eslint-plugin-sonarjs
SonarJS rules for ESLint
Versions: 48
License: LGPL-3.0-only
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers: saberduck, elena-vilchik, andrea-guarino-sonarsource, yassin-kammoun-sonarsource, sonartech
Keywords: sonarjs, eslint, eslintplugin
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads rule modules from a fixed local subdirectory using an internal rule list — not user-controlled input. Standard ESLint plugin pattern; stable false positive for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed from sonartech to GitHub Actions, consistent with SonarSource migrating to automated CI/CD publishing. SLSA provenance attestation confirms the release integrity via Sigstore. | ai | |
| phantom-deps | phantom-dep:@types/eslint | AI (phantom-deps): Type definitions for ESLint are framework-scoped and loaded by convention in TypeScript projects; stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Lack of Sigstore provenance is common (~12% adoption) and not a security concern for established packages from known publishers like SonarSource. | ai | |
| license | weak-copyleft-license:LGPL-3.0-only | AI (license): LGPL-3.0-only is the declared license for this SonarSource project; stable across versions. | ai | |
| phantom-deps | phantom-dep:@babel/preset-flow | AI (phantom-deps): Babel preset loaded by convention for ESLint parser configuration; stable pattern for this plugin. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-decorators | AI (phantom-deps): Babel plugin loaded by convention for ESLint parser configuration; stable pattern for this plugin. | ai | |
| phantom-deps | phantom-dep:@babel/preset-react | AI (phantom-deps): Babel preset loaded by convention for ESLint parser configuration; stable pattern for this plugin. | ai | |
| dependencies | unvetted-dep:vue-eslint-parser | AI (dependencies): vue-eslint-parser is a legitimate dependency for an ESLint plugin supporting Vue syntax; already marked as accepted risk. | ai | |
| phantom-deps | phantom-dep:@babel/preset-env | AI (phantom-deps): Babel preset loaded by convention for ESLint parser configuration; stable pattern for this plugin. | ai | |
| phantom-deps | phantom-dep:eslint-scope | AI (phantom-deps): Referenced in ESLint plugin configuration files; stable for this package. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Babel core is loaded by convention when Babel presets are used; stable for this ESLint plugin. | ai | |
| phantom-deps | phantom-dep:vue-eslint-parser | AI (phantom-deps): Referenced in config files but not directly imported; expected for plugin supporting Vue syntax. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-import | AI (phantom-deps): Referenced in config files as part of ESLint plugin's bundled rule configurations; standard ESLint plugin pattern. | ai | |
| provenance | slsa-provenance | AI (provenance): SonarSource publishes via CI/CD with Sigstore SLSA attestation; this is expected and stable for this package. | ai | |
Versions (showing 48 of 48)
| Version | Deps | Published |
|---|---|---|
| 4.0.3 | 12 / 0 | |
| 4.0.2 | 12 / 0 | |
| 4.0.1 | 12 / 0 | |
| 4.0.0 | 12 / 0 | |
| 3.0.7 | 10 / 0 | |
| 3.0.6 | 10 / 0 | |
| 3.0.5 | 10 / 0 | |
| 3.0.4 | 10 / 0 | |
| 3.0.3 | 9 / 0 | |
| 3.0.2 | 9 / 0 | |
| 3.0.1 | 15 / 0 | |
| 3.0.0 | 15 / 0 | |
| 2.0.4 | 23 / 0 | |
| 2.0.3 | 23 / 12 | |
| 2.0.2 | 23 / 9 | |
| 2.0.1 | 24 / 8 | |
| 2.0.0 | 19 / 9 | |
| 1.0.4 | 0 / 34 | |
| 1.0.3 | 0 / 34 | |
| 1.0.2 | 0 / 34 | |
| 1.0.0 | 0 / 33 | |
| 0.25.1 | 0 / 30 | |
| 0.25.0 | 0 / 30 | |
| 0.24.0 | 0 / 30 | |
| 0.23.0 | 0 / 29 | |
| 0.22.0 | 0 / 29 | |
| 0.21.0 | 0 / 29 | |
| 0.20.0 | 0 / 29 | |
| 0.19.0 | 0 / 29 | |
| 0.18.0 | 0 / 29 | |
| 0.17.0 | 0 / 29 | |
| 0.16.0 | 0 / 29 | |
| 0.15.0 | 0 / 29 | |
| 0.14.0 | 0 / 29 | |
| 0.13.0 | 0 / 23 | |
| 0.12.0 | 0 / 23 | |
| 0.11.0 | 0 / 23 | |
| 0.10.0 | 0 / 22 | |
| 0.9.1 | 0 / 22 | |
| 0.9.0 | 0 / 22 | |
| 0.7.0 | 0 / 24 | |
| 0.6.0 | 0 / 24 | |
| 0.5.0 | 0 / 24 | |
| 0.4.0 | 0 / 23 | |
| 0.3.0 | 0 / 23 | |
| 0.2.0 | 0 / 23 | |
| 0.1.1 | 0 / 23 | |
| 0.1.0 | 0 / 22 | |
v2.0.4 (1 finding)
INFO | No provenance attestation | provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.3 (1 finding)
INFO | No provenance attestation | provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0 (1 finding)
INFO | No provenance attestation | provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.