eslint-plugin-import
Import with sanity.
15
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
benmosherljharbjfmengels
Keywords
eslinteslintplugineslint-plugines6jsnextmodulesimportexport
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/rules/group-exports.js | AI (source-diff): Standard Babel-transpiled ESLint rule with _interopRequireDefault helpers; not obfuscated. | ai | |
| source-diff | obfuscated-file:lib/rules/no-useless-path-segments.js | AI (source-diff): Standard Babel-transpiled ESLint rule code; long lines from build tooling, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/rules/no-default-export.js | AI (source-diff): Readable ESLint rule with inline base64 source map from Babel; standard build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/rules/no-cycle.js | AI (source-diff): Babel-transpiled output with _slicedToArray helper; long lines are standard Babel compilation artifacts, not obfuscation. | ai | |
| dependencies | unvetted-dep:lodash.find | AI (dependencies): lodash.find is a standard, well-known utility module. Its use in this long-established ESLint plugin is routine and poses no meaningful risk. | ai | |
| source-diff | obfuscated-file:lib/rules/no-relative-packages.js | AI (source-diff): Babel-transpiled ESLint rule file; long lines are Babel CommonJS interop output, not obfuscation. Content is legitimate rule logic consistent with the package's purpose. | ai | |
| source-diff | obfuscated-file:lib/rules/no-import-module-exports.js | AI (source-diff): Babel-transpiled ESLint rule file; long lines are Babel CommonJS interop output, not obfuscation. Content is legitimate rule logic consistent with the package's purpose. | ai | |
| source-diff | obfuscated-file:lib/rules/dynamic-import-chunkname.js | AI (source-diff): Long lines are Babel CommonJS interop output from the package's documented build process, not obfuscation. Code is clearly a legitimate ESLint rule implementation. | ai | |
| source-diff | obfuscated-file:lib/rules/no-relative-parent-imports.js | AI (source-diff): Long lines are Babel CommonJS interop output from the package's documented build process, not obfuscation. Code is clearly a legitimate ESLint rule implementation. | ai | |
| provenance | publisher-changed | AI (provenance): benmosher→ljharb is a documented, legitimate maintainer transition. ljharb is a highly trusted npm ecosystem maintainer with thousands of approved packages. | ai | |
| source-diff | obfuscated-file:lib/rules/no-unused-modules.js | AI (source-diff): Long lines are Babel CommonJS interop output from the package's documented build process, not obfuscation. Code is clearly a legitimate ESLint rule implementation. | ai | |
| phantom-deps | phantom-dep:babylon | AI (phantom-deps): babylon is the Babel parser referenced as a default string in config; used as a configurable parser name, not a missing dependency concern. | ai | |
| source-diff | obfuscated-file:lib/rules/export.js | AI (source-diff): File is Babel-transpiled ES6 using babel-runtime helpers — a standard pattern for this era. Long lines are from transpiler output, not obfuscation. Logic is readable and benign. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large file count increase is consistent with a known refactoring (extracting eslint-import-core); not indicative of injected/bundled malicious code for this established plugin. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in eslint-plugin-import is used to resolve ESLint's own module path — a well-understood, intentional pattern for this plugin. | ai | |
| source-diff | obfuscated-file:lib/rules/no-anonymous-default-export.js | AI (source-diff): File contains readable, well-structured ESLint rule code. Long lines are due to dense object literals with string values, not obfuscation. False positive for this package. | ai | |
| dependencies | unvetted-dep:lodash.cond | AI (dependencies): lodash.cond is a standard lodash utility module; its use in an ESLint plugin is benign and expected across all versions of this package. | ai | |
| dependencies | unvetted-dep:contains-path | AI (dependencies): contains-path is a small, benign path-checking utility appropriate for an ESLint import plugin; no security concern across versions. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by years; absence of attestation is expected and not a risk signal for this package. | ai | |
| source-diff | obfuscated-file:lib/core/fsWalk.js | AI (source-diff): File is Babel-compiled CJS output (standard _interopRequireDefault pattern), not malicious obfuscation. This package builds src/ to lib/ via Babel as part of prepublishOnly. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @rtsao/scc is used for SCC graph algorithm (circular dep detection) and string.prototype.trimend is a standard ES polyfill; both are legitimate additions by a trusted maintainer. | ai | |
| source-diff | obfuscated-file:lib/exportMap/visitor.js | AI (source-diff): Babel 6 transpiled output. Long lines are build artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/exportMap/typescript.js | AI (source-diff): Babel 6 transpiled output. Long lines are build artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/exportMap/specifier.js | AI (source-diff): Babel 6 transpiled output. Long lines are build artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/scc.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable StronglyConnectedComponents implementation with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/exportMap/namespace.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable Namespace class implementation with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/exportMap/index.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable ExportMap class implementation with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/rules/enforce-node-protocol-usage.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable ESLint rule logic with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/exportMap/doc.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable ESLint plugin logic with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/exportMap/childContext.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable ESLint plugin logic with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/exportMap/captureDependency.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable ESLint plugin logic with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/exportMap/builder.js | AI (source-diff): lib/ is Babel 6 transpiled output (classic _createClass/_interopRequireDefault pattern). Long lines are an artifact of the build process, not obfuscation. | ai | |
| dependencies | unvetted-dep:has | AI (dependencies): has is a well-known, legitimate utility package. Its use in eslint-plugin-import is benign and stable across versions. | ai | |
| phantom-deps | phantom-dep:resolve | AI (phantom-deps): resolve is a declared runtime dependency used in resolver config files, not directly imported in JS. This is expected behavior for an ESLint plugin and stable across versions. | ai | |
| phantom-deps | phantom-dep:eslint-import-resolver-node | AI (phantom-deps): eslint-import-resolver-node is referenced in config files as the default resolver; this is expected behavior for this plugin, not a phantom dependency issue. | ai | |
| dependencies | unvetted-dep:@rtsao/scc | AI (dependencies): @rtsao/scc is a small utility for strongly connected components, used by eslint-plugin-import for cycle detection. Legitimate and stable. | ai | |
| dependencies | unvetted-dep:array.prototype.findlastindex | AI (dependencies): array.prototype.findlastindex is a standard ES shim maintained by ljharb. Legitimate polyfill dependency. | ai | |
| dependencies | unvetted-dep:object.groupby | AI (dependencies): object.groupby is a standard ES shim maintained by ljharb (same publisher). No malicious history. | ai | |
| dependencies | unvetted-dep:eslint-import-resolver-node | AI (dependencies): eslint-import-resolver-node is the default resolver for eslint-plugin-import, a well-known companion package. Legitimate dependency. | ai | |
| dependencies | unvetted-dep:eslint-module-utils | AI (dependencies): eslint-module-utils is a companion package to eslint-plugin-import, maintained by the same org. Stable legitimate dependency. | ai |
Versions (showing 15 of 115)
| Version | Deps | Published |
|---|---|---|
| 0.4.2 | 5 / 6 | |
| 0.4.1 | 6 / 6 | |
| 0.4.0 | 6 / 6 | |
| 0.3.13 | 6 / 6 | |
| 0.3.12 | 6 / 6 | |
| 0.3.11 | 6 / 5 | |
| 0.3.10 | 6 / 5 | |
| 0.3.9 | 6 / 5 | |
| 0.3.8 | 6 / 5 | |
| 0.3.6 | 6 / 5 | |
| 0.3.5 | 6 / 5 | |
| 0.3.4 | 5 / 5 | |
| 0.3.3 | 5 / 5 | |
| 0.3.2 | 5 / 5 | |
| 0.3.0 | 4 / 5 |
v0.4.2
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.13
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.12
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.11
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.10
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.9
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.8
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.6
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.3
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.2
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.