ESLint rules that AI assistants can actually fix: error messages optimized for both human developers and Large Language Models.

```bash
npm install eslint-plugin-llm-optimized
```


> Keywords: ESLint plugin, LLM-optimized, AI assistant, auto-fix, ESLint MCP, Model Context Protocol, code quality, security rules, TypeScript ESLint, automated code fixes, GitHub Copilot, Cursor AI, Claude AI, structured error messages, CWE references, deterministic fixes
---
Traditional ESLint plugins tell developers what's wrong but leave them guessing how to fix it. That gap becomes critical when:
- Non-fixable rules leave AI assistants without guidance on how to resolve the issue
- Generic error messages force LLMs to hallucinate a solution, producing inconsistent fixes
- Several plugins are needed to cover security, architecture, React, and code quality
- Messages were never written with MCP in mind, so AI tools that reach ESLint through its MCP server receive nothing beyond the bare diagnostic
---
This plugin provides 137 ESLint rules where every error message is structured to guide both humans and AI assistants toward the correct fix, including rules that cannot be auto-fixed.

```text
src/api.ts
  42:15  error    CWE-89 | SQL Injection detected | CRITICAL
                  Fix: Use parameterized query: db.query("SELECT * FROM users WHERE id = ?", [userId]) | https://owasp.org/www-community/attacks/SQL_Injection
  58:3   warning  ⚠️ CWE-532 | console.log found in production code | MEDIUM
                  Fix: Use logger.debug() or remove statement | https://eslint.org/docs/latest/rules/no-console
```
Core principle: Every error message should teach, not just warn.
---
eslint-plugin-security (standard):

```text
src/api.ts:42:15
error Detected possible SQL injection security/detect-sql-injection
```

This plugin (LLM-optimized):

```text
src/api.ts:42:15
CWE-89 OWASP:A03-Injection | SQL Injection | CRITICAL [SOC2,PCI-DSS]
Fix: Use parameterized query: db.query("SELECT * FROM users WHERE id = ?", [userId])
Docs: https://owasp.org/www-community/attacks/SQL_Injection
```

eslint-plugin-security (standard):

```text
error Variable used as key in object access security/detect-object-injection
```

This plugin (LLM-optimized):

```text
CWE-915 | Prototype Pollution via dynamic property access | HIGH
Fix: Validate key against allowlist: if (ALLOWED_KEYS.includes(key)) obj[key]
Docs: https://portswigger.net/web-security/prototype-pollution
```
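The CWE-915 message above prescribes an allowlist check before any dynamic property access. The following added example (written for this page, not code from the plugin or its author) shows why that check matters: `deepSetUnsafe` writes to a caller-supplied dotted path and can be steered onto `Object.prototype` with a `__proto__` segment, while `deepSetGuarded` applies the allowlist fix. The function names, the `ALLOWED_KEYS` set and the dotted-path syntax are assumptions made for illustration; `demonstrate()` constructs the malicious input inline.

```javascript
// Added example, not the plugin's code: the pattern detect-object-injection-style
// rules flag (CWE-915) beside the allowlist fix the structured message prescribes.
// ALLOWED_KEYS, the function names and the dotted-path syntax are assumptions.

const ALLOWED_KEYS = new Set(['name', 'email', 'role']);

// Vulnerable: each path segment is used as a key without validation, so the
// attacker-controlled path "__proto__.isAdmin" walks onto Object.prototype and
// every object in the process suddenly reports isAdmin === true.
function deepSetUnsafe(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened: reject any segment that is not in the allowlist before touching the
// object, and only descend into properties the object itself owns. "__proto__",
// "constructor" and "prototype" never get past the allowlist.
function deepSetGuarded(target, path, value, allowed = ALLOWED_KEYS) {
  const parts = path.split('.');
  const bad = parts.find((p) => !allowed.has(p));
  if (bad !== undefined) {
    throw new Error(`Rejected key "${bad}": not in allowlist (CWE-915)`);
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (!Object.hasOwn(cur, key) || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Runs both versions against a constructed malicious path and reports what happened.
// Object.prototype is restored afterwards so the pollution does not outlive the demo.
function demonstrate() {
  const bystander = {}; // an unrelated object created before the attack
  deepSetUnsafe({}, '__proto__.isAdmin', true);
  const polluted = bystander.isAdmin === true; // true: the bystander was never touched directly
  delete Object.prototype.isAdmin;

  let rejected = false;
  try {
    deepSetGuarded({}, '__proto__.isAdmin', true);
  } catch {
    rejected = true; // true: the allowlist stopped the write before any mutation
  }
  const clean = ({}).isAdmin === undefined;
  return { polluted, rejected, clean };
}
```

The allowlist is the fix the message recommends because it fails closed: unknown keys are rejected rather than filtered. Where the set of legal keys is not known up front, storing attacker-keyed data in a `Map` or an `Object.create(null)` object removes the prototype chain altogether and is the usual alternative.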
| Aspect | Standard Plugins | This Plugin |
| --- | --- | --- |
| Error format | "what's wrong" | "what's wrong + how to fix" |
| CWE reference | ❌ None | ✅ Auto-enriched |
| OWASP mapping | ❌ None | ✅ 2021 & 2025 |
| Compliance tags | ❌ None | ✅ SOC2, HIPAA, PCI-DSS |
| Fix instruction | ❌ Generic or none | ✅ Specific with code example |
| Documentation | ⚠️ Sometimes | ✅ Always linked |
| AI success rate | ~50% | 94% |
---
This is the biggest differentiator. Traditional ESLint plugins with non-fixable rules just say "this is wrong." Our structured messages tell AI assistants exactly how to solve it.

| Rule Type | Traditional Plugin | This Plugin |
| --- | --- | --- |
| Auto-fixable | ✅ ESLint applies fix | ✅ ESLint applies fix |
| Non-fixable | ❌ "SQL injection detected" | ✅ "Use parameterized query: db.query("...", [userId])" |
Why this matters for organizations:
- Spread guidelines easily - Complex conventions that can't be auto-fixed (architecture patterns, security practices) become enforceable
- Consistent AI fixes - Same violation = same fix suggestion = deterministic results
- Self-documenting standards - Every error teaches the correct pattern with documentation links
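To make the two-line format concrete, here is an added example (written for this page, not taken from the plugin) of a minimal ESLint rule that reports in the style described above: a CWE-tagged headline followed by a `Fix:` and `Docs:` line. It flags `db.query(...)` calls whose first argument is a template literal with interpolations or a `+` concatenation that starts with an SQL keyword, and reports the parameterized-query fix. The sink name `db.query`, the rule name `no-concatenated-sql`, the helper names, and the ESTree fragments at the bottom (built by hand so the detector runs without an ESLint install) are all assumptions for illustration.

```javascript
// Added example, not the plugin's source: a small ESLint rule that emits the
// "headline + Fix/Docs" message shape. db.query as the sink, the rule name and
// the hand-built ESTree fragments below are assumptions for illustration.

const SQL_KEYWORD = /^\s*(select|insert|update|delete|with)\b/i;

// Builds the two-line message: "CWE-n | title | severity" then "Fix: ... | docs".
function formatLlmMessage({ cwe, title, severity, fix, docs }) {
  return `CWE-${cwe} | ${title} | ${severity}\nFix: ${fix} | ${docs}`;
}

// True when the query string is assembled from runtime values: a template
// literal with ${...} holes, or a '+' chain whose left-most operand is an SQL literal.
function isDynamicSqlArgument(arg) {
  if (!arg) return false;
  if (arg.type === 'TemplateLiteral') {
    const prefix = arg.quasis[0] && arg.quasis[0].value.cooked;
    return arg.expressions.length > 0 && SQL_KEYWORD.test(prefix || '');
  }
  if (arg.type === 'BinaryExpression' && arg.operator === '+') {
    let left = arg;
    while (left.type === 'BinaryExpression' && left.operator === '+') left = left.left;
    return left.type === 'Literal' && typeof left.value === 'string' && SQL_KEYWORD.test(left.value);
  }
  return false; // a plain string literal (parameterized query) is fine
}

const rule = {
  meta: {
    type: 'problem',
    docs: { description: 'Disallow SQL built by string concatenation or interpolation' },
    schema: [],
  },
  create(context) {
    return {
      CallExpression(node) {
        const callee = node.callee;
        const isQueryCall =
          callee.type === 'MemberExpression' &&
          callee.property.type === 'Identifier' &&
          callee.property.name === 'query';
        if (!isQueryCall || !isDynamicSqlArgument(node.arguments[0])) return;
        context.report({
          node,
          message: formatLlmMessage({
            cwe: 89,
            title: 'SQL Injection',
            severity: 'CRITICAL',
            fix: 'Use parameterized query: db.query("SELECT * FROM users WHERE id = ?", [userId])',
            docs: 'https://owasp.org/www-community/attacks/SQL_Injection',
          }),
        });
      },
    };
  },
};

// Constructed ESTree fragments standing in for parsed source (no ESLint needed):
//   db.query(`SELECT * FROM users WHERE id = ${userId}`)
const templateLiteralArg = {
  type: 'TemplateLiteral',
  quasis: [{ value: { cooked: 'SELECT * FROM users WHERE id = ' } }],
  expressions: [{ type: 'Identifier', name: 'userId' }],
};
//   db.query("SELECT * FROM users WHERE id = " + userId)
const concatArg = {
  type: 'BinaryExpression',
  operator: '+',
  left: { type: 'Literal', value: 'SELECT * FROM users WHERE id = ' },
  right: { type: 'Identifier', name: 'userId' },
};
//   db.query("SELECT * FROM users WHERE id = ?", [userId])
const safeArg = { type: 'Literal', value: 'SELECT * FROM users WHERE id = ?' };

// Runs the rule over a hand-built `db.query(<arg>)` call through a stub context and
// returns the reported messages. In a real project ESLint supplies node and context.
function lintCall(arg) {
  const reports = [];
  const listeners = rule.create({ report: (r) => reports.push(r.message) });
  listeners.CallExpression({
    type: 'CallExpression',
    callee: {
      type: 'MemberExpression',
      object: { type: 'Identifier', name: 'db' },
      property: { type: 'Identifier', name: 'query' },
    },
    arguments: [arg],
  });
  return reports;
}

if (typeof module !== 'undefined') module.exports = { rule, formatLlmMessage, isDynamicSqlArgument, lintCall };
```

The detector is deliberately narrow: it only fires when the string that reaches the query API is visibly assembled at the call site, so a parameterized literal is never reported. Because the fix text is a fixed string per rule, every violation of the rule yields the same instruction, which is what makes the resulting AI fixes deterministic.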
This plugin is specifically optimized for ESLint's official MCP server (`@eslint/mcp`), which exposes ESLint to AI assistants over the Model Context Protocol. The server runs your project's own ESLint configuration, so the plugin only needs to be present in `eslint.config.js`; nothing plugin-specific goes into the MCP configuration.

In `.cursor/mcp.json` (VS Code's `.vscode/mcp.json` takes the same server entry under a top-level `servers` key instead of `mcpServers`):

```json
{
  "mcpServers": {
    "eslint": {
      "command": "npx",
      "args": ["@eslint/mcp@latest"]
    }
  }
}
```
MCP + LLM-Optimized Messages = Maximum AI Capability
- AI reads structured errors in real-time
- Understands severity, CWE references, and fix instructions
- Applies consistent fixes automatically
- Provides context-aware suggestions even for complex refactors
Stop juggling multiple plugins. One install covers:
| Category | Rules | Examples |
| ------------------ | ----- | ---------------------------------------------- |
| Security | 29 | SQL injection, XSS, CSRF, credentials, crypto |
| Architecture | 28 | Circular deps, module boundaries, imports |
| React | 41 | Keys, hooks, state management, best practices |
| Code Quality | 9 | Complexity, null checks, ternary expressions |
| Development | 7 | Console logs, module formats, dependencies |
| Performance | 7 | Memory leaks, N+1 queries, render optimization |
| Error Handling | 4 | Unhandled promises, silent errors, context |
| Accessibility | 3 | Alt text, ARIA labels, keyboard navigation |
| Other | 9 | Complexity, DDD, migration, deprecation, API |
---
1. Install

```bash
npm install --save-dev eslint-plugin-llm-optimized
```

2. Configure (`eslint.config.js`, flat config)

```javascript
import js from '@eslint/js';
import llmOptimized from 'eslint-plugin-llm-optimized';

export default [
  js.configs.recommended,
  llmOptimized.configs.recommended,
];
```

That's it! AI assistants now receive structured, actionable guidance for every violation.
---
## Why Choose This Plugin?

| Feature | This Plugin | Standard ESLint Plugins |
| --- | --- | --- |
| Non-Fixable Rule Guidance | ✅ Structured fix instructions for AI | ❌ Generic "what's wrong" only |
| ESLint MCP Optimization | ✅ Built for MCP integration | ❌ No MCP consideration |
| All-in-One Coverage | ✅ 137 rules across 10+ categories | ⚠️ Multiple plugins needed |
| AI Auto-Fix Rate | ✅ 60-80% (including guided non-fixable) | ⚠️ 20-30% (auto-fix only) |
| Security Rules | ✅ 29 rules with CWE references | ⚠️ Limited coverage |
| Deterministic Fixes | ✅ Same violation = same fix | ⚠️ Inconsistent AI suggestions |
| Documentation Links | ✅ Every error includes docs | ❌ Rarely included |
| Package Name | ✅ Descriptive, self-explanatory | ⚠️ Generic names |
---
## Benchmarks

| Metric | This Plugin | eslint-plugin-security | eslint-plugin-import |
| --- | --- | --- | --- |
| Security Rules | 29 rules | 6 rules | 0 rules |
| False Positive Rate | 7.1% | 24.9% | N/A |
| AI Fix Success Rate | 94% | 67% | 78% |
| Circular Dep Detection | 100% | N/A | 73% |

| Capability | Our Implementation | Industry Standard |
| --- | --- | --- |
| LLM Message Format | ✅ Structured 2-line with CWE | ❌ Plain text |
| Compliance Mapping | ✅ SOC2, HIPAA, PCI-DSS auto | ❌ None |
| SARIF Export | ✅ Full GitHub Security support | ⚠️ Basic |

The figures above are the project's own measurements.

> Full Benchmarks →
---
## Available Presets

| Preset | Rules | Best For |
| --- | --- | --- |
| recommended | Core rules (balanced) | Most projects, balanced enforcement |
| strict | All 137 rules as errors | Maximum code quality |
| security | 29 security rules | Security-critical applications |
| react | 40+ React-specific rules | React/Next.js projects |
| sonarqube | SonarQube-inspired rules | Teams using SonarQube |

```javascript
// Use multiple presets
import llmOptimized from 'eslint-plugin-llm-optimized';

export default [
  llmOptimized.configs.recommended,
  llmOptimized.configs.security,
];
```

---
## For Organizations

### Scaling Code Standards Across Teams
This plugin enables organizations to enforce conventions that traditional static analysis can't handle:
| Challenge | Traditional Approach | LLM-Optimized Approach |
| ----------------------------- | -------------------------- | ---------------------------------- |
| Complex architecture patterns | Code reviews catch some | AI guided by structured rules |
| Security best practices | Training + manual review | Every violation teaches the fix |
| Domain-specific naming | Documentation nobody reads | Errors include correct terminology |
| Migration patterns | Manual tracking | AI applies consistent migrations |
---
## Package Information

> This package (`eslint-plugin-llm-optimized`) re-exports `@forge-js/eslint-plugin-llm-optimized` under a descriptive, unscoped name.

All of these packages are functionally identical:
- `eslint-plugin-llm-optimized` (this package, descriptive)
- `@forge-js/eslint-plugin-llm-optimized` (scoped, original)
- `eslint-plugin-llm` (shortest name)
- `eslint-plugin-mcp` (MCP-focused)
- `eslint-plugin-mcp-optimized` (MCP-optimized)
- `eslint-plugin-code-mode` (Code Mode-focused)

Choose based on naming preference; they all work the same way. Each alias is published as its own npm package, so pin whichever you pick and review it in your lockfile like any other dependency.
---
## FAQ

Q: How is this different from standard ESLint plugins?
A: Standard plugins tell you "what's wrong." This plugin tells AI assistants "how to fix it" with structured messages, even for rules that cannot be auto-fixed.

Q: Do I need ESLint MCP?
A: No, but it is recommended. The plugin works standalone; the structured messages are simply most useful when an AI assistant reads them through ESLint's MCP server.

Q: Will this slow down linting?
A: No. Overhead is under 10 ms per file; rules use efficient AST traversal with caching.

Q: Can I use this without AI assistants?
A: Yes. The structured messages help human developers too: every error teaches the correct pattern.
---
## Rules Reference (137 Rules)

💼 Set in `recommended` | ⚠️ Warns in `recommended` | 🔧 Auto-fixable | 💡 Editor suggestions

> Full documentation: github.com/ofri-peretz/forge-js/packages/eslint-plugin/docs

### Security

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 |
| --- | --- | --- | --- | --- | --- |
| no-sql-injection | Prevent SQL injection with string concatenation detection | 💼 | | | |
| database-injection | Comprehensive injection detection (SQL, NoSQL, ORM) | 💼 | | | |
| detect-eval-with-expression | Detect eval() with dynamic expressions (RCE prevention) | 💼 | | | |
| detect-child-process | Detect command injection in child_process calls | 💼 | | | |
| detect-non-literal-fs-filename | Detect path traversal in fs operations | 💼 | | | |
| detect-non-literal-regexp | Detect ReDoS vulnerabilities in RegExp construction | 💼 | | | |
| detect-object-injection | Detect prototype pollution in object property access | 💼 | | | |
| no-unsafe-dynamic-require | Forbid dynamic require() with non-literal arguments | 💼 | | | |
| no-hardcoded-credentials | Detect hardcoded passwords, API keys, tokens | 💼 | | | |
| no-weak-crypto | Detect weak cryptography (MD5, SHA1, DES) | 💼 | | | |
| no-insufficient-random | Detect weak random (Math.random()) | 💼 | | | |
| no-unvalidated-user-input | Detect unvalidated user input | 💼 | | | |
| no-unsanitized-html | Detect XSS via unsanitized HTML | 💼 | | | |
| no-unescaped-url-parameter | Detect unescaped URL parameters | 💼 | | | |
| no-missing-cors-check | Detect missing CORS validation | 💼 | | | |
| no-insecure-comparison | Detect insecure == and != | 💼 | | 🔧 | |
| no-missing-authentication | Detect missing auth checks | 💼 | | | |
| no-privilege-escalation | Detect privilege escalation | 💼 | | | |
| no-insecure-cookie-settings | Detect insecure cookie configs | 💼 | | | |
| no-missing-csrf-protection | Detect missing CSRF protection | 💼 | | | |
| no-exposed-sensitive-data | Detect PII exposure in logs | 💼 | | | |
| no-unencrypted-transmission | Detect HTTP vs HTTPS issues | 💼 | | | |
| no-redos-vulnerable-regex | Detect ReDoS patterns | 💼 | | | 💡 |
| no-unsafe-regex-construction | Detect unsafe RegExp | 💼 | | | 💡 |
| no-sensitive-data-exposure | Detect sensitive data exposure | 💼 | | | 💡 |
| no-toctou-vulnerability | Detect TOCTOU race conditions | 💼 | | | 💡 |
| no-missing-security-headers | Detect missing security headers | 💼 | | | 💡 |
| no-insecure-redirects | Detect open redirects | 💼 | | | 💡 |
| no-document-cookie | Detect document.cookie usage | 💼 | | | 💡 |
### Architecture

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 |
| --- | --- | --- | --- | --- | --- |
| no-circular-dependencies | Detect circular dependencies with chain analysis | | | | |
| no-internal-modules | Forbid importing internal/deep paths | | | | |
| no-cross-domain-imports | Prevent cross-domain imports | | | | 💡 |
| enforce-dependency-direction | Enforce dependency direction | | | | 💡 |
| no-external-api-calls-in-utils | No API calls in utils | | | | 💡 |
| prefer-node-protocol | Enforce node: protocol | | ⚠️ | 🔧 | |
| consistent-existence-index-check | Consistent property checks | | ⚠️ | 🔧 | |
| prefer-event-target | Prefer EventTarget | | ⚠️ | | 💡 |
| prefer-at | Prefer .at() method | | ⚠️ | 🔧 | |
| no-unreadable-iife | Prevent unreadable IIFEs | | ⚠️ | | 💡 |
| no-await-in-loop | Disallow await in loops | | ⚠️ | | 💡 |
| no-self-import | Prevent self-imports | | ⚠️ | | 💡 |
| no-unused-modules | Find unused exports | | ⚠️ | | 💡 |
| no-extraneous-dependencies | Detect extraneous dependencies | | ⚠️ | | 💡 |
| max-dependencies | Limit module dependencies | | ⚠️ | | 💡 |
| no-anonymous-default-export | Forbid anonymous exports | | ⚠️ | | 💡 |
| no-restricted-paths | Restrict import paths | | ⚠️ | | 💡 |
| no-deprecated | Detect deprecated imports | | ⚠️ | | 💡 |
| no-mutable-exports | Forbid mutable exports | | ⚠️ | | 💡 |
| prefer-default-export | Prefer default export | | ⚠️ | | 💡 |
| no-unresolved | Detect unresolved imports | | | | 💡 |
| no-relative-parent-imports | Forbid relative parent imports | | ⚠️ | | 💡 |
| no-default-export | Forbid default exports | | ⚠️ | | 💡 |
| no-named-export | Forbid named exports | | ⚠️ | | 💡 |
| no-unassigned-import | Forbid unassigned imports | | ⚠️ | | 💡 |
| enforce-import-order | Enforce specific import order | | ⚠️ | 🔧 | 💡 |
| consistent-function-scoping | Consistent function scoping | | ⚠️ | | 💡 |
| filename-case | Enforce filename conventions | | ⚠️ | | 💡 |
| no-instanceof-array | Forbid instanceof Array | | ⚠️ | 🔧 | |
### React

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 |
| --- | --- | --- | --- | --- | --- |
| hooks-exhaustive-deps | Enforce exhaustive hook dependencies | | ⚠️ | | 💡 |
| required-attributes | Enforce required attributes | | | 🔧 | |
| jsx-key | Detect missing React keys | | | | 💡 |
| no-direct-mutation-state | Prevent direct state mutation | | | | 💡 |
| require-optimization | Require React optimizations | | ⚠️ | | 💡 |
| no-set-state | Disallow setState in components | | | | 💡 |
| no-this-in-sfc | Disallow this in stateless components | | | | 💡 |
| no-access-state-in-setstate | Disallow this.state in setState | | | | 💡 |
| no-children-prop | Disallow passing children as props | | | | 💡 |
| no-danger | Disallow dangerouslySetInnerHTML | | | | 💡 |
| no-string-refs | Disallow string refs | | | | 💡 |
| no-unknown-property | Disallow unknown DOM properties | | | | 💡 |
| checked-requires-onchange-or-readonly | Require onChange or readOnly with checked | | | | 💡 |
| default-props-match-prop-types | Enforce defaultProps match propTypes | | | | 💡 |
| display-name | Require displayName in components | | | | 💡 |
| jsx-handler-names | Enforce handler naming conventions | | | | 💡 |
| jsx-max-depth | Limit JSX nesting depth | | | | 💡 |
| jsx-no-bind | Disallow bind() in JSX props | | | | 💡 |
| jsx-no-literals | Disallow string literals in JSX | | | | 💡 |
| no-adjacent-inline-elements | Disallow adjacent inline elements | | | | 💡 |
| no-arrow-function-lifecycle | Disallow arrow functions in lifecycle | | | | 💡 |
| no-did-mount-set-state | Disallow setState in componentDidMount | | | | 💡 |
| no-did-update-set-state | Disallow setState in componentDidUpdate | | | | 💡 |
| no-invalid-html-attribute | Disallow invalid HTML attributes | | | | 💡 |
| no-is-mounted | Disallow isMounted | | | | 💡 |
| no-multi-comp | One component per file | | | | 💡 |
| no-namespace | Disallow namespace imports for React | | | | 💡 |
| no-object-type-as-default-prop | Disallow object as default prop | | | | 💡 |
| no-redundant-should-component-update | Disallow redundant shouldComponentUpdate | | | | 💡 |
| no-render-return-value | Disallow render() return value | | | | 💡 |
| no-typos | Detect common typos in React | | | | 💡 |
| no-unescaped-entities | Disallow unescaped entities in JSX | | | | 💡 |
| prefer-es6-class | Prefer ES6 class syntax | | | | 💡 |
| prefer-stateless-function | Prefer stateless functional components | | | | 💡 |
| prop-types | Require propTypes declarations | | | | 💡 |
| react-in-jsx-scope | Require React in JSX scope | | | | 💡 |
| require-default-props | Require defaultProps for optional props | | | | 💡 |
| require-render-return | Require return in render | | | | 💡 |
| sort-comp | Enforce component method order | | | | 💡 |
| state-in-constructor | Enforce state initialization style | | | | 💡 |
| static-property-placement | Enforce static property placement | | | | 💡 |
### Development

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 |
| --- | --- | --- | --- | --- | --- |
| no-console-log | Disallow console.log with strategies | | ⚠️ | 🔧 | |
| prefer-dependency-version-strategy | Enforce version strategy | | ⚠️ | 🔧 | |
| no-amd | Disallow AMD imports | | ⚠️ | | 💡 |
| no-commonjs | Disallow CommonJS imports | | ⚠️ | | 💡 |
| no-nodejs-modules | Disallow Node.js modules | | | | 💡 |
| no-process-exit | Disallow process.exit() | | ⚠️ | | 💡 |
| no-console-spaces | Detect console.log spacing issues | | ⚠️ | 🔧 | |
### Performance

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 |
| --- | --- | --- | --- | --- | --- |
| react-no-inline-functions | Prevent inline functions in renders | | ⚠️ | | |
| no-unnecessary-rerenders | Detect unnecessary rerenders | | ⚠️ | | 💡 |
| no-memory-leak-listeners | Detect memory leak listeners | | ⚠️ | | 💡 |
| no-blocking-operations | Detect blocking operations | | ⚠️ | | 💡 |
| no-unbounded-cache | Detect unbounded caches | | ⚠️ | | 💡 |
| detect-n-plus-one-queries | Detect N+1 queries | | ⚠️ | | |
| react-render-optimization | React render optimization | | ⚠️ | | 💡 |
### Code Quality

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 |
| --- | --- | --- | --- | --- | --- |
| no-commented-code | Remove commented code | | ⚠️ | | 💡 |
| max-parameters | Limit function parameters | | ⚠️ | | 💡 |
| no-missing-null-checks | Enforce null checks | | ⚠️ | | 💡 |
| no-unsafe-type-narrowing | Safe type narrowing | | ⚠️ | | 💡 |
| expiring-todo-comments | Detect expired TODO comments | | ⚠️ | | 💡 |
| no-lonely-if | Detect lonely if statements | | ⚠️ | 🔧 | |
| no-nested-ternary | Forbid nested ternary expressions | | ⚠️ | | 💡 |
| prefer-code-point | Prefer codePointAt over charCodeAt | | ⚠️ | 🔧 | |
| prefer-dom-node-text-content | Prefer textContent over innerText | | ⚠️ | 🔧 | |
### Error Handling

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 |
| --- | --- | --- | --- | --- | --- |
| no-unhandled-promise | Handle promise rejections | | | | 💡 |
| no-silent-errors | No silent error swallowing | | | | 💡 |
| no-missing-error-context | Error context required | | | | 💡 |
| error-message | Require error messages | | ⚠️ | | 💡 |
### Accessibility

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 |
| --- | --- | --- | --- | --- | --- |
| img-requires-alt | Enforce alt text on images | | ⚠️ | | |
| no-keyboard-inaccessible-elements | Keyboard accessibility | | ⚠️ | | 💡 |
| no-missing-aria-labels | Enforce ARIA labels | | ⚠️ | | 💡 |
### Other

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 |
| --- | --- | --- | --- | --- | --- |
| cognitive-complexity | Limit cognitive complexity | | | | |
| nested-complexity-hotspots | Detect complexity hotspots | | | | 💡 |
| ddd-anemic-domain-model | Detect anemic models | | | | 💡 |
| ddd-value-object-immutability | Value object immutability | | | | 💡 |
| react-class-to-hooks | Migration to hooks | | | | |
| no-deprecated-api | Prevent deprecated APIs | | | | |
| enforce-naming | Domain-specific naming | | | | |
| identical-functions | Detect duplicate functions | | | | |
| enforce-rest-conventions | REST API conventions | | | | 💡 |
---
MIT © Ofri Peretz