eslint-plugin-n
Forked from eslint-plugin-node v11.1.0, as the original repository seems no longer maintained.
Additional ESLint rules for Node.js
```sh
npm install --save-dev eslint eslint-plugin-n
```
Version | Supported Node.js | Supported ESLint Version | Status |
---|---|---|---|
17.x | ^18.18.0 \|\| ^20.9.0 \|\| >=21.1.0 | >=8.23.0 | 🏃‍♂️ actively maintained |
16.x | >=16.0.0 | >=7.0.0 | ⚠️ EOL |
15.x | >=12.22.0 | >=7.0.0 | ⚠️ EOL |
Note: Using the "engines" field of package.json is recommended. The "engines" field is used by the n/no-unsupported-features/* rules.
eslint.config.js (requires eslint>=v8.23.0)

```js
const nodePlugin = require("eslint-plugin-n")

module.exports = [
    nodePlugin.configs["flat/recommended-script"],
    {
        rules: {
            "n/exports-style": ["error", "module.exports"]
        }
    }
]
```
To set up without the recommended configs, you'll need to add the plugin:

```js
const nodePlugin = require("eslint-plugin-n")

module.exports = [
    {
        plugins: {n: nodePlugin},
        rules: {
            "n/exports-style": ["error", "module.exports"]
        }
    }
]
```
.eslintrc.json (legacy)

```json
{
    "extends": ["eslint:recommended", "plugin:n/recommended"],
    "parserOptions": {
        "ecmaVersion": 2021
    },
    "rules": {
        "n/exports-style": ["error", "module.exports"]
    }
}
```
To set up without the recommended rules, you'll need to add the plugin:

```json
{
    "parserOptions": {
        "ecmaVersion": 2021
    },
    "plugins": ["n"],
    "rules": {
        "n/exports-style": ["error", "module.exports"]
    }
}
```
package.json (an example)

```json
{
    "name": "your-module",
    "version": "1.0.0",
    "type": "commonjs",
    "engines": {
        "node": ">=8.10.0"
    }
}
```
The rules get the supported Node.js version range from the following, falling back to the next if unspecified:

1. Rule configuration version
2. ESLint settings node.version
3. package.json [engines] field
4. >=16.0.0

If you omit the [engines] field, this rule chooses >=16.0.0 as the configured Node.js version since 16 is the maintained LTS (see also Node.js Release Working Group).

For Node.js packages, using the [engines] field is recommended because it's the official way to indicate support:
```json
{
    "name": "your-module",
    "version": "1.0.0",
    "engines": {
        "node": ">=16.0.0"
    }
}
```
For Shareable Configs or packages with a different development environment (e.g. pre-compiled, web package, etc.), you can configure ESLint with settings.node.version to specify support.
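The fallback order described above, sketched as an added example (not the plugin's own code): resolveNodeRange, projectsUsingDefault and their input shapes are hypothetical, and range strings are not validated as semver. The usedDefault flag lets a CI check notice projects that silently fall back to >=16.0.0.

```javascript
"use strict";
// Added example: models only the documented lookup order. resolveNodeRange,
// projectsUsingDefault and their input shapes are hypothetical, not plugin API.
const DEFAULT_RANGE = ">=16.0.0";

// Treat anything other than a non-blank string as "unspecified".
function asRange(value) {
  return typeof value === "string" && value.trim() !== "" ? value.trim() : null;
}

// Walk the sources in documented order and report which one supplied the range.
function resolveNodeRange(input = {}) {
  const candidates = [
    ["rule option version", input?.ruleOptions?.version],
    ["settings.node.version", input?.settings?.node?.version],
    ["package.json engines.node", input?.packageJson?.engines?.node],
  ];
  for (const [source, value] of candidates) {
    const range = asRange(value);
    if (range !== null) return { range, source, usedDefault: false };
  }
  return { range: DEFAULT_RANGE, source: "default", usedDefault: true };
}

// Constructed sample projects (not taken from any real repository).
const SAMPLES = {
  declared: { packageJson: { name: "your-module", engines: { node: ">=8.10.0" } } },
  sharedConfig: {
    settings: { node: { version: ">=18.18.0" } },
    packageJson: { engines: { node: ">=8.10.0" } },
  },
  undeclared: { packageJson: { name: "your-module", engines: { npm: ">=9" } } },
};

// Names of projects whose n/no-unsupported-features/* checks would run
// against the default range because nothing was configured.
function projectsUsingDefault(projects) {
  return Object.entries(projects)
    .filter(([, project]) => resolveNodeRange(project).usedDefault)
    .map(([name]) => name);
}

console.log(projectsUsingDefault(SAMPLES));
```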
💼 Configurations enabled in.
🟢 Set in the recommended-module configuration.
✅ Set in the recommended-script configuration.
🔧 Automatically fixable by the --fix CLI option.
❌ Deprecated.
Name | Description | 💼 | 🔧 | ❌ |
---|---|---|---|---|
callback-return | require return statements after callbacks | |||
exports-style | enforce either module.exports or exports | | 🔧 | |
file-extension-in-import | enforce the style of file extensions in import declarations | | 🔧 | |
global-require | require require() calls to be placed at top-level module scope | |||
handle-callback-err | require error handling in callbacks | |||
hashbang | require correct usage of hashbang | 🟢 ✅ | 🔧 | |
no-callback-literal | enforce Node.js-style error-first callback pattern is followed | |||
no-deprecated-api | disallow deprecated APIs | 🟢 ✅ | ||
no-exports-assign | disallow the assignment to exports | 🟢 ✅ | ||
no-extraneous-import | disallow import declarations which import extraneous modules | 🟢 ✅ | ||
no-extraneous-require | disallow require() expressions which import extraneous modules | 🟢 ✅ | ||
no-hide-core-modules | disallow third-party modules which are hiding core modules | | | ❌ |
no-missing-import | disallow import declarations which import non-existence modules | 🟢 ✅ | ||
no-missing-require | disallow require() expressions which import non-existence modules | 🟢 ✅ | ||
no-mixed-requires | disallow require calls to be mixed with regular variable declarations | |||
no-new-require | disallow new operators with calls to require | |||
no-path-concat | disallow string concatenation with __dirname and __filename | |||
no-process-env | disallow the use of process.env | |||
no-process-exit | disallow the use of process.exit() | 🟢 ✅ | ||
no-restricted-import | disallow specified modules when loaded by import declarations | |||
no-restricted-require | disallow specified modules when loaded by require | |||
no-sync | disallow synchronous methods | |||
no-unpublished-bin | disallow bin files that npm ignores | 🟢 ✅ | ||
no-unpublished-import | disallow import declarations which import private modules | 🟢 ✅ | ||
no-unpublished-require | disallow require() expressions which import private modules | 🟢 ✅ | ||
no-unsupported-features/es-builtins | disallow unsupported ECMAScript built-ins on the specified version | 🟢 ✅ | ||
no-unsupported-features/es-syntax | disallow unsupported ECMAScript syntax on the specified version | 🟢 ✅ | ||
no-unsupported-features/node-builtins | disallow unsupported Node.js built-in APIs on the specified version | 🟢 ✅ | ||
prefer-global/buffer | enforce either Buffer or require("buffer").Buffer | |||
prefer-global/console | enforce either console or require("console") | |||
prefer-global/process | enforce either process or require("process") | |||
prefer-global/text-decoder | enforce either TextDecoder or require("util").TextDecoder | |||
prefer-global/text-encoder | enforce either TextEncoder or require("util").TextEncoder | |||
prefer-global/url | enforce either URL or require("url").URL | |||
prefer-global/url-search-params | enforce either URLSearchParams or require("url").URLSearchParams | |||
prefer-node-protocol | enforce using the node: protocol when importing Node.js builtin modules. | | 🔧 | |
prefer-promises/dns | enforce require("dns").promises | |||
prefer-promises/fs | enforce require("fs").promises | |||
process-exit-as-throw | require that process.exit() expressions use the same code path as throw | 🟢 ✅ | ||
shebang | require correct usage of hashbang | | 🔧 | ❌ |
| | Name |
---|---|
🟢 | recommended-module |
✅ | recommended-script |
About each config:

- recommended: Considers both CommonJS and ES Modules. If the "type":"module" field exists in package.json, it considers files as ES Modules; otherwise it considers files as CommonJS. In addition, it considers *.mjs files as ES Modules and *.cjs files as CommonJS.
- recommended-module: Considers all files as ES Modules.
- recommended-script: Considers all files as CommonJS.

These preset configs:

- process.exit().
- {ecmaVersion: 2021} and etc into parserOptions.
- globals.
- plugins.

Q: The no-missing-import / no-missing-require rules don't work with nested folders in SublimeLinter-eslint
A: See "context.getFilename() in rule returns relative path" in the SublimeLinter-eslint FAQ.
Q: How to use the flat eslint config with mixed commonjs and es modules?
A: You can use the new exported flat config flat/mixed-esm-and-cjs, an example:
```js
const nodePlugin = require("eslint-plugin-n");

module.exports = [
    ...nodePlugin.configs["flat/mixed-esm-and-cjs"],
    {
        rules: {
            "n/exports-style": ["error", "module.exports"],
        },
    },
]
```
eslint-plugin-n follows semantic versioning and ESLint's Semantic Versioning Policy.
Deprecated rules follow ESLint's deprecation policy.
Contributions are welcome!
Please use GitHub's Issues/PRs.
- npm test runs tests and measures coverage.
- npm run coverage shows the coverage result of the npm test command.
- npm run clean removes the coverage result of the npm test command.
The npm package eslint-plugin-n receives a total of 1,884,856 weekly downloads. As such, eslint-plugin-n popularity was classified as popular.
We found that eslint-plugin-n demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.