
Security-focused ESLint plugin for JWT operations. Detects algorithm confusion (CVE-2022-23540), weak secrets, missing validation, and library-specific vulnerabilities across jsonwebtoken, jose, express-jwt, @nestjs/jwt, jwks-rsa, and jwt-decode.

Package Exports

  • eslint-plugin-jwt
  • eslint-plugin-jwt/types

Readme


Security validation for JSON Web Tokens (JWT) implementation (signing, verification).


Description

Secure your JWT implementation with precision. This plugin enforces critical security best practices, including algorithm whitelisting, expiration validation, and protection against common attacks like algorithm confusion and 'none' algorithm bypasses. Designed for modern stacks, it provides AI-optimized error messages that guide developers to the correct fix instantly, ensuring your authentication layer remains robust against evolving threats.

Philosophy

Interlace fosters strength through integration. Instead of stacking isolated rules, we interlace security directly into your workflow to create a resilient fabric of code. We believe tools should guide rather than gatekeep, providing educational feedback that strengthens the developer with every interaction.

Getting Started

npm install eslint-plugin-jwt --save-dev

💡 What You Get

  • 13 Security Rules - Algorithm attacks, replay prevention, claim validation
  • 6 JWT Libraries - jsonwebtoken, jose, express-jwt, @nestjs/jwt, jwks-rsa, jwt-decode
  • 2025 Research - "Back to the Future" replay attack prevention (LightSEC 2025)
  • AI-Optimized - Structured messages for GitHub Copilot, Cursor, Claude assistance
  • CWE References - Every rule maps to Common Weakness Enumeration

โš™๏ธ Configuration Presets

Preset Description
recommended Recommended preset - balanced security
strict Strict preset - maximum security (includes 2025 research)
legacy Legacy preset - migration mode
all All rules preset

📚 Supported Libraries

| Library | Detection |
|---|---|
| jsonwebtoken | Signing, Verification, Decoding |
| jose | Verification (Fix Suggestion) |
| jwt-decode | Unsafe Decoding |

🤖 AI-Optimized Messages

Every rule uses formatLLMMessage for structured output:

🔒 CWE-347 OWASP:A02-Crypto CVSS:9.8 | Using alg:"none" bypasses signature verification
   Fix: Remove "none" and use RS256, ES256, or other secure algorithms
   https://nvd.nist.gov/vuln/detail/CVE-2022-23540

By providing this structured context (CWE code, OWASP category, CVSS score, and a direct fix suggestion), the message gives AI coding assistants such as Copilot or Cursor grounded information to reason about the security flaw rather than hallucinating, so they can identify, explain, and propose the exact correct fix with high confidence.

Rules

Legend

| Icon | Description |
|---|---|
| 💼 | Recommended: included in the recommended preset. |
| ⚠️ | Warns: set to warn in the recommended preset. |
| 🔧 | Auto-fixable: automatically fixable by the --fix CLI option. |
| 💡 | Suggestions: provides code suggestions in the IDE. |
| 🚫 | Deprecated: this rule is deprecated. |
| Rule | CWE | OWASP | CVSS | Description | 💼 | ⚠️ | 🔧 | 💡 | 🚫 |
|---|---|---|---|---|---|---|---|---|---|
| no-algorithm-none | CWE-347 | A02:2025 | 9.8 | no-algorithm-none | 💼 | | | 💡 | |
| no-algorithm-confusion | CWE-347 | A02:2025 | 9.8 | no-algorithm-confusion | 💼 | | | 💡 | |
| require-algorithm-whitelist | CWE-757 | A02:2025 | 7.5 | require-algorithm-whitelist | 💼 | ⚠️ | | 💡 | |
| no-decode-without-verify | CWE-345 | A08:2025 | 7.5 | no-decode-without-verify | 💼 | ⚠️ | | 💡 | |
| no-weak-secret | CWE-326 | A02:2025 | 7.5 | no-weak-secret | 💼 | | | 💡 | |
| no-hardcoded-secret | CWE-798 | A05:2025 | 7.9 | no-hardcoded-secret | 💼 | | | 💡 | |
| no-timestamp-manipulation | CWE-294 | A05:2025 | 7.5 | no-timestamp-manipulation | 💼 | | | 💡 | |
| require-expiration | CWE-613 | A04:2025 | 5.3 | require-expiration | 💼 | ⚠️ | | 💡 | |
| require-issued-at | CWE-294 | A04:2025 | 5.3 | require-issued-at | | | | 💡 | |
| require-issuer-validation | CWE-287 | A07:2025 | 5.3 | require-issuer-validation | | | | 💡 | |
| require-audience-validation | CWE-287 | A07:2025 | 5.3 | require-audience-validation | | | | 💡 | |
| require-max-age | CWE-294 | A04:2025 | 5.3 | require-max-age | | | | 💡 | |
| no-sensitive-payload | CWE-359 | A01:2025 | 5.3 | no-sensitive-payload | 💼 | ⚠️ | | 💡 | |

Part of the Interlace ESLint Ecosystem - AI-native security plugins with LLM-optimized error messages:

| Plugin | Description |
|---|---|
| eslint-plugin-secure-coding | General security rules & OWASP guidelines. |
| eslint-plugin-pg | PostgreSQL security & best practices. |
| eslint-plugin-crypto | NodeJS Cryptography security rules. |
| eslint-plugin-jwt | JWT security & best practices. |
| eslint-plugin-browser-security | Browser-specific security & XSS prevention. |
| eslint-plugin-express-security | Express.js security hardening rules. |
| eslint-plugin-lambda-security | AWS Lambda security best practices. |
| eslint-plugin-nestjs-security | NestJS security rules & patterns. |
| eslint-plugin-mongodb-security | MongoDB security best practices. |
| eslint-plugin-vercel-ai-security | Vercel AI SDK security hardening. |
| eslint-plugin-import-next | Next-gen import sorting & architecture. |

📄 License

MIT © Ofri Peretz
