Hi Jamie,
There are a few reasons why rules should be synchronous. First is, ESLint is
currently fully synchronous, because it’s a command line tool, and command line
tools are usually synchronous. ESLint also processes files in a specific order
and uses EventEmitter to notify rules about nodes in the AST. There are a lot
of rules that rely on synchronous approach (for example, they might rely on
specific nodes to be in a specific order and receiving notification out of
order will break the logic of the rule). We also don’t do any post-processing
and reordering of the errors that we receive from various rules, so async rules
might start reporting errors in files other then were they were found.
Theoretically, since rules do not return anything to the engine, you could try
to create an async rule, and it might even work, but that’s not a supported
scenario. My suggestion is to notify users of your plugin that it might take
significant amount of time to run it, and that they should enable ESLint
caching and use synchronous HTTP requests in your rules. But experience for
users who use editor integrations is still going to be pretty poor.
Thanks,
Ilya Volodin
From: eslint@googlegroups.com <eslint@googlegroups.com> On Behalf Of
davis...@vt.edu
Sent: Tuesday, April 3, 2018 10:29 PM
To: ESLint <eslint@googlegroups.com>
Subject: [ESLint] Expensive/asynchronous operations in eslint rules
Hi all,
I'm a PhD student at Virginia Tech. I'm working on a research project to detect
vulnerable regexes.
I've developed a tool that queries an ensemble of catastrophic backtracking
detectors (repo here <https://github.com/davisjam/vuln-regex-detector/> ).
Because the tool is expensive to run, I set up a server that maintains a
database of previous queries and results.
I created an npm module that asynchronously queries this server over HTTP
(module here <https://www.npmjs.com/package/vuln-regex-detector> ).
I would like to create an eslint plugin to make it easy for developers to adopt
it.
The plugin I envision is similar to this one
<https://www.npmjs.com/package/eslint-plugin-security#detect-unsafe-regex>
that uses safe-regex <https://github.com/substack/safe-regex> (which, alas,
has high rates of false positives and false negatives, and is incorrectly
implemented <https://github.com/substack/safe-regex/pull/9> to boot).
However, it looks from the eslint docs that eslint rules must be synchronous
<https://eslint.org/docs/developer-guide/architecture#rules> .
I couldn't find this discussed explicitly in the eslint issues or this mailing
list; please forgive me if I missed a discussion about this somewhere.
I am interested in thoughts on:
* Whether there's any point in making synchronous HTTP requests? (I
suspect this would lead to terrible linter performance)
* Whether there's a way to make an asynchronous eslint rule?
* If eslint is not a good way to do this, can anyone recommend an
alternative approach?
Thank you,
Jamie
--
You received this message because you are subscribed to the Google Groups
"ESLint" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to eslint+unsubscr...@googlegroups.com
<mailto:eslint+unsubscr...@googlegroups.com> .
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups
"ESLint" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to eslint+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
