fix(deps): update all dependencies #20
Note: Reviews paused
It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the
📝 Walkthrough
Bump CI action versions, pin pnpm to 11.1.2 in root and app, and update Changesets plus many app dependencies/devDependencies (Effect stack, TypeScript tooling, linting, testing, and build tools).
Changes: Toolchain and dependency upgrades
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/actions/setup/action.yml:
- Line 13: The workflow currently uses a mutable tag "pnpm/action-setup@v6";
replace that with an immutable full commit SHA (40-hex) for pnpm/action-setup to
pin the action (e.g., "pnpm/action-setup@<full-commit-sha>"). Locate the "uses:
pnpm/action-setup@v6" entry in the action.yml and update it to the exact commit
SHA from the pnpm/action-setup repository, verify the SHA is full-length (40
characters) and that the workflow still runs correctly after the change.
In @.github/workflows/checking-dependencies.yml:
- Line 15: Replace the mutable tag reference "uses: pnpm/action-setup@v6" with
an immutable pin to the full commit SHA for the pnpm/action-setup action (e.g.,
"uses: pnpm/action-setup@<full-commit-sha>"); locate the occurrences of
"pnpm/action-setup@v6" in the workflow and update them to the corresponding
release commit SHA from the action's repository, then verify the workflow runs
successfully.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 4cd2e52a-a23f-4849-8bc7-20b25e799703
⛔ Files ignored due to path filters (1)
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (5)
- .github/actions/setup/action.yml
- .github/workflows/checking-dependencies.yml
- .github/workflows/snapshot.yml
- package.json
- packages/app/package.json
| steps: | ||
| - name: Install pnpm | ||
| uses: pnpm/action-setup@v3 | ||
| uses: pnpm/action-setup@v6 |
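Review bot: the `Install pnpm` step jumps three major versions of the action in a single line (`@v3` to `@v6`) and the hunk shows no other change to the step, so check the action's release notes between those majors for changed inputs or defaults before merging. Since the line is being edited anyway, write the new reference as a full commit SHA with the version in a trailing comment, so the code that was reviewed is the code that runs.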
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify mutable action refs under .github (tag-based refs like `@v1`/`@v6`).
# Expected: no matches after SHA pinning.
rg -n --iglob '*.yml' --iglob '*.yaml' 'uses:\s*[^@[:space:]]+@v[0-9]+(\.[0-9]+){0,2}\b' .github
Repository: ProverCoderAI/openapi-effect
Length of output: 1009
Pin pnpm/action-setup to an immutable commit SHA.
Line 13 uses a mutable tag (@v6). Please pin to a full-length commit SHA to reduce supply-chain risk and avoid policy breaks in hardened org settings.
🔒 Suggested change
- uses: pnpm/action-setup@v6
+ uses: pnpm/action-setup@<full-length-commit-sha> # v6.x
Reference: https://docs.github.com/actions/security-guides/security-hardening-for-github-actions
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/actions/setup/action.yml at line 13, The workflow currently uses a
mutable tag "pnpm/action-setup@v6"; replace that with an immutable full commit
SHA (40-hex) for pnpm/action-setup to pin the action (e.g.,
"pnpm/action-setup@<full-commit-sha>"). Locate the "uses: pnpm/action-setup@v6"
entry in the action.yml and update it to the exact commit SHA from the
pnpm/action-setup repository, verify the SHA is full-length (40 characters) and
that the workflow still runs correctly after the change.
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: pnpm/action-setup@v4 | ||
| - uses: pnpm/action-setup@v6 |
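Review bot: the unchanged context line `- uses: actions/checkout@v6` directly above the edited step is also a tag reference, so pinning only `pnpm/action-setup` would still leave this job running one action from a movable ref. Pin both lines to full commit SHAs in the same change, keeping each version as a trailing comment.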
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify mutable action refs under .github (tag-based refs like `@v1`/`@v6`).
# Expected: no matches after SHA pinning.
rg -n --iglob '*.yml' --iglob '*.yaml' 'uses:\s*[^@[:space:]]+@v[0-9]+(\.[0-9]+){0,2}\b' .github
Repository: ProverCoderAI/openapi-effect
Length of output: 1009
Pin pnpm/action-setup to a commit SHA instead of a mutable tag.
Line 15 uses @v6, which is a mutable tag reference. Per GitHub's security hardening guidelines, action references should be pinned to full commit SHAs to ensure immutability and prevent unintended updates from tag rewrites.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/checking-dependencies.yml at line 15, Replace the mutable
tag reference "uses: pnpm/action-setup@v6" with an immutable pin to the full
commit SHA for the pnpm/action-setup action (e.g., "uses:
pnpm/action-setup@<full-commit-sha>"); locate the occurrences of
"pnpm/action-setup@v6" in the workflow and update them to the corresponding
release commit SHA from the action's repository, then verify the workflow runs
successfully.
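The check the two comments above ask for, generalized into an added example (not code from this PR, from CodeRabbit or from the repository): where the `rg` pattern matches only `@v<N>` tags, this flags every remote `uses:` reference whose ref is not a full 40-hex commit SHA, and every `docker://` image without a sha256 digest. The sample workflow and the SHA in it are constructed.

```python
"""Flag `uses:` references in workflow YAML that are not pinned immutably."""
import re
import sys
from pathlib import Path
from typing import NamedTuple

# Value of a `uses:` key on a step or job line. A commented-out line starts
# with `#`, so it never matches.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
DOCKER_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


class Finding(NamedTuple):
    path: str
    line: int
    target: str  # action (owner/repo[/path]) or docker:// image
    ref: str     # text after "@"; empty for docker images
    reason: str


def scan_workflow(path: str, text: str) -> list:
    """Return one Finding per `uses:` line that can change without a commit here."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        value = match.group(1)
        if value.startswith("./"):
            continue  # local action: versioned together with this repository
        if value.startswith("docker://"):
            if not DOCKER_DIGEST_RE.search(value):
                findings.append(
                    Finding(path, lineno, value, "", "image not pinned by sha256 digest"))
            continue
        target, _, ref = value.partition("@")
        if not FULL_SHA_RE.fullmatch(ref):
            # Tags (v6), branches (main) and abbreviated SHAs all land here.
            findings.append(
                Finding(path, lineno, target, ref, "ref is not a full 40-hex commit SHA"))
    return findings


def scan_tree(root: str) -> list:
    """Scan every .yml/.yaml file below root (for example `.github`)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in {".yml", ".yaml"}:
            findings.extend(scan_workflow(str(path), path.read_text(encoding="utf-8")))
    return findings


# Constructed sample: the two tag refs quoted in the review, plus a pinned
# form with a made-up SHA, a local action, a docker image and a commented line.
SAMPLE = """\
steps:
  - uses: actions/checkout@v6
  - uses: pnpm/action-setup@v6
  - name: Install pnpm
    uses: pnpm/action-setup@0123456789abcdef0123456789abcdef01234567 # v6.x (constructed SHA)
  - uses: ./.github/actions/setup
  - uses: docker://alpine:3.20
  # - uses: old/action@v1
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else ".github"
    results = scan_tree(root)
    for f in results:
        shown = f.target + ("@" + f.ref if f.ref else "")
        print(f"{f.path}:{f.line}: {shown} ({f.reason})")
    sys.exit(1 if results else 0)
```

Run as a CI step, the non-zero exit status fails the job while any unpinned reference remains.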
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 6: The package.json currently sets "packageManager": "pnpm@11.1.2" but
pnpm v11 requires config and environment changes; run the recommended codemod
(pnpx codemod run pnpm-v10-to-v11) and then: move any settings under the
package.json "pnpm" field into pnpm-workspace.yaml, strip .npmrc to only
auth/registry entries, update .nvmrc and CI to Node.js 22+ to match pnpm v11,
rename any environment variables from npm_config_* to pnpm_config_ and manually
review remaining envs, and rename or invoke scripts named
clean/setup/deploy/rebuild using pnpm pm to avoid shadowing built-ins.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 78ded05a-1811-4eac-8349-84f29cb8618e
⛔ Files ignored due to path filters (1)
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (5)
- .github/actions/setup/action.yml
- .github/workflows/checking-dependencies.yml
- .github/workflows/snapshot.yml
- package.json
- packages/app/package.json
🚧 Files skipped from review as they are similar to previous changes (4)
- .github/actions/setup/action.yml
- .github/workflows/checking-dependencies.yml
- .github/workflows/snapshot.yml
- packages/app/package.json
| "private": true, | ||
| "description": "Monorepo workspace for effect-template", | ||
| "packageManager": "pnpm@10.30.1", | ||
| "packageManager": "pnpm@11.1.2", |
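Review bot: the new `"packageManager": "pnpm@11.1.2"` value carries only a version, with no integrity hash. Corepack accepts a `+sha512.<hash>` suffix on this field, which ties the package manager that gets downloaded to one known artifact; consider adding it here. Because this line also crosses a major version (from `pnpm@10.30.1`) inside a PR titled "update all dependencies", splitting the pnpm bump into its own PR would make any CI failure easier to attribute.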
🧩 Analysis chain
🌐 Web query:
pnpm 11 breaking changes and migration guide
💡 Result:
pnpm 11 is a major release that introduces significant breaking changes, security-first defaults, and architectural improvements [1]. The official migration guide is available at https://pnpm.io/11.x/migration [2].
Key Breaking Changes and Migration Steps
Configuration Changes
pnpm 11 significantly changes how configuration is handled [3][1]:
- Configuration is no longer read from the pnpm field in package.json; move these settings to pnpm-workspace.yaml [3][2].
- .npmrc files are now restricted to auth and registry settings only [3][1]. All other settings (e.g., hoist-pattern, node-linker) must be moved to pnpm-workspace.yaml using camelCase keys [3][2].
- npm_config_* environment variables are no longer supported; rename them to pnpm_config_* [3][1].
- pnpm no longer reads npm's global config at $PREFIX/etc/npmrc [1].
Dependency and Script Management
- Build-dependency settings (onlyBuiltDependencies, neverBuiltDependencies, etc.) are consolidated into a single allowBuilds map in pnpm-workspace.yaml [3][1].
- Package manager strictness settings are collapsed into a single pmOnFail setting [3][2].
- Script names now shadow built-in commands [3]. If you have scripts named clean, setup, deploy, or rebuild, pnpm will execute your script instead of the built-in command; use pnpm pm to access the built-in version [3].
- pnpm install -g (with no arguments) is no longer supported; use pnpm add -g instead [3][1].
Environment and Infrastructure
- Node.js 18, 19, 20, and 21 are no longer supported; Node.js 22+ is required [1].
- pnpm is now distributed as pure ESM [1].
- Global installs are now isolated using a global-virtual-store, preventing interference between global packages [1].
Security and New Features
- Minimum Release Age: By default, pnpm 11 blocks the installation of package versions published within the last 24 hours to mitigate supply chain attacks [4][5][6].
- Exotic Subdependencies: pnpm 11 blocks dependencies resolved from non-standard sources (e.g., Git repositories or direct tarball URLs) by default [4][6].
- Native Publish: The npm CLI fallback for publishing has been removed in favor of a native implementation [1].
- Store Index: The store index has been migrated from a JSON-per-package format to a single SQLite database for improved performance [1][5].
Migration Tooling
The pnpm team provides a codemod to automate many of these changes [2]. You can run it in your project directory:
pnpx codemod run pnpm-v10-to-v11 [2]
For changes that cannot be automated, such as environment variable updates, manual review is required [3][2].
Citations:
- 1: https://pnpm.io/blog/releases/11.0
- 2: https://pnpm.io/11.x/migration
- 3: https://pnpm.io/migration
- 4: https://gbhackers.com/pnpm-11-enables-default-release-age-guard/
- 5: https://cyberpress.org/pnpm-blocks-supply-attacks/
- 6: https://undercodenews.com/pnpm-11-reinvents-javascript-security-a-new-era-for-dependency-protection/
🌐 Web query:
pnpm 11.1.2 release notes and security advisories
💡 Result:
As of May 17, 2026, pnpm version 11.1.2 is the latest release [1].
Release Notes for pnpm 11.1.2
Specific release notes for version 11.1.2 were not explicitly detailed in the provided search results, as it is a very recent patch release [1]. However, it follows the major 11.1.0 and 11.1.1 releases, which introduced several significant features and fixes [2][3][4]:
- New Commands: Added pnpm audit signatures (to verify ECDSA registry signatures), pnpm bugs (to open package bug trackers), and pnpm owner (to manage package owners) [3][4].
- Named Registries: Added support for installing packages from arbitrary named registries, including a built-in gh: prefix for the GitHub Packages npm registry [3][4].
- CI Improvements: Introduced the --no-runtime flag (config: runtime=false) to skip installing runtime entries (e.g., Node.js) in CI environments [3][4].
- Fixes: Version 11.1.1 included fixes for installability validation in workspace projects, resolved issues with pnpm add for named registries, and updated @zkochan/cmd-shim to improve compatibility with Git Bash on Windows [2].
Security Advisories
There are no specific security advisories listed for version 11.1.2. Users should monitor the official pnpm GitHub Security Advisories page for any future disclosures [5]. Recent security-related updates in the pnpm 11 series include:
- Minimum Release Age: pnpm 11 introduced a default Minimum Release Age of 24 hours (1440 minutes), which prevents the installation of newly published package versions to mitigate supply chain attacks [6][7][8].
- Enhanced Auditing: pnpm audit now queries the registry's bulk security advisories endpoint and filters by GitHub Advisory ID (GHSA) rather than CVE identifiers [9].
- Security Hardening: pnpm 11 requires Node.js 22+ and is distributed as pure ESM [10][11]. It also includes improved control over lifecycle scripts via the allowBuilds model [7][8].
For the most up-to-date information, always check the official pnpm releases page on GitHub and the security advisories section [12][5].
Citations:
- 1: https://www.npmjs.com/package/pnpm?activeTab=versions
- 2: https://github.com/pnpm/pnpm/releases/tag/v11.1.1
- 3: https://pnpm.io/blog/releases/11.1
- 4: https://newreleases.io/project/npm/pnpm/release/11.1.0
- 5: https://github.com/pnpm/pnpm/security/advisories
- 6: https://gbhackers.com/pnpm-11-enables-default-release-age-guard/
- 7: https://undercodenews.com/pnpm-11-reinvents-javascript-security-a-new-era-for-dependency-protection/
- 8: https://pnpm.io/supply-chain-security
- 9: https://pnpm.io/cli/audit
- 10: https://github.com/pnpm/pnpm/releases/tag/v11.0.0
- 11: https://pnpm.io/blog/releases/11.0
- 12: https://github.com/pnpm/pnpm/releases
Review pnpm 11 migration requirements before merging.
This major version upgrade introduces breaking changes that require configuration updates and environment adjustments:
- Configuration files: Settings in `package.json`'s `pnpm` field must move to `pnpm-workspace.yaml`. Update `.npmrc` to contain only auth and registry settings.
- Node.js requirement: pnpm 11 requires Node.js 22+. Verify your project's `.nvmrc` and CI configuration specify a compatible version.
- Environment variables: Any `npm_config_*` variables must be renamed to `pnpm_config_*`.
- Script behavior: Scripts named `clean`, `setup`, `deploy`, or `rebuild` now shadow built-in commands; use `pnpm pm` to access built-in versions.
Run the migration codemod to automate configuration changes:
pnpx codemod run pnpm-v10-to-v11
Refer to https://pnpm.io/11.x/migration for the complete migration guide. Manual review is needed for environment variable updates that the codemod cannot automate.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` at line 6, The package.json currently sets "packageManager":
"pnpm@11.1.2" but pnpm v11 requires config and environment changes; run the
recommended codemod (pnpx codemod run pnpm-v10-to-v11) and then: move any
settings under the package.json "pnpm" field into pnpm-workspace.yaml, strip
.npmrc to only auth/registry entries, update .nvmrc and CI to Node.js 22+ to
match pnpm v11, rename any environment variables from npm_config_* to
pnpm_config_ and manually review remaining envs, and rename or invoke scripts
named clean/setup/deploy/rebuild using pnpm pm to avoid shadowing built-ins.
We need to merge the main branch into this one and fix all the CI/CD errors so that the code uses up-to-date libraries.
🤖 AI Work Session Started Starting automated work session at 2026-06-19T19:17:51.406Z The PR has been converted to draft mode while work is in progress. This comment marks the beginning of an AI work session. Please wait for the session to finish, and provide your feedback. |
Update: the CI/CD fix is implemented and verified, but I cannot push it directly to this PR head branch. Blocker:
Prepared fix:
What the fix covers:
Verification:
Needed human action: either grant/push access to |
🤖 Solution Draft LogThis log file contains the complete execution trace of the AI solution draft process. 💰 Cost estimation:
📊 Context and tokens usage:
Total: (508.9K + 13.1M cached) input tokens, 68.4K output tokens, $21.304392 cost 🤖 Models used:
📎 Log file uploaded as Repository (75696KB)Now working session is ended, feel free to review and add any feedback on the solution draft. |
🔄 Auto-restart triggered (iteration 1)Reason: CI failures detected Starting new session to address the issues. Auto-restart-until-mergeable mode is active. This run will stop after 5 restart iterations. |
Rechecked the failing CI/CD status in this restart session. Findings:
Verification repeated locally with Node
Fork CI also has successful runs for Remaining blocker is repository permissions, not code: |
🔄 Auto-restart-until-mergeable Log (iteration 1)This log file contains the complete execution trace of the AI solution draft process. 💰 Cost estimation:
🤖 Models used:
📎 Log file uploaded as Repository (96784KB)Now working session is ended, feel free to review and add any feedback on the solution draft. |
🔄 Auto-restart triggered (iteration 2)Reason: CI failures detected Starting new session to address the issues. Auto-restart-until-mergeable mode is active. This run will stop after 5 restart iterations. |
Rechecked and updated the prepared fix in this restart session. Current prepared commit:
Root causes confirmed from upstream CI logs for old SHA
Verification on current SHA
Remaining blocker is repository permission, not code. Needed maintainer action: push/cherry-pick |
🔄 Auto-restart-until-mergeable Log (iteration 2)This log file contains the complete execution trace of the AI solution draft process. 💰 Cost estimation:
🤖 Models used:
📎 Log file uploaded as Repository (2 chunks) (116514KB)Now working session is ended, feel free to review and add any feedback on the solution draft. |
🔄 Auto-restart triggered (iteration 3)Reason: CI failures detected Starting new session to address the issues. Auto-restart-until-mergeable mode is active. This run will stop after 5 restart iterations. |
Restart iteration 3 rechecked the prepared CI fix. Current verified head:
Fresh upstream CI logs downloaded in this session confirm old-head root causes:
Verification repeated on
Push blocker remains external: Needed maintainer action: push or cherry-pick |
🔄 Auto-restart-until-mergeable Log (iteration 3)This log file contains the complete execution trace of the AI solution draft process. 💰 Cost estimation:
🤖 Models used:
📎 Log file uploaded as Repository (2 chunks) (139990KB)Now working session is ended, feel free to review and add any feedback on the solution draft. |
🔄 Auto-restart triggered (iteration 4)Reason: CI failures detected Starting new session to address the issues. Auto-restart-until-mergeable mode is active. This run will stop after 5 restart iterations. |
Restart iteration 4 rechecked the CI/CD fix. Current verified head:
Fresh upstream logs downloaded in this session confirm the old-head failures:
Verification repeated locally on
Push status:
Needed maintainer action: push or cherry-pick |
🔄 Auto-restart-until-mergeable Log (iteration 4)This log file contains the complete execution trace of the AI solution draft process. 💰 Cost estimation:
🤖 Models used:
📎 Log file uploaded as Repository (2 chunks) (154923KB)Now working session is ended, feel free to review and add any feedback on the solution draft. |
🔄 Auto-restart triggered (iteration 5)Reason: CI failures detected Starting new session to address the issues. Auto-restart-until-mergeable mode is active. This run will stop after 5 restart iterations. |
Restart iteration 5 rechecked the CI/CD failures and the prepared fix. Current verified fix:
Fresh upstream CI status:
Root causes confirmed from downloaded upstream logs:
Verification repeated locally on
Fork CI on
Push status:
Needed maintainer action: push or cherry-pick |
🔄 Auto-restart-until-mergeable Log (iteration 5)This log file contains the complete execution trace of the AI solution draft process. 💰 Cost estimation:
🤖 Models used:
📎 Log file uploaded as Repository (2 chunks) (177139KB)Now working session is ended, feel free to review and add any feedback on the solution draft. |
🤖 AI Work Session Completed Work session ended at 2026-06-19T20:58:19.771Z The PR will be converted back to ready for review. This comment marks the end of an AI work session. New comments after this time will be considered as feedback. |
This PR contains the following updates:
^2.4.4→^2.5.2^0.5.2→^0.7.0^2.29.8→^2.31.0^4.6.0→^4.7.22.0.2→2.1.03.3.3→3.3.5^24.10.13→^24.13.2^8.56.0→^8.62.1^8.56.0→^8.62.1^4.0.18→^4.1.9^1.6.9→^1.6.20v6→v7v6→v7^3.19.18→^3.21.4^10.0.1→^10.6.0^4.4.4→^4.4.5^12.1.1→^13.0.0^4.0.0→^4.1.0^63.0.0→^70.0.0^17.3.0→^17.7.0^4.0.8→^5.0.1124.13.1→24.18.010.30.1→11.9.0v4→v6v3→v6^5.9.3→^6.0.3^8.56.0→^8.62.1^7.3.1→^8.1.3^4.0.18→^4.1.9
cc @skulidropek
Release Notes
biomejs/biome (@biomejs/biome)
v2.5.2
Patch Changes
- #10595 f458028 Thanks @pkallos! - Added the option `ignoreBooleanCoercion` to useNullishCoalescing. When enabled, Biome ignores `||` and `||=` used inside a `Boolean()` call, where coalescing on falsy values is intentional.
- #10798 4a32b63 Thanks @pkallos! - Added the option `ignorePrimitives` to useNullishCoalescing. When enabled, Biome ignores `||`, `||=`, and ternary expressions whose non-nullish operands are all primitives the option opts out of. Use `true` to ignore all primitives, or an object selecting `string`, `number`, `boolean`, or `bigint`.
- #10545 f3d4c00 Thanks @Mokto! - Added the new nursery rule `noSvelteUnnecessaryStateWrap`, which reports unnecessary `$state()` wrapping of classes from `svelte/reactivity` that are already reactive.
- #10752 f62fb8b Thanks @ematipico! - Fixed #10739. Now the rule `useValidAutocomplete` correctly flags the `autoComplete` attribute.
- #10796 f1b3ab2 Thanks @ematipico! - Fixed #10768. Improved the performance of the Biome Language Server by cancelling certain in-flight operations when there are fast updates.
- #10719 aa649b5 Thanks @minseong0324! - Fixed `noMisleadingReturnType` false positive on returns that use a widening type assertion: `"a" as string` is no longer reported as misleading. The rule now also reports a literal-pinning assertion such as `false as false`, matching the existing `as const` behavior.
- #10678 8f073a7 Thanks @PranavAchar01! - Fixed #7718: Biome now correctly parses CSS nesting selectors when `&` appears as a trailing sub-selector after a type selector, e.g. `h1& { color: red; }`.
- #10756 5ec965a Thanks @denbezrukov! - Fixed CSS formatter output for selector lists with `allowWrongLineComments` and `//` comments after a selector comma. Biome now keeps the selector before the line comment inline instead of breaking it across descendant combinators.
- #10757 6232fcd Thanks @PranavAchar01! - Fixed #8269: the CSS parser now accepts Tailwind `@variant` and `@utility` names that start with a digit, such as the `2xl` breakpoint.
- #10777 575ced6 Thanks @WaterWhisperer! - Fixed an issue reported in #10708: the GitLab reporter now handles `--verbose` diagnostics filtering correctly.
- #10281 0efe244 Thanks @Zelys-DFKH! - Fixed a bug where GritQL patterns rejected positional (unkeyed) arguments.
- #10758 e36fd8a Thanks @henrybrewer00-dotcom! - Fixed #10697: The formatter no longer removes the parentheses around an `await` or `yield` expression used as the target of a TypeScript instantiation expression. For example, `(await makeFactory)<Value>` is no longer reformatted to `await makeFactory<Value>`, which would change the meaning of the code.
- #10586 3617094 Thanks @IxxyDev! - Fixed #9568: `noFloatingPromises` no longer reports a false positive when calling an overloaded function and the selected overload does not return a promise.
- #10766 7aff4c1 Thanks @JamBalaya56562! - Fixed #2862: `noInteractiveElementToNoninteractiveRole` no longer reports custom elements (a tag name containing a dash, e.g. `<my-button role="img" />`). Per the W3C HTML-ARIA specification, a custom element may be given any role or none.
- #10680 771daa4 Thanks @WaterWhisperer! - Fixed #10635: Biome now recognizes chained table tests such as `test.concurrent.each()` and `it.concurrent.each()` as test calls, fixing `noMisplacedAssertion` false positives and improving formatting for those test declarations.
- #10759 34570b5 Thanks @henrybrewer00-dotcom! - Fixed #10636: noStaticElementInteractions no longer reports a false positive for event handlers on Svelte special elements such as `<svelte:window>`, `<svelte:document>`, and `<svelte:body>`. These are not real DOM elements, so they are now ignored by the rule.
- #10741 bd2364e Thanks @JamBalaya56562! - Fixed #6686: the `rage` command now respects the `--config-path` option and the `BIOME_CONFIG_PATH` environment variable when loading the Biome configuration. Previously it always used the default configuration resolution and reported the configuration as `Not set` when no `biome.json` existed in the working directory.
- #10763 2c3e82d Thanks @Aqu1bp! - Fixed #10742: `noSolidDestructuredProps` now reports destructured props in Solid function components and JSX children.
- #10606 a4cc4ab Thanks @Mokto! - Fixed false positives in `noUnusedImports`, `noUnusedVariables`, and `useImportType` for Svelte components that use both a `<script module>` and a `<script>` block. The two blocks compile to a single module and share a top-level scope, so a binding (import, function, or variable) declared in one block and used only in the other is no longer reported as unused.
- #10767 36d5aa7 Thanks @otkrickey! - Fixed #10754: `useVueValidVBind` no longer reports the Vue 3.4+ same-name shorthand as missing a value. `:foo` and `v-bind:foo` are now accepted as equivalent to `:foo="foo"`, while `v-bind`, `v-bind:[dynamicArg]`, and `:[dynamicArg]` without a value continue to be reported.
- #10775 a918af0 Thanks @WaterWhisperer! - Fixed an issue reported in #10708: `biome rage` didn't detect running Biome daemon pipes on Windows.
- #10730 5a2e65b Thanks @dinocosta! - Fixed an issue where Biome was resolving the well-known Zed settings file from the wrong location on macOS and Windows.
- #10807 d97fffe Thanks @ematipico! - Fixed an issue where `.scss` files were incorrectly analyzed when running `biome check`.
- #10672 53c6efc Thanks @ematipico! - Fixed a bug where Biome incorrectly formatted snippets that have parsing errors.
- #10719 aa649b5 Thanks @minseong0324! - Fixed `useAwaitThenable` false positive when awaiting a custom thenable that is not the global `Promise`. A value with a callable `then` member is now recognized as awaitable.
- #10734 4396496 Thanks @BangDori! - Fixed #10708: `biome migrate` now preserves trivia when migrating the deprecated `recommended` option to `preset`.
- #10683 ae31a00 Thanks @Netail! - Fixed #10657 #10671 #10661 #10637 #10718: HTML rules now correctly handle dynamic attributes.
- #10746 54e8239 Thanks @ematipico! - Fixed an issue where `noUndeclaredClasses` didn't correctly detect styles defined inside the Astro directive `is:global`.
- #10770 dd1429c Thanks @ematipico! - Improved the Biome Language Server DX by orchestrating certain operations, so that they won't block the editor during typing. This improvement is more visible in large documents.
- #10473 d9b5133 Thanks @Mokto! - Improved `noUnusedImports`, `noUnusedVariables`, `noUnusedFunctionParameters`, and `useImportType` for Svelte, Vue, and Astro files (with `html.experimentalFullSupportEnabled`). Bindings used only in the template — including component tags, attribute interpolations, directives, `bind:` shorthand, and snippet parameters — are no longer reported as unused, while genuinely unused ones still are.
- #10796 f1b3ab2 Thanks @ematipico! - Fixed an issue where the Biome Language Server didn't enable project or type-aware lint rules, even when they were explicitly enabled.
- #10746 54e8239 Thanks @ematipico! - Fixed an issue where `noUndeclaredClasses` didn't detect styles declared inside HTML documents.
- #10774 bde945b Thanks @pattrickrice! - Fixed #10268 where a race condition resulted in internal errors such as: `The file biome.json does not exist in the workspace.`
v2.5.1
Patch Changes
- #10722 f8a303d Thanks @denbezrukov! - Fixed CSS formatter output for comments between import media queries.
- #10738 9fdc560 Thanks @JamBalaya56562! - Fixed #9899: the `json` and `json-pretty` reporters now escape backslashes in a diagnostic's `location.path`. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.
- #10626 5f837df Thanks @tom-groves! - Fixed #10625: `biome migrate` no longer emits an invalid trailing comma when a renamed rule (such as `noConsoleLog` → `noConsole`) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON `biome.json` with a parsing error.
- #10535 c245f9d Thanks @Mokto! - Fixed a false positive in `noUnusedVariables` for Svelte files where variables referenced inside `{@html expr}` blocks were incorrectly reported as unused.
- #10668 a0f197e Thanks @Netail! - The `biome init` command has been updated to include a more up-to-date URL to the first-party extensions page.
- #10667 d8c3e87 Thanks @Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.
- #10696 ef2373f Thanks @ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.
- #10705 4ccb410 Thanks @ematipico! - Fixed #10652. Biome plugins are now properly filtered when using `--only` and `--skip` flags.
- #10669 aa0a6eb Thanks @Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.
- #10689 844b1be Thanks @ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files. If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.
- #10695 043fbb5 Thanks @ematipico! - Fixed #10674. Biome now throws an error when the field `level` is missing from a rule option.
- #10712 5941df2 Thanks @Conaclos! - Improved the diagnostic and the documentation of `useFlatMap`.
- #10615 23814f1 Thanks @qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.
- #10688 ec69489 Thanks @ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.
- #10701 6c2e0d7 Thanks @ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.
- #10681 888515b Thanks @Conaclos! - Fixed `useExportType` that reported useless details in some diagnostics.
- #10220 3694a13 Thanks @theBGuy! - Fixed `useAnchorContent` false positive for `<a>` elements used as render prop values (e.g. `render={<a href="..." />}`), a pattern where the receiving component renders its children inside the anchor element.
- #10702 98823fb Thanks @ematipico! - Fixed #10612. The Biome parser now correctly parses processing instructions. The following SVG doesn't throw errors anymore:
v2.5.0
Minor Changes
#9539
f0615fdThanks @ematipico! - Added a new reporter calledconcise. When--reporter=conciseis passed the commandsformat,lint,checkandci, the diagnostics are printed in a compact manner:#9495
2056b23 Thanks @aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.
Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".
#9152
9ec8500 Thanks @ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.
#9152
9ec8500 Thanks @ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.
#9546
6567efa Thanks @nhedger! - Added a biome upgrade command for standalone installations. It upgrades Homebrew installs with brew upgrade biome, updates manually installed binaries from the latest GitHub release, and tells npm users to upgrade with their package manager instead.
#9716
701767a Thanks @faizkhairi! - Added the HTML version of the useHeadingContent rule. The rule now enforces that heading elements (h1-h6) have content accessible to screen readers in HTML, Vue, Svelte, and Astro files.
#9582
f437ef8 Thanks @rahuld109! - Added the HTML version of the useKeyWithMouseEvents rule. The rule now enforces that onmouseover is accompanied by onfocus and onmouseout is accompanied by onblur in HTML, Vue, Svelte, and Astro files.
#9275
1fdbcee Thanks @ff1451! - Added the new assist action useSortedTypeFields, which sorts the fields of GraphQL object types, interface types and input object types alphabetically, e.g. name, age, id becomes age, id, name.
#10561
78075b7 Thanks @Conaclos! - Added a new style option to useExportType, which enforces a style for exporting types. This is the same option as the one provided by useImportType.
#8987
d16e32b Thanks @DerTimonius! - Ported the useValidAnchor rule to HTML. This rule enforces that all anchors are valid and that they are navigable elements.
#9533
4d251d4 Thanks @ematipico! - The init command now prints the Biome logo.
#10069
0eb9310 Thanks @Netail! - Added the HTML lint rule noStaticElementInteractions, which enforces that static, visible elements (such as <div>) that have click handlers use the valid role attribute.
Invalid:
#9134
2a43488 Thanks @ematipico! - Added the assist action useSortedPackageJson.
This action organizes package.json fields according to the same conventions as the popular sort-package-json tool.
#9309
7daa18b Thanks @Bertie690! - The allowDoubleNegation option has been added to noImplicitCoercions to allow ignoring double negations inside code.
With the option enabled, the following example is considered valid and is ignored by the rule:
#9700
894f3fb Thanks @ematipico! - The Biome Language server now supports the "go-to definition" feature.
When the cursor of the mouse is hovering an entity (variable, CSS class, type, etc.), and the command CTRL + click is triggered, the editor jumps to where this entity is defined, if the language server can find it.
Here's what Biome is able to resolve:
#10070
bae0710 Thanks @Conaclos! - Added the :STYLE: group matcher for organizeImports that matches style imports.
For example, the following configuration...
{
  "assist": {
    "actions": {
      "source": {
        "organizeImports": {
          "level": "on",
          "options": {
            "groups": ["**", "!:STYLE:"],
            "sortBareImports": true
          }
        }
      }
    }
  }
}
...places style imports last:
#9170
e3107de Thanks @mdrobny! - Added bundleDependencies option to NoUndeclaredDependencies rule.
This rule now supports imports of packages that are defined only in bundleDependencies and bundledDependencies arrays.
#9547
01f8473 Thanks @mujpao! - Added new assist rule useSortedAttributes for HTML, porting the existing JSX rule. This rule enforces sorted HTML attributes.
Invalid
#9366
2ca1117 Thanks @dyc3! - Added the html.parser.vue configuration option. When enabled, it adds support for the parsing of Vue in .html files. Most Vue users don't need to enable this option since Vue files typically use the .vue extension, but it can be useful for projects that embed Vue syntax in regular HTML files.
#9073
74b20ee Thanks @chocky335! - Added support for applying GritQL plugin rewrites as code actions. GritQL plugins that use the rewrite operator (=>) now produce fixable diagnostics for JavaScript, CSS, and JSON files. By default, plugin rewrites are treated as unsafe fixes and require --write --unsafe to apply. Plugin authors can pass fix_kind = "safe" to register_diagnostic() to mark a fix as safe, allowing it to be applied with just --write.
Example plugin (useConsoleInfo.grit):
Running biome check --write applies safe rewrites. Unsafe rewrites (the default, or fix_kind = "unsafe") still require --write --unsafe.
#9384
f4c9edc Thanks @Conaclos! - Added the sortBareImports option to organizeImports, which allows bare imports to be sorted within other imports when set to false.
{
  "assist": {
    "actions": {
      "source": {
        "organizeImports": {
          "level": "on",
          "options": {
            "sortBareImports": true
          }
        }
      }
    }
  }
}
#8731
e7872bf Thanks @siketyan! - Added the watch mode (--watch) to the CLI for check/format/lint commands. By enabling this option, Biome will re-run the check automatically when any file in the workspace has changed after the first run.
#10106
9b35f78 Thanks @ematipico! - Biome can now format and lint .svg files.
#9967
e9b6c17 Thanks @dyc3! - Added HTML support for noExcessiveLinesPerFile. Biome now reports HTML files that exceed the configured line limit, including when skipBlankLines is enabled.
#9491
b3eb63c Thanks @IxxyDev! - Added the HTML lint rule noAriaUnsupportedElements. This rule enforces that elements that do not support ARIA roles, states, and properties (meta, html, script, style) do not have role or aria-* attributes.
#9306
afd57a6 Thanks @viraxslot! - Added the noNoninteractiveTabindex lint rule for HTML. This rule enforces that tabindex is not used on non-interactive elements, as it can cause usability issues
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.