Open-source Solidity linter providing both style-guide and security validations, configurable per-rule via `.solhint.json`. Maintained by Protofire; integrates with VS Code, ESLint-style CI, and pre-commit hooks.
- Solidity style enforcement
- pre-commit lint hooks
- CI quality gates
- security best-practice rules
- team-wide code conventions
- `pnpm add -D solhint`
- `pnpm solhint --init`
- `pnpm solhint 'contracts/**/*.sol'`
Install Solhint as a dev dependency, run `pnpm solhint --init` to scaffold `.solhint.json` (extends `solhint:recommended`), then lint with `pnpm solhint 'contracts/**/*.sol'`. Tune rules in `.solhint.json` — common ones: `compiler-version`, `func-visibility`, `not-rely-on-time`, `reentrancy`, `no-inline-assembly`, `max-line-length`. Add `--max-warnings 0` in CI and use `--cache` for speed on large repos. Use `// solhint-disable-next-line <rule>` to scope-silence a rule with a comment justification.
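Scoped suppressions are only useful if they stay scoped and explained, so a CI step can audit them. The script below is an added example, not part of Solhint; it assumes a team convention that the justification is a `//` comment on the line directly above the directive, and `auditSuppressions` and the sample contract are constructed for illustration.

```javascript
// Added example: audit Solhint suppression comments in Solidity source.
// Assumed convention (not a Solhint feature): each suppression is preceded
// by a `//` comment line explaining why the rule is silenced.
const DIRECTIVE =
  /(?:\/\/|\/\*)\s*solhint-disable(-next-line|-previous-line|-line)?\b([^*\n]*)/;

function auditSuppressions(source, file = "<inline>") {
  const findings = [];
  const lines = source.split(/\r?\n/);
  lines.forEach((text, i) => {
    const m = DIRECTIVE.exec(text);
    if (!m) return;
    const scope = m[1] || ""; // "" means a block- or file-wide disable
    const rules = m[2].trim().split(/[\s,]+/).filter(Boolean);
    const prev = i > 0 ? lines[i - 1].trim() : "";
    const justified = prev.startsWith("//") && !/solhint-/.test(prev);
    if (rules.length === 0) {
      // Every rule, security rules included, is switched off from here on.
      findings.push({ file, line: i + 1, issue: "blanket disable, no rule named" });
    } else if (scope === "") {
      findings.push({ file, line: i + 1, issue: "block-wide disable: " + rules.join(",") });
    }
    if (!justified) {
      findings.push({ file, line: i + 1, issue: "no justification comment above" });
    }
  });
  return findings;
}

// Constructed sample input, not taken from a real project.
const SAMPLE = [
  "pragma solidity 0.8.24;",
  "/* solhint-disable */",
  "contract Vault {",
  "  // Deadline granularity is days, so timestamp drift is acceptable.",
  "  // solhint-disable-next-line not-rely-on-time",
  "  uint256 public opened = block.timestamp;",
  "  // solhint-disable-next-line no-inline-assembly",
  "  function f() external { assembly { } }",
  "}",
].join("\n");

for (const f of auditSuppressions(SAMPLE, "Vault.sol")) {
  console.log(`${f.file}:${f.line}: ${f.issue}`);
}
```

In CI, read each `.sol` file, pass its contents to `auditSuppressions`, and fail the job when any finding is returned.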
- ⚑ `solhint:recommended` and `solhint:all` shift between major versions — pinning Solhint to `^4` and `^5` produces different lint output on identical code. Pin an exact version in CI.
- ⚑ Solhint understands a subset of recent Solidity syntax; very new language features (transient storage, custom errors in unusual positions, named-args edge cases) can produce false-positive parse errors until the parser is updated.
- ⚑ It is a linter, not an analyzer — security rules catch obvious patterns (`tx.origin`, `block.timestamp` use) but miss reentrancy, arithmetic, and access-control bugs. Pair with Slither/Halmos.
- ⚑ Globbing differs across shells; quote patterns (`'contracts/**/*.sol'`) or Solhint will only see the first match expanded by the shell.
- ⚑ Plugin ecosystem is small; custom rules must be authored as Solhint plugins (Node modules) — there's no JS-config-style inline rule like ESLint.