Node.js runtime security requires more than just dependencies updates. Here is the automated standard for hardening Node.js core—from crypto safety to process isolation—using 31 deep static analysis rules.
npm install --save-dev eslint-plugin-node-security
// eslint.config.js
import nodeSecurity from "eslint-plugin-node-security";
export default [nodeSecurity.configs.recommended];
npx eslint .
You'll see output like:
src/auth/hash.ts
15:27 error 🔒 CWE-328 CVSS:7.5 | Weak hash algorithm: MD5
[node-security/no-weak-hash-algorithm] Use crypto.createHash('sha256')
src/api/exec.ts
10:5 error 🔒 CWE-78 | Detected child process execution
[node-security/detect-child-process] Avoid exec(), use spawn() or execFile()
| Category | Rules | Examples |
|---|---|---|
| Cryptography | 12 | Weak hashes, static IVs, ECB mode |
| System & Process | 5 | exec(), eval(), unsafe require |
| File System | 6 | Zip Slip, TOCTOU, path injection |
| Best Practices | 8 | PII in logs, insecure temp storage |
// ❌ Weak hash
crypto.createHash("md5").update(data);
// ✅ Strong hash
crypto.createHash("sha256").update(data);
// ❌ Shell injection risk
require("child_process").exec(`ls ${userInput}`);
// ✅ Safer execution
require("child_process").execFile("ls", [userInput]);
// ❌ Path traversal risk
fs.readFile(`/data/${userInput}`, cb);
// ✅ Validated path
if (isValid(userInput)) fs.readFile(path.join(ROOT, userInput), cb);
import nodeSecurity from "eslint-plugin-node-security";
export default [
// Recommended (Low false positives, High impact)
nodeSecurity.configs.recommended,
// All Rules (Stricter auditing)
nodeSecurity.configs.all,
];
# Install
npm install --save-dev eslint-plugin-node-security
# Config (eslint.config.js)
import nodeSecurity from 'eslint-plugin-node-security';
export default [nodeSecurity.configs.recommended];
# Run
npx eslint .
The Interlace ESLint Ecosystem Interlace is a high-fidelity suite of static code analyzers designed to automate security, performance, and reliability for the modern Node.js stack. With over 330 rules across 18 specialized plugins, it provides 100% coverage for OWASP Top 10, LLM Security, and Database Hardening.
Explore the full Documentation
© 2026 Ofri Peretz. All rights reserved.
Build Securely. I'm Ofri Peretz, a Security Engineering Leader and the architect of the Interlace Ecosystem. I build static analysis standards that automate security and performance for Node.js fleets at scale.
