Gathering detailed insights and metrics for import-from-esm
Gathering detailed insights and metrics for import-from-esm
Almost drop-in "import-from" replacement that supports loading both ESM & CJS modules
Installations
npm install import-from-esmDeveloper
sheerlox
Developer Guide
BETA
Module System
ESM
Min. Node Version
>=16.20
Typescript Support
Yes
Node Version
20.12.1
NPM Version
10.4.0
Statistics
2 Stars
286 Commits
2 Forks
2 Watching
21 Branches
3 Contributors
Updated on 04 Nov 2024
Languages
JavaScript (99.24%)
TypeScript (0.76%)
Total Downloads
Cumulative downloads
Total Downloads
31,447,632
Last day
-1%
157,916
Compared to previous day
Last week
4.5%
910,189
Compared to previous week
Last month
3.8%
3,800,178
Compared to previous month
Last year
4,273.8%
30,744,706
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
2
Versions
import-from-esm
Overview
Import a module like with
require()but from a given path (for ESM)
This library intends to be an almost drop-in replacement of import-from (from which it is forked), exposing the same API and behavior but also supporting ES modules (ESM). Just add await before importFrom/importFrom.silent
Motivation
The main benefit of using import-from is that it abstracts the need to resolve the path and create a require statement. Its code is really straightforward:
1(fromDirectory, moduleId) => createRequire(path.resolve(fromDirectory, "noop.js"))(moduleId);
In the case of import-from-esm, there are a few additional benefits because of the way ESM works:
- Importing a package installed along a library (in the parent application) from that library is no longer possible (which was the issue that made me work on this library). You need to use
import.meta.resolve, which is behind an experimental flag (although there's a ponyfill available at wooorm/import-meta-resolve, whichimport-from-esmuses under-the-hood). - If the file you're trying to import (whether relative, package, export map, etc ...) is a JSON file, you need to detect that and use import assertions or
require(while the former is still in experimental). - File extensions are now mandatory for relative paths.
import-from-esmre-introducesrequire's file extension discovery.
As you can see, there is quite a bit of complexity that is abstracted behind import-from-esm. The first bullet point issue affected both @semantic-release/commit-analyzer and @semantic-release/release-notes-generator. After spending hours on research to solve the issue, I realized that the work I was doing would benefit others as well, so I decided to create a package out of it.
As a proponent of ESM, I have put a lot of thought into poly-filling require features for import, but finally came to the conclusion that developing a package to facilitate the ecosystem transition to ESM by reducing friction was a good thing.
Install
$ npm install import-from-esm
Usage
1import importFrom from "import-from-esm"; 2 3// there is a file at `./foo/bar.{js,mjs,cjs,json}` 4 5await importFrom("foo", "./bar");
API
importFrom(fromDirectory, moduleId)
Like require(), throws when the module can't be found.
importFrom.silent(fromDirectory, moduleId)
Returns undefined instead of throwing when the module can't be found.
fromDirectory
Type: string
Directory to import from.
moduleId
Type: string
What you would use in require().
Tip
Create a partial using a bound function if you want to import from the same fromDir multiple times:
1const importFromFoo = importFrom.bind(null, "foo"); 2 3importFromFoo("./bar"); 4importFromFoo("./baz");
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
7 out of 7 merged PRs checked by a CI test -- score normalized to 10
Reason
20 different organizations found -- score normalized to 10
Details
- Info: contributors work for Sherlox-Services,avajs,awesome-lists,babel,chalk,concordancejs,editorconfig,feedback-assistant,gruntjs,h5bp,insurgent-lab,istanbuljs,refined-github,semantic-release,talent-ideal,talent-insights,tastejs,xojs,yargs,yeoman
Reason
no dangerous workflow patterns detected
Reason
update tool detected
Details
- Info: tool 'RenovateBot' is used: .github/renovate.json:1
Reason
project is fuzzed
Details
- Info: JavaScriptPropertyBasedTesting integration found: tests/fuzz-regression.test.js:1
- Info: JavaScriptPropertyBasedTesting integration found: tests/fuzz.test.js:1
Reason
license file detected
Details
- Info: License file found in expected location: LICENSE:1
- Info: FSF or OSI recognized license: LICENSE:1
Reason
15 commit(s) out of 30 and 0 issue activity out of 12 found in the last 90 days -- score normalized to 10
Reason
publishing workflow detected
Details
- Info: GitHub/GitLab publishing workflow used in run https://api.github.com/repos/sheerlox/import-from-esm/actions/runs/11567024384: .github/workflows/release.yml:21
Reason
all dependencies are pinned
Details
- Info: 14 out of 14 GitHub-owned GitHubAction dependencies pinned
- Info: 8 out of 8 third-party GitHubAction dependencies pinned
- Info: 2 out of 2 npmCommand dependencies pinned
Reason
SAST tool is run on all commits
Details
- Info: all commits (7) are checked with a SAST tool
- Info: SAST tool detected: CodeQL
Reason
security policy file detected
Details
- Info: security policy file detected: .github/SECURITY.md:1
- Info: Found linked content: .github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: .github/SECURITY.md:1
- Info: Found text in security policy: .github/SECURITY.md:1
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:13
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:20
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:21
- Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:10
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:16
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/release.yml:17
- Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18
- Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:17
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/test.yml:90
- Info: no jobLevel write permissions found
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'force pushes' disabled on branch 'main'
- Info: 'allow deletion' disabled on branch 'main'
- Info: status checks require up-to-date branches for 'main'
- Info: 'last push approval' enabled on branch 'main'
- Info: status check found to merge onto on branch 'main'
- Warn: number of required reviewers is only 1 on branch 'main'
- Info: stale review dismissal enabled on branch 'main'
- Warn: settings do not apply to administrators on branch 'main'
- Info: codeowner review is required on branch 'main'
- Info: 'force pushes' disabled on branch 'alpha'
- Info: 'allow deletion' disabled on branch 'alpha'
- Info: status checks require up-to-date branches for 'alpha'
- Info: 'last push approval' enabled on branch 'alpha'
- Info: status check found to merge onto on branch 'alpha'
- Warn: number of required reviewers is only 1 on branch 'alpha'
- Info: stale review dismissal enabled on branch 'alpha'
- Warn: settings do not apply to administrators on branch 'alpha'
- Info: codeowner review is required on branch 'alpha'
Reason
4 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-pqhp-25j4-6hq9
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
Reason
badge detected: in_progress
Reason
found 29 unreviewed changesets out of 29 -- score normalized to 0
Score
8.6
/10
Last Scanned on 2024-11-25T23:21:05Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More