Really nice work. The async forEach bug alone has burned so many teams and it's the kind of thing that looks completely fine in code review. The fact that it runs locally with no telemetry is a big deal for teams that can't pipe source code to external services.
The hallucinated dependency detector is underrated — AI tools confidently import packages that don't exist and it's embarrassing how easily that slips through. Good to have something that catches it automatically.
ESLint focuses mostly on *syntax, style, and common JavaScript pitfalls*. It’s excellent for enforcing code quality rules (formatting, unused variables, best practices, etc.), and many teams already rely on it heavily.
CodeDrift is trying to focus on a different layer: *semantic and security-relevant patterns that often appear in AI-generated code*.
A few examples:
• *Async logic mistakes* – patterns like `array.forEach(async ...)` where promises are never awaited. ESLint can warn about some async patterns, but many variations slip through when the code still “looks” valid.
• *Authorization / IDOR patterns* – cases where user-controlled IDs are used directly in database queries without an authorization check. This usually requires looking at how request data flows into a query.
• *Hallucinated dependencies* – imports of packages that don’t exist in `package.json`, which AI assistants sometimes generate.
• *Stack traces leaking through API responses* – error handlers that expose internal paths or secrets.
So the idea isn’t to replace ESLint. In fact they work well together:
TypeScript → type safety
ESLint → style and best practices
Security scanners (like Snyk) → dependency vulnerabilities
CodeDrift → logic/security patterns often introduced by AI code generation
Right now it’s still early and rule coverage is small, but the goal is to focus specifically on that “AI-generated code safety” layer.
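As an added example (not CodeDrift's own code, and not from the commenter), two of the checks described above implemented as plain regex scans over a constructed snippet; the function names, the builtin list and the sample input are assumptions:

```javascript
// Added example, not CodeDrift's own code: two small checks of the kind the
// comment describes, run over a constructed snippet. Names are assumptions.
const NODE_BUILTINS = new Set(['fs', 'path', 'os', 'http', 'https', 'crypto', 'url', 'util', 'events', 'stream']); // subset
// Check 1: async callback passed to forEach. forEach discards the returned
// promises, so execution continues before the awaited work finishes.
// Fix: `for (const id of ids) await ...` or `await Promise.all(ids.map(...))`.
function findUnawaitedForEach(src) {
  const hits = [];
  for (const m of src.matchAll(/\.forEach\(\s*async\b/g)) {
    hits.push({ line: src.slice(0, m.index).split('\n').length });
  }
  return hits;
}

// Import specifier -> package name; null for local files and Node builtins.
function packageName(spec) {
  if (/^(\.|\/|node:)/.test(spec)) return null;
  const parts = spec.split('/');
  const name = spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

// Check 2: imports of packages absent from package.json ("hallucinated
// dependencies"). Handles `import ... from`, bare `import 'x'` and require().
function findUndeclaredImports(src, pkg) {
  const declared = new Set(Object.keys({ ...pkg.dependencies, ...pkg.devDependencies }));
  const re = /(?:\bimport\s*(?:[\w*{}\s,$]+\sfrom\s*)?|\brequire\(\s*)['"]([^'"]+)['"]/g;
  const found = [];
  for (const m of src.matchAll(re)) {
    const name = packageName(m[1]);
    if (name && !declared.has(name) && !found.includes(name)) found.push(name);
  }
  return found;
}
// Constructed sample: one declared dependency, a local file, a builtin, and
// two packages nobody ever added to package.json.
const SAMPLE_PKG = { dependencies: { express: '^4.18.0' } };
const SAMPLE_SRC = `
import express from 'express';
import { fetchUser } from './lib/users';
import superValidator from 'super-validator-pro';
const fs = require('node:fs');
const padLeft = require('left-pad');
async function handler(req, res) {
  req.body.ids.forEach(async (id) => { await fetchUser(id); });
  res.json({ ok: true });
}
`;
console.log(findUnawaitedForEach(SAMPLE_SRC), findUndeclaredImports(SAMPLE_SRC, SAMPLE_PKG));
```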
Adding this to our dev toolchain.
Good question.
How is this different from ESLint?
Will check and leave feedback
Sure