salesforce / eslint-config-lwc

Opinionated ESLint configurations for LWC projects
MIT License

Imports including the .js extension #117

Closed B1naryVision closed 1 year ago

B1naryVision commented 1 year ago

Recently we had an issue with passing Salesforce Security review due to the use of an extension in an import.

> LWC: Improper script load Vulnerability
>
> LWC permits only "platformResourceLoader" to load script. As a security best practices in the import statement, specify the folder to import from, not the file. Don't specify a file extension

We had `import { LABELS } from './i18n.js';`. We updated it and dropped the extension, to `import { LABELS } from './i18n';`, and voilà, it was fixed.

So I was wondering, with eslint-plugin-import being a dependency, is there any reason not to add something like this to the recommended.js rules?

```js
'import/extensions': ['warn', 'ignorePackages', { js: 'never' }]
```

nolanlawson commented 1 year ago

Technically the standard is to require a .js extension, and many runtimes require this (e.g. Node's new native ESM support). We should look into where this error message is coming from.

B1naryVision commented 1 year ago

Guess we should've pushed back rather than go with the easy solution. Is this something that can be looked at, @nolanlawson, or do I need to raise it with Salesforce directly?

nolanlawson commented 1 year ago

@B1naryVision Yes, since this is not strictly related to the open-source eslint-config-lwc project (this repo), I would recommend reaching out to Salesforce support. Thank you!

B1naryVision commented 1 year ago

Thanks @nolanlawson, I will.

I'll close this issue and raise it with Salesforce. Should they say it is intentional on their part, I may reopen this issue.