github biomejs/biome @biomejs/biome@2.3.9
Biome CLI v2.3.9

2.3.9

Patch Changes

  • #8232 84c9e08 Thanks @ruidosujeira! - Added the nursery rule noScriptUrl.

    This rule disallows the use of javascript: URLs, which are considered a form of eval and can pose security risks such as XSS vulnerabilities.

    <a href="javascript:alert('XSS')">Click me</a>
  • #8341 343dc4d Thanks @arendjr! - Added the nursery rule useAwaitThenable, which enforces that await is only used on Promise values.

    Invalid

    await "value";
    
    const createValue = () => "value";
    await createValue();

    Caution

    This is a first iteration of the rule, and does not yet detect generic "thenable" values.

  • #8034 e7e0f6c Thanks @Netail! - Added the nursery rule useRegexpExec. Enforce RegExp#exec over String#match if no global flag is provided.

  • #8137 d407efb Thanks @denbezrukov! - Reduced the internal memory used by the Biome formatter.

  • #8281 30b046f Thanks @tylersayshi! - Added the rule useRequiredScripts, which enforces presence of configurable entries in the scripts section of package.json files.

  • #8290 d74c8bd Thanks @dyc3! - The HTML formatter has been updated to match Prettier 3.7's behavior for handling <iframe>'s allow attribute.

    - <iframe allow="layout-animations 'none'; unoptimized-images 'none'; oversized-images 'none'; sync-script 'none'; sync-xhr 'none'; unsized-media 'none';"></iframe>
    + <iframe
    + 	allow="
    + 		layout-animations 'none';
    + 		unoptimized-images 'none';
    + 		oversized-images 'none';
    + 		sync-script 'none';
    + 		sync-xhr 'none';
    + 		unsized-media 'none';
    + 	"
    + ></iframe>
  • #8302 d1d5014 Thanks @mlafeldt! - Fixed #8109: return statements in Astro frontmatter no longer trigger "Illegal return statement" errors when using experimentalFullSupportEnabled.

  • #8346 f3aee1a Thanks @arendjr! - Fixed #8292: Implement tracking of types of TypeScript constructor parameter properties.

    This resolves certain false negatives in noFloatingPromises and other typed
    rules.

    Example

    class AsyncClass {
      async returnsPromise() {
        return "value";
      }
    }
    
    class ShouldBeReported {
      constructor(public field: AsyncClass) {}
      //          ^^^^^^^^^^^^----------------- Parameter property declaration
    
      async shouldBeReported() {
        // `noFloatingPromises` will now report the following usage:
        this.field.returnsPromise();
      }
    }
  • #8326 153e3c6 Thanks @ematipico! - Improved the rule noBiomeFirstException. The rule can now inspect if extended configurations already contain the catch-all ** inside files.includes and, if so, the rule suggests removing ** from the user configuration.

  • #8433 397547a Thanks @dyc3! - Fixed #7920: The CSS parser, with Tailwind directives enabled, will no longer error when you use things like prefix(tw) in @import at rules.

  • #8378 cc2a62e Thanks @Bertie690! - Clarify diagnostic message for lint/style/useUnifiedTypeSignatures

    The rule's diagnostic message now clearly states that multiple similar overload signatures are hard to read & maintain, as opposed to overload signatures in general.

  • #8296 9d3ef10 Thanks @dyc3! - biome rage now shows if you have experimental HTML full support enabled.

  • #8414 09acf2a Thanks @Bertie690! - Updated the documentation & diagnostic message for lint/nursery/noProto, mentioning the reasons for its longstanding deprecation and why more modern alternatives are preferred.

    Notably, the rule clearly states that using __proto__ inside object literal definitions is still allowed, being a standard way to set the prototype of a newly created object.

  • #8445 c3df0e0 Thanks @tt-a1i! - Fix --changed and --staged flags throwing "No such file or directory" error when a file has been deleted or renamed in the working directory. The CLI now filters out files that no longer exist before processing.

  • #8459 b17d12b Thanks @ruidosujeira! - Fix #8435: resolved false positive in noUnusedVariables for generic type parameters in construct signature type members (new <T>(): T).

  • #8439 a78774b Thanks @tt-a1i! - Fixed #8011: useConsistentCurlyBraces no longer suggests removing curly braces from JSX expression children containing characters that would cause parsing issues or semantic changes when converted to plain JSX text ({, }, <, >, &).

  • #8436 a392c06 Thanks @ruidosujeira! - Fixed #8429. Formatter, linter, and assist settings now correctly inherit from global configuration when not explicitly specified in overrides.

    Before this fix, when an override specified only one feature (e.g., only linter), other features would be incorrectly disabled instead of inheriting from global settings.

    Example configuration that now works correctly:

    {
      "formatter": { "enabled": true },
      "overrides": [
        {
          "includes": ["*.vue"],
          "linter": { "enabled": false }
        }
      ]
    }

    After this fix, .vue files will have the linter disabled (as specified in the override) but the formatter enabled (inherited from global settings).

  • #8411 9f1b3b0 Thanks @rriski! - Properly handle name, type_arguments, and attributes slots for JsxOpeningElement and JsxSelfClosingElement GritQL patterns.

    The following biome search commands no longer throw errors:

    biome search 'JsxOpeningElement(name = $elem_name) where { $elem_name <: "div" }'
    biome search 'JsxSelfClosingElement(name = $elem_name) where { $elem_name <: "div" }'
  • #8441 cf37d0d Thanks @tt-a1i! - Fixed #6577: noUselessUndefined no longer reports () => undefined in arrow function expression bodies. Previously, the rule would flag this pattern and suggest replacing it with () => {}, which conflicts with the noEmptyBlockStatements rule.

  • #8444 8caa7a0 Thanks @tt-a1i! - Fix noUnknownMediaFeatureName false positive for prefers-reduced-transparency media feature. The feature name was misspelled as prefers-reduded-transparency in the keywords list.

  • #8443 c3fa5a1 Thanks @tt-a1i! - Fix useGenericFontNames false positive when a CSS variable is used as the last value in font-family or font. The rule now correctly ignores cases like font-family: "Noto Serif", var(--serif) and font: 1em Arial, var(--fallback).

  • #8281 30b046f Thanks @tylersayshi! - Fixed noDuplicateDependencies incorrectly triggering on files like _package.json.

  • #8315 c7915c4 Thanks @hirokiokada77! - Fixed #5213: The noDoneCallback rule no longer flags false positives when a method is called on a regular variable bound to identifiers such as before, after, beforeEach, and afterEach.

  • #8398 204844f Thanks @Bertie690! - The default value of the ignoreRestSiblings option for noUnusedVariables has been reverted to its prior value of true after an internal refactor accidentally changed it.

    The diagnostic message has also been tweaked for readability.

  • #8242 9694e37 Thanks @dyc3! - Fixed bugs in the HTML parser so that it will flag invalid shorthand syntaxes instead of silently accepting them. For example, <Foo : foo="5" /> is now invalid because there is a space after the :.

  • #8297 efa694c Thanks @Yonom! - Added support for negative value utilities in useSortedClasses. Negative value utilities such as -ml-2 or -top-4 are now recognized and sorted correctly alongside their positive counterparts.

    // Now detected as unsorted:
    <div class="-ml-2 p-4 -mt-1" />
    // Suggested fix:
    <div class="-mt-1 -ml-2 p-4" />
  • #8335 3710702 Thanks @dibashthapa! - Added the new nursery rule useDestructuring. This rule helps to encourage destructuring from arrays and objects.

    For example, the following code triggers because the variable name x matches the property foo.x, making it ideal for object destructuring syntax.

    var x = foo.x;
  • #8383 59b2f9a Thanks @ematipico! - Fixed #7927: noExtraNonNullAssertion incorrectly flagged separate non-null assertions on both sides of an assignment.

    The rule now correctly distinguishes between nested non-null assertions (still flagged) and separate non-null assertions on different sides of an assignment (allowed).

    Examples

    Valid (now allowed)
    arr[0]! ^= arr[1]!;
    Invalid (still flagged)
    arr[0]!! ^= arr[1];
    arr[0] ^= arr[1]!!;
  • #8401 382786b Thanks @Bertie690! - useExhaustiveDependencies now correctly validates custom hooks whose dependency arrays come before their callbacks.

    Previously, a logical error caused the rule to be unable to detect dependency arrays placed before hook callbacks, producing spurious errors and blocking further diagnostics.

    {
      "linter": {
        "rules": {
          "correctness": {
            "useExhaustiveDependencies": {
              "level": "error",
              "options": {
                "hooks": [
                  {
                    "name": "doSomething",
                    "closureIndex": 2,
                    "dependenciesIndex": 0
                  }
                ]
              }
            }
          }
        }
      }
    }

    function component() {
      let thing = 5;
      // The rule will now correctly recognize `thing` as being specified
      // instead of erroring due to "missing" dependency arrays
      doSomething([thing], "blah", () => {
        console.log(thing);
      });
    }

    The rule documentation & diagnostic messages have also been reworked for improved clarity.

  • #8365 8f36051 Thanks @JacquesLeupin! - Fixed #8360: GritQL plugins defined in child configurations with extends: "//" now work correctly.

  • #8306 8de2774 Thanks @dibashthapa! - Fixed #8288: fixed false positive errors in the noLeakedRender rule.

    The rule now ignores attributes and only shows diagnostics for JSX expressions.

    For example

    Valid:

    <Something checked={isOpen && items.length} />

    Invalid:

    const Component = () => {
      return isOpen && items.length;
    };
  • #8356 f9673fc Thanks @ematipico! - Fixed #7917, where Biome removed the styles contained in a <style lang="scss">, when experimentalFullSupportEnabled is enabled.

  • #8371 d71924e Thanks @ematipico! - Fixed #7343, where Biome failed to resolve extended configurations from parent directories using relative paths.

  • #8404 6a221f9 Thanks @fireairforce! - Fixed #7826: a class member named async no longer causes a parse error.

  • #8249 893e36c Thanks @cormacrelf! - Addressed #7538. Reduced the volume of logging from the LSP server.

    Use biome clean to remove large logs.

  • #8303 db2c65b Thanks @hirokiokada77! - Fixed #8300: noUnusedImports now detects JSDoc tags on object properties.

    import type LinkOnObjectProperty from "mod";
    
    const testLinkOnObjectProperty = {
    	/**
    	 * {@link LinkOnObjectProperty}
    	 */
    	property: 0,
    };
  • #8328 9cf2332 Thanks @Netail! - Corrected rule source reference. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

  • #8403 c96dcf2 Thanks @dyc3! - Fixed #8340: noUnknownProperty will no longer flag anything in @plugin when the parser option tailwindDirectives is enabled

  • #8284 4976d1b Thanks @denbezrukov! - Improved the performance of the Biome Formatter by enabling the internal source maps only when needed.

  • #8260 a226b28 Thanks @ho991217! - Fixed biome-vscode#817: Biome now updates documents when the textDocument/didSave notification is received.

  • #8183 b064786 Thanks @hornta! - Fixed #8179: The useConsistentArrowReturn rule now correctly handles multiline expressions in its autofix when the style option is set to "always".

    Previously, the autofix would incorrectly place a newline after the return keyword, causing unexpected behavior.

    Example:

    const foo = (l) => l.split("\n");

    Now correctly autofixes to:

    const foo = (l) => {
    -   return
    -   l.split('\n');
    +   return l.split('\n');
    }
  • #8382 7409cba Thanks @fireairforce! - Fixed #8338: Ignored the noUnknownTypeSelector check when the root selector is used under View Transition pseudo-elements.

    Example

    ::view-transition-old(root),
    ::view-transition-new(root) {
      z-index: 1;
    }
  • #7513 e039f3b Thanks @AsherDe! - Added the nursery rule noVueSetupPropsReactivityLoss.

    This new rule disallows usages that cause the reactivity of props passed to the setup function to be lost.

    Invalid code example:

    export default {
      setup({ count }) {
        // `count` is no longer reactive here.
        return () => h("div", count);
      },
    };
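
The noScriptUrl entry above flags literal javascript: URLs. The sketch below is an added example, not Biome's implementation of the rule: it shows which literals a check of this kind has to treat as javascript: once URL parsing rules are applied, plus a scheme allowlist for values only known at runtime. The helper names, the attribute list, the allowed schemes and the sample markup are assumptions made for the example.

```javascript
// Added example: isScriptUrl, findScriptUrls and safeHref are hypothetical
// helpers, not Biome's implementation of noScriptUrl.

// The WHATWG URL parser strips leading C0 controls and spaces, drops tabs and
// newlines anywhere in the input, and reads the scheme case-insensitively,
// so the literal is normalized the same way before the scheme is compared.
function isScriptUrl(value) {
  if (typeof value !== "string") return false;
  const normalized = value
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "")
    .toLowerCase();
  return normalized.startsWith("javascript:");
}

// Static scan: URL-bearing attributes whose value is a quoted literal.
const URL_ATTR = /\b(href|src|action|formaction)\s*=\s*(["'])([\s\S]*?)\2/gi;

function findScriptUrls(markup) {
  const hits = [];
  for (const m of markup.matchAll(URL_ATTR)) {
    if (isScriptUrl(m[3])) {
      hits.push({ attribute: m[1].toLowerCase(), index: m.index });
    }
  }
  return hits;
}

// A linter only sees literals. For runtime values, let the URL parser resolve
// the scheme and accept only an allowlist (assumed set for this example).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function safeHref(value, base = "https://example.invalid/") {
  try {
    return ALLOWED_SCHEMES.has(new URL(value, base).protocol) ? value : "#";
  } catch {
    return "#"; // unparsable input is rejected rather than passed through
  }
}

// Constructed sample input.
const SAMPLE = [
  `<a href="javascript:alert('XSS')">Click me</a>`,
  `<a href="  JavaScript:void(0)">padded, mixed case</a>`,
  `<a href="/docs/javascript:intro">path segment, not a scheme</a>`,
  `<form action='java\tscript:void(0)'></form>`,
].join("\n");

console.log(findScriptUrls(SAMPLE).map((h) => h.attribute));
```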

What's Changed

  • fix(lsp): do not log full file contents twice on every keystroke by @cormacrelf in #8249
  • docs: be more specific with changeset guidelines by @dyc3 in #8282
  • fix: reload file from disk on save to fix stale diagnostics by @ho991217 in #8260
  • feat(js_analyze): implement useRegexpExec by @Netail in #8034
  • feat(cli): show html full support configuration in biome rage output by @dyc3 in #8296
  • ci: bundle WASM manually by @ematipico in #8271
  • feat(analyse/json): add useRequiredScripts rule by @tylersayshi in #8281
  • fix(noUnusedImports): detect JSDoc tags on object properties by @hirokiokada77 in #8303
  • fix(js_parser): allow return statements in Astro frontmatter by @mlafeldt in #8302
  • feat(useSortedClasses): add support for negative value utilities by @Yonom in #8297
  • fix(lint): fixed the issue with false positive errors for noLeakedRender rule by @dibashthapa in #8306
  • chore(deps): update github-actions by @renovate[bot] in #8319
  • chore(deps): update dependency @changesets/changelog-github to v0.5.2 by @renovate[bot] in #8320
  • chore(deps): update dependency @changesets/cli to v2.29.8 by @renovate[bot] in #8322
  • docs: node protocol rule reference by @Netail in #8328
  • feat(lint): implement vue/noSetupPropsReactivityLoss by @AsherDe in #7513
  • fix(lint): improve noBiomeFirstException by @ematipico in #8326
  • fix(noDoneCallback): avoid false positives on non-hook identifiers by @hirokiokada77 in #8315
  • feat(linter): implement useAwaitThenable by @arendjr in #8341
  • chore: move depot to platinum sponsor by @ematipico in #8337
  • fix(core): implement constructor parameter property tracking by @arendjr in #8346
  • refactor(core): document services by @ematipico in #8327
  • refactor(core): use boxcar by @ematipico in #8352
  • fix(html/formatter): style tag with lang by @ematipico in #8356
  • feat(format/html): handle iframe allow special formatting by @dyc3 in #8290
  • chore: sync html prettier tests by @dyc3 in #8291
  • feat(lint): implement useDestructuring by @dibashthapa in #8335
  • refactor(formatter): add printer option to disable source-map generation by @denbezrukov in #8284
  • refactor(formatter): reduce best fitting allocations by @denbezrukov in #8137
  • fix: resolve plugin paths relative to config file when using extends by @JacquesLeupin in #8365
  • fix(cli): resolve configs from parent paths by @ematipico in #8371
  • fix(lint): update rule diagnostic message for useUnifiedTypeSignature by @Bertie690 in #8378
  • feat: implement noScriptUrl rule by @ruidosujeira in #8232
  • fix(lint): don't flag separate non-null assertions on assignment sides by @ematipico in #8383
  • fix(parse/html/vue): emit diagnostics for invalid vue shorthand syntaxes by @dyc3 in #8242
  • chore(deps): update github-actions by @renovate[bot] in #8384
  • chore(deps): update rust crate libc to 0.2.178 by @renovate[bot] in #8385
  • fix(noUnknownTypeSelectors): allow root when under ViewTransitions pseudo elements by @fireairforce in #8382
  • fix(deps): update @biomejs packages by @renovate[bot] in #8386
  • fix(deps): update dependency prettier to v3.7.4 by @renovate[bot] in #8387
  • fix(core): document services by @ematipico in #8394
  • ci: attest build provenance for CLI binaries by @siketyan in #8379
  • chore(deps): update rust crate tower-lsp-server to 0.23.0 by @renovate[bot] in #8392
  • fix(parser): allow async as class member name by @fireairforce in #8404
  • fix(noUnknownProperty): don't flag anything in @plugin by @dyc3 in #8403
  • fix(grit): correct JSX element slot indices for GritQL patterns by @rriski in #8411
  • chore: speed up build of dev profile by @ematipico in #8432
  • feat(lint): update docs & diagnostic for lint/nursery/noProto by @Bertie690 in #8414
  • fix: improve rustdoc for IndentStyle by @GameRoMan in #8425
  • fix(lint): remove useExhaustiveDependencies spurious errors on dependency-first custom hooks; improve docs by @Bertie690 in #8401
  • fix: fix typo in changeset by @Bertie690 in #8438
  • fix(linter): prevent useConsistentCurlyBraces from suggesting invalid JSX text conversion by @tt-a1i in #8439
  • fix(config): inherit enabled state from global config in overrides by @ruidosujeira in #8436
  • fix(linter): allow () => undefined in noUselessUndefined by @tt-a1i in #8441
  • fix(noUnknownMediaFeatureName): fix typo in prefers-reduced-transparency by @tt-a1i in #8444
  • fix(useGenericFontNames): handle CSS variable as last font-family value by @tt-a1i in #8443
  • fix(cli): skip deleted files in --changed and --staged by @tt-a1i in #8445
  • fix(lint): update default value of ignoreRestSiblings for noUnusedVariables by @Bertie690 in #8398
  • fix(lint): correct multiline autofix in useConsistentArrowReturn by @hornta in #8183
  • chore: tweak changeset by @dyc3 in #8452
  • chore(deps): update github-actions by @renovate[bot] in #8455
  • chore(deps): update dependency @types/node to v24.10.3 by @renovate[bot] in #8458
  • chore(deps): update rust:1.91.1-bookworm docker digest to c1e5f19 by @renovate[bot] in #8456
  • chore(deps): update rust:1.91.1-bullseye docker digest to f02c249 by @renovate[bot] in #8457
  • chore(deps): update rust crate camino to 1.2.2 by @renovate[bot] in #8460
  • fix(deps): update @biomejs packages by @renovate[bot] in #8461
  • fix(semantic): track scope for TS construct signature type parameters by @ruidosujeira in #8459
  • fix(parse/css): skip tailwind syntax in @import by @dyc3 in #8433
  • ci: fix wasm artifact names for release workflow by @dyc3 in #8468
  • ci: fix wasm artifacts again by @dyc3 in #8470
  • ci: release by @github-actions[bot] in #8469

New Contributors

Full Changelog: https://github.com/biomejs/biome/compare/@biomejs/biome@2.3.8...@biomejs/biome@2.3.9
