Add wildcard pattern support for core modules #3200
Open
andymai wants to merge 10 commits into import-js:main from
Add support for wildcard patterns in import/core-modules setting, allowing * to match multiple modules like @my-monorepo/* or @My-*/*.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Prevent '*' pattern from matching all modules, which would disable dependency analysis and create security vulnerabilities.
- Add safety check for bare wildcard patterns
- Add comprehensive test coverage for security edge cases
- Ensure valid wildcard patterns still work correctly

Enhance security validation to catch a broader range of dangerous wildcard patterns that could disable dependency analysis:
- Block double wildcards (**)
- Block overly broad patterns (*/*)
- Block regex-style wildcards (.*)
- Block patterns that are too short and broad (a*, *a)
- Block multiple wildcards except for valid @namespace/* patterns
- Add comprehensive test coverage for all dangerous patterns
- Maintain support for legitimate use cases

This prevents accidental or malicious disabling of ESLint's dependency analysis while preserving intended functionality.

Allow legitimate multi-wildcard patterns like @My-*/* while still blocking dangerous patterns:
- Allow @namespace/* patterns (including @My-*/* style patterns)
- Block dangerous patterns like *foo*, foo*bar*, */*/*
- Fix regex escaping issue
- Update comprehensive test coverage
- All 2996 tests now pass
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #3200 +/- ##
===========================================
+ Coverage 82.25% 95.49% +13.24%
===========================================
Files 94 83 -11
Lines 4283 3688 -595
Branches 1478 1331 -147
===========================================
- Hits 3523 3522 -1
+ Misses 760 166 -594
ljharb
requested changes
Jul 18, 2025
- Replace dangerous [\s\S]*? regex patterns with minimatch glob matching
- Eliminate all dynamic regex construction in wildcard pattern matching
- Use safe string operations instead of regex for wildcard counting
- Maintain same functionality while preventing ReDoS vulnerabilities

Addresses PR feedback about CVE security risks from dynamic regex patterns.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Add tests to verify no dynamic regex patterns like [\s\S]*? are used
- Test that dangerous patterns (*, .*, **, */*) are blocked by security validation
- Verify safe minimatch glob matching is used instead of regex construction
- Ensure ReDoS (Regular Expression Denial of Service) prevention
- Tests follow existing codebase patterns and integrate with importType tests

Addresses PR feedback about CVE security risks from dynamic regex patterns.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Fix indentation to match codebase style
- Remove trailing spaces
- Add parentheses around arrow function parameters
- Ensure consistent spacing

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
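
The validation rules and regex-free matching described in the commit messages above, as an added example that is not code from this pull request (which uses minimatch). `segmentMatches` and `isCoreModule` are hypothetical names, the body of `isDangerousPattern` and the cutoffs marked "assumed" are this example's own choices, and `*` is kept within one `/`-separated segment.

```javascript
'use strict';
// Added example, not the PR's code. Thresholds marked "assumed" are this
// example's choices; only isDangerousPattern's name appears on the page.

// True when a core-modules pattern is too broad to accept.
// Plain string operations only: no RegExp is built from the setting.
function isDangerousPattern(pattern) {
  const stars = pattern.split('*').length - 1;
  if (stars === 0) return false; // exact module names are always fine
  if (pattern.includes('**') || pattern.includes('.*')) return true;
  // Fewer than two literal characters: '*', 'a*', '*a', '*/*' (assumed cutoff).
  if (pattern.length - stars < 2) return true;
  if (stars === 1) return false;
  // Several wildcards are accepted only as '@scope/name', one '*' per segment.
  const segments = pattern.split('/');
  if (segments.length !== 2 || !pattern.startsWith('@')) return true;
  if (segments[0][1] === '*') return true; // '@*/*' is every scope (assumed)
  return segments.some((s) => s.split('*').length - 1 > 1);
}

// Match one segment against a pattern segment holding at most one '*'.
// Prefix/suffix comparison is linear, so there is nothing to backtrack.
function segmentMatches(patternSeg, nameSeg) {
  const star = patternSeg.indexOf('*');
  if (star === -1) return patternSeg === nameSeg;
  const prefix = patternSeg.slice(0, star);
  const suffix = patternSeg.slice(star + 1);
  return nameSeg.length >= prefix.length + suffix.length
    && nameSeg.startsWith(prefix) && nameSeg.endsWith(suffix);
}

// A rejected pattern is skipped, so a bad setting never widens the match.
function isCoreModule(name, coreModules) {
  const n = name.split('/');
  return coreModules.some((pattern) => {
    if (isDangerousPattern(pattern)) return false;
    const p = pattern.split('/');
    return p.length === n.length && p.every((seg, i) => segmentMatches(seg, n[i]));
  });
}
```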
ljharb
reviewed
Jul 21, 2025
src/core/importType.js
Outdated
Comment on lines +25 to +27
|
|
||
| function isDangerousPattern(pattern) { |
Member
do we need this function at all now that it's just using minimatch?
Summary
Addresses: #1281
import/core-modules setting * to match multiple modules like @my-monorepo/* or @my-*/*
Changes
src/core/importType.js to support wildcard pattern matching
Test plan
@my-monorepo/*)
@my-*/*)