[New] import/order: add support for named imports

[manuth]

import/order: add support for named imports

Changes made in this PR change the import/order rule to allow configuring the order of named specifiers in import, export and require statements.

This will report errors and automatically fix expressions as shown in this example:
Reports error:

import { Bravo, Alpha } from 'foo';
const { Delta, Charlie } = require('foo');
export { Foxtrot, Echo } from 'foo';
export { Alpha as Hotel, India, Alpha as Golf };

Fixed code:

import { Alpha, Bravo } from 'foo';
const { Charlie, Delta } = require('foo');
export { Echo, Foxtrot } from 'foo';
export { Alpha as Golf, Alpha as Hotel, India } from 'foo';

This feature heavily uses the pre-existing functions used for re-ordering import/export statements and thus does not require a lot of changes.

To address the requirement brought forward by @ronparkdev, there are 3 options named.import, named.export and named.require for individually forcing ordering of named items for the specified category.

Furthermore, in response to the comment written by @JensDll, there is an option types which allows to specify the order of the specifiers based on their category:

• mixed: all specifiers are ordered alphabetically
• types-first: type imports must occur first
• types-last: value imports must occur first

With this option, one could force type imports to occur last by setting the options of the order rule to the following:

{
  "named": {
    "enabled": true,
    "types": "types-last"
  },
  "alphabetize": { "order": "asc" }
}

Things to consider

• Following tiny bit of code makes use of RegExp:
  

  eslint-plugin-import/src/rules/order.js

  Line 239 in 60b0493

  const gapCode = sourceCode.text.substring(firstRootEnd, secondRootStart).replace(/,$/, '');

  
  

  eslint-plugin-import/src/rules/order.js

  Line 250 in 60b0493

  const gapCode = sourceCode.text.substring(secondRootEnd, firstRootStart).replace(/^,/, '');

• The lines between the default and the type/value groups are a little blurred as a default re-export technically still is either a value or a type export. default will take highest priority which means that both export { type default as Readline } from 'foo' and export { default as Readline } from 'foo' will have their group set to default.
• named specifiers are not only sorted by their source name, but also by their alias
• When two specifiers have the same source name (like, say, const { Alpha: Bravo, Alpha } = require('foo');), error messages will contain both the original name and the alilas for preventing confusion:
  `Alpha` import should occur before import of `Alpha as Bravo`
• For enabling forced ordering for all kinds of expressions, the named or the named.enabled option can be set to true. However, named.all might be a more suitable option name (?)

Related

• [Suggestion]: import/named-order : Enforce to sort specifiers of import, export, require #2553, the original proposal
• Allow enforcement of import-specifiers #1787 (tagging @andrewbranch, bc this PR might be interesting to you)

Merging this PR will fix #2553 and fix #1787

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.46%. Comparing base (a9018a8) to head (95849c8).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3043      +/-   ##
==========================================
+ Coverage   95.31%   95.46%   +0.14%     
==========================================
  Files          82       82              
  Lines        3438     3549     +111     
  Branches     1186     1244      +58     
==========================================
+ Hits         3277     3388     +111     
  Misses        161      161              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ljharb]

There's a number of lines not covered by tests (see the annotations in the diff tab)

[manuth]

Alright! I guess I'm ready
What can I do about the tests of package versions seemingly unable to detect type exports?

[ljharb]

I'll take a look at whatever tests fail.

[manuth]

I had to switch to draft for an instant here, because I have noticed that the named ordering did not work if they are spreaded across multiple lines.

I was able to fix this now - thus switching back to Ready for review

[ljharb]

@manuth any reason for the custom trimEnd function instead of the standard one?

[manuth]

The trimEnd function doesn't seem to exist in older Node.js versions.

[ljharb]

That's what the string.prototype.trimend package is for.

[manuth]

Ooh weird - I felt like the checks once didn't run through cause of it
Maybe I'm mistaken

I'll try to change it back, then! Thanks 😄

[ljharb]

oh no, what i mean is, add that package as a dependency and import it instead of rolling your own

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher

🚮 Removed packages: npm/eslint@2.13.1), npm/find-up@1.1.2), npm/glob@1.0.0), npm/jackspeak@=2.1.1), npm/jquery@3.7.1), npm/jsonc-parser@=3.2.0), npm/linklocal@2.8.2), npm/lodash.cond@4.5.2), npm/lodash.isarray@4.0.0), npm/markdownlint-cli@0.35.0), npm/npm-which@3.0.1), npm/object.fromentries@2.0.8), npm/object.groupby@1.0.3), npm/object.values@1.2.0), npm/react@16.14.0), npm/semver@6.3.1), npm/tsconfig-paths@3.15.0)

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Critical CVE	npm/babel-traverse@6.26.0	CVE: GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (CRITICAL) Affected versions: < 7.23.2 Patched version: No patched versions	package.json	⚠︎

View full report↗︎

Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/babel-traverse@6.26.0

[ljharb]

k, i've rebased this and i think it's ready to land, but i'm going to wait til i get a patch release out first.

[manuth]

Awesome, thank you so much 😄
Looking forward to it!

[manuth]

Just saw a little inelegance in the JSON schema I have written
Will force push the change