eslint-plugin-security
4.0.0 · verified Sat Apr 25 · auth: no · javascript
ESLint plugin providing security-focused lint rules for Node.js applications, maintained by eslint-community. The current stable version is 4.0.0 (released 2026-02-19); major versions ship roughly every two years. Key differentiators: it flags potential security hotspots such as eval() called with an expression rather than a literal, unsafe Buffer usage, and child_process exec() calls; it ships a recommended flat config for ESLint 9+; v4 replaced the legacy eslintrc config with flat config (a breaking change) and dropped support for older Node.js versions. Currently in active development.
Common errors
error Error: Could not find 'eslint-plugin-security' config 'recommended' after loading.
cause Using the deprecated extends string with a plugin version that no longer supports it (v4 is flat-config only).
fix Switch to flat config and use pluginSecurity.configs.recommended, or install v3 (but prefer migrating).
error TypeError: Cannot read properties of undefined (reading 'recommended')
cause Incorrect import of the plugin in an ESM context (destructuring the module namespace instead of taking the default export).
fix Use import pluginSecurity from 'eslint-plugin-security' (default import) or require().
error Warning: Rule 'security/detect-non-literal-fs-filename' was triggered, but the file path is static.
cause False positive: the rule flags any path argument that is not a literal, even when it is safely constructed.
fix Manually inspect the flagged code; if it is safe, add an eslint-disable comment that explains why.
Warnings
breaking v4 switched the recommended config to flat format. The old eslintrc config (extends: plugin:security/recommended) no longer works.
fix Use pluginSecurity.configs.recommended in a flat config file. For eslintrc, use extends: plugin:security/recommended-legacy.
breaking v4 requires Node.js ^18.18.0, ^20.9.0, or >=21.1.0. Older Node versions are no longer supported.
fix Upgrade Node.js to a supported version (18.18+, 20.9+, or 21.1+).
gotcha The plugin detects potential security hotspots but produces many false positives that require manual triage.
fix Do not rely solely on this plugin; combine it with manual review and other security tools.
deprecated The legacy eslintrc config (extends: plugin:security/recommended) is deprecated in v3 and removed in v4.
fix Migrate to flat config using pluginSecurity.configs.recommended, or use the recommended-legacy config.
Install
npm install eslint-plugin-security
yarn add eslint-plugin-security
pnpm add eslint-plugin-security
Imports
- pluginSecurity
const pluginSecurity = require('eslint-plugin-security');
- recommended (flat config)
wrong: module.exports = { extends: ['plugin:security/recommended'] };
correct: module.exports = [pluginSecurity.configs.recommended];
- rules
const { rules } = require('eslint-plugin-security');
Quickstart
// eslint.config.js
const pluginSecurity = require('eslint-plugin-security');

module.exports = [
  {
    files: ['**/*.js'],
    // Spread the recommended flat config object (plugins + rules) into this entry.
    ...pluginSecurity.configs.recommended
  }
];

// Or register the plugin and choose rule severities yourself:
/*
module.exports = [
  {
    files: ['**/*.js'],
    plugins: { security: pluginSecurity },
    rules: {
      'security/detect-eval-with-expression': 'warn',
      'security/detect-child-process': 'error'
    }
  }
];
*/