This specification addresses how modules should be written in order to be interoperable among a class of module systems that can be both client and server side, secure or insecure, implemented today or supported by future systems with syntax extensions. These modules are offered privacy of their top scope, facility for importing singleton objects from other modules, and exporting their own API.
- A module receives a "require" function. The "require" function accepts a module identifier. "require" returns an object containing the exported API of the foreign module. If there is a dependency cycle, the foreign module may not have finished executing at the time it is required by one of its transitive dependencies; in this case, the object returned by "require" must contain at least the exports that the foreign module has prepared before the call to require that led to the current module's execution. If the requested module cannot be returned, "require" throws an error.
- A module receives an "exports" object that it may add its exported API to as it executes.
- An implementation may restrict the exports object as the only means of exporting and so standard libraries must use the exports object as the only means of exporting.
To be interoperable with secure environments, a module must satisfy the following additional constraints:
- A module must not have any free variables apart from primordials ("Object", "Array", etc.), "require", and "exports".
- A module must not tamper with (assign to, or assign to members of) the transitive primordials, the "require" object, or any object returned by "require".
This specification leaves the following important points of interoperability unspecified:
- The domain of module identifiers.
- Whether relative module identifiers are supported.
- Whether a PATH is supported by the module loader for resolving module identifiers.