{"id":21995344,"url":"https://github.com/polymerlabs/koa-importmap","last_synced_at":"2026-04-14T06:33:37.025Z","repository":{"id":66263328,"uuid":"180449553","full_name":"PolymerLabs/koa-importmap","owner":"PolymerLabs","description":"A Koa middleware module that can rewrite import specifiers for JavaScript modules based on the reference/presence of an importmap in the HTML document originating the request.","archived":false,"fork":false,"pushed_at":"2019-04-30T22:59:26.000Z","size":81,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-08-02T10:16:55.965Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PolymerLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-04-09T21:07:17.000Z","updated_at":"2020-02-27T23:10:59.000Z","dependencies_parsed_at":"2023-02-21T21:46:15.645Z","dependency_job_id":null,"html_url":"https://github.com/PolymerLabs/koa-importmap","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/PolymerLabs/koa-importmap","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PolymerLabs%2Fkoa-importmap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PolymerLabs%2Fkoa-importmap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PolymerLabs%2Fkoa-importmap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PolymerLabs%2Fkoa-importmap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PolymerLabs","download_url":"https://codeload.github.com/PolymerLabs/koa-importmap/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PolymerLabs%2Fkoa-importmap/sbom","scorecard":{"id":111342,"data":{"date":"2025-08-11","repo":{"name":"github.com/PolymerLabs/koa-importmap","commit":"a0bd75a78bcdcad3535c18d621c037a0b05092be"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.6,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Code-Review","score":0,"reason":"Found 0/2 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-15T12:18:42.912Z","repository_id":66263328,"created_at":"2025-08-15T12:18:42.912Z","updated_at":"2025-08-15T12:18:42.912Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31785677,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T02:24:21.117Z","status":"ssl_error","status_checked_at":"2026-04-14T02:24:20.627Z","response_time":153,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-29T21:14:20.226Z","updated_at":"2026-04-14T06:33:37.009Z","avatar_url":"https://github.com/PolymerLabs.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# koa-importmap\n\nA [Koa](https://koajs.com/) middleware module that can rewrite import specifiers for JavaScript modules based on the reference/presence of an [importmap](https://github.com/WICG/import-maps) in the HTML document originating the request.  \n\nThe middleware persists a reference to the importmap to requests for all transitive imports in the graph by use of a query parameter which is appended and consumed by the middleware.\n\n## Usage\n\nHere's a quick Koa server which serves static files and rewrites import specifiers based on import maps.\n\n`./server.js`\n```js\nconst app = new require('koa')\nconst root = __dirname\napp.use(require('koa-importmap')(root))\napp.use(require('koa-static')(root))\napp.listen(3000)\n```\n\n## Example\n\nConsider a project folder with the following contents.\n```\nimportmap.json\nindex.html\nnode_modules/mod-a/index.js\nnode_modules/mod-a/node_modules/mod-b/index.js\nnode_modules/mod-b/index.js\n```\n\nThe `importmap.json` file contains both \"imports\" and \"scopes\" to demonstrate the behavior of each:\n```json\n{\n  \"imports\": {\n    \"mod-a\": \"/node_modules/mod-a/index.js\",\n    \"mod-b\": \"/node_modules/mod-b/index.js\"\n  },\n  \"scopes\": {\n    \"/node_modules/mod-a/\": {\n      \"mod-b\": \"/node_modules/mod-a/node_modules/mod-b/index.js\"\n    }\n  }\n}\n```\n\nThe JavaScript modules are simple.  Top-level `mod-a` simply re-exports the default export of its nested `mod-b`.  The nested `mod-b` exports a function that single-quotes its string argument.  Top-level `mod-b` exports a function the double-quotes its string argument:\n\n```js\n// node_modules/mod-a/index.js\nimport b from 'mod-b'\nexport default b\n```\n\n```js\n// node_modules/mod-a/node_modules/mod-b/index.js\nexport default (text) =\u003e `'${text}'`\n```\n\n```js\n// node_modules/mod-b/index.js\nexport default (text) =\u003e `\"${text}\"`\n```\n\nThe main HTML file `./index.html` references the import map and contains module script which uses bare name specifiers.\n```html\n\u003cscript type=\"importmap\" src=\"importmap.json\"\u003e\u003c/script\u003e\n\n\u003cscript type=\"module\"\u003e\n  import a from 'mod-a'\n  import b from 'mod-b'\n  console.log(a('singlequoted'))\n  console.log(b('doublequoted'))\n\u003c/script\u003e\n```\n\nThe expected console output when loading `/index.html` in a browser which supports import maps natively would be:\n```\n'singlequoted'\n\"doublequoted\"\n```\n\nWhen requested and processed through the `koa-importmap` middleware, the import map is fetched/cached or read-from-cache, processed and HTML is rewritten:\n```html\n\u003cscript type=\"module\"\u003e\n  import a from '/node_modules/mod-a/index.js?koa-importmap=6a83b08a'\n  import b from '/node_modules/mod-b/index.js?koa-importmap=6a83b08a'\n  console.log(a('singlequoted'))\n  console.log(b('doublequoted'))\n\u003c/script\u003e\n```\n\nJavaScript requested with the `koa-importmap=6a83b08a` is then processed using the cached import map referenced and is rewritten as well.  For example, request for `/node_modules/mod-a/index.js?koa-importmap=6a83b08a` returns:\n```js\nimport b from './node_modules/mod-b/index.js?koa-importmap=6a83b08a'\nexport default b\n```\n\n## Gotchas\n\nInitially, this middleware is intended primarily for use in a development context and has shortcomings in production scenarios.  It can be quite expensive in terms of memory and processing to parse every HTML and JavaScript document returned through the middleware.\n\nAdditionally, the `koa-importmap` query parameter is a digest of the content of a processed import map.  The digest is used as a key for the default in-memory LRU cache that stores the parsed importmap.  If this middleware was to be used in a production environment running multiple instances of the server, it would need to either use a shared cache or ensure that requests were bound to same server.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpolymerlabs%2Fkoa-importmap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpolymerlabs%2Fkoa-importmap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpolymerlabs%2Fkoa-importmap/lists"}