SEC010warningPro

csv-formula-injection

CSV export without formula injection protection

Applies to: JavaScript, Python, TypeScript

Why this matters

CSV cells starting with =, +, -, or @ are interpreted as formulas by spreadsheet applications. Attackers can inject formulas that exfiltrate data or execute code when the CSV is opened.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC010 includedstablestack explain SEC010

SEC010 is part of the Pro rule set. See pricing — the free tier ships 24 checks with no signup.

False positive in your codebase? Suppress a single line with # noqa: SEC010