Trust and Security
Verified statements about FlagLint's identity, data handling, and release posture. Every claim is grounded in source code, repository configuration, or published package metadata.
What FlagLint is
- ✓ MIT-licensed developer CLI — FlagLint is an open-source command-line tool distributed under the MIT license.
- ✓ Local static analysis — FlagLint reads JavaScript and TypeScript source files from a directory you specify and performs AST-based analysis entirely on your machine, in-process.
- ✓ Flag debt audit, inventory, migration planning, and CI enforcement — FlagLint audits direct LaunchDarkly SDK usage with `flaglint audit`, emits structured inventory with `flaglint scan`, previews or applies guarded OpenFeature rewrites with `flaglint migrate`, and enforces the boundary in CI with `flaglint validate`.
- ✓ LaunchDarkly remains the provider — FlagLint migrates application call-site API from the LaunchDarkly SDK to OpenFeature. It does not replace LaunchDarkly as the feature flag backend or modify your LaunchDarkly configuration in any way.
Data handling
- ✓ No source code is uploaded by the CLI — During local CLI operation (`flaglint audit`, `flaglint scan`, `flaglint migrate`, `flaglint validate`), source code, flag keys, file paths, audit reports, and migration reports remain local unless you explicitly upload or share them elsewhere.
- ✓ Read-only commands are read-only — `flaglint audit`, `flaglint scan`, and `flaglint validate` do not modify source files. `flaglint migrate --dry-run` also does not modify files.
- ✓ Source edits require explicit apply — `flaglint migrate --apply` is the only source-modifying command path, and it is intended for use on a reviewable branch.
- ✓ No LaunchDarkly key required — `flaglint audit`, `flaglint scan`, `flaglint migrate`, and `flaglint validate` operate on source text. They do not require a LaunchDarkly API key, SDK key, or credentials.
- ✓ Reports stay local — Audit, scan, migration, and validation reports are written to stdout or to a file path you specify. No report data leaves your machine unless you share it manually.
Verification
The read-only and source-editing behavior above is grounded in the current command implementations and tests. Source: github.com/flaglint/flaglint
Release and CI
The release workflow publishes to npm through GitHub Actions using npm Trusted Publishing/OIDC. Every release runs the full test suite on Node.js 20 and Node.js 22 before publication. CI also runs CodeQL static analysis and Dependabot dependency updates. Runtime support: Node.js 20 or newer.
Security reporting
Report suspected vulnerabilities privately through GitHub Security Advisories. For false positives or unsupported patterns, use the unsupported-pattern issue template. See SECURITY.md for the full security policy.