Create rule S7660: Import statements should only reference declared dependencies

rules/S7660/javascript/metadata.json

@@ -0,0 +1,29 @@
+{
+  "title": "Import statements should only reference declared dependencies",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant/Issue",
+    "constantCost": "5 min"
+  },
+  "tags": [
+    "dependency",
+    "npm",
+    "packaging"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7660",
+  "sqKey": "S7660",
+  "scope": "Main",
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "BLOCKER",
+      "MAINTAINABILITY": "BLOCKER"
+    },
+    "attribute": "COMPLETE"
+  }
+}

rules/S7660/javascript/rule.adoc

@@ -0,0 +1,52 @@
+This rule raises an issue when an `import` statement references a module that is not listed in the project's `package.json` dependencies.
+
+== Why is this an issue?
+
+Importing modules that aren't explicitly declared as dependencies can cause your application to break when dependencies are reinstalled or deployed to different environments.
+
+While the code might work locally due to transitive dependencies (dependencies of your dependencies), this creates a fragile setup. If a dependency changes or removes one of its own dependencies that your code relies on, your application will fail at runtime.
+
+Additionally, transitive dependencies might only be available in development environments, causing production failures that are difficult to debug.
+
+=== What is the potential impact?
+
+Applications may fail to start or crash at runtime when deployed to production environments or when dependencies are updated. This can lead to service outages and difficult-to-reproduce bugs.
+
+=== How to fix?
+
+
+Add the missing dependency to your package.json file using npm install.
+
+==== Non-compliant code example
+
+[source,javascript,diff-id=1,diff-type=noncompliant]
+----
+// package.json only has "express" as dependency
+import lodash from 'lodash'; // Noncompliant - lodash not in dependencies
+import express from 'express';
+----
+
+==== Compliant code example
+
+[source,javascript,diff-id=1,diff-type=compliant]
+----
+// After running: npm install lodash
+// package.json now includes both "express" and "lodash"
+import lodash from 'lodash'; // Compliant - lodash is now declared
+import express from 'express';
+----
+
+=== Documentation
+
+ * ESLint Plugin N - no-extraneous-import - https://github.com/eslint-community/eslint-plugin-n/blob/master/docs/rules/no-extraneous-import.md[Official documentation for the no-extraneous-import rule]
+ * npm install documentation - https://docs.npmjs.com/cli/v11/commands/npm-install[Guide on how to install and manage npm dependencies]
+
+=== Standards
+
+ * Node.js Best Practices - Dependency Management - https://github.com/goldbergyoni/nodebestpractices#-6-security-best-practices[Best practices for managing Node.js dependencies securely]
+
+=== Related Rules
+
+ * n/no-extraneous-require - https://github.com/eslint-community/eslint-plugin-n/blob/master/docs/rules/no-extraneous-require.md[Similar rule for CommonJS require() statements]
+ * n/no-missing-import - https://github.com/eslint-community/eslint-plugin-n/blob/master/docs/rules/no-missing-import.md[Ensures imported modules can be resolved]
+

rules/S7660/metadata.json

@@ -0,0 +1,2 @@
+{
+}