Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
ESLint is a static code analysis tool for identifying problematic patterns found in JavaScript code. It is primarily used for finding and fixing problems in JavaScript code, enforcing coding standards, and improving code quality.
Linting JavaScript Files
Run ESLint on all JavaScript files in the 'src' directory and its subdirectories.
eslint 'src/**/*.js'
Fixing Problems Automatically
Automatically fix problems in JavaScript files that ESLint is capable of fixing.
eslint --fix 'src/**/*.js'
Customizable Configuration
Customize ESLint rules and extend from recommended presets in the ESLint configuration file.
{ 'extends': 'eslint:recommended', 'rules': { 'eqeqeq': 'warn', 'no-unused-vars': 'error' } }
Integrating with Build Tools
Integrate ESLint with build tools like Grunt by using the corresponding plugin.
grunt.loadNpmTasks('grunt-eslint');
Using Plugins
Extend ESLint's capabilities with plugins for specific libraries or frameworks, such as React.
{ 'plugins': ['react'], 'rules': { 'react/jsx-uses-vars': 'error' } }
JSHint is a community-driven tool that detects errors and potential problems in JavaScript code. It is less configurable than ESLint and does not support custom rule creation.
JSCS is a code style linter for programmatically enforcing your style guide. It has been deprecated and merged with ESLint, which now covers its functionality.
Prettier is an opinionated code formatter that supports many languages and integrates with most editors. Unlike ESLint, it does not check for code errors but focuses on maintaining a consistent code style.
TSLint was a linter for TypeScript, providing similar functionality to ESLint but specifically for TypeScript code. It has been deprecated in favor of typescript-eslint, which allows ESLint to be used with TypeScript.
Standard is a JavaScript style guide, linter, and formatter with a set of predefined rules. It enforces a strict coding standard but is less configurable than ESLint.
Website | Configure ESLint | Rules | Contribute to ESLint | Report Bugs | Code of Conduct | Twitter | Discord | Mastodon
ESLint is a tool for identifying and reporting on patterns found in ECMAScript/JavaScript code. In many ways, it is similar to JSLint and JSHint with a few exceptions:
Prerequisites: Node.js (^18.18.0
, ^20.9.0
, or >=21.1.0
) built with SSL support. (If you are using an official Node.js distribution, SSL is always built in.)
You can install and configure ESLint using this command:
npm init @eslint/config@latest
After that, you can run ESLint on any file or directory like this:
npx eslint yourfile.js
You can configure rules in your eslint.config.js
files as in this example:
export default [
{
files: ["**/*.js", "**/*.cjs", "**/*.mjs"],
rules: {
"prefer-const": "warn",
"no-constant-binary-expression": "error"
}
}
];
The names "prefer-const"
and "no-constant-binary-expression"
are the names of rules in ESLint. The first value is the error level of the rule and can be one of these values:
"off"
or 0
- turn the rule off"warn"
or 1
- turn the rule on as a warning (doesn't affect exit code)"error"
or 2
- turn the rule on as an error (exit code will be 1)The three error levels allow you fine-grained control over how ESLint applies rules (for more configuration options and details, see the configuration docs).
The ESLint team provides ongoing support for the current version and six months of limited support for the previous version. Limited support includes critical bug fixes, security issues, and compatibility issues only.
ESLint offers commercial support for both current and previous versions through our partners, Tidelift and HeroDevs.
See Version Support for more details.
ESLint adheres to the OpenJS Foundation Code of Conduct.
Before filing an issue, please be sure to read the guidelines for what you're reporting:
Yes, ESLint natively supports parsing JSX syntax (this must be enabled in configuration). Please note that supporting JSX syntax is not the same as supporting React. React applies specific semantics to JSX syntax that ESLint doesn't recognize. We recommend using eslint-plugin-react if you are using React and want React semantics.
No, ESLint and Prettier have different jobs: ESLint is a linter (looking for problematic patterns) and Prettier is a code formatter. Using both tools is common, refer to Prettier's documentation to learn how to configure them to work well with each other.
ESLint has full support for ECMAScript 3, 5, and every year from 2015 up until the most recent stage 4 specification (the default). You can set your desired ECMAScript syntax and other settings (like global variables) through configuration.
ESLint's parser only officially supports the latest final ECMAScript standard. We will make changes to core rules in order to avoid crashes on stage 3 ECMAScript syntax proposals (as long as they are implemented using the correct experimental ESTree syntax). We may make changes to core rules to better work with language extensions (such as JSX, Flow, and TypeScript) on a case-by-case basis.
In other cases (including if rules need to warn on more or fewer cases due to new syntax, rather than just not crashing), we recommend you use other parsers and/or rule plugins. If you are using Babel, you can use @babel/eslint-parser and @babel/eslint-plugin to use any option available in Babel.
Once a language feature has been adopted into the ECMAScript standard (stage 4 according to the TC39 process), we will accept issues and pull requests related to the new feature, subject to our contributing guidelines. Until then, please use the appropriate parser and plugin(s) for your experimental feature.
ESLint updates the supported Node.js versions with each major release of ESLint. At that time, ESLint's supported Node.js versions are updated to be:
ESLint is also expected to work with Node.js versions released after the Node.js Current release.
Refer to the Quick Start Guide for the officially supported Node.js versions for a given ESLint release.
Open a discussion or stop by our Discord server.
Lock files like package-lock.json
are helpful for deployed applications. They ensure that dependencies are consistent between environments and across deployments.
Packages like eslint
that get published to the npm registry do not include lock files. npm install eslint
as a user will respect version constraints in ESLint's package.json
. ESLint and its dependencies will be included in the user's lock file if one exists, but ESLint's own lock file would not be used.
We intentionally don't lock dependency versions so that we have the latest compatible dependency versions in development and CI that our users get when installing ESLint in a project.
The Twilio blog has a deeper dive to learn more.
We have scheduled releases every two weeks on Friday or Saturday. You can follow a release issue for updates about the scheduling of any particular release.
ESLint takes security seriously. We work hard to ensure that ESLint is safe for everyone and that security issues are addressed quickly and responsibly. Read the full security policy.
ESLint follows semantic versioning. However, due to the nature of ESLint as a code quality tool, it's not always clear when a minor or major version bump occurs. To help clarify this for everyone, we've defined the following semantic versioning policy for ESLint:
eslint:recommended
is updated and will result in strictly fewer linting errors (e.g., rule removals).eslint:recommended
is updated and may result in new linting errors (e.g., rule additions, most rule option updates).According to our policy, any minor update may report more linting errors than the previous release (ex: from a bug fix). As such, we recommend using the tilde (~
) in package.json
e.g. "eslint": "~3.1.0"
to guarantee the results of your builds.
Stylistic rules are frozen according to our policy on how we evaluate new rules and rule changes. This means:
These folks keep the project moving and are resources for help.
The people who manage releases, review feature requests, and meet regularly to ensure ESLint is properly maintained.
Nicholas C. Zakas |
Francesco Trotta |
Milos Djermanovic |
The people who review and implement new features.
唯然 |
Nitin Kumar |
The people who review and fix bugs and help triage issues.
Josh Goldberg ✨ |
Tanuj Kanti |
Team members who focus specifically on eslint.org
Amaresh S M |
Strek |
Percy Ma |
The following companies, organizations, and individuals support ESLint's ongoing maintenance and development. Become a Sponsor to get your logo on our READMEs and website.
FAQs
An AST-based pattern checker for JavaScript.
The npm package eslint receives a total of 33,235,716 weekly downloads. As such, eslint popularity was classified as popular.
We found that eslint demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.