TypeScript passed it clean. The code reviewer approved it. It shipped to production. Three months...
TypeScript passed it clean. The code reviewer approved it. It shipped to production. Three months later, a penetration tester sent a report.
The vulnerable line:
const result = await pool.query(
"SELECT * FROM orders WHERE user_id = " + req.query.userId
);
The codebase had 2 years of feature PRs and zero security audits. In 30 minutes, a fresh ESLint run surfaced 6 distinct…
Supply chain attacks on the npm ecosystem have quietly become one of the most effective ways...
When building a personal finance tracker, data integrity and system reliability are non-negotiable....
Mahdi Shamlou here. Mahdi, okay fine — you got me with NoSQL injection last time ( read that story...
How to prevent MongoDB NoSQL injection, operator injection, and hardcoded connection strings with the only ESLint plugin built…
If you've spent most of your career building beautiful UIs, managing state, and wrestling with CSS,...
