@biomejs/wasm-nodejs
v1.8.2 (2024-06-20)
biome migrate
and thus choke the parser. Contributed by @Sec-ant
Reword the reporter message "No fixes needed" to "No fixes applied".
The former message is misleading when there are still errors or warnings in the files that should be taken care of manually. For example:
Checked 2 files in <TIME>. No fixes needed.
Found 2 errors.
The new message suits better in these cases.
Contributed by @Sec-ant
Don't conceal previous overrides (#3176).
Previously, each override inherited the unset configuration of the base configuration. This means that a setting made in one override could be concealed by a subsequent override that inherits the value from the base configuration.
In the following example, noDebugger was disabled for the index.js file.
{
  "linter": {
    "rules": {
      "suspicious": { "noDebugger": "off" }
    }
  },
  "overrides": [
    {
      "include": ["index.js"],
      "linter": {
        "rules": {
          "suspicious": { "noDebugger": "warn" }
        }
      }
    },
    {
      "include": ["index.js"],
      "linter": {
        "rules": {
          "suspicious": { "noDoubleEquals": "off" }
        }
      }
    }
  ]
}
The rule is now correctly enabled for the index.js file.
Contributed by @Conaclos
v1.8.0
Add nursery/noSubstr. Contributed by @chansuke
Add nursery/useConsistentCurlyBraces. Contributed by @dyc3
Add nursery/useValidAutocomplete. Contributed by @unvalley
Add nursery/noShorthandPropertyOverrides. #2958 Contributed by @neokidev
Fix [#3084] false positive by correctly recognizing parenthesized return statements. Contributed by @unvalley
useImportExtensions now suggests a correct fix for import '.' and import './.'. Contributed by @minht11
Fix a useDateNow false positive when the new Date object has arguments, as in new Date(0).getTime(). Contributed by @minht11.
The noUnmatchableAnbSelector rule is now able to catch unmatchable an+b selectors like 0n+0 or -0n+0. Contributed by @Sec-ant.
The useHookAtTopLevel rule now recognizes properties named as hooks like foo.useFoo(). Contributed by @ksnyder9801
Fix #3092, prevent warning for custom properties (--*). Contributed by @chansuke
Fix a false positive in the useLiteralKeys rule. (#3160)
This rule now ignores the following kind of computed member name:
const a = {
[`line1
line2`]: true,
};
Contributed by @Sec-ant
The noUnknownProperty rule now ignores the composes property often used in CSS modules. #3000 Contributed by @chansuke
Fix false positives of the useExhaustiveDependencies rule.
The component itself is considered stable when it is used recursively inside a hook closure defined inside of it:
import { useMemo } from "react";

function MyRecursiveComponent() {
  // MyRecursiveComponent is stable, we don't need to add it to the dependencies list.
  const children = useMemo(() => <MyRecursiveComponent />, []);
  return <div>{children}</div>;
}
Also, export default function and export default class are considered stable now because they can only appear at the top level of a module.
Contributed by @Sec-ant
Fix the missing withDefaults macro in Vue files for global variables. Contributed by @Shyam-Chen
FAQs
WebAssembly bindings to the Biome workspace API
The npm package @biomejs/wasm-nodejs receives a total of 29,643 weekly downloads. As such, @biomejs/wasm-nodejs popularity was classified as popular.
We found that @biomejs/wasm-nodejs demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.