Security News
The Changelog Podcast: Practical Steps to Stay Safe on npm
Learn the essential steps every developer should take to stay secure on npm and reduce exposure to supply chain attacks.
By Sarah Gooding - Oct 31, 2025
🚀 DAY 5 OF LAUNCH WEEK: Introducing Socket Firewall Enterprise.Learn more →
eslint-config-liferay
Advanced tools
eslint-config-liferay
An ESLint shareable config that helps enforce the Liferay Frontend Guidelines.
Overview
| Preset | Extends | Description |
|---|---|---|
liferay | eslint:recommended, prettier | Base configuration, suitable for general projects |
react | liferay | liferay, plus rules from eslint-plugin-react and react-hooks, suitable for projects that use React |
metal | react | Like react, but turns off rules that cause false positives in Metal components |
portal | react | Default for projects inside liferay-portal itself |
Installation
$ npm install --save-dev eslint eslint-config-liferay
Usage
Once the eslint-config-liferay package is installed, you can use it by specifying liferay in the extends section of your ESLint configuration.
module.exports = {
extends: ['liferay'],
};
This preset provides a reasonable starting point for an independent open source project.
liferay-portal
In liferay-portal itself we extend the liferay/portal preset instead, which activates some rules specific to liferay-portal. This preset assumes the use of React, and also provides a set of custom rules that are described in detail in the eslint-plugin-liferay-portal section below.
This extension is applied automatically by liferay-npm-scripts, so you don't have to configure it explicitly.
An important disclaimer about the use of ESLint in liferay-portal
JavaScript code that appears inline inside JSP files and other templates is only lightly checked by ESLint, because JSP is an impoverished environment where we have to work with context-free snippets of text as opposed to fully-formed, valid JS modules. Our long-term strategy is to move as much code as possible out of JSP and into React components, but in the interim, please be aware that the level of safety provided by the linter inside JSP is greatly reduced.
React
For React projects outside of liferay-portal, you can extend liferay/react instead:
module.exports = {
extends: ['liferay/react'],
};
metal-jsx
For legacy projects inside liferay-portal that use metal-jsx, we have a "metal" preset:
module.exports = {
extends: ['liferay/metal'],
};
Use this preset to stop ESLint from spuriously warning that variables that are used as JSX components are unused.
Copyright headers
The included eslint-plugin-notice plug-in can be used to enforce the use of uniform copyright headers across a project by placing a template named copyright.js in the project root (for example, see the file defining the headers used in eslint-config-liferay itself) and configuring the rule:
const path = require('path');
module.exports = {
extends: ['liferay'],
rules: {
'notice/notice': [
'error',
{
templateFile: path.join(__dirname, 'copyright.js'),
},
],
},
};
Explicit configuration is required in order to make overrides possible; for example:
top-level/.eslintrc.jscopyright.jsmid-level/.eslintrc.jscopyright.jsbottom-level/.eslintrc.js
If we were to provide configuration by default, then if bottom-level/.eslintrc.js does an extends: ['liferay'], then the default configuration would be considered more local than the one provided by mid-level, causing the wrong copyright.js to be used.
Base rules
Custom rules
eslint-plugin-liferay
The bundled eslint-plugin-liferay plugin includes the following rules:
- liferay/array-is-array: Enforces (and autofixes) the use of
Array.isArray()overinstanceof Array. - liferay/destructure-requires: Enforces (and autofixes) that
requirestatements use destructuring. - liferay/group-imports: Enforces (and autofixes)
importandrequiregrouping. - liferay/import-extensions: Enforces consistent usage/omission of file extensions in imports.
- liferay/imports-first: Enforces that imports come first in the file.
- liferay/no-absolute-import: Enforces that imports do not use absolute paths.
- liferay/no-arrow: Bans arrow functions (for IE; not on by default).
- liferay/no-duplicate-class-names: Enforces (and autofixes) uniqueness of class names inside JSX
classNameattributes. - liferay/no-duplicate-imports: Enforces at most one
importof any given module per file. - liferay/no-dynamic-require: Enforces that
require()calls use static arguments. - liferay/no-it-should: Enforces that
it()descriptions start with a verb, not with "should". - liferay/no-require-and-call: Enforces that the result of a
require()call at the top level is not immediately called. - liferay/padded-test-blocks: Enforces blank lines between test blocks (
it()etc). - liferay/sort-class-names: Enforces (and autofixes) ordering of class names inside JSX
classNameattributes. - liferay/sort-imports: Enforces (and autofixes)
importandrequireordering. - liferay/sort-import-destructures: Enforces (and autofixes) ordering of destructured names in
importstatements. - liferay/trim-class-names: Enforces (and autofixes) that class names inside JSX
classNameattributes do not have leading or trailing whitespace.
eslint-plugin-liferay-portal
The bundled eslint-plugin-liferay-portal plugin includes the following rules:
- liferay-portal/deprecation: Enforces standard formatting of
@deprecatedannotations. - liferay-portal/no-global-fetch: Prevents usage of unwrapped fetch to avoid possible issues related to security misconfiguration.
- liferay-portal/no-explicit-extend: Prevents unnecessary extensions in ESLint and Babel configuration files.
- liferay-portal/no-loader-import-specifier: Ensures that ".scss" files imported via the loader are used only for side-effects.
- liferay-portal/no-metal-plugins: Prevents usage of deprecated
metal-*plugins and utilities. - liferay-portal/no-react-dom-render: Prevents direct usage of
ReactDOM.renderin favor of our wrapper. - liferay-portal/no-side-navigation: Guards against the use of the legacy jQuery
sideNavigationplugin.
License
MIT
FAQs
ESLint shareable config for the Liferay JavaScript Style
We found that eslint-config-liferay demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 15 open source maintainers collaborating on the project.
Package last updated on 07 May 2020
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Security Community Slams MIT-linked Report Claiming AI Powers 80% of Ransomware
Experts push back on new claims about AI-driven ransomware, warning that hype and sponsored research are distorting how the threat is understood.
By Sarah Gooding - Oct 30, 2025
Security News
Ruby Core Team Assumes Stewardship of RubyGems and Bundler, Former Maintainers Offer to Transfer All Rights to Matz
Ruby's creator Matz assumes control of RubyGems and Bundler repositories while former maintainers agree to step back and transfer all rights to end the dispute.
By Sarah Gooding - Oct 29, 2025