There are two packages, TSLint,
https://github.com/palantir/tslint
and its overcomer, typescript-eslint,
https://github.com/typescript-eslint/typescript-eslint
They have some of the same maintainers. typescript-eslint refers to the older one in its documentation.
Palantir is a company that has a twilighting taste, and not only because of its name, and I'm not sure that this is a safe package. Their products are seen as insightful by some and as spyware by others. So it's not totally clear whether it is a benevolent contribution to the public or whether there might be something about it that should be seen critically.
Especially if we have to care about personal data in our app. @typescript/eslint-plugin cannot be removed from a build environment of Create-React-App with TypeScript, because it is also the "parser" mentioned in ".eslintrc".
How to calm down the troubles? How to be sure there is no leak? Or can I exclude it from the node_modules folder and still be able to get a "build" from create-react-app?
The AST scanning of a parser also allows inserting functionality to capture all content flowing through the functions. It's easily possible to write your own rule that deploys a bunch of wrappers on every function call, which send all your information to some location, and it just needs to be applied with eslint --fix in every file.
ESLint is not a vulnerability vector because it only touches source code. This means that in order for it to compromise your code, you have to do the following:
eslint --fix .
(1) & (2) are enough of a hurdle that it's not going to happen, or if it does, then someone will very quickly detect the compromise and report a security problem. (3) requires manual action by an engineer to cause. (4) can easily be caught by any peer review process before merging your code, because, again, eslint operates solely on source code.
create-react-app is also properly configured such that it will ensure eslint does not run on your build code. AFAIK - it also does not run ESLint when doing a production build either.
Modern JS development (like any language development that relies upon third-party code) is built upon a chain-of-trust. You trust that the packages you install and their dependencies are safe. CRA has decided that eslint, typescript-eslint, et al are all trusted - thus they include them as dependencies.
If you trust CRA, then you must trust its dependencies as well.
If you don't trust CRA or one of its dependencies - then you don't install it, and you build your own in-house solution.
tslint is safe, and always has been. If palantir was some shady company and injected malware into their package - someone would very quickly find it and report a vulnerability - destroying the credibility of the project and the company.
typescript-eslint has no relationship to palantir or tslint. The projects are entirely separate - they have different maintainers, and typescript-eslint is owned by no company.
typescript-eslint (like tslint) is also completely open source - if you're worried about anything - you can just spend the time verifying it is safe yourself.
typescript-eslint (like tslint) is also shipped to NPM (and thus to your computer) as un-obfuscated, unminified JS. You can easily spend the time to verify that the code you've received matches the code in the OSS repo and is safe.