eslint-plugin-security adds a security-focused linting layer to JavaScript and Node.js projects, catching dangerous patterns that standard ESLint misses. The guide covers installation, ESLint v9 Flat Config and legacy .eslintrc setup, and six key vulnerability categories: dynamic eval(), non-literal require(), unsafe child process execution (command injection), object injection and prototype pollution, ReDoS-prone regular expressions, and timing attack risks. It also addresses handling false positives, TypeScript integration, CI enforcement via GitHub Actions, and how the plugin compares to npm audit and full SAST tools. Recommended for Node.js APIs, Express/NestJS/Next.js backends, and CLI utilities.

Source: jsdev.space (8 min read)
Table of contents

Why Normal ESLint Rules Are Not Enough
Installing eslint-plugin-security
ESLint v9 Flat Config Setup
Legacy .eslintrc Configuration
Dangerous Pattern #1 — Dynamic eval()
Dangerous Pattern #2 — Non-Literal require()
Dangerous Pattern #3 — Unsafe Child Process Execution
Dangerous Pattern #4 — Object Injection
Dangerous Pattern #5 — Unsafe Regular Expressions
Dangerous Pattern #6 — Timing Attack Risks
False Positives: When the Plugin Gets Noisy
    Option 1 — Add Validation
    Option 2 — Disable a Specific Rule
    Option 3 — Inline Suppression
Using eslint-plugin-security with TypeScript
Next.js, SSR, and Backend Projects
Adding Security Linting to CI
Security Plugin vs npm audit vs SAST Tools
Practical Production Recommendations
When You Should Probably Use This Plugin
Final Thoughts
