The False Positive Tax: a 1:1 TP:FP analysis of eslint-plugin-security

May 25, 2026 · 2:46 PM UTC ·11 min read · 0 reactions · 0 comments · 13 views

#security #eslint #javascript #benchmark

The False Positive Tax: a 1:1 TP:FP analysis of eslint-plugin-security

⚡ TL;DR · AI summary

The article analyzes the performance of various ESLint security plugins in detecting vulnerabilities. It highlights that eslint-plugin-security has a concerning 1:1 ratio of true positives to false positives, indicating significant alert fatigue. The benchmark reveals that other plugins, like eslint-plugin-sonarjs, also struggle with low detection rates for actual vulnerabilities.

Key facts

▪eslint-plugin-security has a 1:1 true positive to false positive ratio.
▪eslint-plugin-sonarjs detects only 35% of vulnerabilities despite having 269 rules.
▪The Interlace ecosystem achieved a perfect score with 40 detections and zero false positives.

Original article

DEV.to (Top)

Read full at DEV.to (Top) →

Opening excerpt (first ~120 words) tap to expand

try { if(localStorage) { let currentUser = localStorage.getItem('current_user'); if (currentUser) { currentUser = JSON.parse(currentUser); if (currentUser.id === 3669992) { document.getElementById('article-show-container').classList.add('current-user-is-article-author'); } } } } catch (e) { console.error(e); } Ofri Peretz Posted on May 25 • Originally published at ofriperetz.dev The False Positive Tax: a 1:1 TP:FP analysis of eslint-plugin-security #security #eslint #javascript #benchmark ESLint Security Benchmark Series (2 Part Series) 1 I Benchmarked 17 ESLint Security Plugins. Only One Found Every Vulnerability.

…

Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to (Top).

Anonymous · no account needed

Discussion

0 comments

The False Positive Tax: a 1:1 TP:FP analysis of eslint-plugin-security

Discussion

More from DEV.to (Top)