I created an ESLint plugin to warn developers when they import vulnerable dependencies in a project. It is smart enough to detect vulnerable methods rather than flagging entire import. For example, if only a few methods in a library are vulnerable, the ESLint plugin only throws an error if these methods are imported. What do you think about this?
$npm audit usually warns the developers at install time and is often ignored. Having an ESLint plugin gives active warnings related to the issues and also blocks pipelines wherever necessary.
More than blocking pipelines, This plugin doesn't throw errors for an entire package if only certain methods are vulnerable. For example, in `lodash` only 3 methods are vulnerable. So, it would be wrong to flag the entire package as vulnerable, instead only throw errors if the vulnerable methods are imported/used.
That's why my ESLint plugin comes into picture and feels much better than many other tools available
Yes. I have tried this in multiple production apps (including legacy monoliths). As a result, the team was able to identify and fix about 1000 vulnerabilities in the projects.
7 comments
[ 2.2 ms ] story [ 27.3 ms ] threadMore than blocking pipelines, This plugin doesn't throw errors for an entire package if only certain methods are vulnerable. For example, in `lodash` only 3 methods are vulnerable. So, it would be wrong to flag the entire package as vulnerable, instead only throw errors if the vulnerable methods are imported/used.
That's why my ESLint plugin comes into picture and feels much better than many other tools available