Avoid string-built paths from `__dirname` or `__filename` | Critiq Docs

#Metadata

Rule ID: ts.security.unsafe-dirname-path-concat
Severity: medium
Confidence: 0.88
Languages: javascript, typescript
Presets: recommended, security, strict
Stability: stable
Applies to: block
Tags: filesystem, rules-catalog, security

#Why it matters

String-built paths are easy to get wrong and can enable directory traversal when any segment is dynamic.

#Remediation

Use `path.join`, `path.resolve`, or `import.meta.url` with validated segments instead of string concatenation.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.unsafe-dirname-path-concat.rule.yaml.

Back to directory Open rule in repository