eslint-plugin-scanjs-rules
version 0.2.1, verified Sat Apr 25, auth: no, javascript, abandoned
ESLint plugin providing supplemental security rules inspired by Mozilla's ScanJS, version 0.2.1. Last updated in 2016 with no active release cadence. Provides additional rules not found in core ESLint for detecting dangerous patterns (e.g., innerHTML, eval-like usage, constructors with HTML strings). Use with eslint-config-scanjs for full ScanJS parity. Note: unmaintained, may not work with modern ESLint versions (tested up to ESLint 3).
Common errors
error Error: Failed to load plugin 'eslint-plugin-scanjs-rules' declared in '.eslintrc.js': Cannot find module 'eslint-plugin-scanjs-rules'
cause Plugin not installed or path incorrect.
fix Run 'npm install eslint-plugin-scanjs-rules --save-dev'.
error Definition for rule 'scanjs-rules/no-eval' was not found
cause Rule name typo or missing prefix.
fix Use 'scanjs-rules/no-eval' (with prefix) in rules object, and ensure plugin is in plugins array.
error ESLint configuration in .eslintrc.js is invalid: Unexpected top-level property "extends" is an array but should be a string
cause Incorrect extends format in older ESLint versions.
fix Use string for extends: 'plugin:eslint-plugin-scanjs-rules/recommended' (not array) in ESLint <3.
Warnings
gotcha Plugin was last updated in 2016; may not work with ESLint >= 4 due to plugin API changes.
fix Consider using eslint-plugin-security or @microsoft/eslint-plugin-sdl instead.
deprecated Rule 'no-eval' is deprecated in ESLint core; use 'no-eval' from plugin for supplemental checks.
fix Use ESLint core 'no-eval' or scanjs-rules 'no-eval' but not both.
breaking Rule names in config use 'scanjs-rules/' prefix; omitting prefix fails.
fix Use 'scanjs-rules/rule-name' in rules object.
gotcha No TypeScript definitions; plugin may not work with @typescript-eslint/parser.
fix Wrap plugin in custom wrapper or use alternative security linter.
gotcha Some rules like 'no-document-write' may conflict with browser globals not present in Node.js environments.
fix Set env: { browser: true } in ESLint config.
Install
npm install eslint-plugin-scanjs-rules
yarn add eslint-plugin-scanjs-rules
pnpm add eslint-plugin-scanjs-rules
Imports
- rules (plugin object)
wrong
const plugin = require('eslint-plugin-scanjs-rules');
correct
import plugin from 'eslint-plugin-scanjs-rules';
- configs.recommended
wrong
const config = require('eslint-plugin-scanjs-rules').configs.recommended;
correct
import scanjs from 'eslint-plugin-scanjs-rules';
const config = scanjs.configs.recommended;
- Individual rule (e.g., 'no-eval')
wrong
const rule = require('eslint-plugin-scanjs-rules/rules/no-eval');
correct
import plugin from 'eslint-plugin-scanjs-rules';
const rule = plugin.rules['no-eval'];
Quickstart
// .eslintrc.js
module.exports = {
  plugins: ['eslint-plugin-scanjs-rules'],
  extends: ['plugin:eslint-plugin-scanjs-rules/recommended'],
  rules: {
    'scanjs-rules/no-eval': 'error',
    'scanjs-rules/no-document-write': 'warn'
  }
};
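The pitfalls listed under Common errors and Warnings can be checked mechanically before ESLint is run. The following is an added example, not code from the plugin or from this page: `checkScanjsConfig` and its finding labels are hypothetical names, and the sample input is the Quickstart config above.

```javascript
// Added example: pre-flight check of an ESLint config object against the
// pitfalls this page lists. checkScanjsConfig and its labels are hypothetical.
const PLUGIN = 'scanjs-rules';

// ESLint severities: 'off'/0, 'warn'/1, 'error'/2, or an array led by one of those.
function isOn(setting) {
  const level = Array.isArray(setting) ? setting[0] : setting;
  return level !== undefined && level !== 'off' && level !== 0;
}

function checkScanjsConfig(config, eslintMajor) {
  const findings = [];
  const rules = config.rules || {};
  // Plugins may be listed with or without the 'eslint-plugin-' package prefix.
  const plugins = (config.plugins || []).map((p) => p.replace(/^eslint-plugin-/, ''));
  const prefixed = Object.keys(rules).filter((r) => r.startsWith(PLUGIN + '/'));

  if (prefixed.length > 0 && !plugins.includes(PLUGIN)) {
    findings.push('plugin-missing: scanjs-rules/* rules set but plugin not in plugins array');
  }
  if (Object.keys(rules).some((r) => r.startsWith('eslint-plugin-' + PLUGIN + '/'))) {
    findings.push("bad-prefix: rule keys must use the 'scanjs-rules/' prefix");
  }
  if (isOn(rules['no-eval']) && isOn(rules[PLUGIN + '/no-eval'])) {
    findings.push('duplicate-no-eval: core and scanjs-rules no-eval are both enabled');
  }
  if (isOn(rules[PLUGIN + '/no-document-write']) && !(config.env && config.env.browser)) {
    findings.push('env-browser: no-document-write enabled without env: { browser: true }');
  }
  if (Array.isArray(config.extends) && eslintMajor < 3) {
    findings.push('extends-array: use a string for extends in ESLint <3');
  }
  if (eslintMajor >= 4) {
    findings.push('eslint-version: plugin may not work with ESLint >= 4');
  }
  return findings;
}

// Constructed sample: the Quickstart config from this page, checked for ESLint 3.
const quickstart = {
  plugins: ['eslint-plugin-scanjs-rules'],
  extends: ['plugin:eslint-plugin-scanjs-rules/recommended'],
  rules: { 'scanjs-rules/no-eval': 'error', 'scanjs-rules/no-document-write': 'warn' }
};
console.log(checkScanjsConfig(quickstart, 3));
```

An empty result only means none of the listed pitfalls were found; it does not confirm that the plugin loads on the installed ESLint version.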