New
Introducing React Doctor for Enterprise
Menu
What Is React Doctor?
Quickstart
CLI to CI
How to Fix Issues
GitHub Actions Setup
Updating CI
Other CI Providers
Migrating to CI v2
Config Files
ESLint & oxlint Plugins
CLI Reference
GitHub Action Reference
Node.js API
Changelog
Terms of Service
Privacy Policy
Data Use
Security
Support
Rules reference

react-doctor/plugin-update-trust-risk

Downloading and running an update or plugin without verifying its integrity lets an attacker ship malicious code to your users.

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: production source files plus config/CI files (package.json, Dockerfile, docker-compose.yml, .github/workflows/*.yml, vercel.json, next.config.*, netlify.toml); test/doc/generated source skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires when an updater-shaped trigger (repoUrl/updateUrl/UpdateApp/InstallApp/auto-updater/installer/curl/wget, but not curl -T/--upload-file) is followed within ~250 chars by a concrete executable artifact (.zip/.exe/.dmg/.appimage/.msi/.deb/.rpm/.tar.gz) or a pipe-to-shell (| bash/| sh); for .js/.ts source files it additionally requires a real execution surface (child_process/execa/os.system/subprocess/Deno.run/autoUpdater/electron-updater, or an exec/spawn call). Comments are stripped first. FALSE POSITIVE: the download already verifies a hash/signature before use (sha256sum, --checksum, EXPECTED_SHA, gpg --verify, a .sha256 file), which suppresses the finding, or a docs/snippet component merely DISPLAYS an install command with no execution surface (skipped for source files).

Fix prompt

Use this once validation confirms the diagnostic is real.

Verify integrity before running any downloaded update or plugin: check a pinned SHA-256 (or gpg --verify a signature) and abort on mismatch. Pin the update or repository URL to a trusted host (no user-supplied repoUrl), serve it over HTTPS, and never pipe a download straight into a shell (curl … | sh). Keep custom-repository or third-party plugin installs behind an explicit user confirmation.