Backend safety
no-weak-crypto
Flag `createHash("md5"|"sha1")`, deprecated ciphers, and `Math.random()` for security values.
AI coding tools default to whichever algorithm shows up first in their training data — that is frequently MD5 or SHA-1, neither of which is collision-resistant under any modern threat model. The `Math.random()` arm only fires when the value is bound to a security-sensitive identifier (`token`, `csrf`, `nonce`, …), so jitter and animation uses stay quiet.
Behavior
- Fixable: No.
- Suggestions: No.
Examples
Bad:
crypto.createHash("md5").update(pw).digest("hex");
Good:
crypto.createHash("sha256").update(pw).digest("hex");
- require-jwt-expiry: Require `expiresIn` on `jwt.sign(...)` and forbid `algorithm: "none"`.
- no-disabled-tls: Flag `rejectUnauthorized: false` and `NODE_TLS_REJECT_UNAUTHORIZED=0`.
- no-hardcoded-secrets: Flag hardcoded API keys, tokens, and private keys (AWS, GitHub, Stripe, Google, Slack, OpenAI, Anthropic, JWT, PEM).
Use it
Enable no-weak-crypto in your eslint.config.js:
import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-weak-crypto': 'error',
    },
  },
];