@biomejs/cli-darwin-x64
1.5.0 (2024-01-08)
Biome now scores 97% compatibility with Prettier and features more than 180 linter rules.
Biome now shows a diagnostic when it encounters a protected file. Contributed by @ematipico
The command biome migrate now updates the $schema if there's an outdated version.
The CLI now takes into consideration the .gitignore in the home directory of the user, if it exists. Contributed by @ematipico
The biome ci command is now able to print GitHub Workflow Commands when there are diagnostics in our code. Contributed by @nikeee
This might require setting the proper permissions on your GitHub action:
permissions:
  pull-requests: write
The commands format, lint, check and ci now accept two new arguments: --changed and --since. Use these options when the VCS integration is enabled to process only the files that were changed. Contributed by @simonxabris
biome format --write --changed
Introduced a new command called biome explain, which has the capability to display documentation for lint rules. Contributed by @kalleep
You can use the command biome explain to print the documentation of lint rules. Contributed by @kalleep
biome explain noDebugger
biome explain useAltText
You can use the command biome explain to print the directory where daemon logs are stored. Contributed by @ematipico
biome explain daemon-logs
Removed the hard coded limit of 200 printable diagnostics. Contributed by @ematipico
Fix #1247, Biome now prints a warning diagnostic if it encounters files that it can't handle. Contributed by @ematipico
You can ignore unknown file types using the files.ignoreUnknown configuration in biome.json:
{
  "files": {
    "ignoreUnknown": true
  }
}
Or the --files-ignore-unknown CLI option:
biome format --files-ignore-unknown=true --write .
Fix #709 and #805 by correctly parsing .gitignore files. Contributed by @ematipico
Fix #1117 by correctly respecting the matching. Contributed by @ematipico
Fix #691 and #1190, by correctly applying the configuration when computing overrides configuration. Contributed by @ematipico
Users can specify git ignore patterns inside ignore and include properties, for example it's possible to allow list globs of files using the ! character:
{
  "files": {
    "ignore": [
      "node_modules/**",
      "!**/dist/**" // this is now accepted and allows files inside the `dist` folder
    ]
  }
}
The LSP registers formatting without the need of using dynamic capabilities from the client.
This brings formatting services to the editors that don't support or have limited support for dynamic capabilities.
Fix #1169. Account for escaped strings when computing layout for assignments. Contributed by @kalleep
Fix #851. Allow regular function expressions to group and break as call arguments, just like arrow function expressions. #1003 Contributed by @faultyserver
Fix #914. Only parenthesize type-casted function expressions as default exports. #1023 Contributed by @faultyserver
Fix #1112. Break block bodies in case clauses onto their own lines and preserve trailing fallthrough comments. #1035 Contributed by @faultyserver
Fix RemoveSoftLinesBuffer behavior to also remove conditional expanded content, ensuring no accidental, unused line breaks are included. #1032 Contributed by @faultyserver
Fix #1024. Allow JSX expressions to nestle in arrow chains #1033 Contributed by @faultyserver
Fix incorrect breaking on the left side of assignments by always using fluid assignment. #1021 Contributed by @faultyserver
Fix breaking strategy for nested object patterns in function parameters #1054 Contributed by @faultyserver
Fix over-indention of arrow chain expressions by simplifying the way each chain is grouped #1036, #1136, and #1162 Contributed by @faultyserver.
Fix "simple" checks for calls and member expressions to correctly handle array accesses, complex arguments to single-argument function calls, and multiple-argument function calls. #1057 Contributed by @faultyserver
Fix text wrapping and empty line handling for JSX Text elements to match Prettier's behavior. #1075 Contributed by @faultyserver
Fix leading comments in concisely-printed arrays to prevent unwanted line breaks. #1135 Contributed by @faultyserver
Fix best_fitting and interned elements preventing expansion propagation from sibling elements. #1141 Contributed by @faultyserver
Fix heuristic for grouping function parameters when type parameters with constraints are present. #1153. Contributed by @faultyserver.
Fix binary-ish and type annotation handling for grouping call arguments in function expressions and call signatures. #1152 and #1160 Contributed by @faultyserver
Fix handling of nestled JSDoc comments to preserve behavior for overloads. #1195 Contributed by @faultyserver
Fix #1208. Fix extraction of inner types when checking for simple type annotations in call arguments. #1195 Contributed by @faultyserver
Fix #1220. Avoid duplicating comments in type unions for mapped, empty object, and empty tuple types. #1240 Contributed by @faultyserver
Fix #1356. Ensure if_group_fits_on_line content is always written in RemoveSoftLinesBuffers. #1357 Contributed by @faultyserver
Fix #1171. Correctly format empty statement with comment inside arrow body when used as single argument in call expression. Contributed by @kalleep
Fix #1106. Fix invalid formatting of single bindings when Arrow Parentheses is set to "AsNeeded" and the expression breaks over multiple lines. #1449 Contributed by @faultyserver
New rules are incubated in the nursery group. Once stable, we promote them to a stable group. The following rules are promoted:
Add useExportType that enforces the use of type-only exports for types. Contributed by @Conaclos
interface A {}
interface B {}
class C {}
- export type { A, C }
+ export { type A, C }
- export { type B }
+ export type { B }
Add useImportType that enforces the use of type-only imports for types. Contributed by @Conaclos
- import { A, B } from "./mod.js";
+ import { type A, B } from "mod";
let a: A;
const b: B = new B();
Also, the rule groups type-only imports:
- import { type A, type B } from "./mod.js";
+ import type { A, B } from "./mod.js";
Add useFilenamingConvention, that enforces naming conventions for JavaScript and TypeScript filenames. Contributed by @Conaclos
By default, the rule requires that a filename be in camelCase, kebab-case, snake_case, or matches the name of an export in the file.
The rule provides options to restrict the allowed cases.
Add useNodejsImportProtocol that enforces the use of the node: protocol when importing Node.js modules. Contributed by @2-NOW, @vasucp1207, and @Conaclos
- import fs from "fs";
+ import fs from "node:fs";
Add useNumberNamespace that enforces the use of the Number properties instead of the global ones.
- parseInt;
+ Number.parseInt;
- - Infinity;
+ Number.NEGATIVE_INFINITY;
Add useShorthandFunctionType that enforces using function types instead of object type with call signatures. Contributed by @emab, @ImBIOS, and @seitarof
- interface Example {
- (): string;
- }
+ type Example = () => string
Add noNodejsModules (https://biomejs.dev/linter/rules/no-nodejs-modules), that disallows the use of Node.js modules. Contributed by @anonrig, @ematipico, and @Conaclos
Add noInvalidUseBeforeDeclaration (https://biomejs.dev/linter/rules/no-invalid-use-before-declaration) that reports variables and function parameters used before their declaration. Contributed by @Conaclos
function f() {
  console.log(c); // Use of `c` before its declaration.
  const c = 0;
}
Add useConsistentArrayType that enforces the use of a consistent syntax for array types. Contributed by @eryue0220
This rule will replace useShorthandArrayType. It provides an option to choose between the shorthand or the generic syntax.
Add noEmptyTypeParameters that ensures that any type parameter list has at least one type parameter. Contributed by @togami2864
This will report the following empty type parameter lists:
interface Foo<> {}
//           ^^
type Bar<> = {};
//      ^^
Add noGlobalEval that reports any use of the global eval. Contributed by @you-5805
Add noGlobalAssign that reports assignment to global variables. Contributed by @chansuke
Object = {}; // report assignment to `Object`.
Add noMisleadingCharacterClass that disallows characters made with multiple code points in character class. Contributed by @togami2864
Add noThenProperty that disallows the use of then as property name. Adding a then property makes an object thenable that can lead to errors with Promises. Contributed by @togami2864
Add noUselessTernary that disallows conditional expressions (ternaries) when simpler alternatives exist.
var a = x ? true : true; // this could be simplified to `x`
noEmptyInterface ignores empty interfaces that extend a type. Address #959 and #1157. Contributed by @Conaclos
This allows supporting interface augmentation in external modules as demonstrated in the following example:
interface Extension {
  metadata: unknown;
}
declare module "@external/module" {
  // Empty interface that extends a type.
  export interface ExistingInterface extends Extension {}
}
Preserve more comments in the code fix of useExponentiationOperator. Contributed by @Conaclos
The rule now preserves comments that follow the (optional) trailing comma.
For example, the rule now suggests the following code fix:
- Math.pow(
- a, // a
- 2, // 2
- );
+
+ a ** // a
+ 2 // 2
+
<svg> element is now considered as a non-interactive HTML element (#1095). Contributed by @chansuke
This affects the following rules:
noMultipleSpacesInRegularExpressionLiterals has a safe code fix. Contributed by @Conaclos
useArrowFunction ignores expressions that use new.target. Contributed by @Conaclos
noForEach now reports only calls that use a callback with 0 or 1 parameter. Address #547. Contributed by @Conaclos
Fix #1061. noRedeclare no longer reports overloads of export default function. Contributed by @Conaclos
The following code is no longer reported:
export default function(a: boolean): boolean;
export default function(a: number): number;
export default function(a: number | boolean): number | boolean {
  return a;
}
Fix #651, useExhaustiveDependencies no longer reports out of scope dependencies. Contributed by @kalleep
The following code is no longer reported:
let outer = false;
const Component = ({}) => {
  useEffect(() => {
    outer = true;
  }, []);
}
Fix #1191. noUselessElse now preserves comments of the else clause. Contributed by @Conaclos
For example, the rule suggested the following fix:
function f(x) {
if (x <0) {
return 0;
}
- // Comment
- else {
return x;
- }
}
Now the rule suggests a fix that preserves the comment of the else clause:
function f(x) {
if (x <0) {
return 0;
}
// Comment
- else {
return x;
- }
}
Fix #1383. noConfusingVoidType now accepts the void type in type parameter lists.
The rule no longer reports the following code:
f<void>();
Fix #728. useSingleVarDeclarator no longer outputs invalid code. Contributed by @Conaclos
Fix #1167. useValidAriaProps no longer reports aria-atomic as invalid. Contributed by @unvalley
Fix #1192. useTemplate now correctly handles parenthesized expressions and respects type coercions. Contributed by @n-gude
These cases are now properly handled:
"a" + (1 + 2) // `a${1 + 2}`
1 + (2 + "a") // `${1}${2}a`
Fix #1456. useTemplate now reports expressions with an interpolated template literal and non-string expressions. Contributed by @n-gude
The following code is now reported:
`a${1}` + 2;
Fix #1436. useArrowFunction now applies a correct fix when a function expression is used in a call expression or a member access. Contributed by @Conaclos
For example, the rule proposed the following fix:
- const called = function() {}();
+ const called = () => {}();
It now proposes a fix that adds the needed parentheses:
- const called = function() {}();
+ const called = (() => {})();
Fix #696. useHookAtTopLevel now correctly detects early returns before the calls to the hook.
The code fix of noUselessTypeConstraint now adds a trailing comma when needed to disambiguate a type parameter list from a JSX element. Contributed by @Conaclos
Fix #578. useExhaustiveDependencies now correctly recognizes hooks namespaced under the React namespace. Contributed by @XiNiHa
Fix #910. noSvgWithoutTitle now ignores <svg> element with aria-hidden="true". Contributed by @vasucp1207
The representation of imports has been simplified. Contributed by @Conaclos
The new representation is closer to the ECMAScript standard.
It provides a single way of representing a namespace import such as import * as ns from "".
It rules out some invalid states that were previously representable.
For example, it is no longer possible to represent a combined import with a type qualifier such as import type D, { N } from "".
See #1163 for more details.
Imports and exports with both an import attribute and a type qualifier are now reported as parse errors.
import type A from "mod" with { type: "json" };
//     ^^^^              ^^^^^^^^^^^^^^^^^^^^^
//     parse error
Fix #1077 where parenthesized identifiers in conditional expression were being parsed as arrow expressions. Contributed by @kalleep
These cases are now properly parsed:
JavaScript:
a ? (b) : a => {};
TypeScript:
a ? (b) : a => {};
JSX:
bar ? (foo) : (<a>{() => {}}</a>);
Allow empty type parameter lists for interfaces and type aliases (#1237). Contributed by @togami2864
TypeScript allows interface declarations and type aliases to have empty type parameter lists. Previously Biome didn't handle this edge case. Now, it correctly parses this syntax:
interface Foo<> {}
type Bar<> = {};
biome_js_unicode_table crate to biome_unicode_table (#1302). Contributed by @chansuke
FAQs
The npm package @biomejs/cli-darwin-x64 receives a total of 121,549 weekly downloads. As such, @biomejs/cli-darwin-x64 popularity was classified as popular.
We found that @biomejs/cli-darwin-x64 demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.