no-electron-node-integration

Disallow enabling Electron Node.js integration for renderers with remote content.

Targeted pattern scope

This rule targets Electron BrowserWindow and webPreferences configurations that enable nodeIntegration where remote content is loaded.

What this rule reports

This rule reports renderer configurations that combine untrusted content with Node.js APIs.

Why this rule exists

Enabling Node.js integration for remote content increases remote code execution risk in Electron apps.

❌ Incorrect

new BrowserWindow({
 webPreferences: {
  nodeIntegration: true,
 },
});

✅ Correct

new BrowserWindow({
 webPreferences: {
  nodeIntegration: false,
  contextIsolation: true,
 },
});

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
 {
  plugins: { sdl },
  rules: {
   "sdl/no-electron-node-integration": "error",
  },
 },
];

When not to use it

Disable only for offline renderers with no untrusted input and compensating controls.

Package documentation

Rule source

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

ESLint flat config example​

When not to use it​

Package documentation​

Further reading​