Rules Reference
Deslint ships with 62 rules across 11 scoring categories. Each rule can be set to "error", "warn", or "off". Rules marked fixable auto-fix when you run eslint --fix.
Deep dive: for the full story on why arbitrary Tailwind values drift — the three archetypes, how AI coding agents amplify them, and how Deslint catches each — read The hidden cost of Tailwind arbitrary values.
Colors
- Disallow arbitrary color values like bg-[#FF0000] in Tailwind classes.
  no-arbitrary-colors (/docs/rules/no-arbitrary-colors)
- Flag text/background color combinations below WCAG AA contrast.
  a11y-color-contrast (/docs/rules/a11y-color-contrast)
- Require a dark: variant for every background color class.
  dark-mode-coverage (/docs/rules/dark-mode-coverage)
- Cap the number of unique color families used in a single file.
  consistent-color-palette (/docs/rules/consistent-color-palette)
Spacing
Typography
Responsive
- Require responsive breakpoints on fixed-width layout containers.
  responsive-required (/docs/rules/responsive-required)
- Flag interactive elements smaller than 24×24 px.
  touch-target-size (/docs/rules/touch-target-size)
- Block outline-none unless a replacement focus indicator is present.
  focus-visible-style (/docs/rules/focus-visible-style)
Accessibility
- Require meaningful alt text on every <img> element.
  image-alt-text (/docs/rules/image-alt-text)
- Every form input must have an associated label.
  form-labels (/docs/rules/form-labels)
- Require autocomplete on identity and payment form fields.
  autocomplete-attribute (/docs/rules/autocomplete-attribute)
- Forbid invalid ARIA roles and unknown aria-* attributes.
  aria-validation (/docs/rules/aria-validation)
- Forbid empty anchors and generic "click here" link text.
  link-text (/docs/rules/link-text)
- Require a valid lang attribute on the <html> element.
  lang-attribute (/docs/rules/lang-attribute)
- Forbid disabling user scaling on the viewport meta tag.
  viewport-meta (/docs/rules/viewport-meta)
- Prefer semantic HTML over <div onClick> and redundant ARIA roles.
  prefer-semantic-html (/docs/rules/prefer-semantic-html)
Consistency
- Detect inconsistent spacing patterns across similar components.
  consistent-component-spacing (/docs/rules/consistent-component-spacing)
- Disallow arbitrary border-radius values; use the radius scale.
  no-arbitrary-border-radius (/docs/rules/no-arbitrary-border-radius)
- Detect inconsistent border-radius across similar components.
  consistent-border-radius (/docs/rules/consistent-border-radius)
- Flag single-file components exceeding a configurable line count.
  max-component-lines (/docs/rules/max-component-lines)
- Detect form elements missing error, disabled, or required handling.
  missing-states (/docs/rules/missing-states)
- Disallow arbitrary z-index values like z-[999].
  no-arbitrary-zindex (/docs/rules/no-arbitrary-zindex)
- Disallow inline style attributes; use Tailwind utility classes.
  no-inline-styles (/docs/rules/no-inline-styles)
- Detect contradictory Tailwind classes on the same element.
  no-conflicting-classes (/docs/rules/no-conflicting-classes)
- Flag identical className strings repeated 3+ times in a file.
  no-duplicate-class-strings (/docs/rules/no-duplicate-class-strings)
- Flag elements with too many Tailwind utility classes.
  max-tailwind-classes (/docs/rules/max-tailwind-classes)
Motion & Animation
- Require animations to respect prefers-reduced-motion.
  prefers-reduced-motion (/docs/rules/prefers-reduced-motion)
- Require icons to carry an accessible name or be marked decorative.
  icon-accessibility (/docs/rules/icon-accessibility)
- Detect modals and drawers that don't establish a focus trap.
  focus-trap-patterns (/docs/rules/focus-trap-patterns)
- Flag <img> elements missing loading, width/height, or srcset.
  responsive-image-optimization (/docs/rules/responsive-image-optimization)
- Detect stacks that mix spacing tokens from different sub-scales.
  spacing-rhythm-consistency (/docs/rules/spacing-rhythm-consistency)
Frontend safety
- Flag `dangerouslySetInnerHTML` — the canonical XSS path on user-supplied input.
  no-dangerous-html (/docs/rules/no-dangerous-html)
- Require `rel="noopener noreferrer"` on `<a target="_blank">`.
  safe-external-links (/docs/rules/safe-external-links)
- Require a `sandbox` attribute on `<iframe>` to constrain embedded content.
  iframe-sandbox (/docs/rules/iframe-sandbox)
Backend safety
- Flag hardcoded API keys, tokens, and private keys (AWS, GitHub, Stripe, Google, Slack, OpenAI, Anthropic, JWT, PEM).
  no-hardcoded-secrets (/docs/rules/no-hardcoded-secrets)
- Flag SQL queries built by `+` concatenation or template-literal interpolation.
  no-sql-injection (/docs/rules/no-sql-injection)
- Flag `child_process.exec` / `spawn({ shell: true })` with a dynamic command string.
  no-shell-injection (/docs/rules/no-shell-injection)
- Flag `fs.readFile` / `path.join` / `res.sendFile` with request-sourced input (CWE-22).
  no-path-traversal (/docs/rules/no-path-traversal)
- Flag outbound HTTP calls whose URL is derived from request input (CWE-918).
  no-ssrf (/docs/rules/no-ssrf)
- Flag redirects derived from request input (open redirect / phishing path).
  safe-redirect (/docs/rules/safe-redirect)
- Flag `eval()`, `new Function(...)`, `vm.runInNewContext`, and string-arg timers.
  no-eval (/docs/rules/no-eval)
- Flag `cors({ origin:"*", credentials:true })` and reflect-any-origin handlers.
  no-permissive-cors (/docs/rules/no-permissive-cors)
- Flag `rejectUnauthorized: false` and `NODE_TLS_REJECT_UNAUTHORIZED=0`.
  no-disabled-tls (/docs/rules/no-disabled-tls)
- Require httpOnly / secure / sameSite on `res.cookie` / `reply.setCookie` / `cookies().set`.
  secure-cookies (/docs/rules/secure-cookies)
- Require `expiresIn` on `jwt.sign(...)` and forbid `algorithm: "none"`.
  require-jwt-expiry (/docs/rules/require-jwt-expiry)
- Flag `createHash("md5"|"sha1")`, deprecated ciphers, and `Math.random()` for security values.
  no-weak-crypto (/docs/rules/no-weak-crypto)
Next.js stability
- Flag non-deterministic values (`Math.random`, `Date.now`, `new Date()`) inline in JSX.
  no-hydration-mismatch (/docs/rules/no-hydration-mismatch)
- Flag non-public `process.env.X` reads from `"use client"` or `*.client.{ts,tsx}` files.
  no-leaked-env-on-client (/docs/rules/no-leaked-env-on-client)
- Forbid Node-core / DB-driver imports from `"use client"` and `*.client.{ts,tsx}` files.
  no-server-only-in-client (/docs/rules/no-server-only-in-client)
- Disallow `useEffect(async () => …)` — returns a Promise instead of a cleanup.
  no-async-useeffect (/docs/rules/no-async-useeffect)
AI-coding hygiene
- Require try/catch (or an async wrapper) on async Express/Fastify route handlers.
  no-floating-promise-handler (/docs/rules/no-floating-promise-handler)
- Flag `Object.assign(user, req.body)` and `{ ...model, ...req.body }` shapes.
  no-unsafe-mass-assignment (/docs/rules/no-unsafe-mass-assignment)
- Flag `throw new Error("not implemented")` and TODO/FIXME stubs the AI left behind.
  no-placeholder-code (/docs/rules/no-placeholder-code)
- Flag hardcoded `localhost`/`127.0.0.1`/`0.0.0.0` URLs that ship to production.
  no-hardcoded-localhost (/docs/rules/no-hardcoded-localhost)
- Forbid empty `catch` blocks (`catch {}`, `catch (e) {}`, `catch (e) { /* TODO */ }`).
  no-empty-catch (/docs/rules/no-empty-catch)
- Forbid `console.log`/`debug`/`info`/`dir`/`trace`/`table`/`time*` in production source.
  no-prod-console (/docs/rules/no-prod-console)
- Forbid HTTP responses that include a stack trace or the raw caught-exception object.
  no-leaked-stack-trace (/docs/rules/no-leaked-stack-trace)
- Flag `as T` / `satisfies T` on `req.body`, `req.query`, `req.params`, `await request.json()`, etc.
  no-unvalidated-input (/docs/rules/no-unvalidated-input)
- Flag `mockUsers`/`fakeData`/`seedData`/`dummyConfig` arrays and placeholder emails (`john.doe@example.com`).
  no-mock-data-in-prod (/docs/rules/no-mock-data-in-prod)
Inline Suppression
Suppress a single violation with deslint-ignore and a mandatory reason:
{/* deslint-ignore no-arbitrary-colors -- brand gradient requires exact hex */}
<div className="bg-[#1E3A5F]" />
Report a False Positive
If a rule flags code that you believe is correct, please report it so we can improve Deslint for everyone. Include the rule name, the flagged code, and why you think it's a false positive.