections`, and allows configuration of the expected Knex builder variable names. Unlike generic SQL injection linting, this plugin is tailored specifically to Knex's `knex.raw()` method, filling a niche for projects that rely heavily on raw queries.
Common errors
error: Error: Failed to load plugin 'knex' declared in '.eslintrc': Cannot find module 'eslint-plugin-knex'
cause: Plugin not installed as a devDependency.
fix: npm install -D eslint-plugin-knex

error: Rule 'knex/avoid-injections' was not found. Did you mean to use 'avoid-injections'?
cause: Rule referenced without the plugin namespace prefix.
fix: Use 'knex/avoid-injections' instead of 'avoid-injections'.

error: Configuration for rule 'knex/avoid-injections' is invalid: Value should be string (error/warn/off).
cause: Rule severity configured incorrectly, e.g., as a number or object.
fix: Set rule value to 'error', 'warn', or 'off'.
Warnings
gotcha: The plugin only provides a single rule; other potential Knex linting needs (e.g., using .where with raw) are not covered.
fix: Supplement with additional ESLint rules or custom linting as needed.

deprecated: Plugin has not been updated since 2018; may not support newer ESLint versions or Knex features.
fix: Consider alternatives or test compatibility with your ESLint/Knex versions.

gotcha: The rule 'avoid-injections' flags any plain string argument to raw(), including legitimate cases (e.g., simple constant queries).
fix: Ensure all raw queries use template literals or parameterized syntax, or suppress the rule with inline comments where appropriate.
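
The parameterized syntax and the inline suppression named in the fix above, as an added example that is not taken from the plugin or its documentation. The table, column and function names are hypothetical, and `recordingKnex` is a constructed stand-in for a Knex instance so the block runs without a database.

```javascript
// Added example. `knex` is any Knex instance (the name matches the page's
// builderName pattern); table, column and function names are hypothetical.

// Unsafe shape: the value becomes part of the SQL text itself.
function findByEmailConcatenated(knex, email) {
  return knex.raw("select id from users where email = '" + email + "'");
}

// Parameterized: the SQL text is a constant and the value travels as a binding.
function findByEmailBound(knex, email) {
  return knex.raw('select id from users where email = ?', [email]);
}

// Identifiers cannot be value bindings: allowlist them, then bind with ??.
const SORTABLE = new Set(['email', 'created_at']);
function listUsersSorted(knex, column) {
  if (!SORTABLE.has(column)) throw new RangeError('unsupported sort column');
  return knex.raw('select id, email from users order by ??', [column]);
}

// Constant query with no input at all: where the rule still reports it,
// suppress that one line and leave the reason next to it.
function healthCheck(knex) {
  // eslint-disable-next-line knex/avoid-injections
  return knex.raw('select 1');
}

// Constructed stand-in for a Knex instance: records what raw() receives.
function recordingKnex() {
  return { raw: (sql, bindings = []) => ({ sql, bindings }) };
}

// Constructed input: a legitimate address that happens to contain a quote.
function compare(email = "o'brien@example.com") {
  const knex = recordingKnex();
  return {
    concatenated: findByEmailConcatenated(knex, email),
    bound: findByEmailBound(knex, email),
  };
}

console.log(compare());
```

In the output, the concatenated query's text changes with the input, while the bound query's text stays fixed and the input appears only in `bindings`.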
Install
npm install eslint-plugin-knex
yarn add eslint-plugin-knex
pnpm add eslint-plugin-knex
Imports
- plugin
wrong
const plugin = require('eslint-plugin-knex')
correct
{ "plugins": ["knex"], "rules": { "knex/avoid-injections": "error" } }
- avoid-injections rule
wrong
"avoid-injections": "error"
correct
"knex/avoid-injections": "error"
Quickstart
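// .eslintrc.js
module.exports = {
  plugins: ['knex'],
  rules: {
    // Rule name carries the plugin namespace prefix
    'knex/avoid-injections': 'error'
  },
  settings: {
    knex: {
      // Pattern for the variable names expected to hold a Knex builder
      builderName: '^(knex|trx)$'
    }
  }
};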