Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
ESLint is a static code analysis tool for identifying problematic patterns found in JavaScript code. It is primarily used for finding and fixing problems in JavaScript code, enforcing coding standards, and improving code quality.
Linting JavaScript Files
Run ESLint on all JavaScript files in the 'src' directory and its subdirectories.
eslint 'src/**/*.js'
Fixing Problems Automatically
Automatically fix problems in JavaScript files that ESLint is capable of fixing.
eslint --fix 'src/**/*.js'
Customizable Configuration
Customize ESLint rules and extend from recommended presets in the ESLint configuration file.
{ 'extends': 'eslint:recommended', 'rules': { 'eqeqeq': 'warn', 'no-unused-vars': 'error' } }
Integrating with Build Tools
Integrate ESLint with build tools like Grunt by using the corresponding plugin.
grunt.loadNpmTasks('grunt-eslint');
Using Plugins
Extend ESLint's capabilities with plugins for specific libraries or frameworks, such as React.
{ 'plugins': ['react'], 'rules': { 'react/jsx-uses-vars': 'error' } }
JSHint is a community-driven tool that detects errors and potential problems in JavaScript code. It is less configurable than ESLint and does not support custom rule creation.
JSCS is a code style linter for programmatically enforcing your style guide. It has been deprecated and merged with ESLint, which now covers its functionality.
Prettier is an opinionated code formatter that supports many languages and integrates with most editors. Unlike ESLint, it does not check for code errors but focuses on maintaining a consistent code style.
TSLint was a linter for TypeScript, providing similar functionality to ESLint but specifically for TypeScript code. It has been deprecated in favor of typescript-eslint, which allows ESLint to be used with TypeScript.
Standard is a JavaScript style guide, linter, and formatter with a set of predefined rules. It enforces a strict coding standard but is less configurable than ESLint.
Website | Configuring | Rules | Contributing | Reporting Bugs | Code of Conduct | Twitter | Mailing List | Chat Room
ESLint is a tool for identifying and reporting on patterns found in ECMAScript/JavaScript code. In many ways, it is similar to JSLint and JSHint with a few exceptions:
Prerequisites: Node.js (^10.12.0
, or >=12.0.0
) built with SSL support. (If you are using an official Node.js distribution, SSL is always built in.)
You can install ESLint using npm:
$ npm install eslint --save-dev
You should then set up a configuration file:
$ ./node_modules/.bin/eslint --init
After that, you can run ESLint on any file or directory like this:
$ ./node_modules/.bin/eslint yourfile.js
After running eslint --init
, you'll have a .eslintrc
file in your directory. In it, you'll see some rules configured like this:
{
"rules": {
"semi": ["error", "always"],
"quotes": ["error", "double"]
}
}
The names "semi"
and "quotes"
are the names of rules in ESLint. The first value is the error level of the rule and can be one of these values:
"off"
or 0
- turn the rule off"warn"
or 1
- turn the rule on as a warning (doesn't affect exit code)"error"
or 2
- turn the rule on as an error (exit code will be 1)The three error levels allow you fine-grained control over how ESLint applies rules (for more configuration options and details, see the configuration docs).
ESLint adheres to the JS Foundation Code of Conduct.
Before filing an issue, please be sure to read the guidelines for what you're reporting:
Yes. JSCS has reached end of life and is no longer supported.
We have prepared a migration guide to help you convert your JSCS settings to an ESLint configuration.
We are now at or near 100% compatibility with JSCS. If you try ESLint and believe we are not yet compatible with a JSCS rule/configuration, please create an issue (mentioning that it is a JSCS compatibility issue) and we will evaluate it as per our normal process.
No, ESLint does both traditional linting (looking for problematic patterns) and style checking (enforcement of conventions). You can use ESLint for everything, or you can combine both using Prettier to format your code and ESLint to catch possible errors.
package.json
as devDependencies (or dependencies, if your project uses ESLint at runtime).npm install
and all your dependencies are installed.npm view eslint-plugin-myplugin peerDependencies
to see what peer dependencies eslint-plugin-myplugin
has.Yes, ESLint natively supports parsing JSX syntax (this must be enabled in configuration). Please note that supporting JSX syntax is not the same as supporting React. React applies specific semantics to JSX syntax that ESLint doesn't recognize. We recommend using eslint-plugin-react if you are using React and want React semantics.
ESLint has full support for ECMAScript 3, 5 (default), 2015, 2016, 2017, 2018, 2019, and 2020. You can set your desired ECMAScript syntax (and other settings, like global variables or your target environments) through configuration.
ESLint's parser only officially supports the latest final ECMAScript standard. We will make changes to core rules in order to avoid crashes on stage 3 ECMAScript syntax proposals (as long as they are implemented using the correct experimental ESTree syntax). We may make changes to core rules to better work with language extensions (such as JSX, Flow, and TypeScript) on a case-by-case basis.
In other cases (including if rules need to warn on more or fewer cases due to new syntax, rather than just not crashing), we recommend you use other parsers and/or rule plugins. If you are using Babel, you can use the babel-eslint parser and eslint-plugin-babel to use any option available in Babel.
Once a language feature has been adopted into the ECMAScript standard (stage 4 according to the TC39 process), we will accept issues and pull requests related to the new feature, subject to our contributing guidelines. Until then, please use the appropriate parser and plugin(s) for your experimental feature.
Join our Mailing List or Chatroom.
Lock files like package-lock.json
are helpful for deployed applications. They ensure that dependencies are consistent between environments and across deployments.
Packages like eslint
that get published to the npm registry do not include lock files. npm install eslint
as a user will respect version constraints in ESLint's package.json
. ESLint and its dependencies will be included in the user's lock file if one exists, but ESLint's own lock file would not be used.
We intentionally don't lock dependency versions so that we have the latest compatible dependency versions in development and CI that our users get when installing ESLint in a project.
The Twilio blog has a deeper dive to learn more.
We have scheduled releases every two weeks on Friday or Saturday. You can follow a release issue for updates about the scheduling of any particular release.
ESLint takes security seriously. We work hard to ensure that ESLint is safe for everyone and that security issues are addressed quickly and responsibly. Read the full security policy.
ESLint follows semantic versioning. However, due to the nature of ESLint as a code quality tool, it's not always clear when a minor or major version bump occurs. To help clarify this for everyone, we've defined the following semantic versioning policy for ESLint:
eslint:recommended
is updated and will result in strictly fewer linting errors (e.g., rule removals).eslint:recommended
is updated and may result in new linting errors (e.g., rule additions, most rule option updates).According to our policy, any minor update may report more linting errors than the previous release (ex: from a bug fix). As such, we recommend using the tilde (~
) in package.json
e.g. "eslint": "~3.1.0"
to guarantee the results of your builds.
Stylistic rules are frozen according to our policy on how we evaluate new rules and rule changes. This means:
These folks keep the project moving and are resources for help.
The people who manage releases, review feature requests, and meet regularly to ensure ESLint is properly maintained.
Nicholas C. Zakas |
Brandon Mills |
Milos Djermanovic |
The people who review and implement new features.
Toru Nagashima |
薛定谔的猫 |
The people who review and fix bugs and help triage issues.
Brett Zamir |
Bryan Mishkin |
Pig Fang |
Anix |
YeonJuan |
Nitin Kumar |
The following companies, organizations, and individuals support ESLint's ongoing maintenance and development. Become a Sponsor to get your logo on our README and website.
FAQs
An AST-based pattern checker for JavaScript.
The npm package eslint receives a total of 33,235,716 weekly downloads. As such, eslint popularity was classified as popular.
We found that eslint demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.