Gathering detailed insights and metrics for eslint-plugin-react
Gathering detailed insights and metrics for eslint-plugin-react
React-specific linting rules for ESLint
Installations
npm install eslint-plugin-reactDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Min. Node Version
>=4
Node Version
23.5.0
NPM Version
10.9.2
Score
89.3
Supply Chain
94.6
Quality
85.2
Maintenance
100
Vulnerability
98.2
License
Releases
200
Languages
1
JavaScript
JavaScript (100%)
Developer
jsx-eslint
Download Statistics
Total Downloads
4,026,765,743
Last Day
3,853,878
Last Week
24,670,907
Last Month
99,760,718
Last Year
1,044,362,657
GitHub Statistics
MIT License
9,163 Stars
3,402 Commits
2,760 Forks
82 Watchers
11 Branches
527 Contributors
Updated on May 24, 2025
Bundle Size
507.36 kB
Minified
136.66 kB
Minified + Gzipped
Maintainers
2
Package Meta Information
Latest Version
7.37.5
Package Id
eslint-plugin-react@7.37.5
Unpacked Size
915.59 kB
Size
181.85 kB
File Count
406
NPM Version
10.9.2
Node Version
23.5.0
Published on
Apr 03, 2025
Total Downloads
Cumulative downloads
Total Downloads
4,026,765,743
Last Day
3.3%
3,853,878
Compared to previous day
Last Week
4.1%
24,670,907
Compared to previous week
Last Month
-1.9%
99,760,718
Compared to previous month
Last Year
22.5%
1,044,362,657
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
18
Peer Dependencies
1
Dev Dependencies
31
@babel/core@babel/eslint-parser@babel/plugin-syntax-decorators@babel/plugin-syntax-do-expressions@babel/plugin-syntax-function-bind@babel/preset-react@types/eslint@types/estree@types/node@typescript-eslint/parserbabel-eslinteslinteslint-config-airbnb-baseeslint-doc-generatoreslint-plugin-eslint-plugineslint-plugin-importeslint-remote-testereslint-remote-tester-repositorieseslint-scopeespreegfm-footnotesglobistanbuljackspeakls-enginesmarkdownlint-climochanpmignoresinontypescripttypescript-eslint-parser
eslint-plugin-react 
===================
React specific linting rules for eslint
Installation
1npm install eslint eslint-plugin-react --save-dev
It is also possible to install ESLint globally rather than locally (using npm install -g eslint). However, this is not recommended, and any plugins or shareable configs that you use must be installed locally in either case.
Configuration (legacy: .eslintrc*)
Use our preset to get reasonable defaults:
1 "extends": [ 2 "eslint:recommended", 3 "plugin:react/recommended" 4 ]
If you are using the new JSX transform from React 17, extend react/jsx-runtime in your eslint config (add "plugin:react/jsx-runtime" to "extends") to disable the relevant rules.
You should also specify settings that will be shared across all the plugin rules. (More about eslint shared settings)
1{ 2 "settings": { 3 "react": { 4 "createClass": "createReactClass", // Regex for Component Factory to use, 5 // default to "createReactClass" 6 "pragma": "React", // Pragma to use, default to "React" 7 "fragment": "Fragment", // Fragment to use (may be a property of <pragma>), default to "Fragment" 8 "version": "detect", // React version. "detect" automatically picks the version you have installed. 9 // You can also use `16.0`, `16.3`, etc, if you want to override the detected value. 10 // Defaults to the "defaultVersion" setting and warns if missing, and to "detect" in the future 11 "defaultVersion": "", // Default React version to use when the version you have installed cannot be detected. 12 // If not provided, defaults to the latest React version. 13 "flowVersion": "0.53" // Flow version 14 }, 15 "propWrapperFunctions": [ 16 // The names of any function used to wrap propTypes, e.g. `forbidExtraProps`. If this isn't set, any propTypes wrapped in a function will be skipped. 17 "forbidExtraProps", 18 {"property": "freeze", "object": "Object"}, 19 {"property": "myFavoriteWrapper"}, 20 // for rules that check exact prop wrappers 21 {"property": "forbidExtraProps", "exact": true} 22 ], 23 "componentWrapperFunctions": [ 24 // The name of any function used to wrap components, e.g. Mobx `observer` function. If this isn't set, components wrapped by these functions will be skipped. 25 "observer", // `property` 26 {"property": "styled"}, // `object` is optional 27 {"property": "observer", "object": "Mobx"}, 28 {"property": "observer", "object": "<pragma>"} // sets `object` to whatever value `settings.react.pragma` is set to 29 ], 30 "formComponents": [ 31 // Components used as alternatives to <form> for forms, eg. <Form endpoint={ url } /> 32 "CustomForm", 33 {"name": "SimpleForm", "formAttribute": "endpoint"}, 34 {"name": "Form", "formAttribute": ["registerEndpoint", "loginEndpoint"]}, // allows specifying multiple properties if necessary 35 ], 36 "linkComponents": [ 37 // Components used as alternatives to <a> for linking, eg. <Link to={ url } /> 38 "Hyperlink", 39 {"name": "MyLink", "linkAttribute": "to"}, 40 {"name": "Link", "linkAttribute": ["to", "href"]}, // allows specifying multiple properties if necessary 41 ] 42 } 43}
If you do not use a preset you will need to specify individual rules and add extra configuration.
Add "react" to the plugins section.
1{ 2 "plugins": [ 3 "react" 4 ] 5}
Enable JSX support.
With eslint 2+
1{ 2 "parserOptions": { 3 "ecmaFeatures": { 4 "jsx": true 5 } 6 } 7}
Enable the rules that you would like to use.
1 "rules": { 2 "react/jsx-uses-react": "error", 3 "react/jsx-uses-vars": "error", 4 }
Shareable configs
Recommended
This plugin exports a recommended configuration that enforces React good practices.
To enable this configuration use the extends property in your .eslintrc config file:
1{ 2 "extends": ["eslint:recommended", "plugin:react/recommended"] 3}
See eslint documentation for more information about extending configuration files.
All
This plugin also exports an all configuration that includes every available rule.
This pairs well with the eslint:all rule.
1{ 2 "plugins": [ 3 "react" 4 ], 5 "extends": ["eslint:all", "plugin:react/all"] 6}
Note: These configurations will import eslint-plugin-react and enable JSX in parser options.
Configuration (new: eslint.config.js)
From v8.21.0, eslint announced a new config system.
In the new system, .eslintrc* is no longer used. eslint.config.js would be the default config file name.
In eslint v8, the legacy system (.eslintrc*) would still be supported, while in eslint v9, only the new system would be supported.
And from v8.23.0, eslint CLI starts to look up eslint.config.js.
So, if your eslint is >=8.23.0, you're 100% ready to use the new config system.
You might want to check out the official blog posts,
- https://eslint.org/blog/2022/08/new-config-system-part-1/
- https://eslint.org/blog/2022/08/new-config-system-part-2/
- https://eslint.org/blog/2022/08/new-config-system-part-3/
and the official docs.
Plugin
The default export of eslint-plugin-react is a plugin object.
1const react = require('eslint-plugin-react'); 2const globals = require('globals'); 3 4module.exports = [ 5 … 6 { 7 files: ['**/*.{js,jsx,mjs,cjs,ts,tsx}'], 8 plugins: { 9 react, 10 }, 11 languageOptions: { 12 parserOptions: { 13 ecmaFeatures: { 14 jsx: true, 15 }, 16 }, 17 globals: { 18 ...globals.browser, 19 }, 20 }, 21 rules: { 22 // ... any rules you want 23 'react/jsx-uses-react': 'error', 24 'react/jsx-uses-vars': 'error', 25 }, 26 // ... others are omitted for brevity 27 }, 28 … 29];
Configuring shared settings
Refer to the official docs.
The schema of the settings.react object would be identical to that of what's already described above in the legacy config section.
Flat Configs
This plugin exports 3 flat configs:
flat.allflat.recommendedflat['jsx-runtime']
The flat configs are available via the root plugin import. They will configure the plugin under the react/ namespace and enable JSX in languageOptions.parserOptions.
1const reactPlugin = require('eslint-plugin-react'); 2 3module.exports = [ 4 … 5 reactPlugin.configs.flat.recommended, // This is not a plugin object, but a shareable config object 6 reactPlugin.configs.flat['jsx-runtime'], // Add this if you are using React 17+ 7 … 8];
You can of course add/override some properties.
Note: Our shareable configs does not preconfigure files or languageOptions.globals.
For most of the cases, you probably want to configure some properties by yourself.
1const reactPlugin = require('eslint-plugin-react'); 2const globals = require('globals'); 3 4module.exports = [ … { files: ['**/*.{js,mjs,cjs,jsx,mjsx,ts,tsx,mtsx}'], 5 ...reactPlugin.configs.flat.recommended, 6 languageOptions: { 7 ...reactPlugin.configs.flat.recommended.languageOptions, 8 globals: { 9 ...globals.serviceworker, 10 ...globals.browser, 11 }, 12 }, 13 }, 14 … 15];
The above example is same as the example below, as the new config system is based on chaining.
1const reactPlugin = require('eslint-plugin-react'); 2const globals = require('globals'); 3 4module.exports = [ … { files: ['**/*.{js,mjs,cjs,jsx,mjsx,ts,tsx,mtsx}'], 5 ...reactPlugin.configs.flat.recommended, 6 }, 7 { 8 files: ['**/*.{js,mjs,cjs,jsx,mjsx,ts,tsx,mtsx}'], 9 languageOptions: { 10 globals: { 11 ...globals.serviceworker, 12 ...globals.browser, 13 }, 14 }, 15 }, 16 … 17];
List of supported rules
💼 Configurations enabled in.
🚫 Configurations disabled in.
🏃 Set in the jsx-runtime configuration.
☑️ Set in the recommended configuration.
🔧 Automatically fixable by the --fix CLI option.
💡 Manually fixable by editor suggestions.
❌ Deprecated.
| Name | Description | 💼 | 🚫 | 🔧 | 💡 | ❌ |
|---|---|---|---|---|---|---|
| boolean-prop-naming | Enforces consistent naming for boolean props | |||||
| button-has-type | Disallow usage of button elements without an explicit type attribute | |||||
| checked-requires-onchange-or-readonly | Enforce using onChange or readonly attribute when checked is used | |||||
| default-props-match-prop-types | Enforce all defaultProps have a corresponding non-required PropType | |||||
| destructuring-assignment | Enforce consistent usage of destructuring assignment of props, state, and context | 🔧 | ||||
| display-name | Disallow missing displayName in a React component definition | ☑️ | ||||
| forbid-component-props | Disallow certain props on components | |||||
| forbid-dom-props | Disallow certain props on DOM Nodes | |||||
| forbid-elements | Disallow certain elements | |||||
| forbid-foreign-prop-types | Disallow using another component's propTypes | |||||
| forbid-prop-types | Disallow certain propTypes | |||||
| forward-ref-uses-ref | Require all forwardRef components include a ref parameter | 💡 | ||||
| function-component-definition | Enforce a specific function type for function components | 🔧 | ||||
| hook-use-state | Ensure destructuring and symmetric naming of useState hook value and setter variables | 💡 | ||||
| iframe-missing-sandbox | Enforce sandbox attribute on iframe elements | |||||
| jsx-boolean-value | Enforce boolean attributes notation in JSX | 🔧 | ||||
| jsx-child-element-spacing | Enforce or disallow spaces inside of curly braces in JSX attributes and expressions | |||||
| jsx-closing-bracket-location | Enforce closing bracket location in JSX | 🔧 | ||||
| jsx-closing-tag-location | Enforce closing tag location for multiline JSX | 🔧 | ||||
| jsx-curly-brace-presence | Disallow unnecessary JSX expressions when literals alone are sufficient or enforce JSX expressions on literals in JSX children or attributes | 🔧 | ||||
| jsx-curly-newline | Enforce consistent linebreaks in curly braces in JSX attributes and expressions | 🔧 | ||||
| jsx-curly-spacing | Enforce or disallow spaces inside of curly braces in JSX attributes and expressions | 🔧 | ||||
| jsx-equals-spacing | Enforce or disallow spaces around equal signs in JSX attributes | 🔧 | ||||
| jsx-filename-extension | Disallow file extensions that may contain JSX | |||||
| jsx-first-prop-new-line | Enforce proper position of the first property in JSX | 🔧 | ||||
| jsx-fragments | Enforce shorthand or standard form for React fragments | 🔧 | ||||
| jsx-handler-names | Enforce event handler naming conventions in JSX | |||||
| jsx-indent | Enforce JSX indentation | 🔧 | ||||
| jsx-indent-props | Enforce props indentation in JSX | 🔧 | ||||
| jsx-key | Disallow missing key props in iterators/collection literals | ☑️ | ||||
| jsx-max-depth | Enforce JSX maximum depth | |||||
| jsx-max-props-per-line | Enforce maximum of props on a single line in JSX | 🔧 | ||||
| jsx-newline | Require or prevent a new line after jsx elements and expressions. | 🔧 | ||||
| jsx-no-bind | Disallow .bind() or arrow functions in JSX props | |||||
| jsx-no-comment-textnodes | Disallow comments from being inserted as text nodes | ☑️ | ||||
| jsx-no-constructed-context-values | Disallows JSX context provider values from taking values that will cause needless rerenders | |||||
| jsx-no-duplicate-props | Disallow duplicate properties in JSX | ☑️ | ||||
| jsx-no-leaked-render | Disallow problematic leaked values from being rendered | 🔧 | ||||
| jsx-no-literals | Disallow usage of string literals in JSX | |||||
| jsx-no-script-url | Disallow usage of javascript: URLs | |||||
| jsx-no-target-blank | Disallow target="_blank" attribute without rel="noreferrer" | ☑️ | 🔧 | |||
| jsx-no-undef | Disallow undeclared variables in JSX | ☑️ | ||||
| jsx-no-useless-fragment | Disallow unnecessary fragments | 🔧 | ||||
| jsx-one-expression-per-line | Require one JSX element per line | 🔧 | ||||
| jsx-pascal-case | Enforce PascalCase for user-defined JSX components | |||||
| jsx-props-no-multi-spaces | Disallow multiple spaces between inline JSX props | 🔧 | ||||
| jsx-props-no-spread-multi | Disallow JSX prop spreading the same identifier multiple times | |||||
| jsx-props-no-spreading | Disallow JSX prop spreading | |||||
| jsx-sort-default-props | Enforce defaultProps declarations alphabetical sorting | ❌ | ||||
| jsx-sort-props | Enforce props alphabetical sorting | 🔧 | ||||
| jsx-space-before-closing | Enforce spacing before closing bracket in JSX | 🔧 | ❌ | |||
| jsx-tag-spacing | Enforce whitespace in and around the JSX opening and closing brackets | 🔧 | ||||
| jsx-uses-react | Disallow React to be incorrectly marked as unused | ☑️ | 🏃 | |||
| jsx-uses-vars | Disallow variables used in JSX to be incorrectly marked as unused | ☑️ | ||||
| jsx-wrap-multilines | Disallow missing parentheses around multiline JSX | 🔧 | ||||
| no-access-state-in-setstate | Disallow when this.state is accessed within setState | |||||
| no-adjacent-inline-elements | Disallow adjacent inline elements not separated by whitespace. | |||||
| no-array-index-key | Disallow usage of Array index in keys | |||||
| no-arrow-function-lifecycle | Lifecycle methods should be methods on the prototype, not class fields | 🔧 | ||||
| no-children-prop | Disallow passing of children as props | ☑️ | ||||
| no-danger | Disallow usage of dangerous JSX properties | |||||
| no-danger-with-children | Disallow when a DOM element is using both children and dangerouslySetInnerHTML | ☑️ | ||||
| no-deprecated | Disallow usage of deprecated methods | ☑️ | ||||
| no-did-mount-set-state | Disallow usage of setState in componentDidMount | |||||
| no-did-update-set-state | Disallow usage of setState in componentDidUpdate | |||||
| no-direct-mutation-state | Disallow direct mutation of this.state | ☑️ | ||||
| no-find-dom-node | Disallow usage of findDOMNode | ☑️ | ||||
| no-invalid-html-attribute | Disallow usage of invalid attributes | 💡 | ||||
| no-is-mounted | Disallow usage of isMounted | ☑️ | ||||
| no-multi-comp | Disallow multiple component definition per file | |||||
| no-namespace | Enforce that namespaces are not used in React elements | |||||
| no-object-type-as-default-prop | Disallow usage of referential-type variables as default param in functional component | |||||
| no-redundant-should-component-update | Disallow usage of shouldComponentUpdate when extending React.PureComponent | |||||
| no-render-return-value | Disallow usage of the return value of ReactDOM.render | ☑️ | ||||
| no-set-state | Disallow usage of setState | |||||
| no-string-refs | Disallow using string references | ☑️ | ||||
| no-this-in-sfc | Disallow this from being used in stateless functional components | |||||
| no-typos | Disallow common typos | |||||
| no-unescaped-entities | Disallow unescaped HTML entities from appearing in markup | ☑️ | 💡 | |||
| no-unknown-property | Disallow usage of unknown DOM property | ☑️ | 🔧 | |||
| no-unsafe | Disallow usage of unsafe lifecycle methods | ☑️ | ||||
| no-unstable-nested-components | Disallow creating unstable components inside components | |||||
| no-unused-class-component-methods | Disallow declaring unused methods of component class | |||||
| no-unused-prop-types | Disallow definitions of unused propTypes | |||||
| no-unused-state | Disallow definitions of unused state | |||||
| no-will-update-set-state | Disallow usage of setState in componentWillUpdate | |||||
| prefer-es6-class | Enforce ES5 or ES6 class for React Components | |||||
| prefer-exact-props | Prefer exact proptype definitions | |||||
| prefer-read-only-props | Enforce that props are read-only | 🔧 | ||||
| prefer-stateless-function | Enforce stateless components to be written as a pure function | |||||
| prop-types | Disallow missing props validation in a React component definition | ☑️ | ||||
| react-in-jsx-scope | Disallow missing React when using JSX | ☑️ | 🏃 | |||
| require-default-props | Enforce a defaultProps definition for every prop that is not a required prop | |||||
| require-optimization | Enforce React components to have a shouldComponentUpdate method | |||||
| require-render-return | Enforce ES5 or ES6 class for returning value in render function | ☑️ | ||||
| self-closing-comp | Disallow extra closing tags for components without children | 🔧 | ||||
| sort-comp | Enforce component methods order | |||||
| sort-default-props | Enforce defaultProps declarations alphabetical sorting | |||||
| sort-prop-types | Enforce propTypes declarations alphabetical sorting | 🔧 | ||||
| state-in-constructor | Enforce class component state initialization style | |||||
| static-property-placement | Enforces where React component static properties should be positioned. | |||||
| style-prop-object | Enforce style prop value is an object | |||||
| void-dom-elements-no-children | Disallow void DOM elements (e.g. <img />, <br />) from receiving children |
Other useful plugins
- Rules of Hooks: eslint-plugin-react-hooks
- JSX accessibility: eslint-plugin-jsx-a11y
- React Native: eslint-plugin-react-native
License
eslint-plugin-react is licensed under the MIT License.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
10 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
0 existing vulnerabilities detected
Reason
Found 7/30 approved changesets -- score normalized to 2
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/npm-publish.yml:97
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:15
- Warn: no topLevel permission defined: .github/workflows/node-18+.yml:1
- Warn: no topLevel permission defined: .github/workflows/node-minors.yml:1
- Warn: no topLevel permission defined: .github/workflows/node-pretest.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/npm-publish.yml:10
- Warn: no topLevel permission defined: .github/workflows/rebase.yml:1
- Warn: no topLevel permission defined: .github/workflows/release.yml:1
- Warn: no topLevel permission defined: .github/workflows/require-allow-edits.yml:1
- Warn: no topLevel permission defined: .github/workflows/smoke-test.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/type-check.yml:6
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/node-18+.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/node-18+.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-18+.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/node-18+.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/node-18+.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/node-18+.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/node-18+.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/node-18+.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/node-minors.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/node-minors.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-minors.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/node-minors.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/node-minors.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/node-minors.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/node-minors.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/node-minors.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-pretest.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/node-pretest.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/node-pretest.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/node-pretest.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-pretest.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/node-pretest.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/node-pretest.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/node-pretest.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/npm-publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/npm-publish.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/npm-publish.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/npm-publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/npm-publish.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/npm-publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/npm-publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:125: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/npm-publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/release.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/release.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/release.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/release.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/require-allow-edits.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/require-allow-edits.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/smoke-test.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/smoke-test.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/smoke-test.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/smoke-test.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/smoke-test.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/smoke-test.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/type-check.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/type-check.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/type-check.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/jsx-eslint/eslint-plugin-react/type-check.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/type-check.yml:61
- Warn: npmCommand not pinned by hash: .github/workflows/type-check.yml:65
- Info: 0 out of 11 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 20 third-party GitHubAction dependencies pinned
- Info: 0 out of 2 npmCommand dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 7 are checked with a SAST tool
Score
5.7
/10
Last Scanned on 2025-05-19
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More