tsec - Trusted TypeScript Compiler

0.2.9 verified Fri May 01 auth: no javascript

tsec is a static analysis tool built on the TypeScript compiler that validates code against Trusted Types compliance. At version 0.2.9, it provides extended compiler checks to enforce Trusted Types, a browser security primitive that mitigates DOM XSS attacks. Unlike runtime polyfills, tsec catches violations at compile time, integrating into the build pipeline without runtime overhead. It requires the Bazel build system (with @bazel/bazelisk and @bazel/concatjs) and TypeScript >=3.9.2. Its key differentiator is compile-time enforcement, making it suitable for large codebases where runtime approaches are insufficient.

error Error: Cannot find module 'tsec'
cause Package not installed or missing dependencies.
fix Run 'npm install tsec' and ensure peer dependencies are installed.
error TypeError: tsec is not a function
cause Using require() instead of import (ESM-only).
fix Change to 'import tsec from "tsec"' and ensure package.json has 'type':'module'.
error Error: Unsupported config property 'disallowed' in tsec config
cause Config key renamed in newer version.
fix Replace 'disallowed' with 'blocked' in your tsec configuration.
error Error: Bazel build failed: no such attribute 'tsec_test' in rule
cause Bazel rules not loaded correctly.
fix Add 'load("@npm//tsec:index.bzl", "tsec_test")' to your BUILD file.
breaking tsec only supports the Bazel build system. Non-Bazel users must adapt their build pipeline.
fix Integrate Bazel or consider alternative trust-checking tools.
deprecated The 'disallowed' config property is deprecated in favor of 'blocked'.
fix Rename 'disallowed' to 'blocked' in your tsec config.
gotcha tsec requires @bazel/bazelisk >=1.7.5 and @bazel/concatjs >=5.3.0, which may conflict with older Bazel setups.
fix Upgrade Bazel dependencies to minimum versions.
gotcha tsec checks only TypeScript source files; JavaScript or declaration files are not analyzed.
fix Ensure all relevant code is in .ts files.
gotcha ESM-only package; require() will fail. Ensure the Node.js project uses ESM or a bundler that supports ESM.
fix Use import syntax or upgrade to an ESM-compatible runtime.
npm install tsec
yarn add tsec
pnpm add tsec

Demonstrates tsec usage as a Bazel test rule, enforcing that no code uses .innerHTML without Trusted Types approval.

# tsec configuration in BUILD.bazel
load("@npm//tsec:index.bzl", "tsec_test")

tsec_test(
    name = "tsec_test",
    srcs = glob(["src/**/*.ts"]),
    tsconfig = ":tsconfig.json",
    tsec_config = {
        "blocked": ["innerHTML"],
        "allowed": {
            "https://trusted.example.com/script.js": ["*"],
        },
    },
)

# Then run: bazel test //:tsec_test
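
The kind of source change the check above is meant to force, as an added example (not code from the tsec project): a plain-string `.innerHTML` assignment beside a form that routes through a Trusted Types policy. The `HtmlSink` type, the helper names and the policy name "app-greeting" are assumptions made for illustration; in browser code the sink would be a DOM `Element`.

```typescript
// Added illustration; not code from the tsec project.
// HtmlSink stands in for a DOM Element so the file also runs outside a browser.
interface HtmlSink { innerHTML: unknown; }
interface HtmlPolicy { createHTML(input: string): unknown; }

// Escape text so it can only ever render as text, never as markup.
function escapeHtml(text: string): string {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Non-compliant: a plain string built from user input reaches the innerHTML sink.
function renderUnsafe(el: HtmlSink, userName: string): void {
  el.innerHTML = "<b>Hello, " + userName + "</b>";
}

// The single reviewed place where markup is produced.
const greetingRules = {
  createHTML: (userName: string): string =>
    "<b>Hello, " + escapeHtml(userName) + "</b>",
};

// Use the browser's Trusted Types factory when it exists; otherwise fall back
// to the same rules so the behaviour is identical where the API is absent.
// "app-greeting" is a hypothetical policy name.
const trustedTypesFactory = (globalThis as any).trustedTypes;
const greetingPolicy: HtmlPolicy = trustedTypesFactory
  ? trustedTypesFactory.createPolicy("app-greeting", greetingRules)
  : greetingRules;

// Compliant: the sink only ever receives the policy's output.
function renderSafe(el: HtmlSink, userName: string): void {
  el.innerHTML = greetingPolicy.createHTML(userName);
}
```
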