Solium Security Plugin
0.1.1 verified Fri May 01 auth: no javascript maintenance
Official security lint plugin for Solium (Solidity linter). Version 0.1.1, last updated in 2018. Provides ~20 security-focused rules derived from Consensys Smart Contract Best Practices and community wishlist. Key differentiators: pre-installed with Solium v1.0.1+, includes rules like no-throw, no-tx-origin, enforce-explicit-visibility, and no-inline-assembly. Rule severities adjustable, some disabled by default (e.g., no-var, enforce-loop-bounds in 0.1.1). Automatic fixing available for no-throw and enforce-explicit-visibility. Designed for Solium v1.0.x ecosystem only.
Common errors
error Plugin 'security' not found. Make sure solium-plugin-security is installed.
cause Plugin not installed or installed locally instead of globally.
fix Run npm install -g solium-plugin-security and ensure Solium is also installed globally.
error Rule 'security/no-throw' is not defined in any plugin.
cause Missing 'security' plugin in the .soliumrc.json plugins array.
fix Add "plugins": ["security"] to .soliumrc.json.
error Cannot find module 'solium-plugin-security'
cause Plugin is not installed or Node cannot resolve it.
fix Global install: npm install -g solium-plugin-security. For a local project, use npm install --save-dev solium-plugin-security (but prefer global).
Warnings
breaking Plugin requires Solium v1.0.x and is incompatible with Solium v0.x or v2.x
fix Use Solium v1.0.0 to v1.0.9. For newer Solium versions, use a different security plugin.
deprecated Solium project itself is deprecated since 2020; no further updates expected
fix Migrate to solhint or slither for Solidity linting and security analysis.
gotcha Rules without explicit prefix 'security/' are shared with core Solium rules, causing potential conflicts
fix Always prefix plugin rules with 'security/' (e.g., 'security/no-throw').
breaking In v0.1.1, rules 'no-var' and 'enforce-loop-bounds' are disabled by default due to disruption
fix Explicitly enable them in .soliumrc.json if needed: 'security/no-var': 'warning'
gotcha Plugin must be installed globally with -g flag; local install fails silently
fix Install with `npm install -g solium-plugin-security`
Install
npm install solium-plugin-security
yarn add solium-plugin-security
pnpm add solium-plugin-security
Imports
- soliumPluginSecurity (npm package)
  Install as global dependency: npm install -g solium-plugin-security
- .soliumrc.json configuration
  wrong "plugin": "security" (singular, not array)
  correct "plugins": ["security"]
- Enable specific rule
  wrong "rules": { "no-throw": "warning" } (missing plugin prefix)
  correct "rules": { "security/no-throw": "warning" }
Quickstart
{
  "extends": "solium:all",
  "plugins": ["security"],
  "rules": {
    "security/no-throw": "warning",
    "security/no-tx-origin": "error",
    "security/enforce-explicit-visibility": "error",
    "security/no-block-members": ["warning", ["blockhash", "timestamp"]],
    "security/no-call-value": "warning",
    "security/no-assign-params": "error",
    "security/no-fixed": "error",
    "security/no-inline-assembly": "warning",
    "security/no-low-level-calls": ["warning", ["call", "callcode", "delegatecall"]],
    "security/no-modify-for-iter-var": "warning",
    "security/enforce-loop-bounds": "off",
    "security/no-var": "off"
  }
}
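
The configuration problems listed on this page (a singular "plugin" key, "security" missing from "plugins", rule names without the security/ prefix, and the two rules that 0.1.1 leaves disabled) can be checked mechanically before a lint run. The following is an added example, not code from the plugin or from Solium; checkSoliumrc and the sample config are hypothetical, and the rule list is limited to the names shown in the Quickstart.

```javascript
// Added example: audits a parsed .soliumrc.json for the problems this page lists.
// checkSoliumrc is a hypothetical helper, not part of Solium or the plugin.
// Rule names are limited to those in the page's Quickstart (the plugin has more).
const SECURITY_RULES = new Set([
  'no-throw', 'no-tx-origin', 'enforce-explicit-visibility', 'no-block-members',
  'no-call-value', 'no-assign-params', 'no-fixed', 'no-inline-assembly',
  'no-low-level-calls', 'no-modify-for-iter-var', 'enforce-loop-bounds', 'no-var',
]);
// Disabled by default in 0.1.1 according to the page.
const OFF_BY_DEFAULT = ['no-var', 'enforce-loop-bounds'];

// A rule value is a severity string or [severity, options], as in the Quickstart.
function severityOf(value) {
  return Array.isArray(value) ? value[0] : value;
}

function checkSoliumrc(config) {
  const findings = [];
  const rules = config.rules || {};
  if ('plugin' in config) {
    findings.push('use "plugins": ["security"], not the singular "plugin" key');
  }
  if (!Array.isArray(config.plugins) || !config.plugins.includes('security')) {
    findings.push('"security" is missing from the "plugins" array');
  }
  for (const name of Object.keys(rules)) {
    if (SECURITY_RULES.has(name)) {
      findings.push(`rule "${name}" lacks the plugin prefix; write "security/${name}"`);
    }
  }
  for (const name of OFF_BY_DEFAULT) {
    const severity = severityOf(rules[`security/${name}`]);
    if (severity === undefined || severity === 'off') {
      findings.push(`security/${name} is not enabled (off by default in 0.1.1)`);
    }
  }
  return findings;
}

// Constructed sample config combining the mistakes described on the page.
const sample = {
  extends: 'solium:all',
  plugin: 'security',
  rules: { 'no-throw': 'warning', 'security/no-tx-origin': 'error', 'security/no-var': 'off' },
};
for (const finding of checkSoliumrc(sample)) console.log('- ' + finding);
```

Run against the Quickstart configuration, the check reports only the two rules that are set to "off".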