no-node-vm-source-text-module
Disallow node:vm SourceTextModule constructors that compile JavaScript source strings into executable modules.
Targeted pattern scope
This rule targets SourceTextModule constructors imported from node:vm or vm.
The rule covers:
- named imports like import { SourceTextModule } from "node:vm"
- namespace/default bindings like vm.SourceTextModule
- CommonJS require(...) destructuring and namespace access
What this rule reports
This rule reports new SourceTextModule(...) for the Node vm module.
Why this rule exists
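The three binding shapes listed above (named import, namespace or default binding, CommonJS require) are what the rule has to track before it can decide whether a given `new X(...)` reaches node:vm's SourceTextModule. The following is an added example, not the plugin's own implementation: a minimal rule in ESLint's `create(context)` shape that records vm bindings as it sees them and flags matching NewExpression nodes, together with a small walker and a hand-built ESTree program so it runs without ESLint or a parser. The helper names (`createRule`, `walk`, `lint`, the AST builders) and the sample program are assumptions made for the example.

```javascript
"use strict";

// Added example (not the plugin's own code): ESLint-style rule flagging
// `new SourceTextModule(...)` reached through node:vm / vm bindings.
const VM_SPECIFIERS = new Set(["node:vm", "vm"]);
const TARGET = "SourceTextModule";

// True for `require("node:vm")` / `require("vm")`.
function isRequireVm(node) {
  return Boolean(node) && node.type === "CallExpression" &&
    node.callee.type === "Identifier" && node.callee.name === "require" &&
    node.arguments.length === 1 && node.arguments[0].type === "Literal" &&
    VM_SPECIFIERS.has(node.arguments[0].value);
}

function createRule(context) {
  const direct = new Set();     // local names bound to SourceTextModule itself
  const namespace = new Set();  // local names bound to the vm module object
  return {
    // import { SourceTextModule as X } from "node:vm"; import vm from "vm"; import * as vm from "vm"
    ImportDeclaration(node) {
      if (!VM_SPECIFIERS.has(node.source.value)) return;
      for (const spec of node.specifiers) {
        if (spec.type === "ImportSpecifier" && spec.imported.name === TARGET) {
          direct.add(spec.local.name);
        } else if (spec.type === "ImportNamespaceSpecifier" || spec.type === "ImportDefaultSpecifier") {
          namespace.add(spec.local.name);
        }
      }
    },
    // const vm = require("vm"); const { SourceTextModule: X } = require("node:vm")
    VariableDeclarator(node) {
      if (!isRequireVm(node.init)) return;
      if (node.id.type === "Identifier") {
        namespace.add(node.id.name);
      } else if (node.id.type === "ObjectPattern") {
        for (const prop of node.id.properties) {
          if (prop.type === "Property" && prop.key.type === "Identifier" &&
              prop.key.name === TARGET && prop.value.type === "Identifier") {
            direct.add(prop.value.name);
          }
        }
      }
    },
    // new X(...) where X is a tracked binding, or new vm.SourceTextModule(...)
    NewExpression(node) {
      const c = node.callee;
      const viaBinding = c.type === "Identifier" && direct.has(c.name);
      const viaNamespace = c.type === "MemberExpression" && !c.computed &&
        c.object.type === "Identifier" && namespace.has(c.object.name) &&
        c.property.type === "Identifier" && c.property.name === TARGET;
      if (viaBinding || viaNamespace) {
        context.report({ node, message: `Do not compile module source with ${TARGET}.` });
      }
    },
  };
}

// Depth-first, source-order walk over any ESTree-shaped object.
function walk(node, visitors) {
  if (!node || typeof node.type !== "string") return;
  if (visitors[node.type]) visitors[node.type](node);
  for (const key of Object.keys(node)) {
    const child = node[key];
    if (Array.isArray(child)) child.forEach((c) => walk(c, visitors));
    else if (child && typeof child === "object") walk(child, visitors);
  }
}

// Runs the rule over a Program node and returns the reported messages.
function lint(program) {
  const reports = [];
  walk(program, createRule({ report: (r) => reports.push(r.message) }));
  return reports;
}

// Constructed ESTree fragments standing in for parser output.
const id = (name) => ({ type: "Identifier", name });
const lit = (value) => ({ type: "Literal", value });
const stmt = (expression) => ({ type: "ExpressionStatement", expression });
const construct = (callee, args) => stmt({ type: "NewExpression", callee, arguments: args });
const member = (object, property) => ({ type: "MemberExpression", object, property, computed: false });
const requireCall = (spec) => ({ type: "CallExpression", callee: id("require"), arguments: [lit(spec)] });

const sampleProgram = {
  type: "Program",
  body: [
    { type: "ImportDeclaration", source: lit("node:vm"),
      specifiers: [{ type: "ImportSpecifier", imported: id(TARGET), local: id("STM") }] },
    { type: "ImportDeclaration", source: lit("vm"),
      specifiers: [{ type: "ImportNamespaceSpecifier", local: id("vm") }] },
    { type: "VariableDeclaration", kind: "const", declarations: [{ type: "VariableDeclarator",
      id: { type: "ObjectPattern", properties: [{ type: "Property", kind: "init", key: id(TARGET), value: id("Mod") }] },
      init: requireCall("node:vm") }] },
    construct(id("STM"), [id("userSuppliedModuleCode")]),                   // flagged: named import
    construct(member(id("vm"), id(TARGET)), [id("userSuppliedModuleCode")]), // flagged: namespace access
    construct(id("Mod"), [id("userSuppliedModuleCode")]),                   // flagged: CommonJS destructuring
    // Not flagged: a same-named class imported from an unrelated module.
    { type: "ImportDeclaration", source: lit("./local-modules.js"),
      specifiers: [{ type: "ImportSpecifier", imported: id(TARGET), local: id("Local") }] },
    construct(id("Local"), []),
  ],
};

console.log(lint(sampleProgram)); // three reports, one per vm-backed constructor call
```

The binding tables are what keep the rule honest: a bare `new SourceTextModule()` with no vm import, or a class of the same name from another module, is left alone, while an aliased import such as `import { SourceTextModule as STM }` is still caught. Since ESLint visits nodes in source order, import and require bindings are recorded before the constructor calls that use them.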
SourceTextModule compiles JavaScript module source from a string. Like other
node:vm code-loading APIs, it is easy to mistake this for a security boundary
when it is really an executable code sink that deserves explicit SDL review.
Incorrect
import { SourceTextModule } from "node:vm";
new SourceTextModule(userSuppliedModuleCode);
Correct
await import(new URL("./module.js", import.meta.url).href);
Behavior and migration notes
This rule intentionally focuses on SourceTextModule construction through the
Node vm module. It does not attempt to determine whether a specific source
string is trusted.
ESLint flat config example
import sdl from "eslint-plugin-sdl-2";
export default [
  {
    plugins: { sdl },
    rules: {
      "sdl/no-node-vm-source-text-module": "error",
    },
  },
];
When not to use it
Disable this rule only if your project intentionally relies on SourceTextModule
and that design has been reviewed and approved.
Package documentation
Further reading
Rule catalog ID: R071