Getting Started with eslint-plugin-pg
Published: (December 31, 2025 at 01:45 PM EST)
2 min read
Source: Dev.to
Source: Dev.to
Quick Install
npm install --save-dev eslint-plugin-pgFlat Config
// eslint.config.js
import pg from 'eslint-plugin-pg';
export default [pg.configs.recommended];Run ESLint
npx eslint .Example output:
src/users.ts
15:3 error 🔒 CWE-89 OWASP:A03 CVSS:9.8 | Unsafe SQL query detected
Fix: Use parameterized query: client.query('SELECT * FROM users WHERE id = $1', [id])
src/orders.ts
28:5 error 🔒 CWE-772 | pool.connect() without client.release()
Fix: Add client.release() in finally blockRule Overview
| Rule | CWE | What it catches |
|---|---|---|
no-unsafe-query | CWE-89 | SQL injection via string concatenation |
no-missing-client-release | CWE-772 | Connection pool leaks |
prevent-double-release | CWE-415 | Double release crashes |
no-transaction-on-pool | CWE-362 | Transaction race conditions |
prefer-pool-query | CWE-400 | Unnecessary connect/release |
no-unsafe-copy-from | CWE-22 | Path traversal in COPY FROM |
no-unsafe-search-path | CWE-426 | search_path hijacking |
no-n-plus-one-query | Perf | N+1 query patterns |
| … | … | Plus 5 more… |
Quick Wins
Before (SQL Injection)
// ❌ SQL Injection
const query = `SELECT * FROM users WHERE id = '${userId}'`;
await pool.query(query);After (Parameterized Query)
// ✅ Parameterized Query
const query = 'SELECT * FROM users WHERE id = $1';
await pool.query(query, [userId]);Before (Connection Leak)
// ❌ Connection Leak
const client = await pool.connect();
const result = await client.query('SELECT * FROM users');
return result.rows;
// Missing client.release()!After (Guaranteed Release)
// ✅ Guaranteed Release
const client = await pool.connect();
try {
const result = await client.query('SELECT * FROM users');
return result.rows;
} finally {
client.release();
}Available Presets
// Security + best practices
pg.configs.recommended;
// All rules enabled
pg.configs.all;Customizing Rules
// eslint.config.js
import pg from 'eslint-plugin-pg';
export default [
pg.configs.recommended,
{
rules: {
// Downgrade to warning
'pg/prefer-pool-query': 'warn',
// Increase strictness
'pg/no-unsafe-query': [
'error',
{
allowLiteral: false,
},
],
},
},
];Performance
┌─────────────────────────────────────────────────────┐
│ Benchmark: 1000 files │
├─────────────────────────────────────────────────────┤
│ eslint-plugin-pg: 785ms │
│ 100% precision (0 false positives in tests) │
└─────────────────────────────────────────────────────┘Combine with Other Plugins
import pg from 'eslint-plugin-pg';
import secureCoding from 'eslint-plugin-secure-coding';
export default [pg.configs.recommended, secureCoding.configs.recommended];Quick Reference
# Install
npm install --save-dev eslint-plugin-pg
# Config (eslint.config.js)
import pg from 'eslint-plugin-pg';
export default [pg.configs.recommended];
# Run
npx eslint .Links
- npm: eslint-plugin-pg
- Full Rule List: GitHub docs
- Star on GitHub: