Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
eslint-plugin-small-import
Advanced tools
eslint-plugin-small-import
ESLint rule for preventing the full import of big libraries when just a part of it can be imported.
eslint-plugin-small-import
ESLint rule for preventing the full import of big libraries when just a part of it can be imported.
Installation
npm i eslint-plugin-small-import
Add this to your .eslintrc or your config::
"plugins": ["small-import"],
"rules": {
"small-import/no-full-import": "error"
}
Disallow full import (no-full-import)
Some JavaScript libraries are a vast collection of independent helpers functions which are combined in one package, such as lodash or date-fns. If you import one of their functions, you usually import the full suite of functions, causing higher memory consumption, startup time and bundle sizes.
The solution for this problem is to import each function directly from it's location in the package rather than the index file of the package. However, it is more tedious since more code has to be written.
Rule details
This rule will automatically detect these cases and convert the imports. It supports lodash, date-fns and rambda
out of the box, but can be configured to support more libraries as well.
Options
A map of packages can be supplied, where the keys are the names of the libraries and the values are the location of the distinct functions within the package. More practically, the values determine what gets put inbetween the package name and the function name. The default configuration is:
["error", {
"packages": {
"lodash": "/",
"date-fns": "/",
"rambda": "/src/"
}
}]
Examples
Examples of correct code for this rule:
import sortBy from 'lodash/sortBy'
import groupBy from 'lodash/groupBy'
import format from 'date-fns/format'
import append from 'rambda/src/append'
Examples of incorrect code for this rule:
import {sortBy, groupBy} from 'lodash'
import {format} from 'date-fns'
import {append} from 'rambda'
When Not To Use It
If your application is not sensitive to memory consumption, startup time or bundle size, e.g. in a script, then you can disable this rule.
If you are not using the import syntax yet, it's not supported by this rule.
If you don't use packages which would cause this problem, you can disable this rule.
Related rules
License
MIT
Author
FAQs
ESLint rule for preventing the full import of big libraries when just a part of it can be imported.
We found that eslint-plugin-small-import demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 14 Dec 2019
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025