AI-coding hygiene
no-leaked-stack-trace
Forbid HTTP responses that include a stack trace or the raw caught-exception object.
AI-generated error handlers default to `res.status(500).send(err.stack)` or `res.json({ error: err })`, leaking file paths, library versions, embedded secrets, and the internal call graph. Covers Express, Koa, Fastify, Web Response/`NextResponse.json` shapes, plus chained `res.status(...).json(...)`.
Behavior
- Fixable: No.
- Suggestions: No.
Examples
Bad:
```js
app.use((err, req, res, next) => res.status(500).send(err.stack));
```
Good:
```js
app.use((err, req, res, next) => {
  logger.error(err);
  res.status(500).json({ error: "internal_error" });
});
```
Related rules
- no-empty-catch: Forbid empty `catch` blocks (`catch {}`, `catch (e) {}`, `catch (e) { /* TODO */ }`).
- no-floating-promise-handler: Require try/catch (or an async wrapper) on async Express/Fastify route handlers.
- no-hardcoded-secrets: Flag hardcoded API keys, tokens, and private keys (AWS, GitHub, Stripe, Google, Slack, OpenAI, Anthropic, JWT, PEM).
Use it
Enable no-leaked-stack-trace in your eslint.config.js:
```js
import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-leaked-stack-trace': 'error',
    },
  },
];
```
Found a false positive? Report it on GitHub.
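A fuller version of the "Good" handler, as an added example that is not part of the deslint project: full error detail goes to the server log under a correlation id, and the response body is built only from constants. `makeErrorHandler`, `SAFE_CODES`, the `errorId` field and the stub objects in `demo()` are assumptions made for illustration.

```javascript
// Added example, not deslint code. makeErrorHandler, SAFE_CODES and errorId are
// illustrative names; the default newId assumes a global Web Crypto (Node 19+).
const SAFE_CODES = { 400: "bad_request", 401: "unauthorized", 403: "forbidden", 404: "not_found" };

function makeErrorHandler({ logger, newId = () => globalThis.crypto.randomUUID() }) {
  return function errorHandler(err, req, res, next) {
    // Once headers are sent the body cannot be replaced; hand the error back
    // to the framework instead of appending error text to the stream.
    if (res.headersSent) return next(err);

    const errorId = newId();
    // Full detail (message, stack, cause) goes to the server-side log only.
    logger.error({ errorId, method: req.method, path: req.path, err });

    // Only an allow-listed integer 4xx status is reflected; anything else is 500.
    const allowed = Number.isInteger(err?.status) && Object.hasOwn(SAFE_CODES, err.status);
    const status = allowed ? err.status : 500;

    // The body is built from constants plus the opaque id, never from err.
    res.status(status).json({ error: SAFE_CODES[status] ?? "internal_error", errorId });
  };
}

// Constructed demo: a stub `res` and an error whose message holds a fake secret.
function demo() {
  const logged = [];
  const sent = {};
  const res = {
    headersSent: false,
    status(s) { sent.status = s; return this; },
    json(b) { sent.body = b; return this; },
  };
  const logger = { error: (entry) => logged.push(entry) };
  const handler = makeErrorHandler({ logger, newId: () => "id-1" });
  const err = new Error("connect failed: postgres://app:EXAMPLE_PASSWORD@db.internal/app");
  handler(err, { method: "GET", path: "/orders" }, res, () => {});
  return { sent, logged };
}
```

The `errorId` in the response lets support staff find the matching log entry without the client ever seeing the stack.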