Gathering detailed insights and metrics for import-from-esm
Gathering detailed insights and metrics for import-from-esm
Almost drop-in "import-from" replacement that supports loading both ESM & CJS modules
Installations
npm install import-from-esmDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Min. Node Version
>=18.20
Node Version
22.12.0
NPM Version
10.9.2
Releases
19
Languages
2
JavaScript
TypeScript
JavaScript (98.68%)
TypeScript (1.32%)
Developer
sheerlox
Download Statistics
Total Downloads
61,922,025
Last Day
66,256
Last Week
1,386,759
Last Month
6,012,095
Last Year
49,709,733
GitHub Statistics
MIT License
2 Stars
340 Commits
3 Forks
2 Watchers
17 Branches
3 Contributors
Updated on Mar 03, 2025
Maintainers
1
Package Meta Information
Latest Version
2.0.0
Package Id
import-from-esm@2.0.0
Unpacked Size
12.99 kB
Size
4.97 kB
File Count
5
NPM Version
10.9.2
Node Version
22.12.0
Published on
Dec 31, 2024
Total Downloads
Cumulative downloads
Total Downloads
61,922,025
Last Day
-17%
66,256
Compared to previous day
Last Week
-9.9%
1,386,759
Compared to previous week
Last Month
5.6%
6,012,095
Compared to previous month
Last Year
307%
49,709,733
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
2
import-from-esm
Overview
Import a module like with
require()but from a given path (for ESM)
This library intends to be an almost drop-in replacement of import-from (from which it is forked), exposing the same API and behavior but also supporting ES modules (ESM). Just add await before importFrom/importFrom.silent
Motivation
The main benefit of using import-from is that it abstracts the need to resolve the path and create a require statement. Its code is really straightforward:
1(fromDirectory, moduleId) => createRequire(path.resolve(fromDirectory, "noop.js"))(moduleId);
In the case of import-from-esm, there are a few additional benefits because of the way ESM works:
- Importing a package installed along a library (in the parent application) from that library is no longer possible (which was the issue that made me work on this library). You need to use
import.meta.resolve, which is behind an experimental flag (although there's a ponyfill available at wooorm/import-meta-resolve, whichimport-from-esmuses under-the-hood). - If the file you're trying to import (whether relative, package, export map, etc ...) is a JSON file, you need to detect that and use import assertions or
require(while the former is still in experimental). - File extensions are now mandatory for relative paths.
import-from-esmre-introducesrequire's file extension discovery.
As you can see, there is quite a bit of complexity that is abstracted behind import-from-esm. The first bullet point issue affected both @semantic-release/commit-analyzer and @semantic-release/release-notes-generator. After spending hours on research to solve the issue, I realized that the work I was doing would benefit others as well, so I decided to create a package out of it.
As a proponent of ESM, I have put a lot of thought into poly-filling require features for import, but finally came to the conclusion that developing a package to facilitate the ecosystem transition to ESM by reducing friction was a good thing.
Install
$ npm install import-from-esm
Usage
1import importFrom from "import-from-esm"; 2 3// there is a file at `./foo/bar.{js,mjs,cjs,json}` 4 5await importFrom("foo", "./bar");
API
importFrom(fromDirectory, moduleId)
Like require(), throws when the module can't be found.
importFrom.silent(fromDirectory, moduleId)
Returns undefined instead of throwing when the module can't be found.
fromDirectory
Type: string
Directory to import from.
moduleId
Type: string
What you would use in require().
Tip
Create a partial using a bound function if you want to import from the same fromDir multiple times:
1const importFromFoo = importFrom.bind(null, "foo"); 2 3importFromFoo("./bar"); 4importFromFoo("./baz");
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
all dependencies are pinned
Details
- Info: 14 out of 14 GitHub-owned GitHubAction dependencies pinned
- Info: 8 out of 8 third-party GitHubAction dependencies pinned
- Info: 2 out of 2 npmCommand dependencies pinned
Reason
update tool detected
Details
- Info: detected update tool: RenovateBot: .github/renovate.json5:1
Reason
security policy file detected
Details
- Info: security policy file detected: .github/SECURITY.md:1
- Info: Found linked content: .github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: .github/SECURITY.md:1
- Info: Found text in security policy: .github/SECURITY.md:1
Reason
no dangerous workflow patterns detected
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:21
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:20
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:17
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/release.yml:18
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/test.yml:103
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:13
- Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:10
- Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18
- Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:17
- Info: no jobLevel write permissions found
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (6) are checked with a SAST tool
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:22
Reason
project is fuzzed
Details
- Info: JavaScriptPropertyBasedTesting integration found: tests/fuzz-regression.test.js:1
- Info: JavaScriptPropertyBasedTesting integration found: tests/fuzz.test.js:1
Reason
6 out of 6 merged PRs checked by a CI test -- score normalized to 10
Reason
project has 19 contributing companies or organizations
Details
- Info: found contributions from: Sherlox-Services, avajs, awesome-lists, babel, chalk, concordancejs, editorconfig, feedback-assistant, gruntjs, h5bp, insurgent-lab, istanbuljs, refined-github, semantic-release, tastejs, unill-io, xojs, yargs, yeoman
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'main'
- Info: 'allow deletion' disabled on branch 'alpha'
- Info: 'force pushes' disabled on branch 'main'
- Info: 'force pushes' disabled on branch 'alpha'
- Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'
- Warn: 'branch protection settings apply to administrators' is disabled on branch 'alpha'
- Info: 'stale review dismissal' is required to merge on branch 'main'
- Info: 'stale review dismissal' is required to merge on branch 'alpha'
- Warn: required approving review count is 1 on branch 'main'
- Warn: required approving review count is 1 on branch 'alpha'
- Info: codeowner review is required on branch 'main'
- Info: codeowner review is required on branch 'alpha'
- Info: 'last push approval' is required to merge on branch 'main'
- Info: 'last push approval' is required to merge on branch 'alpha'
- Info: 'up-to-date branches' is required to merge on branch 'main'
- Info: 'up-to-date branches' is required to merge on branch 'alpha'
- Info: status check found to merge onto on branch 'main'
- Info: status check found to merge onto on branch 'alpha'
- Info: PRs are required in order to make changes on branch 'main'
- Info: PRs are required in order to make changes on branch 'alpha'
Reason
2 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Reason
badge detected: InProgress
Reason
2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Reason
Found 0/26 approved changesets -- score normalized to 0
Score
8
/10
Last Scanned on 2025-05-26T23:20:44Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More