JSPM

  • Downloads 41
  • License MIT

Security-focused ESLint plugin with 24 AI-parseable rules for cryptographic best practices. Detects weak algorithms, insecure key handling, CVE-specific vulnerabilities, and deprecated crypto patterns.

Package Exports

  • eslint-plugin-crypto
  • eslint-plugin-crypto/types

Readme

eslint-plugin-crypto

ESLint Interlace - eslint-plugin-crypto

📘 Full Documentation: https://eslint.interlace.tools/

🔐 Security-focused ESLint plugin for cryptographic best practices. Detects weak algorithms, insecure key handling, CVE vulnerabilities, and guides you to modern, secure alternatives.

(Badges: npm version, npm downloads, License: MIT, codecov; Dec 2025)

💡 What You Get

  • 24 security rules covering cryptographic best practices
  • CVE detection for CVE-2023-46809, CVE-2020-36732, CVE-2023-46233
  • OWASP Top 10 coverage for cryptographic vulnerabilities
  • LLM-optimized messages with CWE references and fix guidance
  • Package support for crypto-hash, crypto-random-string, crypto-js

Features

  • 🔐 24 Rules covering crypto best practices
  • 🎯 CVE Detection (CVE-2023-46809, CVE-2020-36732, CVE-2023-46233)
  • 🤖 AI-Optimized messages with CWE references
  • Auto-Fix suggestions where safe
  • 📦 Package Support for crypto-hash, crypto-random-string, crypto-js

Installation

npm install eslint-plugin-crypto --save-dev

🚀 Quick Start

ESLint Flat Config (eslint.config.js)

import crypto from 'eslint-plugin-crypto';

export default [crypto.configs.recommended];

Presets

  • recommended: Balanced security defaults for most projects
  • strict: All 24 rules as errors for maximum security
  • cryptojs-migration: For teams migrating from crypto-js
  • nodejs-only: Only Node.js crypto rules
  • cve-focused: Rules targeting specific CVEs

🔐 Rules

💼 = Set in recommended | 🔧 = Auto-fixable | 💡 = Has suggestions

Core Node.js Crypto (8 rules)

Rule | CWE | OWASP | CVSS | Description | Flags
no-weak-hash-algorithm | CWE-327 | A02:2021 | | Disallow MD5, SHA1, MD4 | 💼 💡
no-weak-cipher-algorithm | CWE-327 | A02:2021 | | Disallow DES, 3DES, RC4 | 💼 💡
no-deprecated-cipher-method | CWE-327 | A02:2021 | | Disallow createCipher() | 💼 💡
no-static-iv | CWE-329 | A02:2021 | | Disallow hardcoded IVs | 💼 💡
no-ecb-mode | CWE-327 | A02:2021 | | Disallow ECB encryption | 💼 💡
no-insecure-key-derivation | CWE-916 | A02:2021 | | Require PBKDF2 ≥100k iterations | 💼 💡
no-hardcoded-crypto-key | CWE-321 | A02:2021 | | Disallow hardcoded keys | 💼 💡
require-random-iv | CWE-329 | A02:2021 | | Require IV from randomBytes() | 💼 💡

CVE-Specific Rules (3 rules)

Rule | CWE | OWASP | CVSS | Description | Flags
no-insecure-rsa-padding | CWE-327 | A02:2021 | | Marvin Attack (CVE-2023-46809) | 💼 💡
no-cryptojs-weak-random | CWE-338 | A02:2021 | | Weak PRNG in crypto-js (CVE-2020-36732) | 💼 💡
require-secure-pbkdf2-digest | CWE-916 | A02:2021 | | Weak PBKDF2 defaults (CVE-2023-46233) | 💼 💡

Advanced Security (7 rules)

Rule | CWE | OWASP | CVSS | Description | Flags
no-math-random-crypto | CWE-338 | A07:2021 | | Disallow Math.random() for crypto | 💼 💡
no-predictable-salt | CWE-331 | A07:2021 | | Disallow empty/hardcoded salts | 💼 💡
require-authenticated-encryption | CWE-327 | A04:2021 | | Require GCM instead of CBC | 💼 💡
no-key-reuse | CWE-323 | A02:2021 | | Warn on key reuse | 💼 💡
no-self-signed-certs | CWE-295 | A05:2021 | | Disallow rejectUnauthorized: false | 💼 💡
no-timing-unsafe-compare | CWE-208 | A02:2021 | | Require timingSafeEqual() | 💼 💡
require-key-length | CWE-326 | A02:2021 | | Require AES-256 | 💼 💡
no-web-crypto-export | CWE-321 | A02:2021 | | Warn on key export | 💼 💡

Package-Specific Rules (6 rules)

Rule | CWE | OWASP | CVSS | Description | Flags
no-sha1-hash | CWE-327 | A02:2021 | | Disallow sha1() (crypto-hash) | 💼 💡
require-sufficient-length | CWE-326 | A02:2021 | | Require min 32 chars (crypto-random-string) | 💼 💡
no-numeric-only-tokens | CWE-330 | A07:2021 | | Warn on numeric-only (crypto-random-string) | 💼 💡
no-cryptojs | CWE-327 | A02:2021 | | Warn on deprecated crypto-js | 💡
no-cryptojs-weak-random | CWE-338 | A02:2021 | | CVE-2020-36732 (crypto-js) | 💼 💡
prefer-native-crypto | CWE-327 | A05:2021 | | Prefer native crypto | 💡

Examples

❌ Bad

// CVE-2023-46809: Marvin Attack
crypto.privateDecrypt({ key, padding: crypto.constants.RSA_PKCS1_PADDING }, buffer);

// CWE-338: Weak random
const token = Math.random().toString(36);

// CWE-327: ECB mode leaks patterns
crypto.createCipheriv('aes-256-ecb', key, iv);

// CWE-208: Timing attack
if (userToken === storedToken) { ... }

✅ Good

// Use OAEP padding
crypto.privateDecrypt({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING }, buffer);

// Secure random
const token = crypto.randomBytes(32).toString('hex');

// GCM provides authentication
crypto.createCipheriv('aes-256-gcm', key, iv);

// Constant-time comparison (timingSafeEqual throws if the two buffers differ in length, so check lengths first)
if (crypto.timingSafeEqual(Buffer.from(userToken), Buffer.from(storedToken))) { ... }

Peer Dependencies (Optional)

{
  "crypto-hash": ">=3.0.0",
  "crypto-random-string": ">=4.0.0",
  "crypto-js": ">=4.0.0"
}

AI-Optimized Messages

All rules include LLM-optimized error messages with:

  • CWE references for vulnerability classification
  • CVE references for known vulnerabilities
  • Severity levels (CRITICAL, HIGH, MEDIUM, LOW)
  • Direct fix suggestions with code examples
  • Documentation links

🗂️ OWASP Top 10 2021 Coverage

OWASP categories covered by the rules above:

  • A02:2021 Cryptographic Failures
  • A03:2021 Injection
  • A04:2021 Insecure Design
  • A05:2021 Security Misconfiguration
  • A07:2021 Identification Failures

Part of the Interlace ESLint Ecosystem — AI-native security plugins with LLM-optimized error messages:

  • eslint-plugin-secure-coding
  • eslint-plugin-jwt
  • eslint-plugin-pg
  • eslint-plugin-express-security
  • eslint-plugin-nestjs-security
  • eslint-plugin-lambda-security
  • eslint-plugin-browser-security
  • eslint-plugin-vercel-ai-security
  • eslint-plugin-import-next

License

MIT © Ofri Peretz