Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@biomejs/wasm-nodejs
Advanced tools
1.6.0 (2024-03-08)
Add partial for .astro
files. Biome is able to sort imports inside the frontmatter of the Astro files. Contributed
by @ematipico
---
- import { getLocale } from "astro:i18n";
- import { Code } from "astro:components";
+ import { Code } from "astro:components";
+ import { getLocale } from "astro:i18n";
---
<div></div>
Add partial for .vue
files. Biome is able to sort imports inside the script block of Vue files. Contributed by
@nhedger
<script setup lang="ts">
- import Button from "./components/Button.vue";
- import * as vueUse from "vue-use";
+ import * as vueUse from "vue-use";
+ import Button from "./components/Button.vue";
</script/>
<template></template>
Add partial for .svelte
files. Biome is able to sort imports inside the script block of Svelte files. Contributed by
@ematipico
<script setup lang="ts">
- import Button from "./components/Button.svelte";
- import * as svelteUse from "svelte-use";
+ import * as svelteUse from "svelte-use";
+ import Button from "./components/Button.svelte";
</script/>
<div></div>
The analyzer now infers the correct quote from javascript.formatter.quoteStyle
, if set. This means that code fixes suggested by the analyzer will use the same quote of the formatter. Contributed by @ematipico
noUnusedVariables ignores unused rest spread siblings.
The following code is now valid:
const { a, ...rest } = { a: 0, b: 1 };
console.log(rest);
Contributed by @ah-yu
Fix #1931. Built-in React hooks such as
useEffect()
can now be validated by the
useExhaustiveDependendies
, even
when they're not being imported from the React library. To do so, simply configure them like
any other user-provided hooks.
Contributed by @arendjr
Implemented #1128. User-provided React hooks can now be configured to track stable results. For example:
"useExhaustiveDependencies": {
"level": "error",
"options": {
"hooks": [{
"name": "useMyState",
"stableResult": [
1
]
}]
}
}
This will allow the following to be validated:
const [myState, setMyState] = useMyState();
const toggleMyState = useCallback(() => {
setMyState(!myState);
}, [myState]); // Only `myState` needs to be specified here.
Contributed by @arendjr
Fix #1748. Now for the following case we won't provide an unsafe fix
for the noNonNullAssertion
rule:
x[y.z!];
Contributed by @ah-yu
Imports that contain the protocol :
are now sorted after the npm:
modules, and before the URL
modules.
Contributed by @ematipico
import express from "npm:express";
- import Component from "./component.js"
- import { sortBy } from "virtual:utils";
+ import { sortBy } from "virtual:utils";
+ import Component from "./component.js"
Fix #1081. The useAwait
rule does not report for await...of
.
Contributed by @unvalley
Fix #1827 by properly analyzing nested try-finally
statements. Contributed by @ah-yu
Fix #1924 Use the correct export name to sort in the import clause. Contributed by @ah-yu
Fix #1805 fix formatting arrow function which has conditional expression body Contributed by @mdm317
Fix #1781 by avoiding the retrieval of the entire static member expression for the reference if the static member expression does not start with the reference. Contributed by @ah-yu
Add a new command biome migrate prettier
. The command will read the file .prettierrc
/prettier.json
and .prettierignore
and map its configuration to Biome's one.
Due to the different nature of .prettierignore
globs and Biome's globs, it's highly advised to make sure that
those still work under Biome.
Now the file name printed in the diagnostics is clickable. If you run the CLI from your editor, you can <kbd>
Ctrl</kbd>/<kbd title="Cmd">⌘</kbd> + Click on the file name, and the editor will open said file. If row and columns
are specified e.g. file.js:32:7
, the editor will set the cursor right in that position. Contributed by @ematipico
Add an option --linter
to biome rage
. The option needs to check Biome linter configuration. Contributed by
@seitarof
Add an option --formatter
to biome rage
. The option needs to check Biome formatter configuration. Contributed by
@seitarof
The CLI now consistently reports the number of files tha were changed, out of the total files that were analysed. Contributed by @ematipico
The CLI now consistently shows the number of errors and warnings emitted. Contributed by @ematipico
Don't process files under an ignored directory.
Previously, Biome processed all files in the traversed hierarchy, even the files under an ignored directory. Now, it completely skips the content of ignored directories.
For now, directories cannot be ignored using files.include
in the configuration file.
This is a known limitation that we want to address in a future release.
For instance, if you have a project with a folder src
and a folder test
,
the following configuration doesn't completely ignore test
.
{
"files": {
"include": ["src"]
}
}
Biome will traverse test
,
however all files of the directory are correctly ignored.
This can result in file system errors,
if Biome encounters dangling symbolic links or files with higher permissions.
To avoid traversing the test
directory,
you should ignore the directory using ignore
:
{
"files": {
"include": ["src"],
"ignore": ["test"]
}
}
Fix #1508 by excluding deleted files from being processed. Contributed by @ematipico
Fix #1173. Fix the formatting of a single instruction with commented in a control flow body to ensure consistency. Contributed by @mdm317
Fix overriding of javascript.globals
. Contributed by @arendjr
Fix a bug where syntax rules weren't run when pulling the diagnostics. Now Biome will emit more parsing diagnostics, e.g.
check.js:1:17 parse/noDuplicatePrivateClassMembers ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
× Duplicate private class member "#foo"
> 1 │ class A { #foo; #foo }
│ ^^^^
Contributed by @ematipico
Fix #1774 by taking into account the option --no-errors-on-unmatched
when running the CLI using --changed
. Contributed by @antogyn
Removed a superfluous diagnostic that was printed during the linting/check phase of a file:
test.js check ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
× The file contains diagnostics that needs to be addressed.
Contributed by @ematipico
The command format
now emits parsing diagnostics if there are any, and it will terminate with a non-zero exit code. Contributed by @ematipico
Add the ability to resolve the configuration files defined inside extends
from the node_modules/
directory.
If you want to resolve a configuration file that matches the specifier @org/configs/biome
, then your package.json
file must look this:
{
"name": "@org/configs",
"exports": {
"./biome": "./biome.json"
}
}
And the biome.json
file that "imports" said configuration, will look like this:
{
"extends": "@org/configs/biome"
}
Read the documentation to better understand how it works, expectations and restrictions.
check.js:1:17 parse/noDuplicatePrivateClassMembers ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
× Duplicate private class member "#foo"
> 1 │ class A { #foo; #foo }
│ ^^^^
Contributed by @ematipicoBiome now allows to format the package.json
file. This is now the default behaviour and users can remove their
workarounds.
If you rely on other tools to format package.json
, you'll have to ignore it via configuration. Contributed by
@pattrickrice
New formatter option attributePosition
that have similar behavior as
Prettier singleAttributePerLine
#1706. Contributed by @octoshikari
Add partial for .astro
files. Biome is able to format the frontmatter of the Astro files. Contributed by @ematipico
---
- statement ( );
+ statement();
---
<div></div>
Add partial for .vue
files. Biome is able to format the script block of Vue files. Contributed by @nhedger
<script setup lang="ts">
- statement ( );
+ statement();
</script/>
<template></template>
Add partial for .svelte
files. Biome is able to format the script block of Svelte files. Contributed by @ematipico
<script setup lang="ts">
- statement ( );
+ statement();
</script/>
<div></div>
composer.json
, deno.json
, jsconfig.json
, package.json
and tsconfig.json
are no longer protected files.
This means that you can now format them.
If you want to ignore these files, you can use the files.ignore configuration:
{
"files": {
"ignore": [
"composer.json",
"jsconfig.json",
"package.json",
"tsconfig.json",
"typescript.json",
"deno.json",
"deno.jsonc"
]
}
}
The following files are still protected, and thus ignored:
composer.lock
npm-shrinkwrap.json
package-lock.json
yarn.lock
Contributed by @pattrickrice and @Conaclos
Fix #1039. Check unicode width instead of number of bytes when checking if regex expression is a simple argument.
This no longer breaks.
s(/🚀🚀/).s().s();
Contributed by @kalleep
Fix #1218, by correctly preserving empty lines in member chains. Contributed by @ah-yu
Fix #1659 and #1662, by correctly taking into account the leading comma inside the formatter options. Contributed by @ematipico
Fix #1934. Fix invalid formatting of long arrow function for AsNeeded arrow parens Contributed by @fireairforce
New rules are incubated in the nursery group. Once stable, we promote them to a stable group. The following rules are promoted:
Additionally, the following rules are now recommended:
Remove nursery/useGroupedTypeImport
. The rule style/useImportType covers the behavior of this rule.
Note that removing a nursery rule is not considered a breaking change according to our semantic versioning.
Contributed by @Conaclos
Add the rule noSkippedTests, to disallow skipped tests:
describe.skip("test", () => {});
it.skip("test", () => {});
Contributed by @ematipico
Add the rule noFocusedTests, to disallow skipped tests:
describe.only("test", () => {});
it.only("test", () => {});
Contributed by @ematipico
Add rule useSortedClasses, to sort CSS utility classes:
- <div class="px-2 foo p-4 bar" />
+ <div class="foo bar p-4 px-2" />
Contributed by @DaniGuardiola
Add rule noUndeclaredDependencies, to detect the use of
dependencies that aren't present in the package.json
.
The rule ignores imports using a protocol such as node:
, bun:
, jsr:
, https:
.
Contributed by @ematipico and @Conaclos
Add rule noNamespaceImport, to report namespace imports:
import * as foo from "foo";
Contributed by @unvalley
Add partial support for .astro
files. Biome is able to lint and fix the frontmatter of the Astro files. Contributed
by @ematipico
---
- delete a.b
+ a.b = undefined
---
<div></div>
Add partial support for .vue
files. Biome is able to lint and fix the script block of the Vue files.
<script setup lang="ts">
- delete a.b
+ a.b = undefined
<script>
<template></template>
Contributed by @nhedger
Add rule useNodeAssertStrict, which promotes the use
of node:assert/strict
over node:assert
. Contributed by @ematipico
Add rule noExportsInTest which disallows export
or modules.exports
in files
containing test. Contributed by @ah-yu
Add rule noSemicolonInJsx to detect possible wrong semicolons inside JSX elements.
const Component = () => {
return (
<div>
<div />;
</div>
);
}
Contributed by @fujiyamaorange
Add rule noBarrelFile, to report the usage of barrel file:
export * from "foo";
Contributed by @togami2864
Add rule noReExportAll that report export * from "mod"
.
Contributed by @mdm317
Add rule noExcessiveNestedTestSuites. Contributed by @vasucp1207
Add rule useJsxKeyInIterable. Contributed by @vohoanglong0107
noUselessFragments now rule not triggered for jsx attributes when the fragment child is simple text.
export function SomeComponent() {
return <div x-some-prop={<>Foo</>} />;
}
Also fixes code action when the fragment child is of type JsxExpressionChild
.
<>
<Hello leftIcon={<>{provider?.icon}</>} />
{<>{provider?.icon}</>}
<>{provider?.icon}</>
</>
Contributed by @vasucp1207
noUselessTernary now provides unsafe code fixes. Contributed by @vasucp1207
noApproximativeNumericConstant now provides unsafe code fixes and handle numbers without leading zero and numbers with digit separators.
The following numbers are now reported as approximated constants.
3.14_15; // PI
.4342; // LOG10E
Contributed by @Conaclos
noPrecisionLoss no longer reports number with extra zeros.
The following numbers are now valid.
.1230000000000000000000000;
1230000000000000000000000.0;
Contributed by @Conaclos
useNamingConvention now supports unicase letters (#1786).
unicase letters have a single case: they are neither uppercase nor lowercase. Previously, Biome reported names in unicase as invalid. It now accepts a name in unicase everywhere.
The following code is now accepted:
const 안녕하세요 = { 안녕하세요: 0 };
We still reject a name that mixes unicase characters with lowercase or uppercase characters: The following names are rejected:
const A안녕하세요 = { a안녕하세요: 0 };
Contributed by @Conaclos
useNamingConvention
and useFilenamingConvention now provides a new option requireAscii
to require identifiers to
be in ASCII.
To avoid any breaking change, this option is turned off by default. We intend to turn it on in the next major release of Biome (Biome 2.0).
Set the requireAscii
rule option to true
to require identifiers to be in ASCII.
{
"linter": {
"rules": {
"style": {
"useNamingConvention": { "options": { "requireAscii": false } }
},
"nursery": {
"useFilenamingConvention": { "options": { "requireAscii": false } }
}
}
}
}
Contributed by @Conaclos
noUnusedVariables no longer reports unused imports.
We now have a dedicated rule for reporting unused imports: noUnusedImports
Contributed by @Conaclos
Fix missing link in noStaticOnlyClass documentation. Contributed by @yndajas
noConfusingVoidType no longer reports valid use of the void type in conditional types (#1812).
The rule no longer reports the following code:
type Conditional<T> = T extends void ? Record<string, never> : T
Contributed by @lucasweng
noInvalidUseBeforeDeclaration no longer reports valid use of binding patterns (#1648).
The rule no longer reports the following code:
const { a = 0, b = a } = {};
Contributed by @Conaclos
noUnusedVariables no longer reports used binding patterns (#1652).
The rule no longer reports a
as unused the following code:
const { a = 0, b = a } = {};
export { b };
Contributed by @Conaclos
Fix #1651. noVar now ignores TsGlobalDeclaration. Contributed by @vasucp1207
Fix #1640. useEnumInitializers code action now generates valid code when last member has a comment but no comma. Contributed by @kalleep
Fix #1653. Handle a shorthand value in useForOf
to avoid the false-positive case. Contributed by @togami2864
Fix #1656. useOptionalChain code action now correctly handles logical and chains where methods with the same name are invoked with different arguments:
- tags && tags.includes('a') && tags.includes('b')
+ tags?.includes('a') && tags.includes('b')
Contributed by @lucasweng
Fix #1704. Convert /
to escaped slash \/
to avoid parsing error in
the result of autofix. Contributed by @togami2864
Fix#1697. Preserve leading trivia in autofix of suppression rules. Contributed by @togami2864
Fix #603. Trim trailing whitespace to avoid double insertion. Contributed by @togami2864
Fix #1765. Now the rule noDelete
doesn't trigger when deleting a
dataset:
delete element.dataset.prop;
Contributed by @ematipico
useNamingConvention and useFilenamingConvention now reject identifiers with consecutive delimiters.
The following name is now invalid because it includes two underscores:
export const MY__CONSTANT = 0;
Note that we still allow consecutive leading and consecutive trailing underscores.
Contributed by @Conaclos
Fix #1932 Allow redeclaration of type parameters in different declarations. Contributed by @keita-hino
Fix #1945 Allow constructor with default parameters in noUselessConstructor
Fix #1982 Change to iterate over the module item lists and ignore .d.ts files. Contributed by @togami2864
Fix #1728. Correctly parse the global declaration when the {
token
is on the line following the global
keyword.
Now the following code is correctly parsed:
declare global
{ }
declare module foo {
global
{ }
}
Contributed by @ah-yu
Fix #1730. Correctly parse delete
expressions with operands that are
not simple member expressions.
delete(a.b);
delete console.log(1);
delete(() => {});
Contributed by @printfn
FAQs
WebAssembly bindings to the Biome workspace API
The npm package @biomejs/wasm-nodejs receives a total of 29,643 weekly downloads. As such, @biomejs/wasm-nodejs popularity was classified as popular.
We found that @biomejs/wasm-nodejs demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.