Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@biomejs/cli-linux-arm64-musl
1.7.0 (2024-04-15)
Now Biome can detect the script language in Svelte and Vue script blocks more reliably (#2245). Contributed by @Sec-ant
`useExhaustiveDependencies` no longer reports recursive calls as missing dependencies (#2361). Contributed by @arendjr
`useExhaustiveDependencies` correctly reports missing dependencies declared using function declarations (#2362). Contributed by @arendjr
Biome now can handle `.svelte` and `.vue` files with `CRLF` as the end-of-line sequence. Contributed by @Sec-ant
`noMisplacedAssertion` no longer reports method calls by `describe`, `test`, `it` objects (e.g. `test.each([])()`) (#2443). Contributed by @unvalley.
Biome now can handle `.vue` files with generic components (#2456).
```vue
<script generic="T extends Record<string, any>" lang="ts" setup>
//...
</script>
```
Contributed by @Sec-ant
Complete the well-known file lists for JSON-like files. Trailing commas are allowed in `.jsonc` files by default. Some well-known files like `tsconfig.json` and `.babelrc` don't use the `.jsonc` extension but still allow comments and trailing commas. While others, such as `.eslintrc.json`, only allow comments. Biome is able to identify these files and adjusts the `json.parser.allowTrailingCommas` option accordingly to ensure they are correctly parsed. Contributed by @Sec-ant
Fix dedent logic inconsistent with prettier where the indent-style is space and the indent-width is not 2. Contributed by @mdm317
Add a command to migrate from ESLint
`biome migrate eslint` allows you to migrate an ESLint configuration to Biome.
The command supports legacy ESLint configurations and new flat ESLint configurations.
Legacy ESLint configurations using the YAML format are not supported.
When loading a legacy ESLint configuration, Biome resolves the `extends` field.
It resolves both shared configurations and plugin presets!
To do this, it invokes Node.js.
Biome relies on the metadata of its rules to determine the equivalent rule of an ESLint rule.
A Biome rule is either inspired by or roughly identical to an ESLint rule.
By default, inspired and nursery rules are excluded from the migration.
You can use the CLI flags `--include-inspired` and `--include-nursery` to migrate them as well.
Note that this is a best-effort approach. You are not guaranteed to get the same behavior as ESLint.
Given the following ESLint configuration:
```json
{
  "ignore_patterns": ["**/*.test.js"],
  "globals": { "var2": "readonly" },
  "rules": {
    "eqeqeq": "error"
  },
  "overrides": [{
    "files": ["lib/*.js"],
    "rules": {
      "default-param-last": "off"
    }
  }]
}
```
`biome migrate eslint --write` changes the Biome configuration as follows:
```json
{
  "linter": {
    "rules": {
      "recommended": false,
      "suspicious": {
        "noDoubleEquals": "error"
      }
    }
  },
  "javascript": { "globals": ["var2"] },
  "overrides": [{
    "include": ["lib/*.js"],
    "linter": {
      "rules": {
        "style": {
          "useDefaultParameterLast": "off"
        }
      }
    }
  }]
}
```
Also, if the working directory contains `.eslintignore`, then Biome migrates the glob patterns.
Nested `.eslintignore` in subdirectories and negated glob patterns are not supported.
If you find any issue, please don't hesitate to report them.
Contributed by @Conaclos
Added two new options to customise the emitted output of the CLI: `--reporter=json` and `--reporter=json-pretty`. With `--reporter=json`, the diagnostics and the summary will be printed in the terminal in JSON format. With `--reporter=json-pretty`, you can print the same information, but formatted using the same options of your configuration.
NOTE: the shape of the JSON is considered experimental and might change in the future.
<details>
<summary>Example of output when running `biome format` command</summary>

```json
{
  "summary": {
    "changed": 0,
    "unchanged": 1,
    "errors": 1,
    "warnings": 0,
    "skipped": 0,
    "suggestedFixesSkipped": 0,
    "diagnosticsNotPrinted": 0
  },
  "diagnostics": [
    {
      "category": "format",
      "severity": "error",
      "description": "Formatter would have printed the following content:",
      "message": [
        {
          "elements": [],
          "content": "Formatter would have printed the following content:"
        }
      ],
      "advices": {
        "advices": [
          {
            "diff": {
              "dictionary": " statement();\n",
              "ops": [
                { "diffOp": { "delete": { "range": [0, 2] } } },
                { "diffOp": { "equal": { "range": [2, 12] } } },
                { "diffOp": { "delete": { "range": [0, 2] } } },
                { "diffOp": { "equal": { "range": [12, 13] } } },
                { "diffOp": { "delete": { "range": [0, 2] } } },
                { "diffOp": { "insert": { "range": [13, 15] } } }
              ]
            }
          }
        ]
      },
      "verboseAdvices": { "advices": [] },
      "location": {
        "path": { "file": "format.js" },
        "span": null,
        "sourceCode": null
      },
      "tags": [],
      "source": null
    }
  ],
  "command": "format"
}
```

</details>
Added new `--staged` flag to the `check`, `format` and `lint` subcommands.
This new option allows users to apply the command only to the files that are staged (the ones that will be committed), which can be very useful to simplify writing git hook scripts such as `pre-commit`. Contributed by @castarco
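A sketch of how a CI job or git hook could consume the `--reporter=json` output described above. This is an added example, not Biome's own code: `gateOnReport` and `gateOnText` are hypothetical helper names, the input is a trimmed copy of the sample report on this page, and because the shape is experimental the gate treats anything it does not recognise as a failure.

```javascript
// Added example, not Biome's own code. Field names follow the sample report on
// this page; Biome marks that shape as experimental, so the gate fails closed.

// Constructed input: a trimmed copy of the sample `biome format` report.
const sampleReport = {
  summary: { changed: 0, unchanged: 1, errors: 1, warnings: 0, skipped: 0,
    suggestedFixesSkipped: 0, diagnosticsNotPrinted: 0 },
  diagnostics: [{
    category: "format",
    severity: "error",
    description: "Formatter would have printed the following content:",
    location: { path: { file: "format.js" }, span: null, sourceCode: null },
  }],
  command: "format",
};

// Hypothetical helper: decide whether a CI job or git hook should pass.
function gateOnReport(report, maxWarnings = 0) {
  const summary = report && report.summary;
  const shapeOk = summary && Array.isArray(report.diagnostics) &&
    Number.isInteger(summary.errors) && Number.isInteger(summary.warnings);
  if (!shapeOk) {
    // An unknown shape must not be read as "zero errors".
    return { pass: false, reason: "unrecognised report shape", byFile: {} };
  }
  // Group diagnostics per file so the failure message names what to fix.
  const byFile = {};
  for (const d of report.diagnostics) {
    const file = d?.location?.path?.file ?? "<no file>";
    (byFile[file] ??= []).push(`${d?.severity}:${d?.category}`);
  }
  if (summary.errors > 0) {
    return { pass: false, reason: `${summary.errors} error(s)`, byFile };
  }
  if (summary.warnings > maxWarnings) {
    return { pass: false, reason: `${summary.warnings} warning(s)`, byFile };
  }
  return { pass: true, reason: "clean", byFile };
}

// Accepts the raw text printed by the CLI; invalid JSON also fails closed.
function gateOnText(text, maxWarnings = 0) {
  try {
    return gateOnReport(JSON.parse(text), maxWarnings);
  } catch {
    return { pass: false, reason: "output is not valid JSON", byFile: {} };
  }
}
```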
Improve support of `.prettierignore` when migrating from Prettier
Now, Biome translates most of the glob patterns in `.prettierignore` to the equivalent Biome ignore pattern.
Only negated glob patterns are not supported.
Contributed by @Conaclos
Support JavaScript configuration files when migrating from Prettier
`biome migrate prettier` is now able to migrate Prettier configuration files ending with `js`, `mjs`, or `cjs` extensions.
To do this, Biome invokes Node.js.
Also, embedded Prettier configurations in `package.json` are now supported.
Contributed by @Conaclos
Support `overrides` field in Prettier configuration files when migrating from Prettier.
Contributed by @Conaclos
Support passing a file path to the `--config-path` flag or the `BIOME_CONFIG_PATH` environment variable.
Now you can pass a `.json`/`.jsonc` file path with any filename to the `--config-path` flag or the `BIOME_CONFIG_PATH` environment variable. This will disable the configuration auto-resolution and Biome will try to read the configuration from the said file path (#2265).
```shell
biome format --config-path=../biome.json ./src
```
Contributed by @Sec-ant
Biome now tags the diagnostics emitted by `organizeImports` and `formatter` with correct severity levels, so they will be properly filtered by the flag `--diagnostic-level` (#2288). Contributed by @Sec-ant
Biome now correctly filters out files that are not present in the current directory when using the `--changed` flag #1996. Contributed by @castarco
Biome now skips traversing `fifo` or `socket` files (#2311). Contributed by @Sec-ant
Biome now resolves configuration files exported from external libraries in `extends` from the working directory (CLI) or project root (LSP). This is the documented behavior, and the previous resolution behavior is considered a bug (#2231). Contributed by @Sec-ant
Now setting group level `all` to `false` can disable recommended rules from that group when top level `recommended` is `true` or unset. Contributed by @Sec-ant
Biome configuration files can now correctly extend `.jsonc` configuration files (#2279). Contributed by @Sec-ant
Fixed the JSON schema for React hooks configuration (#2396). Contributed by @arendjr
Biome now displays the location of a parsing error for its configuration file (#1627).
Previously, when Biome encountered a parsing error in its configuration file, it didn't indicate the location of the error. It now displays the name of the configuration file and the range where the error occurred.
Contributed by @Conaclos
`options` is no longer required for rules without any options (#2313).
Previously, the JSON schema required setting `options` to `null` when an object is used to set the diagnostic level of a rule without any option.
However, if `options` is set to `null`, Biome emits an error.
The schema is now fixed and it no longer requires specifying `options`.
This makes the following configuration valid:
```json
{
  "linter": {
    "rules": {
      "style": {
        "noDefaultExport": {
          "level": "off"
        }
      }
    }
  }
}
```
Contributed by @Conaclos
`javascript` language identifier. This is an ad hoc fix, because in the React world, `.js` files are allowed to include JSX syntax, and these files are often associated with the `javascript` language identifier in most of the editors. Plus, some editor extensions will also associate `.jsx` files with the `javascript` language identifier. Relative links: discussion, #2085. Contributed by @Sec-ant
New rules are incubated in the nursery group. Once stable, we promote them to a stable group. The following rules are promoted:
Add a new option `jsxRuntime` to the `javascript` configuration. When set to `reactClassic`, the noUnusedImports and useImportType rules use this information to make exceptions for the React global that is required by the React Classic JSX transform.
This is only necessary for React users who haven't upgraded to the new JSX transform.
Contributed by @Conaclos and @arendjr
Implement #2043: The React rule `useExhaustiveDependencies` is now also compatible with Preact hooks imported from `preact/hooks` or `preact/compat`. Contributed by @arendjr
Add rule noFlatMapIdentity to disallow unnecessary callback use on `flatMap`. Contributed by @isnakode
Add rule noConstantMathMinMaxClamp, which disallows using `Math.min` and `Math.max` to clamp a value where the result itself is constant. Contributed by @mgomulak
style/useFilenamingConvention now allows prefixing a filename with `+` (#2341).
This is a convention used by Sveltekit and Vike.
Contributed by @Conaclos
style/useNamingConvention now accepts `PascalCase` for local and top-level variables.
This allows supporting local variables that hold a component or a regular class. The following code is now accepted:
```jsx
function loadComponent() {
  const Component = getComponent();
  return <Component />;
}
```
Contributed by @Conaclos
complexity/useLiteralKeys no longer reports computed properties named `__proto__` (#2430).
In JavaScript, `{["__proto__"]: null}` and `{__proto__: null}` do not have the same semantics.
The first one sets a regular property to `null`.
The second one sets the prototype of the object to `null`.
See the MDN Docs for more details.
The rule now ignores computed properties named `__proto__`.
Contributed by @Conaclos
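The difference between the two `__proto__` forms, shown as an added example that is not taken from the Biome changelog or the rule's source. The `lookup` consumer and all function names are hypothetical; the quoted-key variant is included because a non-computed string key behaves like the identifier form.

```javascript
// Added example, not from the Biome changelog or the rule's source.

// Computed key: creates an ordinary own property whose name is "__proto__".
function computedKey() {
  return { ["__proto__"]: null };
}

// Literal key (identifier or quoted string): sets the object's prototype.
function literalKey() {
  return { __proto__: null };
}
function quotedLiteralKey() {
  return { "__proto__": null };
}

// Report the observable differences between the resulting objects.
function inspect(obj) {
  return {
    nullPrototype: Object.getPrototypeOf(obj) === null,
    ownProtoKey: Object.prototype.hasOwnProperty.call(obj, "__proto__"),
    ownKeyCount: Reflect.ownKeys(obj).length,
    inheritsToString: "toString" in obj,
  };
}

// Hypothetical consumer: a lookup table that must not expose inherited names.
// With a null prototype, "constructor" is a miss; otherwise it resolves to
// the inherited Object constructor.
function lookup(table, key) {
  return key in table ? table[key] : "miss";
}
```

Rewriting the computed form to a literal key would therefore change which of these two objects the program builds, which is why the rule leaves it alone.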
Lint rules `useNodejsImportProtocol`, `useNodeAssertStrict`, `noRestrictedImports`, `noNodejsModules` will no longer check `declare module` statements. Contributed by @Sec-ant
style/useNamingConvention now accepts any case for variables from object destructuring (#2332).
The following name is now ignored:
```js
const { Strange_Style } = obj;
```
Previously, the rule renamed this variable. This led to a runtime error.
Contributed by @Conaclos
FAQs
Unknown package
The npm package @biomejs/cli-linux-arm64-musl receives a total of 134,757 weekly downloads. As such, @biomejs/cli-linux-arm64-musl popularity was classified as popular.
We found that @biomejs/cli-linux-arm64-musl demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.