Ilya,

Thank you for the detailed reply.

I opted to fill my plugin <https://www.npmjs.com/package/eslint-plugin-vuln-regex-detector> with warnings, as you suggested. I am presenting it as a CI tool that just happens to be implemented using eslint, rather than as an eslint plugin.

Best,
Jamie

On Wednesday, April 4, 2018 at 5:16:11 PM UTC-4, Ilya Volodin wrote:
> Hi Jamie,
>
> There are a few reasons why rules should be synchronous. First is, ESLint is currently fully synchronous, because it’s a command line tool, and command line tools are usually synchronous. ESLint also processes files in a specific order and uses EventEmitter to notify rules about nodes in the AST. There are a lot of rules that rely on a synchronous approach (for example, they might rely on specific nodes to be in a specific order and receiving notification out of order will break the logic of the rule). We also don’t do any post-processing and reordering of the errors that we receive from various rules, so async rules might start reporting errors in files other than where they were found.
>
> Theoretically, since rules do not return anything to the engine, you could try to create an async rule, and it might even work, but that’s not a supported scenario. My suggestion is to notify users of your plugin that it might take a significant amount of time to run it, and that they should enable ESLint caching and use synchronous HTTP requests in your rules. But the experience for users who use editor integrations is still going to be pretty poor.
>
> Thanks,
>
> Ilya Volodin
>
> *From:* [email protected] <[email protected]> *On Behalf Of* [email protected]
> *Sent:* Tuesday, April 3, 2018 10:29 PM
> *To:* ESLint <[email protected]>
> *Subject:* [ESLint] Expensive/asynchronous operations in eslint rules
>
> Hi all,
>
> I'm a PhD student at Virginia Tech. I'm working on a research project to detect vulnerable regexes.
>
> I've developed a tool that queries an ensemble of catastrophic backtracking detectors (repo here <https://github.com/davisjam/vuln-regex-detector/>).
>
> Because the tool is expensive to run, I set up a server that maintains a database of previous queries and results.
> I created an npm module that asynchronously queries this server over HTTP (module here <https://www.npmjs.com/package/vuln-regex-detector>).
>
> I would like to create an eslint plugin to make it easy for developers to adopt it.
> The plugin I envision is similar to this one <https://www.npmjs.com/package/eslint-plugin-security#detect-unsafe-regex> that uses safe-regex <https://github.com/substack/safe-regex> (which, alas, has high rates of false positives and false negatives, and is incorrectly implemented <https://github.com/substack/safe-regex/pull/9> to boot).
> However, it looks from the eslint docs that eslint rules must be synchronous <https://eslint.org/docs/developer-guide/architecture#rules>.
> I couldn't find this discussed explicitly in the eslint issues or this mailing list; please forgive me if I missed a discussion about this somewhere.
>
> I am interested in thoughts on:
>
> - Whether there's any point in making *synchronous* HTTP requests? (I suspect this would lead to terrible linter performance)
> - Whether there's a way to make an asynchronous eslint rule?
> - If eslint is not a good way to do this, can anyone recommend an alternative approach?
>
> Thank you,
>
> Jamie
>
> --
> You received this message because you are subscribed to the Google Groups "ESLint" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
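
The ordering problem Ilya describes, as an added example that is not part of the original thread and is not ESLint's code: a simplified model of a synchronous lint pass in which a rule's deferred verdict is reported only after the pass has moved on. `lint`, `syncRule`, `asyncRule`, the verdict table and the callback queue are all hypothetical; the queue stands in for Node's event loop.

```javascript
// Constructed sample input: two "files", each listing its regex literals.
const FILES = [
  { name: "a.js", literals: ["(a+)+$"] },
  { name: "b.js", literals: ["^[a-z]+$"] },
];
// Hypothetical stand-in for the remote detector's answers.
const VERDICTS = new Map([["(a+)+$", "vulnerable"], ["^[a-z]+$", "safe"]]);

// Stands in for Node's event loop: callbacks queued here cannot run until
// the synchronous lint pass has finished.
const pendingCallbacks = [];
const lookupSync = (pattern) => VERDICTS.get(pattern);
const lookupAsync = (pattern, cb) =>
  pendingCallbacks.push(() => cb(VERDICTS.get(pattern)));

const syncRule = (context) => ({
  Literal(node) {
    if (lookupSync(node.pattern) === "vulnerable") context.report(node.pattern);
  },
});
const asyncRule = (context) => ({
  Literal(node) {
    lookupAsync(node.pattern, (verdict) => {
      if (verdict === "vulnerable") context.report(node.pattern);
    });
  },
});

// Minimal synchronous engine: visits files in order, hands each node to the
// rule, and files every report under whichever file is current at that moment.
function lint(files, rule) {
  const results = {};
  let currentFile = null;
  const listeners = rule({ report: (msg) => results[currentFile].push(msg) });
  for (const file of files) {
    currentFile = file.name;
    results[currentFile] = [];
    // A direct call is synchronous, as EventEmitter#emit is.
    for (const pattern of file.literals) listeners.Literal({ pattern });
  }
  const atReturn = JSON.parse(JSON.stringify(results)); // what the run would print
  while (pendingCallbacks.length) pendingCallbacks.shift()(); // late callbacks fire
  return { atReturn, afterLate: results };
}

console.log("sync :", JSON.stringify(lint(FILES, syncRule)));
console.log("async:", JSON.stringify(lint(FILES, asyncRule)));
```

With the asynchronous rule, the pass returns with no findings at all, and the late report for the pattern in `a.js` is filed under `b.js`.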
