eslint-plugin-security: v4.0.0

4.0.0 (2026-02-19)

⚠ BREAKING CHANGES

• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146)
• switch the recommended config to flat (#118)

Features

• add config recommended-legacy (#132) (13d3f2f)
• Add meta object documentation for all rules (#79) (fb1d9ef)
• detect-bidi-characters rule (#95) (4294d29)
• detect-non-literal-fs-filename: change to track non-top-level require() as well (#105) (d3b1543)
• extend detect non literal fs filename (#92) (08ba476)
• improve detect-child-process rule (#108) (64ae529)
• non-literal-require: support template literals (#81) (208019b)
• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146) (df1b606)
• switch the recommended config to flat (#118) (e20a366)

Bug Fixes

• Add ESLint 10 compatibility for context.sourceCode API change (#186) (7f9ee77)
• add name to recommended flat config (#161) (aa1c8c5)
• Avoid crash when exec() is passed no arguments (7f97815), closes #82 #23
• Avoid TypeError when exec stub is used with no arguments (#97) (9c18f16)
• detect-child-process: false positive for destructuring with exec (#102) (657921a)
• detect-child-process: false positives for destructuring spawn (#103) (fdfe37d)
• Ensure empty eval() doesn't crash detect-eval-with-expression (#139) (8a7c7db)
• Ensure everything works with ESLint v9 (#145) (ac50ab4)
• false positives for static expressions in detect-non-literal-fs-filename, detect-child-process, detect-non-literal-regexp, and detect-non-literal-require (#109) (56102b5)
• generate provenance statement for release (#168) (eb3ee9c)
• Incorrect method name in detect-buffer-noassert. (313c0c6), closes #63 #80
• release-please config (#189) (2443d10)

eslint-plugin-security v3.0.1

Bug Fixes

• add name to recommended flat config (#161) (aa1c8c5)

eslint-plugin-security v3.0.0

⚠ BREAKING CHANGES

• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146)

Features

• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146) (df1b606)

Bug Fixes

• Ensure everything works with ESLint v9 (#145) (ac50ab4)

eslint-plugin-security v2.1.1

Bug Fixes

• Ensure empty eval() doesn't crash detect-eval-with-expression (#139) (8a7c7db)

eslint-plugin-security v2.1.0

Features

• add config recommended-legacy (#132) (13d3f2f)

eslint-plugin-security v2.0.0

⚠ BREAKING CHANGES

• switch the recommended config to flat (#118)

Features

• switch the recommended config to flat (#118) (e20a366)

eslint-plugin-security v1.7.1

Bug Fixes

• false positives for static expressions in detect-non-literal-fs-filename, detect-child-process, detect-non-literal-regexp, and detect-non-literal-require (#109) (56102b5)

eslint-plugin-security v1.7.0

Features

• improve detect-child-process rule (#108) (64ae529)

eslint-plugin-security v1.6.0

Features

• Add meta object documentation for all rules (#79) (fb1d9ef)
• detect-bidi-characters rule (#95) (4294d29)
• detect-non-literal-fs-filename: change to track non-top-level require() as well (#105) (d3b1543)
• extend detect non literal fs filename (#92) (08ba476)
• non-literal-require: support template literals (#81) (208019b)

Bug Fixes

• Avoid crash when exec() is passed no arguments (7f97815), closes #82 #23
• Avoid TypeError when exec stub is used with no arguments (#97) (9c18f16)
• detect-child-process: false positive for destructuring with exec (#102) (657921a)
• detect-child-process: false positives for destructuring spawn (#103) (fdfe37d)
• Incorrect method name in detect-buffer-noassert. (313c0c6), closes #63 #80