ESLint Plugin for ReDoS Detection
Version 4.5.0, verified Sat Apr 25.

ESLint plugin that detects ReDoS (Regular Expression Denial of Service) vulnerabilities using the recheck engine. Currently at v4.5.0 (stable); the v4.6.0-beta series adds ESLint flat config support and Apple M1 native binaries. It uses a static analysis engine (Scala-based) to identify exponential or polynomial worst-case matching behaviour in regex patterns, which distinguishes it from simple regex linting rules. Requires Node >=20 and ESLint >=3. Release cadence is irregular, with beta versions addressing platform support.
Common errors
error: Error: Cannot find module 'eslint-plugin-redos'
cause: Missing or incorrect installation of the plugin.
fix: Run 'npm install eslint-plugin-redos --save-dev' and make sure it is listed under devDependencies in package.json.

error: ESLintError: Configuration for rule 'no-redos' is invalid. Value "error" is not an allowed value.
cause: Using flat config with a version before v4.6.0-beta, which does not support the 'error' severity string in the flat config format.
fix: Upgrade to v4.6.0-beta or later, or use the legacy config, where severity strings are allowed.

error: TypeError: plugin.rules is not iterable
cause: Accessing rules through a named export instead of the default export.
fix: Use import plugin from 'eslint-plugin-redos' instead of import { plugin } from 'eslint-plugin-redos', then read plugin.rules.
Warnings
breaking: v4.x requires Node >=20. Older Node versions are incompatible.
fix: Upgrade Node.js to version 20 or higher.

deprecated: ESLint flat config support is only available in v4.6.0-beta and later; v4.5.0 stable does not support flat config.
fix: Use the legacy .eslintrc config or upgrade to v4.6.0-beta.

gotcha: The plugin uses native binaries through the 'recheck' package; on unsupported architectures (e.g. ARM Linux) it may fall back to JavaScript with degraded performance.
fix: On ARM Linux, make sure the platform-specific optional dependency is installed, or install recheck-linux-arm64 explicitly.

gotcha: The 'no-redos' rule only checks static regex literals, not regexes constructed dynamically from variables.
fix: Review dynamic regex constructions separately, or use additional analysis tools.
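The two points above, that the plugin statically analyses the pattern text and that it can only do so for regexes whose text is known at lint time, shown in working code. This is an added example, not code from eslint-plugin-redos or recheck: hasNestedQuantifier is a deliberately simplified heuristic that stands in for recheck's automaton-based analysis, findRegExpUses is a lexical scan rather than ESLint's AST, and SAMPLE_SOURCE is a constructed snippet, not a real project.

```javascript
// Added example; not code from eslint-plugin-redos or recheck.
//  1. hasNestedQuantifier(): a simplified heuristic for the most common ReDoS
//     shape, an unbounded quantifier on a group that itself contains a
//     quantified element, e.g. (a+)+ or (\w+,?)*. recheck does a real
//     automaton-based analysis; this only shows what "static analysis of the
//     pattern text" means.
//  2. findRegExpUses(): a lexical scan of JavaScript source showing why a lint
//     rule can only judge regexes whose pattern is known at lint time.

// Quantifier starting at `pos`: its length (0 if none) and whether it allows
// unlimited repetitions. Handles * + ? {n} {n,} {n,m} plus a lazy `?` suffix.
function quantifierAt(source, pos) {
  const ch = source[pos];
  let len = 0, unbounded = false;
  if (ch === '*' || ch === '+') { len = 1; unbounded = true; }
  else if (ch === '?') { len = 1; }
  else if (ch === '{') {
    const m = /^\{(\d+)(,(\d*))?\}/.exec(source.slice(pos));
    if (m) { len = m[0].length; unbounded = m[2] !== undefined && m[3] === ''; }
  }
  if (len > 0 && source[pos + len] === '?') len++;
  return { len, unbounded };
}

// Index just past the `]` that closes the character class opening at `i`.
function classEnd(source, i) {
  let j = i + 1;
  if (source[j] === '^') j++;
  if (source[j] === ']') j++;                 // a leading `]` is literal
  while (j < source.length && source[j] !== ']') j += source[j] === '\\' ? 2 : 1;
  return j + 1;
}

// True when some group with an unbounded quantifier contains a quantified
// element (directly or via a nested group). Heuristic only: false positives
// and negatives are expected, which is exactly why the plugin uses recheck.
function hasNestedQuantifier(pattern) {
  const stack = [];                            // one entry per open group
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '(') {
      stack.push({ quantifiedInside: false });
      if (pattern[i + 1] === '?') {            // (?: (?= (?! (?<= (?<! (?<name>
        i += 2;
        if (pattern[i] === '<' && !'=!'.includes(pattern[i + 1])) {
          i = Math.max(i, pattern.indexOf('>', i));
        }
      }
      continue;
    }
    if (ch === ')') {
      const group = stack.pop() || { quantifiedInside: false };
      const q = quantifierAt(pattern, i + 1);
      if (q.unbounded && group.quantifiedInside) return true;
      // a quantified group, or one holding quantified content, counts for its parent
      if ((q.len > 0 || group.quantifiedInside) && stack.length) stack[stack.length - 1].quantifiedInside = true;
      i += q.len;
      continue;
    }
    if (ch === '|' || ch === '^' || ch === '$') continue;
    const atomEnd = ch === '\\' ? i + 2 : ch === '[' ? classEnd(pattern, i) : i + 1;
    const q = quantifierAt(pattern, atomEnd);
    if (q.len > 0 && stack.length) stack[stack.length - 1].quantifiedInside = true;
    i = atomEnd + q.len - 1;
  }
  return false;
}

// Regex literal where `/` cannot be division (after = ( , : [ ! & | ? { } ; or `return`).
const REGEX_LITERAL = /(?:[=(,:[!&|?{};]|\breturn)\s*\/((?:\\.|\[(?:\\.|[^\]\n])*\]|[^/\\\n[])+)\/[a-z]*/g;
// RegExp(...) whose first argument is a complete '...' or "..." literal (static),
// or anything else such as a variable or concatenation (dynamic).
const REGEXP_CALL = /\bRegExp\s*\(\s*(?:(['"])((?:\\.|(?!\1)[^\\\n])*)\1\s*[,)]|([^)\n]*))/g;

function findRegExpUses(code) {
  const uses = [];
  for (const m of code.matchAll(REGEX_LITERAL)) {
    uses.push({ index: m.index, kind: 'literal', isStatic: true, pattern: m[1] });
  }
  for (const m of code.matchAll(REGEXP_CALL)) {
    if (m[1] !== undefined) {
      // `\\` in a JS string literal is one backslash in the pattern (other escapes ignored here)
      uses.push({ index: m.index, kind: 'call', isStatic: true, pattern: m[2].replace(/\\\\/g, '\\') });
    } else {
      uses.push({ index: m.index, kind: 'call', isStatic: false, pattern: null, argument: m[3].trim() });
    }
  }
  uses.sort((a, b) => a.index - b.index);
  // Only static patterns can be analysed; dynamic ones get null, the blind spot the gotcha describes.
  return uses.map(u => ({ ...u, nestedQuantifier: u.isStatic ? hasNestedQuantifier(u.pattern) : null }));
}

// Constructed sample source (not from any real project).
const SAMPLE_SOURCE = String.raw`
const email = /^([a-z0-9_.-]+)@([a-z0-9-]+)\.[a-z]{2,}$/i;
const csv = /^(\w+,?)+$/;
function build(sep) {
  return new RegExp('^(' + sep + '+)+$');
}
const fromUser = new RegExp(userInput);
const fixed = new RegExp('^(\\d+)*$');
`;

for (const u of findRegExpUses(SAMPLE_SOURCE)) {
  const verdict = u.isStatic ? (u.nestedQuantifier ? 'FLAG nested quantifier' : 'ok') : 'dynamic, not analysable';
  console.log(`${u.kind.padEnd(7)} ${verdict.padEnd(24)} ${u.pattern ?? u.argument}`);
}
```

Run it with node. The two RegExp calls built from a variable or from concatenation come back as dynamic with no verdict; the fixed-string call and the two literals are analysed, and the csv and fixed patterns are flagged while the email pattern is not. That split is the practical meaning of the gotcha: anything whose pattern only exists at runtime needs a separate review, regardless of how good the static analyser is.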
Install
npm install eslint-plugin-redos
yarn add eslint-plugin-redos
pnpm add eslint-plugin-redos

Imports

- plugin
  wrong:   import { plugin } from 'eslint-plugin-redos'
  correct: import plugin from 'eslint-plugin-redos'
- rule
  wrong:   import { rules } from 'eslint-plugin-redos'
  correct: import plugin from 'eslint-plugin-redos'; const rule = plugin.rules['no-redos'];
- configs
  wrong:   import { recommended } from 'eslint-plugin-redos'
  correct: import plugin from 'eslint-plugin-redos'; const recommended = plugin.configs.recommended;
Quickstart
// .eslintrc.js (ESLint <9) or eslint.config.js (flat config)

// Legacy config:
module.exports = {
  plugins: ['redos'],
  rules: {
    'redos/no-redos': 'error'
  }
};

// Flat config (ESLint >=9, requires v4.6.0-beta or later):
import plugin from 'eslint-plugin-redos';

export default [
  {
    plugins: { redos: plugin },
    rules: { 'redos/no-redos': 'error' }
  }
];