no-dynamic-import-unsafe-url
Disallow dynamic import() calls that load code from data:, blob:, javascript:, and direct URL.createObjectURL(...) URLs.
Targeted pattern scopeโ
This rule targets direct import(...) expressions when the module specifier is
one of the following executable URL forms:
- a static
data:URL - a static
blob:URL - a static
javascript:URL - a direct
URL.createObjectURL(...)call
What this rule reportsโ
This rule reports only direct unsafe dynamic-import specifiers. Indirect variables and broader module-resolution policies are out of scope.
Why this rule existsโ
Dynamic import() is an executable module-loading sink. Loading modules from
inline, generated, or review-hostile URLs makes trusted code boundaries harder
to audit and can undermine SDL expectations around reviewed module sources.
โ Incorrectโ
await import("data:text/javascript,export default run()");
await import(URL.createObjectURL(workerBlob));
โ Correctโ
await import("./feature-module.js");
Behavior and migration notesโ
This rule intentionally focuses on direct unsafe script URL expressions in
import(...). Indirect variables, import maps, and broader policy enforcement
are out of scope.
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-dynamic-import-unsafe-url": "error",
},
},
];
When not to use itโ
Disable this rule only if your project intentionally relies on these dynamic module-loading patterns and that design has been reviewed and approved.
Package documentationโ
Further readingโ
Rule catalog ID: R070