no-dynamic-import-unsafe-url

Disallow dynamic import() calls that load code from data:, blob:, javascript:, and direct URL.createObjectURL(...) URLs.

Targeted pattern scope

This rule targets direct import(...) expressions when the module specifier is one of the following executable URL forms:

a static data: URL
a static blob: URL
a static javascript: URL
a direct URL.createObjectURL(...) call

What this rule reports

This rule reports only direct unsafe dynamic-import specifiers. Indirect variables and broader module-resolution policies are out of scope.

Why this rule exists

Dynamic import() is an executable module-loading sink. Loading modules from inline, generated, or review-hostile URLs makes trusted code boundaries harder to audit and can undermine SDL expectations around reviewed module sources.

❌ Incorrect

await import("data:text/javascript,export default run()");

await import(URL.createObjectURL(workerBlob));

✅ Correct

await import("./feature-module.js");

Behavior and migration notes

This rule intentionally focuses on direct unsafe script URL expressions in import(...). Indirect variables, import maps, and broader policy enforcement are out of scope.

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
 {
  plugins: { sdl },
  rules: {
   "sdl/no-dynamic-import-unsafe-url": "error",
  },
 },
];

When not to use it

Disable this rule only if your project intentionally relies on these dynamic module-loading patterns and that design has been reviewed and approved.

Package documentation

Rule source

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

Behavior and migration notes​

ESLint flat config example​

When not to use it​

Package documentation​

Further reading​