Describe the bug
When installing eslint-plugin-sdl and eslint ^8.0.0 is present in package.json you'll see the below warning

warning "@vue-storefront/eslint-config > @microsoft/eslint-plugin-sdl > [email protected]" has incorrect peer dependency "eslint@^3 || ^4 || ^5 || ^6 || ^7".

This package has a hardcoded dependency on eslint-plugin-react 7.24.0
https://github.com/microsoft/eslint-plugin-sdl/blob/main/package.json#L25

7.24.0 of eslint-plugin-react requires eslint as a peerDependency, but eslint v8 is not included in the supported version range
7.27.0 enables support for ESLint v8

Please update

To Reproduce
Steps to reproduce the behavior:

1. Run yarn add eslint@^8.0.0 then yarn add eslint-plugin-sdl
2. See warning about wrong peerDependency version

Expected behavior
Warning about wrong eslint version should not appear.

When plugin:@microsoft/sdl/recommended is added to eslint configuration errors are generated for all files not listed in tsconfig.json file - not just typescript files.

Example error:

  0:0  error  Parsing error: "parserOptions.project" has been set for @typescript-eslint/parser.
The file does not match your project config: packages\foo\gulpfile.js.
The file must be included in at least one of the projects provided

Expected behavior
@typescript-eslint/parser is only applied to **/*.{ts,tsx} files as listed in the overrides and thus no Parsing errors.

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

1. Use typescript & eslint-plugin-sdl
2. Write code such as

const el: HTMLDivElement;
el.innerHTML = '';

3. Not marked as error in eslint

Expected behavior
Error should show for all HTML(type)Element

Additional context
Example extended HTMLElement type: https://github.com/microsoft/TypeScript/blob/main/lib/lib.dom.d.ts#L6353

We typically mandate plenty of crypto requirements, we need a rule that will be aligned and ban certain modules, functions, calls with unwanted arguments and so on.

This area is quite complex, let's focus on getting initial rule out and then plan a follow-up task.

Candidates for detection:

• Weak hashing algorithms (MD2, MD4, MD5, SHA1, ...).
• Weak encryption (DES, 3DES, RC4, ...)
• Weak SSL protocol (SSLv2, SSLv23, SSLv3, ...)
• RSA with < 2048 bit keys
• ECDSA with < 256b keys
• Weak cipher modes (CBC, OFB, CFB, ...)
• Hard-coded IV
• Empty/null encryption key?
• Disabling SSL certificate validation

The LICENSE file, file headers and github repository are currently all declaring the MIT license.

However, package.json is declaring ICT.

Is MIT the preferred license? If so, please could you update package.json and publish a new version to npm, so that it is displayed correctly on there as well?

Is your feature request related to a problem? Please describe.
Firefox is currently on a fork of this package.

Describe the solution you'd like
With #39 merged, it would be great for us if this package would create a new release

Describe alternatives you've considered
Of course, we could always stay on our fork.... 🙄

Describe the bug
The rule no-insecure-random is requiring ESLint.
const eslint = require("eslint/lib/eslint");
If ESLint is installed in a different directory from the plugin this will lead to an error.

To Reproduce
Steps to reproduce the behavior:

1. Create a code with insecure random algorithm. E.x. crypo.pseudoRandomBytes
2. Install ESLint in a different directory from the plugins.
3. Add the resolve-plugin-relative-to command to load those plugins.

Expected behavior
The rule should run properly without any crashes and not requiring ESLint.

Describe the bug

Angular 1.8.1 deprecated $compileProvider.aHrefSanitizationWhitelist and $compileProvider.imgSrcSanitizationWhitelist and replaced them with new methods.

To Reproduce

1. Inspect source code of the rule
2. There are no references to aHrefSanitizationTrustedUrlList nor imgSrcSanitizationTrustedUrlList

Expected behavior

Rule is renamed (as per style guide) and supports both old and new method names.

Is your feature request related to a problem? Please describe.
When scanning React apps, I would like to be warned about external links or forms without noreferrer or noopener in their rel attribute. This is quite common security requirement (see https://web.dev/external-anchors-use-rel-noopener/ and other public sources).

Describe the solution you'd like
I think react/jsx-no-target-blank does a good job of detecting most common scenarios, I would suggest adding it to SDL Required ruleset for React apps (./config/react.js).

I would also consider rule config that is slightly more strict that the defaults, such as:

{
  allowReferrer: false,
  enforceDynamicLinks: 'always',
  warnOnSpreadAttributes: true,
  links: true,
  forms: true
}

Describe alternatives you've considered
I don't think it makes sense to implement and maintain custom rule in this case.

Additional context
This check was implemented in tslint via react-anchor-blank-noopener but for some reason was omitted during migration of SDL rules to eslint.

Is your feature request related to a problem? Please describe.
We at Mozilla would like to make more use of the no-insecure-url rule of this plugin.. For this to work best, we'd prefer if the rule had the --fix functionality.

Describe the solution you'd like
We actually have a prototype patch that works for Literals and would be easy to adapt to TemplateLiterals and (obviously) takes the exceptions and blocklists into account.

Describe alternatives you've considered
N/A

Additional context
Not sure, but feel free to ask. We'd really like to make this work.

http://localhost is common for some testing scenarios and situations where communication does not leave the OS are not a risk.

To Reproduce
Steps to reproduce the behavior:

1. Add 'http://localhost' use in code.
2. Enable recommended configuration.
3. Run eslint
4. See report similar to:

Error @microsoft/sdl/no-insecure-url: Insecure protocols such as [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) or [FTP](https://en.wikipedia.org/wiki/File_Transfer_Protocol) should be replaced by their encrypted counterparts ([HTTPS](https://en.wikipedia.org/wiki/HTTPS), [FTPS](https://en.wikipedia.org/wiki/FTPS)) to avoid sending (potentially sensitive) data over untrusted network in plaintext.: Do not use insecure URLs

Related
See tslint no-http issue where localhost was resolved to be allowed.

Expected behavior
http://localhost should be allowed.

Describe the bug

ESLint validation for rule "react/jsx-no-target-blank" is always invalid with error "Schema error: should NOT have additional properties" because new configuration properties are not aligned with "eslint-plugin-react"

The new configuration:

It has been updated in an enhancement PR #26

CC @A-Katopodis @Vflouirac

But version "7.24.0" of "eslint-plugin-react" in the PR above only has 3 properties:

To Reproduce
Steps to reproduce the behavior:

1. Open any Javascript or Typescript project using ESLint with Webstorm IDE
2. Install dependency "@microsoft/eslint-plugin-sdl"
3. Add "plugin:@microsoft/sdl/react" to "extends" of ".eslintrc.js" or ".eslintrc.json"
4. Open any Javascript or Typescript file and see error "Schema error: should NOT have additional properties"

Expected behavior
ESLint is executed without any error.

Screenshots

Eslint 7.X.X is a dependency of this package, and it uses a vulnerable version of glob-parent (5.1.2).
Vulnerability is resolved in Eslint 8.X.X.

👋 Hi! I'm one of the maintainers of typescript-eslint. We're getting ready to release a new v6 major version of the tooling, which includes some small breaking changes.

Coming over from typescript-eslint/typescript-eslint#7124: I see this repo contains references to hasFullTypeInformation. That property is something we've never recommended using (see that issue & typescript-eslint/typescript-eslint#7158). We recommend instead using ESLintUtils.getParserServices per https://typescript-eslint.io/developers/custom-rules#typed-rules.

If you really want to "progressively enhance" lint rules, parserServices.program will be null if type information isn't available. But we definitely recommend against that kind of rule behavior changing.

Overall, I'd suggest trying out typescript-eslint@v6 and making sure internal builds & downstream repos still compile & lint nicely with all the changes. Let me know if there's anything we can do to help with the v6 upgrade! 💖

Describe the bug

The upcoming major release of ESLint includes several breaking changes for rule authors: https://eslint.org/blog/2023/09/preparing-custom-rules-eslint-v9/

To Reproduce

n/a

Expected behavior

n/a

Screenshots

n/a

Desktop (please complete the following information):

• OS: any
• Browser: any
• Version: any

Smartphone (please complete the following information):

• Device: any
• OS: any
• Browser: any
• Version: any

Additional context

Intro to ESLint's new config format: https://eslint.org/blog/2022/08/new-config-system-part-2/

Is your feature request related to a problem? Please describe.
[email protected] now includes rule react/iframe-missing-sandbox which is slightly improved version of @microsoft/sdl/react-iframe-missing-sandbox.

Unless there is a good reason to keep maintaining two versions of essentially identical rule I would suggest to deprecate @microsoft/sdl/react-iframe-missing-sandbox in favor of react/iframe-missing-sandbox.

Describe the solution you'd like

• Update config/react.js and switch from @microsoft/sdl/react-iframe-missing-sandbox to react/iframe-missing-sandbox
• Update version of eslint-plugin-react in package.json
• This is potentially breaking change, consider increasing minor package version, releasing in multiple stages, publishing release notes, etc.

Describe alternatives you've considered
Backport changes from react/iframe-missing-sandbox to @microsoft/sdl/react-iframe-missing-sandbox and continue maintaining two versions

Describe the bug

Consider migrating from eslint-plugin-node to eslint-plugin-n as the former is no longer maintained: mysticatea/eslint-plugin-node#300

To Reproduce

n/a

Expected behavior

n/a

Screenshots

n/a

Desktop (please complete the following information):

• OS: any
• Browser: any
• Version: any

Smartphone (please complete the following information):

• Device: any
• OS: any
• Browser: any
• Version: any

Additional context

For additional context, see mysticatea/eslint-plugin-node#300

We're integrating sdl/recommended to our repo and we're seeing false flags on our SVGs due to the xmlns attribute being set to a valid http:// based namespace. We're working around this currently but are there plans to fix this?

For those not familiar with plugin setup and eslint config setup, could you please write in the readme how to configure eslint to be able to use your plugin? Some lines with the settings (I assume it isn't much) would be sufficient and for some people (like me), very helpful.