Ilya,

Thank you for the detailed reply.

I opted to fill my plugin 
<https://www.npmjs.com/package/eslint-plugin-vuln-regex-detector> with 
warnings, as you suggested.
I am presenting it as a CI tool that just happens to be implemented using 
eslint, rather than as an eslint plugin.

Best,

Jamie

On Wednesday, April 4, 2018 at 5:16:11 PM UTC-4, Ilya Volodin wrote:
>
> Hi Jamie,
>
> There are a few reasons why rules should be synchronous. First is, ESLint 
> is currently fully synchronous, because it’s a command line tool, and 
> command line tools are usually synchronous. ESLint also processes files in 
> a specific order and uses EventEmitter to notify rules about nodes in the 
> AST. There are a lot of rules that rely on a synchronous approach (for 
> example, they might rely on specific nodes to be in a specific order and 
> receiving notification out of order will break the logic of the rule). We 
> also don’t do any post-processing and reordering of the errors that we 
> receive from various rules, so async rules might start reporting errors in 
> files other than where they were found.
>
> Theoretically, since rules do not return anything to the engine, you could 
> try to create an async rule, and it might even work, but that’s not a 
> supported scenario. My suggestion is to notify users of your plugin that it 
> might take a significant amount of time to run it, and that they should 
> enable ESLint caching and use synchronous HTTP requests in your rules. But 
> experience for users who use editor integrations is still going to be 
> pretty poor.
>
> Thanks,
>
>                 Ilya Volodin
>
> *From:* esl...@googlegroups.com <esl...@googlegroups.com> *On Behalf Of *davi...@vt.edu
> *Sent:* Tuesday, April 3, 2018 10:29 PM
> *To:* ESLint <esl...@googlegroups.com>
> *Subject:* [ESLint] Expensive/asynchronous operations in eslint rules
>
> Hi all,
>
> I'm a PhD student at Virginia Tech. I'm working on a research project to 
> detect vulnerable regexes.
>
> I've developed a tool that queries an ensemble of catastrophic 
> backtracking detectors (repo here 
> <https://github.com/davisjam/vuln-regex-detector/>).
>
> Because the tool is expensive to run, I set up a server that maintains a 
> database of previous queries and results.
> I created an npm module that asynchronously queries this server over HTTP 
> (module here <https://www.npmjs.com/package/vuln-regex-detector>).
>
> I would like to create an eslint plugin to make it easy for developers to 
> adopt it.
> The plugin I envision is similar to this one 
> <https://www.npmjs.com/package/eslint-plugin-security#detect-unsafe-regex> 
> that uses safe-regex <https://github.com/substack/safe-regex> (which, 
> alas, has high rates of false positives and false negatives, and is 
> incorrectly 
> implemented <https://github.com/substack/safe-regex/pull/9> to boot).
> However, it looks from the eslint docs that eslint rules must be 
> synchronous <https://eslint.org/docs/developer-guide/architecture#rules>.
> I couldn't find this discussed explicitly in the eslint issues or this 
> mailing list; please forgive me if I missed a discussion about this 
> somewhere.
>
> I am interested in thoughts on:
>
>    - Whether there's any point in making *synchronous* HTTP requests? (I 
>    suspect this would lead to terrible linter performance)
>    - Whether there's a way to make an asynchronous eslint rule?
>    - If eslint is not a good way to do this, can anyone recommend an 
>    alternative approach?
>
> Thank you,
>
> Jamie
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "ESLint" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to eslint+un...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
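
Ilya's point about asynchronous reports landing in the wrong file, as an added example that is not part of the original thread and is not ESLint's code: a constructed model of a synchronous lint engine running one synchronous and one promise-based rule over two sample files. The names `lintFiles`, `syncRule`, `asyncRule` and `looksVulnerable` are hypothetical, and the nested-quantifier check is a toy stand-in for an expensive detector.

```javascript
// Constructed model of a synchronous lint engine. Not ESLint's code.
// Toy stand-in for an expensive detector: flags nested quantifiers like (a+)+.
const looksVulnerable = (src) => /\([^)]*[+*]\)[+*]/.test(src);

// Synchronous rule: decides and reports before the handler returns.
const syncRule = (context) => (node) => {
  if (looksVulnerable(node.src)) context.report(`sync: ${node.src}`);
};

// Asynchronous rule: the verdict arrives in a later microtask, as it would
// after a non-blocking HTTP query to a remote detector.
const asyncRule = (context) => (node) => {
  Promise.resolve(looksVulnerable(node.src)).then((bad) => {
    if (bad) context.report(`async: ${node.src}`);
  });
};

// Engine: visits files in order, notifies every rule of each regex literal,
// and files each report under whichever file is current at report time.
function lintFiles(files, rules) {
  const results = {};
  let current = null;
  const context = { report: (msg) => results[current].push(msg) };
  for (const [name, literals] of Object.entries(files)) {
    current = name;
    results[name] = [];
    const handlers = rules.map((rule) => rule(context));
    for (const src of literals) {
      for (const handle of handlers) handle({ src });
    }
  }
  return results; // returned before any asynchronous verdict has resolved
}

// Constructed sample input: file name -> regex sources found in that file.
const files = { "a.js": ["(a+)+$"], "b.js": ["^[a-z]+$"] };

const live = lintFiles(files, [syncRule, asyncRule]);
// What a CLI would print at the end of the synchronous pass.
const printed = JSON.parse(JSON.stringify(live));
// Resolves once the pending rule callbacks have run.
const settled = Promise.resolve().then(() => live);
```

In this model the asynchronous finding for `a.js` is absent from `printed` and later lands under `b.js`, so a security rule written this way would let a CI run pass with the finding unreported.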
