Addresses #10 / Update semver to the latest to fix CVE / Remove unnecessary dependencies

[SukkaW]

The PR does the following things:

• Set the target to Node.js 12+
  • Removes all unnecessary polyfills, close Drop all those unnecessary polyfills #10
• Replace is-core-module with require('module').Module.builtinModules, replace has with Object.prototype.hasOwnProperty.call
  • Why fewer dependencies is better: Addresses #10 / Update semver to the latest to fix CVE / Remove unnecessary dependencies #11 (comment)
• Update semver to the latest version
  • This fixes the following issue:
    • Please fix semver security issue. import-js/eslint-plugin-import#2803
    • Semver metavuln import-js/eslint-plugin-import#2804
    • Update semver version import-js/eslint-plugin-import#2805
    • Upgrade semver to fix vulnerability import-js/eslint-plugin-import#2806
    • semver vulnerable to Regular Expression Denial of Service import-js/eslint-plugin-import#2807
    • Upgrade to semver v7 import-js/eslint-plugin-import#2808
    • Update semver version ">=7.5.2" import-js/eslint-plugin-import#2809
    • npm audit security vulnerability in semver <= 7.5.2 import-js/eslint-plugin-import#2814
  • This also addresses the following PRs:
    • [Deps] update semver import-js/eslint-plugin-import#2810
    • Update package.json import-js/eslint-plugin-import#2812

---

eslint-plugin-i is a fork of eslint-plugin-import that replaces the tsconfig-paths with the faster and more lightweight get-tsconfig, which also addresses the following issues:

• [Deps] upgrade tsconfig-paths to ^4.0.0 import-js/eslint-plugin-import#2447
• CVE With JSON5 v1.0.1 import-js/eslint-plugin-import#2770
• Update the tsconfig-paths dependency to remove transitive CVE import-js/eslint-plugin-import#2771
• Update tsconfig-paths dependency version import-js/eslint-plugin-import#2782
• High Vulnerability found import-js/eslint-plugin-import#2783

If you want to replace eslint-plugin-import with eslint-plugin-i, just run following command in your projects:

# npm
npm install -D eslint-plugin-import@npm:eslint-plugin-i@latest
# yarn
yarn add -D eslint-plugin-import@npm:eslint-plugin-i@latest
# pnpm
pnpm add -D eslint-plugin-import@npm:eslint-plugin-i@latest

[changeset-bot]

⚠️ No Changeset found

Latest commit: efb9326

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[NWYLZW]

Good job!

[codecov]

Codecov Report

Patch coverage: 100.00% and project coverage change: -0.26 ⚠️

Comparison is base (616ac75) 95.02% compared to head (efb9326) 94.76%.

Additional details and impacted files

@@               Coverage Diff                @@
##           fork-release      #11      +/-   ##
================================================
- Coverage         95.02%   94.76%   -0.26%     
================================================
  Files                68       68              
  Lines              2977     2982       +5     
  Branches           1028     1028              
================================================
- Hits               2829     2826       -3     
- Misses              148      156       +8     

Impacted Files	Coverage Δ
src/ExportMap.js	89.47% <ø> (ø)
src/core/importType.js	100.00% <ø> (ø)
src/rules/no-unused-modules.js	96.00% <ø> (-1.65%)	⬇️
resolvers/webpack/index.js	62.62% <100.00%> (ø)
src/rules/export.js	100.00% <100.00%> (ø)
src/rules/group-exports.js	100.00% <100.00%> (ø)
src/rules/no-anonymous-default-export.js	100.00% <100.00%> (ø)
src/rules/order.js	99.18% <100.00%> (+<0.01%)	⬆️

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[SukkaW]

Ops, it seems that I forgot to remove those outdated Node.js versions from the CI matrix!

[JounQin]

What benefits would we get from this do you think?

[SukkaW]

What benefits would we get from this do you think?

• Less disk occupation due to smaller node_modules and smaller ~/.npm
• Faster npm i / yarn / pnpm i due to fewer packages needing to be installed
• Faster eslint . since polyfills are (and always will be) slower than native methods
• Less dependencies may reduce possible supply-chain attacks, pointed out by @g-plane

[so1ve]

Can we drop is-core-module as well?

---

UPD:

Maybe we can't :(

[SukkaW]

Can we drop is-core-module as well?

UPD:

Maybe we can't :(

@so1ve Actually maybe we can! The module.builtinModules is definitely available in Node.js 12.0.0+!

https://nodejs.org/dist/latest-v18.x/docs/api/module.html#modulebuiltinmodules

[JounQin]

I'm not so sure for these, actually I was thinking to maintain this package separately from the upstream.

As you said, such changes make rebasing a bit complicated, if we do so it would mean we're really start "forking", but it would mean a lot of extra efforts and hurt the community I think.

But of course, I would like to listen from the community, I was trying to support the same node versions as upstream but it's also boring and "ridiculous". So I like such changes personally, but also I'm in awe of this impactful project.

Let's wait for some more feedback for a while.

[nonzzz]

LGTM

[g-plane]

Additionally, less dependencies may reduce possible supply-chain attacks.

[pionxzh]

I support the idea of reducing unnecessary dependencies.

[bakkot]

You can replace has with {}.hasOwnProperty.call, also.

[SukkaW]

@JounQin

Although ljharb hasn't been actively maintaining eslint-plugin-import for literally months while he is basically held that open-source project as a hostage, we should still try our best to stay close to the upstream.

I have rebased the PR and minimized the affected lines to ensure that there will be least merging conflicts in the future.

---

Update

I also move is-core-module to devDeps (even less dependency to be installed!). I still retain the is-core-module in the tests, to make sure the behavior doesn't change.

[SukkaW]

I have bumped the semver to the latest version in the latest commit, which basically fixes all these issues and PRs:

• Please fix semver security issue. import-js/eslint-plugin-import#2803
• Semver metavuln import-js/eslint-plugin-import#2804
• Update semver version import-js/eslint-plugin-import#2805
• Upgrade semver to fix vulnerability import-js/eslint-plugin-import#2806
• semver vulnerable to Regular Expression Denial of Service import-js/eslint-plugin-import#2807
• Upgrade to semver v7 import-js/eslint-plugin-import#2808
• Update semver version ">=7.5.2" import-js/eslint-plugin-import#2809
• [Deps] update semver import-js/eslint-plugin-import#2810
• Update package.json import-js/eslint-plugin-import#2812

All test cases pass on my machine, waiting for the CI.

[JounQin]

Thanks, lets make it happen.

[SukkaW]

GitHub Action broke again.

[so1ve]

Let's drop node 13 15 17 19

[pionxzh]

We also need to update the Node.js versions in appveyor config.

https://github.com/un-es/eslint-plugin-i/blob/616ac75b11731f41a3786bdbe2c7620d65df9ded/appveyor.yml#L8-L14

[so1ve]

I guess we can delete that file because we don't use appveyor at all

[SukkaW]

We also need to update the Node.js versions in appveyor config.

https://github.com/un-es/eslint-plugin-i/blob/616ac75b11731f41a3786bdbe2c7620d65df9ded/appveyor.yml#L8-L14

I guess we can delete that file because we don't use appveyor at all

I don't know. IMHO the PR has contained enough changes. @JounQin What do you think?

[JounQin]

I don't know. IMHO the PR has contained enough changes. @JounQin What do you think?

It's not used, then no change is needed.

[JounQin]

For anyone may be interested, I just upgraded debug to v4 and removed unused resolve dependencies at v2.29.1. And I tried to upgrade minimatch to v9 but it fails on some cases like

import-js#2900 (comment)

and

https://github.com/import-js/eslint-plugin-import/blob/ee5fadeffff68f2300bed7f67a310496cb969d61/tests/src/rules/no-internal-modules.js

I don't have enough time to work on this replacement, anyone interested can help to raise a PR which will be appreciated.

---

For import-js#2900 (comment), I think it should be changed to invalid cases instead.

---

Tracking this replacement at #22