Possibly replace eslint-plugin-security with eslint-plugin-security-node

[manovotny]

eslint-plugin-security has a handful of open issues asking about the livelihood of the plugin that have gone unanswered / unresolved for 3.5 years now (since 06/2018).

More recently, the author of ESLint itself has asked if they can take over as maintainer of the project.

We'll see where that leads, but if it winds up deadening or stalling again, we'll likely switch to actively maintained alternative, eslint-plugin-security-node.

[gkouziik]

@manovotny im looking for people to develop and maintain eslint-plugin-security-node

[manovotny]

@gkouziik I'd recommend chiming in on the latest thread. There seems to be some traction and I'd love to see all of this come into some long-term ownership.

[benkiefer]

I can open up a separate issue for this, but any interest in moving the existing eslint security config options to the recommended ruleset by default so that we can pick up new rules automatically and then make choices about which rules we want to suppress?

Happy to submit a PR.

[manovotny]

any interest in moving the existing eslint security config options to the recommended ruleset by default

@benkiefer I don't think so... None of the other GOML plugins and configs just straight pull a recommend rule set. In fact, several recommend rules from ESLint aren't enabled on purpose. I think we'd prefer to continue to hand select and evaluate which rules are enabled. Tangentially related... I have had another idea on the back burner of my mind for a less opinionated set of plugins and configs where this idea would fit in better than here.