A Must-Have Tool for Secure JavaScript Development: ESLint Plugin to detect vulnerabilities

Prasanna Mestha
4 min read · Dec 8, 2022


As JavaScript developers, we all want to write secure, reliable, and maintainable code. But with the vast ecosystem of packages and libraries available, it can be difficult to keep track of which ones are trustworthy and which ones may introduce security vulnerabilities into our projects.

This is where the ESLint Plugin from PrivJs comes into play. Developed by the team at PrivJs and based on the popular ESLint tool, this plugin alerts developers whenever they import an insecure package into their code, providing a quick and easy way to avoid potential security risks and supply-chain attacks.

ESLint plugin to detect Javascript vulnerabilities by PrivJs.com

The Problem with Insecure Packages: Why they are dangerous and how they can compromise your code

In the world of JavaScript, new packages and libraries are being released every day, providing valuable tools and functionality that can help us develop better and faster. But with so many options available, it can be hard to know which ones are safe to use and which ones may introduce vulnerabilities into our code.

Insecure packages can have a number of negative consequences for your project, including:

  1. Introducing security vulnerabilities that attackers can exploit, causing errors and bugs, and in the worst case allowing the application to be compromised altogether.
  2. Creating maintainability problems and a lack of community support; the package could also be an impersonation of a legitimate one (typosquatting).
  3. Installing malware on developer machines, leading to theft of confidential information and other security lapses. The code you run has full access to your device, so a malicious Node.js package can steal project source code and access keys or execute malicious payloads such as malware or a trojan horse. It can get pretty scary!

All of these problems can have a major impact on the quality and security of your code, which is why it is so important to be aware of the packages you are using and to avoid importing insecure ones whenever possible.

ESLint Plugin @privjs/eslint-plugin-safe: How it works and why you need it

The ESLint Plugin from PrivJs: @privjs/eslint-plugin-safe is a tool that can help you avoid the problems caused by insecure packages. Based on the popular ESLint tool, it works by scanning your code for imports of potentially insecure packages and alerting you whenever it finds one.

The best part of this plugin is that it also checks at the method level: if only a few methods in a package are vulnerable, only imports of those methods are flagged. This is pretty cool in my opinion.

This is the best security tool a Javascript developer could have: Here’s why

  1. It catches vulnerable imports in a smart way. @privjs/eslint-plugin-safe can detect whether the imported method is vulnerable rather than flagging the entire package. Look at the example below: the camelCase method from lodash is completely safe, but the insecure merge function gets a red underline because of the underlying "Prototype Pollution" vulnerability.
     ESLint plugin to detect JavaScript vulnerabilities: @privjs/eslint-plugin-safe
  2. It can block a pipeline if your project contains any vulnerable imports. Because the check runs inside the linter developers already use, integration costs almost nothing. This plugin puts developers first while still considering the security of your application.
  3. You can always silence warnings for low-severity findings. For example, admin-only pages or dev-server related files might need a "relaxed" security check. So, just like any other ESLint rule, the issues flagged by @privjs/eslint-plugin-safe can be silenced by adding this comment above the import (the rule ID matches the one configured in .eslintrc below):

     // eslint-disable-next-line @privjs/safe/vulnerabilities-scan
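To make the method-level behaviour from point 1 concrete, here is an added example of how such a rule can be written in ESLint's rule format. This is not the PrivJs plugin's code: the ADVISORIES table is a constructed, hypothetical stand-in for whatever vulnerability feed the real plugin uses, and the small harness at the bottom replaces ESLint's own traversal so the rule can be exercised here without ESLint installed. Named imports are checked one by one (camelCase passes, merge is reported), while a default or namespace import of an affected package is reported once because it exposes every vulnerable member.

```javascript
'use strict';

// CONSTRUCTED advisory table: package -> { methodName: reason }.
// A real plugin would load this from a maintained vulnerability database.
const ADVISORIES = {
  lodash: {
    merge: 'Prototype Pollution via crafted __proto__ keys in merged objects',
    defaultsDeep: 'Prototype Pollution via crafted __proto__ keys',
  },
};

// ESLint rule object (meta + create), the same shape a plugin would export.
const rule = {
  meta: {
    type: 'problem',
    docs: { description: 'disallow importing methods with known advisories' },
    messages: {
      vulnerableMethod: "'{{method}}' from '{{pkg}}' has a known issue: {{reason}}",
      wholePackage: "Default/namespace import of '{{pkg}}' exposes vulnerable methods: {{methods}}",
    },
    schema: [],
  },
  create(context) {
    return {
      ImportDeclaration(node) {
        const pkg = node.source.value;
        const advisories = ADVISORIES[pkg];
        if (!advisories) return; // package has no advisories: nothing to do
        for (const spec of node.specifiers) {
          if (spec.type === 'ImportSpecifier') {
            // `import { merge } from 'lodash'`: check only the named member
            const method = spec.imported.name;
            if (advisories[method]) {
              context.report({
                node: spec,
                messageId: 'vulnerableMethod',
                data: { method, pkg, reason: advisories[method] },
              });
            }
          } else {
            // `import _ from 'lodash'` / `import * as _ from 'lodash'`: the whole
            // API is reachable, so report once and list the affected members.
            context.report({
              node: spec,
              messageId: 'wholePackage',
              data: { pkg, methods: Object.keys(advisories).join(', ') },
            });
          }
        }
      },
    };
  },
};

// --- Minimal harness standing in for ESLint's traversal (example scaffolding only) ---
function importNode(pkg, specifiers) {
  return { type: 'ImportDeclaration', source: { type: 'Literal', value: pkg }, specifiers };
}
const named = (name) => ({ type: 'ImportSpecifier', imported: { type: 'Identifier', name }, local: { type: 'Identifier', name } });
const dflt = (name) => ({ type: 'ImportDefaultSpecifier', local: { type: 'Identifier', name } });

// Runs the rule's ImportDeclaration visitor over hand-built nodes and returns the
// rendered messages, the way ESLint would after interpolating {{placeholders}}.
function lintImports(nodes) {
  const reports = [];
  const context = {
    report({ messageId, data }) {
      let text = rule.meta.messages[messageId];
      for (const [k, v] of Object.entries(data)) text = text.replace(`{{${k}}}`, v);
      reports.push(text);
    },
  };
  const visitors = rule.create(context);
  for (const node of nodes) visitors.ImportDeclaration(node);
  return reports;
}

// Constructed sample input: camelCase is safe, merge is flagged, a default
// import of lodash is flagged once, and react is untouched.
const SAMPLE = [
  importNode('lodash', [named('camelCase'), named('merge')]),
  importNode('lodash', [dflt('_')]),
  importNode('react', [dflt('React')]),
];

for (const r of lintImports(SAMPLE)) console.log('error:', r);
```

Wired into a real plugin, the same `rule` object would be registered under the rule ID and the `context.report` calls would surface as the editor underlines and CI errors the post describes; running `eslint --max-warnings 0` in the pipeline makes any such report fail the build.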

How to install and use @privjs/eslint-plugin-safe

This is so far my favorite ESLint plugin. It is published to the PrivJs Marketplace — the same marketplace where Module Federation for NextJs was distributed.

  1. Get a free license for the plugin from the PrivJs JavaScript package marketplace. If you are purchasing for an organization, you have to pay a small fee for the maintenance of the plugin.
  2. Install the plugin into your project by running these commands in your terminal:

     npm config set @privjs:registry https://r.privjs.com
     npm install -D @privjs/eslint-plugin-safe

  3. Configure ESLint to use the plugin by adding the plugins and rules entries below to your .eslintrc file (shown here as a complete .eslintrc.js so it can be dropped in as-is):

     // .eslintrc.js
     module.exports = {
       plugins: ['@privjs/safe'],
       rules: {
         // severity 2 = error, so a vulnerable import fails the lint run
         '@privjs/safe/vulnerabilities-scan': [2],
       },
     };

  4. Run ESLint on your code as usual and let the plugin do its magic. Whenever it finds an import of an insecure package, it will raise an error and provide a description of the potential security risks.

With @privjs/eslint-plugin-safe, you can easily avoid the vulnerabilities induced by insecure packages and keep your code secure and reliable.

Conclusion: Why you should use ESLint plugin @privjs/eslint-plugin-safe in all of your projects

In today’s fast-paced JavaScript ecosystem, it can be hard to keep track of which packages are safe to use and which ones may introduce vulnerabilities into your code. The ESLint Plugin from PrivJs makes it easy to avoid these problems by alerting you whenever you import an insecure package, providing a quick and easy way to maintain the security and reliability of your code.

Don’t wait until it’s too late — get the ESLint plugin @privjs/eslint-plugin-safe today and start writing secure JavaScript code with confidence.


Written by Prasanna Mestha

A JavaScript enthusiast involved in building JavaScript applications and enhancing Node.js security
