Merge branch 'main' into feat/anti-trojan-charset

.eslint-doc-generatorrc.js

@@ -0,0 +1,9 @@
+const { format } = require('prettier');
+const { prettier: prettierRC } = require('./.prettierrc.json');
+
+/** @type {import('eslint-doc-generator').GenerateOptions} */
+const config = {
+  postprocess: (doc) => format(doc, { ...prettierRC, parser: 'markdown' }),
+};
+
+module.exports = config;

.eslintrc

@@ -13,11 +13,12 @@
   },
   "rules": {
     "eslint-plugin/prefer-message-ids": "off", // TODO: enable
+    "eslint-plugin/require-meta-docs-description": ["error", { "pattern": "^(Detects|Enforces|Requires|Disallows) .+\\.$" }],
     "eslint-plugin/require-meta-docs-url": [
       "error",
       {
         "pattern":
-          "https://github.com/nodesecurity/eslint-plugin-security#{{name}}",
+          "https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/{{name}}.md",
       },
     ],
     "eslint-plugin/require-meta-schema": "off", // TODO: enable

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -0,0 +1,85 @@
+name: "\U0001F41E Report a problem"
+description: 'Report an issue with a rule'
+title: 'Bug: (fill in)'
+labels:
+  - bug
+  - 'repro:needed'
+body:
+  - type: markdown
+    attributes:
+      value: By opening an issue, you agree to abide by the [Open JS Foundation Code of Conduct](https://eslint.org/conduct).
+  - type: input
+    attributes:
+      label: What version of eslint-plugin-security are you using?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: ESLint Environment
+      description: |
+        Please tell us about how you're running ESLint (Run `npx eslint --env-info`.)
+      value: |
+        Node version: 
+        npm version: 
+        Local ESLint version: 
+        Global ESLint version: 
+        Operating System:
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: What parser are you using?
+      description: |
+        Please keep in mind that some problems are parser-specific.
+      options:
+        - 'Default (Espree)'
+        - '@typescript-eslint/parser'
+        - '@babel/eslint-parser'
+        - 'vue-eslint-parser'
+        - '@angular-eslint/template-parser'
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What did you do?
+      description: |
+        Please include a *minimal* reproduction case. If possible, include a link to a reproduction of the problem in the [ESLint demo](https://eslint.org/demo). Otherwise, include source code, configuration file(s), and any other information about how you're using ESLint. You can use Markdown in this field.
+      value: |
+        <details>
+        <summary>Configuration</summary>
+
+        ```
+        <!-- Paste your configuration here -->
+        ```
+        </details>
+
+        ```js
+        <!-- Paste your code here -->
+        ```
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What did you expect to happen?
+      description: |
+        You can use Markdown in this field.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What actually happened?
+      description: |
+        Please copy-paste the actual ESLint output. You can use Markdown in this field.
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Participation
+      options:
+        - label: I am willing to submit a pull request for this issue.
+          required: false
+  - type: textarea
+    attributes:
+      label: Additional comments
+      description: Is there anything else that's important for the team to know?

.github/ISSUE_TEMPLATE/new-rule.yml

@@ -0,0 +1,39 @@
+name: "\U0001F680 Propose a new  rule"
+description: 'Propose a new rule to be added to the plugin'
+title: 'New Rule: (fill in)'
+labels:
+  - rule
+  - feature
+body:
+  - type: markdown
+    attributes:
+      value: By opening an issue, you agree to abide by the [Open JS Foundation Code of Conduct](https://eslint.org/conduct).
+  - type: input
+    attributes:
+      label: Rule details
+      description: What should the new rule do?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Related CVE
+      description: We only accept new rules that have a published [CVE](https://www.redhat.com/en/topics/security/what-is-cve).
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Example code
+      description: Please provide some example JavaScript code that this rule will warn about. This field will render as JavaScript.
+      render: js
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Participation
+      options:
+        - label: I am willing to submit a pull request to implement this rule.
+          required: false
+  - type: textarea
+    attributes:
+      label: Additional comments
+      description: Is there anything else that's important for the team to know?

.github/ISSUE_TEMPLATE/rule-change.yml

@@ -0,0 +1,61 @@
+name: "\U0001F4DD Request a rule change"
+description: 'Request a change to an existing rule'
+title: 'Rule Change: (fill in)'
+labels:
+  - enhancement
+  - rule
+body:
+  - type: markdown
+    attributes:
+      value: By opening an issue, you agree to abide by the [Open JS Foundation Code of Conduct](https://eslint.org/conduct).
+  - type: input
+    attributes:
+      label: What rule do you want to change?
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: What change to do you want to make?
+      options:
+        - Generate more warnings
+        - Generate fewer warnings
+        - Implement autofix
+        - Implement suggestions
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: How do you think the change should be implemented?
+      options:
+        - A new option
+        - A new default behavior
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Example code
+      description: Please provide some example code that this change will affect. This field will render as JavaScript.
+      render: js
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What does the rule currently do for this code?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What will the rule do after it's changed?
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Participation
+      options:
+        - label: I am willing to submit a pull request to implement this change.
+          required: false
+  - type: textarea
+    attributes:
+      label: Additional comments
+      description: Is there anything else that's important for the team to know?

.github/workflows/ci.yml

@@ -9,9 +9,13 @@ jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@v3
         with:
           node-version: '16.x'
 
@@ -26,17 +30,21 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        node: [17.x, 16.x, 14.x, 12.x, '12.22.0']
+        node: [18.x, 16.x, 14.x, 12.x, '12.22.0']
         include:
           - os: windows-latest
             node: '16.x'
           - os: macOS-latest
             node: '16.x'
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node }}
 

.github/workflows/pr.yml

@@ -5,9 +5,13 @@ jobs:
   conventional:
     name: Conventional PR
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@v3
       - uses: beemojs/conventional-pr-action@v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.markdownlint.json

@@ -0,0 +1,4 @@
+{
+  "line-length": false,
+  "no-inline-html": { "allowed_elements": ["kbd"]}
+}

.markdownlintignore

@@ -0,0 +1,3 @@
+CHANGELOG.md
+LICENSE
+node_modules