importmap-rails

JavaScript import maps for Rails — enables ES module imports without a JavaScript bundler (no webpack, esbuild, or rollup). importmap-rails features: config/importmap.rb for pin declarations (pin 'stimulus', to: 'stimulus.min.js'), CDN pinning (pin_all_from, to CDN URLs), local JavaScript file serving via Sprockets/Propshaft, importmap:pin generator for adding packages from JSPM CDN, Rails 7+ default for new apps, Stimulus and Turbo integration, and asset cache busting via content-hash fingerprinting. Eliminates Node.js and npm as build requirements for agent web interfaces.

Evaluated Mar 06, 2026 (0d ago) v2.x

Homepage ↗ Repo ↗ Developer Tools ruby rails importmap javascript esm no-bundler sprockets propshaft

⚙ Agent Friendliness

/ 100

Can an agent use this?

🔒 Security

/ 100

Is it safe for agents?

⚡ Reliability

/ 100

Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality

Documentation

Error Messages

Auth Simplicity

Rate Limits

🔒 Security

TLS Enforcement

Auth Strength

Scope Granularity

Dep. Hygiene

Secret Handling

CDN-pinned JavaScript is a supply chain risk — use Subresource Integrity (integrity: option) for all CDN pins. bin/importmap audit checks for known vulnerabilities in pinned packages. Consider --download for security-sensitive agent deployments to eliminate CDN dependency entirely.

⚡ Reliability

Uptime/SLA

Version Stability

Breaking Changes

Error Recovery

Best When

Your Rails agent app uses Hotwire (Turbo + Stimulus) and wants JavaScript without a Node.js build step — importmap is the Rails 7/8 default for server-rendered apps with progressive JavaScript enhancement.

Avoid When

You need React, Vue, TypeScript, JSX, npm packages with CommonJS format, or production JS optimization (tree-shaking, code splitting).

Use Cases

• Agent dashboard without Node.js — Rails 7/8 new app uses importmap by default; agent web dashboard adds Stimulus controllers via bin/importmap pin stimulus; no npm install, no webpack config, no node_modules; JavaScript served directly from CDN or local files
• CDN-pinned agent libraries — pin 'chart.js', to: 'https://cdn.jsdelivr.net/npm/chart.js@4/dist/chart.umd.min.js' in config/importmap.rb; agent dashboard gets chart.js from CDN with integrity hash; no npm install step in CI/CD pipeline
• Stimulus controllers for agent UI — app/javascript/controllers/agent_status_controller.js with import { Controller } from '@hotwired/stimulus'; importmap pins stimulus; agent interactive UI without React/Vue complexity
• Incremental JavaScript addition — agent apps starting server-side rendered (Hotwire/Turbo) add JavaScript progressively; pin individual ES modules as needed; no upfront bundler configuration tax for simple agent UIs
• Local ES module development — bin/importmap pin alpinejs --download downloads to vendor/javascript/; served locally without CDN dependency; agent intranet apps with no internet access serve all JS locally via importmap

Not For

• JSX/TypeScript — importmap serves plain ES modules; for React, Vue, or TypeScript agent frontends use jsbundling-rails (esbuild) or Vite Rails
• npm package ecosystem with CJS modules — many npm packages are CommonJS not ESM; importmap only works with ES modules; for CJS packages use jsbundling-rails with esbuild to bundle
• Complex build pipelines — importmap has no tree-shaking, minification, or bundling; for production-optimized agent frontends with large JS payloads use Vite or webpack

Interface

REST API

GraphQL

gRPC

MCP Server

SDK

Webhooks

Authentication

Methods: none

OAuth: No Scopes: No

No auth — local asset serving tool. CDN-pinned packages served from public CDNs (JSPM, jsdelivr). Local pins served via Rails asset pipeline.

Pricing

Model: open_source

Free tier: Yes

Requires CC: No

importmap-rails is MIT licensed, maintained by the Rails core team. Free for all use.

Agent Metadata

Pagination

none

Idempotent

Full

Retry Guidance

Not documented

Known Gotchas

⚠ Browser must support import maps — import maps require modern browser (Chrome 89+, Firefox 108+, Safari 16.4+); older browsers need shim (es-module-shims); agent dashboards targeting older enterprise browsers need es-module-shims pin; Rails includes shim check but not automatic polyfill
⚠ CDN pins break in offline/intranet environments — pin 'chart.js', to CDN URL fails for agent intranet deployments without internet access; use --download flag to vendor all dependencies locally; agent enterprise deployments should pin_all_from vendor/javascript/ not CDN
⚠ No TypeScript or JSX support — importmap serves .js files only; agent frontend requiring TypeScript type safety or React JSX must switch to jsbundling-rails (esbuild); mixing importmap for some JS and esbuild for TypeScript files is unsupported; commit to one approach
⚠ package.json version management not available — importmap versions are URLs or JSPM lookups; no lockfile equivalent to package-lock.json; bin/importmap pin chart.js pins to current latest; future pin commands may pick up breaking versions; use explicit version URLs in config/importmap.rb for stability
⚠ Subresource Integrity required for CDN security — CDN-pinned packages without integrity: option allow CDN compromise to inject malicious JS; run bin/importmap audit to check; pin 'moment', to: 'https://cdn.example.com/moment.js', integrity: 'sha384-...' prevents agent XSS via CDN tampering
⚠ Asset pipeline must be configured for JavaScript serving — importmap requires Sprockets or Propshaft to serve app/javascript files; removing asset pipeline gem breaks local importmap pins; agent apps removing Sprockets for performance must switch to Propshaft (not remove pipeline entirely)

Alternatives

jsbundling-rails-api vite-rails-api shakapacker-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for importmap-rails.

$99

API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.