eslint-plugin-import
The eslint-plugin-import npm package is a plugin for ESLint that provides linting functionality for ES2015+ (ES6+) import/export syntax, and helps prevent issues with misspelling of file paths and import names, as well as other common mistakes in import declaration.
Static analysis
This feature checks for modules that are imported but cannot be resolved to a file in the file system. It helps in catching typos or incorrect paths in import statements.
"rules": { "import/no-unresolved": "error" }
Helpful warnings
This feature ensures that named imports correspond to a named export in the remote file. It prevents importing names that do not exist in the exported module.
"rules": { "import/named": "error" }
Style guide enforcement
This feature enforces a convention in module import order, making the code more readable and organized by ensuring a consistent order of imports.
"rules": { "import/order": "error" }
Preventing issues
This feature prevents exporting mutable bindings which can create hard to follow bugs due to their values being changed by other modules.
"rules": { "import/no-mutable-exports": "error" }
Forbidding certain imports
This feature allows you to restrict which files can be imported in a given folder, helping to enforce separation of concerns within your codebase.
"rules": { "import/no-restricted-paths": "error" }
This package provides similar linting rules for Node.js specific features and best practices. It includes rules that prevent issues related to file paths and imports, but is more focused on Node.js environment compatibility.
This is another plugin that focuses on linting ECMAScript 2015+ module syntax. However, it is not as widely used or as comprehensive as eslint-plugin-import.
This plugin is designed for linting RequireJS import syntax. It is similar in that it helps with module import issues, but it is specific to the RequireJS AMD module loader, whereas eslint-plugin-import is for ES2015+ module syntax.
This plugin intends to support linting of ES2015+ (ES6+) import/export syntax, and prevent issues with misspelling of file paths and import names. All the goodness that the ES2015+ static module syntax intends to provide, marked up in your editor.
IF YOU ARE USING THIS WITH SUBLIME: see the bottom section for important info.
💼 Configurations enabled in.
⚠️ Configurations set to warn in.
🚫 Configurations disabled in.
❗ Set in the errors configuration.
☑️ Set in the recommended configuration.
⌨️ Set in the typescript configuration.
🚸 Set in the warnings configuration.
🔧 Automatically fixable by the --fix CLI option.
💡 Manually fixable by editor suggestions.
❌ Deprecated.
Name | Description | 💼 | ⚠️ | 🚫 | 🔧 | 💡 | ❌ |
---|---|---|---|---|---|---|---|
export | Forbid any invalid exports, i.e. re-export of the same name. | ❗ ☑️ | | | | | |
no-deprecated | Forbid imported names marked with @deprecated documentation tag. | | | | | | |
no-empty-named-blocks | Forbid empty named import blocks. | | | | 🔧 | 💡 | |
no-extraneous-dependencies | Forbid the use of extraneous packages. | | | | | | |
no-mutable-exports | Forbid the use of mutable exports with var or let. | | | | | | |
no-named-as-default | Forbid use of exported name as identifier of default export. | | ☑️ 🚸 | | | | |
no-named-as-default-member | Forbid use of exported name as property of default export. | | ☑️ 🚸 | | | | |
no-unused-modules | Forbid modules without exports, or exports without matching import in another module. | | | | | | |
Name | Description | 💼 | ⚠️ | 🚫 | 🔧 | 💡 | ❌ |
---|---|---|---|---|---|---|---|
no-amd | Forbid AMD require and define calls. | | | | | | |
no-commonjs | Forbid CommonJS require calls and module.exports or exports.*. | | | | | | |
no-import-module-exports | Forbid import statements with CommonJS module.exports. | | | | 🔧 | | |
no-nodejs-modules | Forbid Node.js builtin modules. | | | | | | |
unambiguous | Forbid potentially ambiguous parse goal (script vs. module). | | | | | | |
Name | Description | 💼 | ⚠️ | 🚫 | 🔧 | 💡 | ❌ |
---|---|---|---|---|---|---|---|
default | Ensure a default export is present, given a default import. | ❗ ☑️ | | | | | |
named | Ensure named imports correspond to a named export in the remote file. | ❗ ☑️ | | ⌨️ | | | |
namespace | Ensure imported namespaces contain dereferenced properties as they are dereferenced. | ❗ ☑️ | | | | | |
no-absolute-path | Forbid import of modules using absolute paths. | | | | 🔧 | | |
no-cycle | Forbid a module from importing a module with a dependency path back to itself. | | | | | | |
no-dynamic-require | Forbid require() calls with expressions. | | | | | | |
no-internal-modules | Forbid importing the submodules of other modules. | | | | | | |
no-relative-packages | Forbid importing packages through relative paths. | | | | 🔧 | | |
no-relative-parent-imports | Forbid importing modules from parent directories. | | | | | | |
no-restricted-paths | Enforce which files can be imported in a given folder. | | | | | | |
no-self-import | Forbid a module from importing itself. | | | | | | |
no-unresolved | Ensure imports point to a file/module that can be resolved. | ❗ ☑️ | | | | | |
no-useless-path-segments | Forbid unnecessary path segments in import and require statements. | | | | 🔧 | | |
no-webpack-loader-syntax | Forbid webpack loader syntax in imports. | | | | | | |
Name | Description | 💼 | ⚠️ | 🚫 | 🔧 | 💡 | ❌ |
---|---|---|---|---|---|---|---|
consistent-type-specifier-style | Enforce or ban the use of inline type-only markers for named imports. | | | | 🔧 | | |
dynamic-import-chunkname | Enforce a leading comment with the webpackChunkName for dynamic imports. | | | | | 💡 | |
exports-last | Ensure all exports appear after other statements. | | | | | | |
extensions | Ensure consistent use of file extension within the import path. | | | | | | |
first | Ensure all imports appear before other statements. | | | | 🔧 | | |
group-exports | Prefer named exports to be grouped together in a single export declaration. | | | | | | |
imports-first | Replaced by import/first. | | | | 🔧 | | ❌ |
max-dependencies | Enforce the maximum number of dependencies a module can have. | | | | | | |
newline-after-import | Enforce a newline after import statements. | | | | 🔧 | | |
no-anonymous-default-export | Forbid anonymous values as default exports. | | | | | | |
no-default-export | Forbid default exports. | | | | | | |
no-duplicates | Forbid repeated import of the same module in multiple places. | | ☑️ 🚸 | | 🔧 | | |
no-named-default | Forbid named default exports. | | | | | | |
no-named-export | Forbid named exports. | | | | | | |
no-namespace | Forbid namespace (a.k.a. "wildcard" *) imports. | | | | 🔧 | | |
no-unassigned-import | Forbid unassigned imports. | | | | | | |
order | Enforce a convention in module import order. | | | | 🔧 | | |
prefer-default-export | Prefer a default export if module exports a single name or multiple names. | | | | | | |
eslint-plugin-import for enterprise
Available as part of the Tidelift Subscription.
The maintainers of eslint-plugin-import and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.
# inside your project's working tree
npm install eslint-plugin-import --save-dev
.eslintrc
All rules are off by default. However, you may extend one of the preset configs, or configure them manually in your .eslintrc.(yml|json|js).
{
  "extends": [
    "eslint:recommended",
    "plugin:import/recommended",
  ],
}
{
  "rules": {
    "import/no-unresolved": ["error", { "commonjs": true, "amd": true }],
    "import/named": "error",
    "import/namespace": "error",
    "import/default": "error",
    "import/export": "error",
    // etc...
  },
}
eslint.config.js
All rules are off by default. However, you may configure them manually in your eslint.config.(js|cjs|mjs), or extend one of the preset configs:
import importPlugin from 'eslint-plugin-import';
import js from '@eslint/js';

export default [
  js.configs.recommended,
  importPlugin.flatConfigs.recommended,
  {
    files: ['**/*.{js,mjs,cjs}'],
    languageOptions: {
      ecmaVersion: 'latest',
      sourceType: 'module',
    },
    rules: {
      'no-unused-vars': 'off',
      'import/no-dynamic-require': 'warn',
      'import/no-nodejs-modules': 'warn',
    },
  },
];
You may use the following snippet or assemble your own config using the granular settings described below it.
Make sure you have installed @typescript-eslint/parser and eslint-import-resolver-typescript, which are used in the following configuration.
{
  "extends": [
    "eslint:recommended",
    "plugin:import/recommended",
    // the following lines do the trick
    "plugin:import/typescript",
  ],
  "settings": {
    "import/resolver": {
      // You will also need to install and configure the TypeScript resolver
      // See also https://github.com/import-js/eslint-import-resolver-typescript#configuration
      "typescript": true,
      "node": true,
    },
  },
}
With the advent of module bundlers and the current state of modules and module syntax specs, it's not always obvious where import x from 'module' should look to find the file behind module.
Up through v0.10ish, this plugin has directly used substack's resolve plugin, which implements Node's import behavior. This works pretty well in most cases.
However, webpack allows a number of things in import module source strings that Node does not, such as loaders (import 'file!./whatever') and a number of aliasing schemes, such as externals: mapping a module id to a global name at runtime (allowing some modules to be included more traditionally via script tags).
In the interest of supporting both of these, v0.11 introduces resolvers.
Currently Node and webpack resolution have been implemented, but the resolvers are just npm packages, so third party packages are supported (and encouraged!).
You can reference resolvers in several ways (in order of precedence):
eslint-import-resolver name, like eslint-import-resolver-foo:
// .eslintrc
{
  "settings": {
    // uses 'eslint-import-resolver-foo':
    "import/resolver": "foo",
  },
}
# .eslintrc.yml
settings:
  # uses 'eslint-import-resolver-foo':
  import/resolver: foo
// .eslintrc.js
module.exports = {
  settings: {
    'import/resolver': {
      foo: { someConfig: value }
    }
  }
}
my-awesome-npm-module:
// .eslintrc
{
  "settings": {
    "import/resolver": "my-awesome-npm-module",
  },
}
# .eslintrc.yml
settings:
  import/resolver: 'my-awesome-npm-module'
// .eslintrc.js
module.exports = {
  settings: {
    'import/resolver': {
      'my-awesome-npm-module': { someConfig: value }
    }
  }
}
computed property name:
// .eslintrc.js
const path = require('path'); // needed for path.resolve below
module.exports = {
  settings: {
    'import/resolver': {
      [path.resolve('../../../my-resolver')]: { someConfig: value }
    }
  }
}
Relative paths will be resolved relative to the source's nearest package.json or the process's current working directory if no package.json is found.
If you are interested in writing a resolver, see the spec for more details.
You may set the following settings in your .eslintrc:
import/extensions
A list of file extensions that will be parsed as modules and inspected for exports.
This defaults to ['.js'], unless you are using the react shared config, in which case it is specified as ['.js', '.jsx']. Despite the default, if you are using TypeScript (without the plugin:import/typescript config described above) you must specify the new extensions (.ts, and also .tsx if using React).
"settings": {
  "import/extensions": [
    ".js",
    ".jsx"
  ]
}
If you require more granular extension definitions, you can use:
"settings": {
  "import/resolver": {
    "node": {
      "extensions": [
        ".js",
        ".jsx"
      ]
    }
  }
}
Note that this is different from (and likely a subset of) any import/resolver extensions settings, which may include .json, .coffee, etc. which will still factor into the no-unresolved rule.
Also, the following import/ignore patterns will overrule this list.
import/ignore
A list of regex strings that, if matched by a path, will not report the matching module if no exports are found.
In practice, this means rules other than no-unresolved will not report on any imports with (absolute filesystem) paths matching this pattern.
no-unresolved has its own ignore setting.
{
  "settings": {
    "import/ignore": [
      "\\.coffee$", // fraught with parse errors
      "\\.(scss|less|css)$", // can't parse unprocessed CSS modules, either
    ],
  },
}
import/core-modules
An array of additional modules to consider as "core" modules: modules that should be considered resolved but have no path on the filesystem. Your resolver may already define some of these (for example, the Node resolver knows about fs and path), so you need not redefine those.
For example, Electron exposes an electron module:
import 'electron' // without extra config, will be flagged as unresolved!
that would otherwise be unresolved. To avoid this, you may provide electron as a core module:
// .eslintrc
{
  "settings": {
    "import/core-modules": ["electron"],
  },
}
In Electron's specific case, there is a shared config named electron that specifies this for you.
Contributions of more such shared configs for other platforms are welcome!
import/external-module-folders
An array of folders. Only modules resolved from those folders will be considered "external". The default is ["node_modules"]. This makes sense if you have configured your path or webpack to handle your internal paths differently and want to consider modules from some folders, for example bower_components or jspm_modules, as "external".
This option is also useful in a monorepo setup: list here all directories that contain the monorepo's packages and they will be treated as external ones no matter which resolver is used.
If you are using yarn PnP as your package manager, add the .yarn folder and all your installed dependencies will be considered as external, instead of internal.
Each item in this array is either a folder's name, its subpath, or its absolute prefix path:
jspm_modules will match any file or folder named jspm_modules or which has a direct or non-direct parent named jspm_modules, e.g. /home/me/project/jspm_modules or /home/me/project/jspm_modules/some-pkg/index.js.
packages/core will match any path that contains these two segments, for example /home/me/project/packages/core/src/utils.js.
/home/me/project/packages will only match files and directories inside this directory, and the directory itself.
Please note that incomplete names are not allowed here, so components won't match bower_components and packages/ui won't match packages/ui-utils (but will match packages/ui/utils).
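The matching rules above, written out as an added JavaScript illustration. This is not the plugin's own implementation; the function names are hypothetical and POSIX-style absolute paths are assumed.

```javascript
// Added illustration of the import/external-module-folders matching rules.
// Not the plugin's source: function names are hypothetical, POSIX paths assumed.

// Split a path into its non-empty segments: '/a/b/' -> ['a', 'b'].
function segments(p) {
  return p.split('/').filter(Boolean);
}

// True when `needle` occurs in `haystack` as consecutive, whole segments.
function containsRun(haystack, needle) {
  if (needle.length === 0) return false;
  for (let i = 0; i + needle.length <= haystack.length; i++) {
    if (needle.every((seg, j) => haystack[i + j] === seg)) return true;
  }
  return false;
}

// Does an absolute file path match one configured folder item?
function matchesFolder(filePath, folder) {
  const fileSegs = segments(filePath);
  const folderSegs = segments(folder);
  if (folder.startsWith('/')) {
    // Absolute prefix: the directory itself, or anything inside it.
    return folderSegs.length > 0 &&
      folderSegs.length <= fileSegs.length &&
      folderSegs.every((seg, i) => fileSegs[i] === seg);
  }
  // Folder name or subpath: whole segments, anywhere in the path.
  return containsRun(fileSegs, folderSegs);
}

// A resolved module is "external" if any configured folder matches its path.
function isExternal(filePath, folders = ['node_modules']) {
  return folders.some((folder) => matchesFolder(filePath, folder));
}

// Constructed sample input: [resolved path, folders setting].
const samples = [
  ['/home/me/project/jspm_modules/some-pkg/index.js', ['jspm_modules']],
  ['/home/me/project/packages/core/src/utils.js', ['packages/core']],
  ['/home/me/project/packages/ui/utils/index.js', ['packages/ui']],
  ['/home/me/project/packages/ui-utils/index.js', ['packages/ui']],
  ['/home/me/project/bower_components/x/index.js', ['components']],
  ['/home/me/project/packages', ['/home/me/project/packages']],
];

for (const [file, folders] of samples) {
  console.log(isExternal(file, folders) ? 'external' : 'internal', file, folders);
}
```

Comparing whole segments is what keeps packages/ui from matching packages/ui-utils; a plain substring test would classify that path as external.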
import/parsers
A map from parsers to file extension arrays. If a file extension is matched, the dependency parser will require and use the map key as the parser instead of the configured ESLint parser. This is useful if you're inter-op-ing with TypeScript directly using webpack, for example:
// .eslintrc
{
  "settings": {
    "import/parsers": {
      "@typescript-eslint/parser": [".ts", ".tsx"],
    },
  },
}
In this case, @typescript-eslint/parser must be installed and require-able from the running eslint module's location (i.e., install it as a peer of ESLint).
This is currently only tested with @typescript-eslint/parser (and its predecessor, typescript-eslint-parser) but should theoretically work with any moderately ESTree-compliant parser.
It's difficult to say how well various plugin features will be supported, too, depending on how far down the rabbit hole goes. Submit an issue if you find strange behavior beyond here, but steel your heart against the likely outcome of closing with wontfix.
import/resolver
See resolvers.
import/cache
Settings for cache behavior. Memoization is used at various levels to avoid the copious amount of fs.statSync/module parse calls required to correctly report errors.
For normal eslint console runs, the cache lifetime is irrelevant, as we can strongly assume that files should not be changing during the lifetime of the linter process (and thus, the cache in memory).
For long-lasting processes, like eslint_d or eslint-loader, however, it's important that there be some notion of staleness.
If you never use eslint_d or eslint-loader, you may set the cache lifetime to Infinity and everything should be fine:
// .eslintrc
{
  "settings": {
    "import/cache": {
      "lifetime": "∞", // or Infinity, in a JS config
    },
  },
}
Otherwise, set some integer, and cache entries will be evicted after that many seconds have elapsed:
// .eslintrc
{
  "settings": {
    "import/cache": {
      "lifetime": 5, // 30 is the default
    },
  },
}
import/internal-regex
A regex for packages that should be treated as internal. Useful when you are utilizing a monorepo setup or developing a set of packages that depend on each other.
By default, any package referenced from import/external-module-folders will be considered as "external", including packages in a monorepo like yarn workspace or lerna environment. If you want to mark these packages as "internal" this will be useful.
For example, if your packages in a monorepo are all in @scope, you can configure import/internal-regex like this:
// .eslintrc
{
  "settings": {
    "import/internal-regex": "^@scope/",
  },
}
SublimeLinter-eslint introduced a change to support .eslintignore files which altered the way file paths are passed to ESLint when linting during editing. This change sends a relative path instead of the absolute path to the file (as ESLint normally provides), which can make it impossible for this plugin to resolve dependencies on the filesystem.
This workaround should no longer be necessary with the release of ESLint 2.0, when .eslintignore will be updated to work more like a .gitignore, which should support proper ignoring of absolute paths via --stdin-filename.
In the meantime, see roadhump/SublimeLinter-eslint#58 for more details and discussion, but essentially, you may find you need to add the following SublimeLinter config to your Sublime project file:
{
  "folders":
  [
    {
      "path": "code"
    }
  ],
  "SublimeLinter":
  {
    "linters":
    {
      "eslint":
      {
        "chdir": "${project}/code"
      }
    }
  }
}
Note that ${project}/code matches the code provided at folders[0].path.
The purpose of the chdir setting, in this case, is to set the working directory from which ESLint is executed to be the same as the directory on which SublimeLinter-eslint bases the relative path it provides.
See the SublimeLinter docs on chdir for more information, in case this does not work with your project.
If you are not using .eslintignore, or don't have a Sublime project file, you can also do the following via a .sublimelinterrc file in some ancestor directory of your code:
{
  "linters": {
    "eslint": {
      "args": ["--stdin-filename", "@"]
    }
  }
}
I also found that I needed to set rc_search_limit to null, which removes the file hierarchy search limit when looking up the directory tree for .sublimelinterrc:
In Package Settings / SublimeLinter / User Settings:
{
  "user": {
    "rc_search_limit": null
  }
}
I believe this defaults to 3, so you may not need to alter it depending on your project folder max depth.
[2.31.0] - 2024-10-03
[order]: allow validating named imports ([#3043], thanks [@manuth])
[extensions]: add the checkTypeImports option ([#2817], thanks [@phryneas])
ExportMap / flat config: include languageOptions in context ([#3052], thanks [@michaelfaith])
[no-named-as-default]: Allow using an identifier if the export is both a named and a default export ([#3032], thanks [@akwodkiewicz])
[export]: False positive for exported overloaded functions in TS ([#3065], thanks [@liuxingbaoyu])
exportMap: export map cache is tainted by unreliable parse results ([#3062], thanks [@michaelfaith])
exportMap: improve cacheKey when using flat config ([#3072], thanks [@michaelfaith])
[no-relative-packages]: fix typo ([#3066], thanks [@joshuaobrien])
[no-cycle]: dont scc for each linted file ([#3068], thanks [@soryy708])
[no-cycle]: add disableScc to docs ([#3070], thanks [@soryy708])
RuleTester ([#3071], thanks [@G-Rath])
[no-restricted-paths]: fix grammar ([#3073], thanks [@unbeauvoyage])
[no-default-export], [no-named-export]: add test case (thanks [@G-Rath])
FAQs
Import with sanity.
We found that eslint-plugin-import demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.