fix(deps): update all dependencies #20
📝 Walkthrough
Bump CI action versions, pin pnpm to 11.1.2 in root and app, and update Changesets plus many app dependencies/devDependencies (Effect stack, TypeScript tooling, linting, testing, and build tools).
Changes: Toolchain and dependency upgrades
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/actions/setup/action.yml:
- Line 13: The workflow currently uses a mutable tag "pnpm/action-setup@v6";
replace that with an immutable full commit SHA (40-hex) for pnpm/action-setup to
pin the action (e.g., "pnpm/action-setup@<full-commit-sha>"). Locate the "uses:
pnpm/action-setup@v6" entry in the action.yml and update it to the exact commit
SHA from the pnpm/action-setup repository, verify the SHA is full-length (40
characters) and that the workflow still runs correctly after the change.
In @.github/workflows/checking-dependencies.yml:
- Line 15: Replace the mutable tag reference "uses: pnpm/action-setup@v6" with
an immutable pin to the full commit SHA for the pnpm/action-setup action (e.g.,
"uses: pnpm/action-setup@<full-commit-sha>"); locate the occurrences of
"pnpm/action-setup@v6" in the workflow and update them to the corresponding
release commit SHA from the action's repository, then verify the workflow runs
successfully.
⛔ Files ignored due to path filters (1)
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (5)
- .github/actions/setup/action.yml
- .github/workflows/checking-dependencies.yml
- .github/workflows/snapshot.yml
- package.json
- packages/app/package.json
| steps: | ||
| - name: Install pnpm | ||
| uses: pnpm/action-setup@v3 | ||
| uses: pnpm/action-setup@v6 |
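Review bot: the replacement line `uses: pnpm/action-setup@v6` moves the "Install pnpm" step across three major versions of the action (v3 to v6) while still referencing a movable tag. Pin it to the full commit SHA with the version kept as a trailing comment, and check any `with:` inputs on this step, which are not visible in this hunk, against what v6 accepts.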
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify mutable action refs under .github (tag-based refs like `@v1`/`@v6`).
# Expected: no matches after SHA pinning.
rg -n --iglob '*.yml' --iglob '*.yaml' 'uses:\s*[^@[:space:]]+@v[0-9]+(\.[0-9]+){0,2}\b' .github
Repository: ProverCoderAI/openapi-effect
Length of output: 1009
Pin pnpm/action-setup to an immutable commit SHA.
Line 13 uses a mutable tag (@v6). Please pin to a full-length commit SHA to reduce supply-chain risk and avoid policy breaks in hardened org settings.
🔒 Suggested change
- uses: pnpm/action-setup@v6
+ uses: pnpm/action-setup@<full-length-commit-sha> # v6.x
Reference: https://docs.github.com/actions/security-guides/security-hardening-for-github-actions
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/actions/setup/action.yml at line 13, The workflow currently uses a
mutable tag "pnpm/action-setup@v6"; replace that with an immutable full commit
SHA (40-hex) for pnpm/action-setup to pin the action (e.g.,
"pnpm/action-setup@<full-commit-sha>"). Locate the "uses: pnpm/action-setup@v6"
entry in the action.yml and update it to the exact commit SHA from the
pnpm/action-setup repository, verify the SHA is full-length (40 characters) and
that the workflow still runs correctly after the change.
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: pnpm/action-setup@v4 | ||
| - uses: pnpm/action-setup@v6 |
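Review bot: the context line `- uses: actions/checkout@v6` directly above the changed step is also a tag reference, so pinning only `pnpm/action-setup` would leave this step list with one floating action. Pin both to full commit SHAs in the same change. The two hunks in this PR also show the pnpm setup step had drifted to different majors (v3 in one file, v4 here), so it is worth keeping that reference in a single place.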
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify mutable action refs under .github (tag-based refs like `@v1`/`@v6`).
# Expected: no matches after SHA pinning.
rg -n --iglob '*.yml' --iglob '*.yaml' 'uses:\s*[^@[:space:]]+@v[0-9]+(\.[0-9]+){0,2}\b' .github
Repository: ProverCoderAI/openapi-effect
Length of output: 1009
Pin pnpm/action-setup to a commit SHA instead of a mutable tag.
Line 15 uses @v6, which is a mutable tag reference. Per GitHub's security hardening guidelines, action references should be pinned to full commit SHAs to ensure immutability and prevent unintended updates from tag rewrites.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/checking-dependencies.yml at line 15, Replace the mutable
tag reference "uses: pnpm/action-setup@v6" with an immutable pin to the full
commit SHA for the pnpm/action-setup action (e.g., "uses:
pnpm/action-setup@<full-commit-sha>"); locate the occurrences of
"pnpm/action-setup@v6" in the workflow and update them to the corresponding
release commit SHA from the action's repository, then verify the workflow runs
successfully.
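A CI gate for the pinning requested in the two review comments above, as an added example (not code from this PR or from CodeRabbit). It generalizes the `rg` check shown earlier: instead of matching only `@vN` tags, it flags every remote `uses:` reference that is not a full 40-hex commit SHA, which also catches branches and abbreviated SHAs. The sample files, the 40-hex value and `example-org/example-action` are constructed placeholders.

```python
import re

# `uses:` key of a workflow or composite-action step. The value may be quoted
# and may be followed by a trailing comment such as "# v6.x".
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def classify_ref(target):
    """Classify one `uses:` value as 'local', 'pinned' or 'mutable'."""
    if target.startswith(("./", "../")):
        return "local"  # action stored in the same repository, no ref to pin
    _, sep, ref = target.rpartition("@")
    if not sep:
        return "mutable"  # no ref at all, e.g. docker://alpine:3.19
    if target.startswith("docker://"):
        return "pinned" if DIGEST_RE.fullmatch(ref) else "mutable"
    # Tags, branches and abbreviated SHAs can all be repointed or collide.
    return "pinned" if FULL_SHA_RE.fullmatch(ref) else "mutable"


def audit(files):
    """files maps path -> YAML text; returns (path, line_no, target) per mutable ref."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # commented-out step
            match = USES_RE.match(line)
            if match and classify_ref(match.group(1)) == "mutable":
                findings.append((path, line_no, match.group(1)))
    return findings


# Constructed sample input modelled on the two files named in the review.
# The 40-hex value is a placeholder, not a real pnpm/action-setup commit.
SAMPLE = {
    ".github/actions/setup/action.yml": """\
runs:
  using: composite
  steps:
    - name: Install pnpm
      uses: pnpm/action-setup@v6
""",
    ".github/workflows/checking-dependencies.yml": """\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@0123456789abcdef0123456789abcdef01234567 # v6.x
      - uses: ./.github/actions/setup
      # - uses: some/disabled-step@main
      - uses: "example-org/example-action@abc1234"
""",
}

if __name__ == "__main__":
    results = audit(SAMPLE)
    for path, line_no, target in results:
        print(f"{path}:{line_no}: not pinned to a full commit SHA: {target}")
    raise SystemExit(1 if results else 0)
```

Run against the real tree by building `files` from the `*.yml` and `*.yaml` files under `.github`; a non-zero exit fails the job.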
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 6: The package.json currently sets "packageManager": "pnpm@11.1.2" but
pnpm v11 requires config and environment changes; run the recommended codemod
(pnpx codemod run pnpm-v10-to-v11) and then: move any settings under the
package.json "pnpm" field into pnpm-workspace.yaml, strip .npmrc to only
auth/registry entries, update .nvmrc and CI to Node.js 22+ to match pnpm v11,
rename any environment variables from npm_config_* to pnpm_config_* and manually
review remaining envs, and rename or invoke scripts named
clean/setup/deploy/rebuild using pnpm pm to avoid shadowing built-ins.
⛔ Files ignored due to path filters (1)
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (5)
- .github/actions/setup/action.yml
- .github/workflows/checking-dependencies.yml
- .github/workflows/snapshot.yml
- package.json
- packages/app/package.json
🚧 Files skipped from review as they are similar to previous changes (4)
- .github/actions/setup/action.yml
- .github/workflows/checking-dependencies.yml
- .github/workflows/snapshot.yml
- packages/app/package.json
| "private": true, | ||
| "description": "Monorepo workspace for effect-template", | ||
| "packageManager": "pnpm@10.30.1", | ||
| "packageManager": "pnpm@11.1.2", |
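Review bot: the new `"packageManager": "pnpm@11.1.2"` value pins a version but carries no integrity hash, so nothing ties the downloaded pnpm release to known content. Corepack accepts a hash suffix in this field (`pnpm@<version>+sha512.<hash>`); add it together with the bump. This line also crosses a major version (10.30.1 to 11.1.2) in the same PR as the action and dependency updates, which makes a CI failure harder to attribute; consider landing the package manager bump on its own.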
🧩 Analysis chain
🌐 Web query:
pnpm 11 breaking changes and migration guide
💡 Result:
pnpm 11 is a major release that introduces significant breaking changes, security-first defaults, and architectural improvements [1]. The official migration guide is available at https://pnpm.io/11.x/migration [2].
Key Breaking Changes and Migration Steps
Configuration Changes
pnpm 11 significantly changes how configuration is handled [3][1]:
- Configuration is no longer read from the pnpm field in package.json; move these settings to pnpm-workspace.yaml [3][2].
- .npmrc files are now restricted to auth and registry settings only [3][1]. All other settings (e.g., hoist-pattern, node-linker) must be moved to pnpm-workspace.yaml using camelCase keys [3][2].
- npm_config_* environment variables are no longer supported; rename them to pnpm_config_* [3][1].
- pnpm no longer reads npm's global config at $PREFIX/etc/npmrc [1].
Dependency and Script Management
- Build-dependency settings (onlyBuiltDependencies, neverBuiltDependencies, etc.) are consolidated into a single allowBuilds map in pnpm-workspace.yaml [3][1].
- Package manager strictness settings are collapsed into a single pmOnFail setting [3][2].
- Script names now shadow built-in commands [3]. If you have scripts named clean, setup, deploy, or rebuild, pnpm will execute your script instead of the built-in command; use pnpm pm to access the built-in version [3].
- pnpm install -g (with no arguments) is no longer supported; use pnpm add -g instead [3][1].
Environment and Infrastructure
- Node.js 18, 19, 20, and 21 are no longer supported; Node.js 22+ is required [1].
- pnpm is now distributed as pure ESM [1].
- Global installs are now isolated using a global-virtual-store, preventing interference between global packages [1].
Security and New Features
- Minimum Release Age: By default, pnpm 11 blocks the installation of package versions published within the last 24 hours to mitigate supply chain attacks [4][5][6].
- Exotic Subdependencies: pnpm 11 blocks dependencies resolved from non-standard sources (e.g., Git repositories or direct tarball URLs) by default [4][6].
- Native Publish: The npm CLI fallback for publishing has been removed in favor of a native implementation [1].
- Store Index: The store index has been migrated from a JSON-per-package format to a single SQLite database for improved performance [1][5].
Migration Tooling
The pnpm team provides a codemod to automate many of these changes [2]. You can run it in your project directory:
pnpx codemod run pnpm-v10-to-v11 [2]
For changes that cannot be automated, such as environment variable updates, manual review is required [3][2].
Citations:
- 1: https://pnpm.io/blog/releases/11.0
- 2: https://pnpm.io/11.x/migration
- 3: https://pnpm.io/migration
- 4: https://gbhackers.com/pnpm-11-enables-default-release-age-guard/
- 5: https://cyberpress.org/pnpm-blocks-supply-attacks/
- 6: https://undercodenews.com/pnpm-11-reinvents-javascript-security-a-new-era-for-dependency-protection/
🌐 Web query:
pnpm 11.1.2 release notes and security advisories
💡 Result:
As of May 17, 2026, pnpm version 11.1.2 is the latest release [1].
Release Notes for pnpm 11.1.2
Specific release notes for version 11.1.2 were not explicitly detailed in the provided search results, as it is a very recent patch release [1]. However, it follows the major 11.1.0 and 11.1.1 releases, which introduced several significant features and fixes [2][3][4]:
- New Commands: Added pnpm audit signatures (to verify ECDSA registry signatures), pnpm bugs (to open package bug trackers), and pnpm owner (to manage package owners) [3][4].
- Named Registries: Added support for installing packages from arbitrary named registries, including a built-in gh: prefix for the GitHub Packages npm registry [3][4].
- CI Improvements: Introduced the --no-runtime flag (config: runtime=false) to skip installing runtime entries (e.g., Node.js) in CI environments [3][4].
- Fixes: Version 11.1.1 included fixes for installability validation in workspace projects, resolved issues with pnpm add for named registries, and updated @zkochan/cmd-shim to improve compatibility with Git Bash on Windows [2].
Security Advisories
There are no specific security advisories listed for version 11.1.2. Users should monitor the official pnpm GitHub Security Advisories page for any future disclosures [5]. Recent security-related updates in the pnpm 11 series include:
- Minimum Release Age: pnpm 11 introduced a default Minimum Release Age of 24 hours (1440 minutes), which prevents the installation of newly published package versions to mitigate supply chain attacks [6][7][8].
- Enhanced Auditing: pnpm audit now queries the registry's bulk security advisories endpoint and filters by GitHub Advisory ID (GHSA) rather than CVE identifiers [9].
- Security Hardening: pnpm 11 requires Node.js 22+ and is distributed as pure ESM [10][11]. It also includes improved control over lifecycle scripts via the allowBuilds model [7][8].
For the most up-to-date information, always check the official pnpm releases page on GitHub and the security advisories section [12][5].
Citations:
- 1: https://www.npmjs.com/package/pnpm?activeTab=versions
- 2: https://github.com/pnpm/pnpm/releases/tag/v11.1.1
- 3: https://pnpm.io/blog/releases/11.1
- 4: https://newreleases.io/project/npm/pnpm/release/11.1.0
- 5: https://github.com/pnpm/pnpm/security/advisories
- 6: https://gbhackers.com/pnpm-11-enables-default-release-age-guard/
- 7: https://undercodenews.com/pnpm-11-reinvents-javascript-security-a-new-era-for-dependency-protection/
- 8: https://pnpm.io/supply-chain-security
- 9: https://pnpm.io/cli/audit
- 10: https://github.com/pnpm/pnpm/releases/tag/v11.0.0
- 11: https://pnpm.io/blog/releases/11.0
- 12: https://github.com/pnpm/pnpm/releases
Review pnpm 11 migration requirements before merging.
This major version upgrade introduces breaking changes that require configuration updates and environment adjustments:
- Configuration files: Settings in package.json's pnpm field must move to pnpm-workspace.yaml. Update .npmrc to contain only auth and registry settings.
- Node.js requirement: pnpm 11 requires Node.js 22+. Verify your project's .nvmrc and CI configuration specify a compatible version.
- Environment variables: Any npm_config_* variables must be renamed to pnpm_config_*.
- Script behavior: Scripts named clean, setup, deploy, or rebuild now shadow built-in commands; use pnpm pm to access built-in versions.
Run the migration codemod to automate configuration changes:
pnpx codemod run pnpm-v10-to-v11
Refer to https://pnpm.io/11.x/migration for the complete migration guide. Manual review is needed for environment variable updates that the codemod cannot automate.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` at line 6, The package.json currently sets "packageManager":
"pnpm@11.1.2" but pnpm v11 requires config and environment changes; run the
recommended codemod (pnpx codemod run pnpm-v10-to-v11) and then: move any
settings under the package.json "pnpm" field into pnpm-workspace.yaml, strip
.npmrc to only auth/registry entries, update .nvmrc and CI to Node.js 22+ to
match pnpm v11, rename any environment variables from npm_config_* to
pnpm_config_* and manually review remaining envs, and rename or invoke scripts
named clean/setup/deploy/rebuild using pnpm pm to avoid shadowing built-ins.
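A preflight check for the migration points listed in the review comment above, as an added example (not code from this PR, from CodeRabbit or from pnpm). It only reports what a human or the codemod still has to move. The set of `.npmrc` keys treated as "auth and registry" is an assumption, and all sample inputs are constructed.

```python
import re

# Script names the review says now shadow pnpm built-ins.
SHADOWING_SCRIPTS = ("clean", "setup", "deploy", "rebuild")
# Assumption: unscoped .npmrc keys counted as auth/registry settings.
NPMRC_AUTH_KEYS = {"registry", "_auth", "_authToken", "username", "_password", "email"}
MIN_NODE_MAJOR = 22  # "Node.js 22+" per the review comment


def npmrc_keys_to_move(npmrc_text):
    """Return .npmrc keys that are neither auth nor registry settings."""
    keys = []
    for raw in npmrc_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a key=value pair
        key = line.split("=", 1)[0].strip()
        # "@scope:registry" and "//host/:_authToken" style keys stay in .npmrc.
        scoped = key.endswith(":registry") or key.startswith("//")
        if not scoped and key not in NPMRC_AUTH_KEYS:
            keys.append(key)
    return keys


def node_major(version_text):
    """Parse the major version from .nvmrc text; None for aliases like lts/*."""
    match = re.match(r"v?(\d+)", version_text.strip())
    return int(match.group(1)) if match else None


def preflight(package_json, npmrc_text="", env=None, nvmrc_text=""):
    """Return (area, item) pairs for everything that still needs migrating."""
    findings = []
    for key in sorted(package_json.get("pnpm", {})):
        findings.append(("package.json pnpm field", key))
    for key in npmrc_keys_to_move(npmrc_text):
        findings.append((".npmrc", key))
    for name in sorted(env or {}):
        if name.lower().startswith("npm_config_"):
            findings.append(("environment", name))
    for name in SHADOWING_SCRIPTS:
        if name in package_json.get("scripts", {}):
            findings.append(("script shadows built-in", name))
    major = node_major(nvmrc_text)
    if major is not None and major < MIN_NODE_MAJOR:
        findings.append(("node version", str(major)))
    return findings


# Constructed sample inputs (not taken from the repository under review).
PACKAGE_JSON = {
    "packageManager": "pnpm@11.1.2",
    "scripts": {"build": "tsc -b", "clean": "rm -rf dist"},
    "pnpm": {"onlyBuiltDependencies": ["esbuild"]},
}
NPMRC = (
    "registry=https://registry.npmjs.org/\n"
    "//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n"
    "@example:registry=https://npm.example.invalid/\n"
    "; hoisting tweak left over from an older setup\n"
    "node-linker=hoisted\n"
)
ENV = {"npm_config_registry": "https://registry.npmjs.org/", "CI": "true"}
NVMRC = "v20.11.0\n"

if __name__ == "__main__":
    for area, item in preflight(PACKAGE_JSON, NPMRC, ENV, NVMRC):
        print(f"{area}: {item}")
```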
We need to merge the main branch into this one and fix all the errors in CI/CD so that the code uses up-to-date libraries.
🤖 AI Work Session Started
Starting automated work session at 2026-06-19T19:17:51.406Z
The PR has been converted to draft mode while work is in progress. This comment marks the beginning of an AI work session. Please wait for the session to finish, and provide your feedback.
Update: the CI/CD fix is implemented and verified, but I cannot push it directly to this PR head branch. Blocker:
Prepared fix:
What the fix covers:
Verification:
Needed human action: either grant/push access to
🤖 Solution Draft Log
This log file contains the complete execution trace of the AI solution draft process.
💰 Cost estimation:
📊 Context and tokens usage:
Total: (508.9K + 13.1M cached) input tokens, 68.4K output tokens, $21.304392 cost
🤖 Models used:
📎 Log file uploaded as Repository (75696KB)
Now working session is ended, feel free to review and add any feedback on the solution draft.
🔄 Auto-restart triggered (iteration 1)
Reason: CI failures detected
Starting new session to address the issues. Auto-restart-until-mergeable mode is active. This run will stop after 5 restart iterations.
Rechecked the failing CI/CD status in this restart session. Findings:
Verification repeated locally with Node
Fork CI also has successful runs for
Remaining blocker is repository permissions, not code:
🔄 Auto-restart-until-mergeable Log (iteration 1)
This log file contains the complete execution trace of the AI solution draft process.
💰 Cost estimation:
🤖 Models used:
📎 Log file uploaded as Repository (96784KB)
Now working session is ended, feel free to review and add any feedback on the solution draft.
🔄 Auto-restart triggered (iteration 2)
Reason: CI failures detected
Starting new session to address the issues. Auto-restart-until-mergeable mode is active. This run will stop after 5 restart iterations.
Rechecked and updated the prepared fix in this restart session. Current prepared commit:
Root causes confirmed from upstream CI logs for old SHA
Verification on current SHA
Remaining blocker is repository permission, not code. Needed maintainer action: push/cherry-pick
🔄 Auto-restart-until-mergeable Log (iteration 2)
This log file contains the complete execution trace of the AI solution draft process.
💰 Cost estimation:
🤖 Models used:
📎 Log file uploaded as Repository (2 chunks) (116514KB)
Now working session is ended, feel free to review and add any feedback on the solution draft.
🔄 Auto-restart triggered (iteration 3)
Reason: CI failures detected
Starting new session to address the issues. Auto-restart-until-mergeable mode is active. This run will stop after 5 restart iterations.
Restart iteration 3 rechecked the prepared CI fix. Current verified head:
Fresh upstream CI logs downloaded in this session confirm old-head root causes:
Verification repeated on
Push blocker remains external:
Needed maintainer action: push or cherry-pick
🔄 Auto-restart-until-mergeable Log (iteration 3)
This log file contains the complete execution trace of the AI solution draft process.
💰 Cost estimation:
🤖 Models used:
📎 Log file uploaded as Repository (2 chunks) (139990KB)
Now working session is ended, feel free to review and add any feedback on the solution draft.
🔄 Auto-restart triggered (iteration 4)
Reason: CI failures detected
Starting new session to address the issues. Auto-restart-until-mergeable mode is active. This run will stop after 5 restart iterations.
Restart iteration 4 rechecked the CI/CD fix. Current verified head:
Fresh upstream logs downloaded in this session confirm the old-head failures:
Verification repeated locally on
Push status:
Needed maintainer action: push or cherry-pick
🔄 Auto-restart-until-mergeable Log (iteration 4)
This log file contains the complete execution trace of the AI solution draft process.
💰 Cost estimation:
🤖 Models used:
📎 Log file uploaded as Repository (2 chunks) (154923KB)
Now working session is ended, feel free to review and add any feedback on the solution draft.
🔄 Auto-restart triggered (iteration 5)
Reason: CI failures detected
Starting new session to address the issues. Auto-restart-until-mergeable mode is active. This run will stop after 5 restart iterations.
Restart iteration 5 rechecked the CI/CD failures and the prepared fix. Current verified fix:
Fresh upstream CI status:
Root causes confirmed from downloaded upstream logs:
Verification repeated locally on
Fork CI on
Push status:
Needed maintainer action: push or cherry-pick
🔄 Auto-restart-until-mergeable Log (iteration 5)
This log file contains the complete execution trace of the AI solution draft process.
💰 Cost estimation:
🤖 Models used:
📎 Log file uploaded as Repository (2 chunks) (177139KB)
Now working session is ended, feel free to review and add any feedback on the solution draft.
🤖 AI Work Session Completed
Work session ended at 2026-06-19T20:58:19.771Z
The PR will be converted back to ready for review. This comment marks the end of an AI work session. New comments after this time will be considered as feedback.
This PR contains the following updates:
- ^2.4.4 → ^2.5.0
- ^0.5.2 → ^0.7.0
- ^2.29.8 → ^2.31.0
- ^4.6.0 → ^4.7.2
- 2.0.2 → 2.1.0
- 3.3.3 → 3.3.5
- ^24.10.13 → ^24.13.2
- ^8.56.0 → ^8.61.1
- ^8.56.0 → ^8.61.1
- ^4.0.18 → ^4.1.9
- ^1.6.9 → ^1.6.20
- v6 → v7
- v6 → v7
- ^3.19.18 → ^3.21.4
- ^10.0.1 → ^10.5.0
- ^4.4.4 → ^4.4.5
- ^12.1.1 → ^13.0.0
- ^4.0.0 → ^4.1.0
- ^63.0.0 → ^68.0.0
- ^17.3.0 → ^17.6.0
- ^4.0.8 → ^5.0.11
- 24.13.1 → 24.17.0
- 10.30.1 → 11.8.0
- v4 → v6
- v3 → v6
- ^5.9.3 → ^6.0.3
- ^8.56.0 → ^8.61.1
- ^7.3.1 → ^8.0.16
- ^4.0.18 → ^4.1.9
cc @skulidropek
Release Notes
biomejs/biome (@biomejs/biome)
v2.5.0
Minor Changes
#9539
f0615fd Thanks @ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:
#9495
2056b23 Thanks @aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.
Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation"/role="none".
#9152
9ec8500 Thanks @ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.
#9152
9ec8500 Thanks @ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.
#9546
6567efa Thanks @nhedger! - Added a biome upgrade command for standalone installations. It upgrades Homebrew installs with brew upgrade biome, updates manually installed binaries from the latest GitHub release, and tells npm users to upgrade with their package manager instead.
#9716
701767a Thanks @faizkhairi! - Added the HTML version of the useHeadingContent rule. The rule now enforces that heading elements (h1-h6) have content accessible to screen readers in HTML, Vue, Svelte, and Astro files.
#9582
f437ef8 Thanks @rahuld109! - Added the HTML version of the useKeyWithMouseEvents rule. The rule now enforces that onmouseover is accompanied by onfocus and onmouseout is accompanied by onblur in HTML, Vue, Svelte, and Astro files.
#9275
1fdbcee Thanks @ff1451! - Added the new assist action useSortedTypeFields, which sorts the fields of GraphQL object types, interface types and input object types alphabetically, e.g. name, age, id becomes age, id, name.
#10561
78075b7 Thanks @Conaclos! - Added a new style option to useExportType, which enforces a style for exporting types.
This is the same option as the one provided by useImportType.
#8987
d16e32b Thanks @DerTimonius! - Ported the useValidAnchor rule to HTML. This rule enforces that all anchors are valid and that they are navigable elements.
#9533
4d251d4 Thanks @ematipico! - The init command now prints the Biome logo.
#10069
0eb9310 Thanks @Netail! - Added the HTML lint rule noStaticElementInteractions, which enforces that static, visible elements (such as <div>) that have click handlers use the valid role attribute.
Invalid:
#9134
2a43488 Thanks @ematipico! - Added the assist action useSortedPackageJson.
This action organizes package.json fields according to the same conventions as the popular sort-package-json tool.
#9309
7daa18b Thanks @Bertie690! - The allowDoubleNegation option has been added to noImplicitCoercions to allow ignoring double negations inside code.
With the option enabled, the following example is considered valid and is ignored by the rule:
#9700
894f3fb Thanks @ematipico! - The Biome Language server now supports the "go-to definition" feature.
When the cursor of the mouse is hovering an entity (variable, CSS class, type, etc.), and the command CTRL + click is triggered, the editor jumps to where this entity is defined, if the language server can find it.
Here's what Biome is able to resolve:
#10070
bae0710 Thanks @Conaclos! - Added the :STYLE: group matcher for organizeImports that matches style imports.
For example, the following configuration...
{ "assist": { "actions": { "source": { "organizeImports": { "level": "on", "options": { "groups": ["**", "!:STYLE:"], "sortBareImports": true } } } } } }
...places style imports last:
#9170
e3107de Thanks @mdrobny! - Added bundleDependencies option to NoUndeclaredDependencies rule.
This rule now supports imports of packages that are defined only in bundleDependencies and bundledDependencies arrays.
#9547
01f8473 Thanks @mujpao! - Added new assist rule useSortedAttributes for HTML, porting the existing JSX rule. This rule enforces sorted HTML attributes.
Invalid
#9366
2ca1117 Thanks @dyc3! - Added the html.parser.vue configuration option. When enabled, it adds support for the parsing of Vue in .html files. Most Vue users don't need to enable this option since Vue files typically use the .vue extension, but it can be useful for projects that embed Vue syntax in regular HTML files.
#9073
74b20ee Thanks @chocky335! - Added support for applying GritQL plugin rewrites as code actions. GritQL plugins that use the rewrite operator (=>) now produce fixable diagnostics for JavaScript, CSS, and JSON files. By default, plugin rewrites are treated as unsafe fixes and require --write --unsafe to apply. Plugin authors can pass fix_kind = "safe" to register_diagnostic() to mark a fix as safe, allowing it to be applied with just --write.
Example plugin (useConsoleInfo.grit):
Running biome check --write applies safe rewrites. Unsafe rewrites (the default, or fix_kind = "unsafe") still require --write --unsafe.
#9384
f4c9edc Thanks @Conaclos! - Added the sortBareImports option to organizeImports, which allows bare imports to be sorted within other imports when set to false.
{ "assist": { "actions": { "source": { "organizeImports": { "level": "on", "options": { "sortBareImports": true } } } } } }
#8731
e7872bf Thanks @siketyan! - Added the watch mode (--watch) to the CLI for check/format/lint commands. By enabling this option, Biome will re-run the check automatically when any file in the workspace has changed after the first run.
#10106
9b35f78 Thanks @ematipico! - Biome can now format and lint .svg files.
#9967
e9b6c17 Thanks @dyc3! - Added HTML support for noExcessiveLinesPerFile. Biome now reports HTML files that exceed the configured line limit, including when skipBlankLines is enabled.
#9491
b3eb63c Thanks @IxxyDev! - Added the HTML lint rule noAriaUnsupportedElements. This rule enforces that elements that do not support ARIA roles, states, and properties (meta, html, script, style) do not have role or aria-* attributes.
#9306
afd57a6 Thanks @viraxslot! - Added the noNoninteractiveTabindex lint rule for HTML. This rule enforces that tabindex is not used on non-interactive elements, as it can cause usability issues for keyboard users.
#9276
6d041d9 Thanks @IxxyDev! - Added the HTML lint rule noRedundantRoles. This rule enforces that explicit role attributes are not the same as the implicit/default role of an HTML element. It supports HTML, Vue, Svelte, and Astro files.
#9813
69aadc2 Thanks @ematipico! - Added a new linter configuration called preset. With the new option, users can enable different kinds of rules at once.
The following presets are available:
- "recommended": it enables all Biome-recommended rules, or recommended rules of a group;
- "all": it enables all Biome rules, or enables all rules of a group;
- "none": it disables all Biome rules, or disable all rules of a group.
You can enable recommended rules:
{ "linter": { "rules": { "preset": "recommended" } } }
You can enable all rules at once:
Or enable all rules for a group:
This new option, however, doesn't affect how nursery rules work. Nursery rules must be enabled singularly, due to their nature.
This new option is meant to replace recommended, so make sure to run the migrate command.
#10022
3422d71 Thanks @Netail! - Added the HTML lint rule noNoninteractiveElementToInteractiveRole, which enforces that interactive ARIA roles are not assigned to non-interactive HTML elements.
Invalid:
#8396
13785fc Thanks @apple-yagi! - Biome now supports pnpm catalogs (default and named) when resolving dependencies for linting. This behavior is opt-in and requires setting javascript.resolver.experimentalPnpmCatalogs to true.
#10028
1009414 Thanks @Netail! - Added the HTML lint rule noInteractiveElementToNoninteractiveRole, which enforces that non-interactive ARIA roles are not assigned to interactive HTML elements.
Invalid:
#9853
816302f Thanks @Netail! - Added the new assist action useSortedSelectionSet, which sorts GraphQL selection sets alphabetically, e.g. name, age, id becomes age, id, name.
Invalid:
#10074
9c7c6eb Thanks @georgephillips! - Added a kind field to the ImportMatcher used by the organizeImports assist action. The new field selects imports by their syntactic kind and currently supports bare (matching side-effect imports such as import "polyfill") with optional ! negation (!bare). The matcher composes with the existing type and source fields, so users can express patterns such as "only bare imports that import a CSS file" ({ "kind": "bare", "source": "**/*.css" }).
For example, with the following configuration:
{ "assist": { "actions": { "source": { "organizeImports": { "level": "on", "options": { "sortBareImports": true, "groups": [ { "kind": "!bare" }, ":BLANK_LINE:", { "kind": "bare" } ] } } } } } }
...the following code:
...is organized as:
#9171
ce65710 Thanks @chocky335! - Added includes option for plugin file scoping. Plugins can now be configured with glob patterns to restrict which files they run on. Use negated globs for exclusions.
{ "plugins": [ "global-plugin.grit", { "path": "scoped-plugin.grit", "includes": ["src/**/*.ts", "!**/*.test.ts"] } ] }
#9617
dcb99efThanks @faizkhairi! - PorteduseAriaActivedescendantWithTabindexa11y rule to HTML.#9496
1dfb829Thanks @aviraldua93! - Added HTML support for thenoAriaHiddenOnFocusableaccessibility lint rule, which enforces thataria-hidden="true"is not set on focusable elements. Focusable elements include native interactive elements (<button>,<input>,<select>,<textarea>), elements withhref(<a>,<area>), elements withtabindex >= 0, and editing hosts (contenteditable). Includes an unsafe fix to remove thearia-hiddenattribute.#9792
f516854Thanks @Maximiliano-Zeballos! - Added theuseSemanticElementslint rule for HTML. The rule now detects the use ofroleattributes in HTML elements and suggests using semantic elements instead.For example, the following code is now flagged:
The rule suggests using
<nav>instead.#9761
cbbb7d5Thanks @Maximiliano-Zeballos! - Ported theuseValidAriaPropslint rule to HTML. This rule checks that allaria-*attributes used in HTML elements are valid ARIA attributes as defined by the WAI-ARIA specification.#9928
aa82576Thanks @aviraldua93! - PorteduseValidAriaValuesto HTML. Biome now validates staticaria-*attribute values in HTML elements against WAI-ARIA types, catching invalid values such asaria-hidden="yes".#10562
6642895 Thanks @ematipico! - Promoted 73 nursery rules to stable groups.
Four rules were renamed as part of the promotion:
- `noFloatingClasses` is now `noUnusedInstantiation`, because the rule checks any discarded `new` expression, not only classes.
- `noMultiStr` is now `noMultilineString`.
- `useFind` is now `useArrayFind`.
- `useSpread` is now `useSpreadOverApply`, because the rule enforces spread call arguments over `Function.apply()`, not array or object spread.

Correctness
Promoted the following rules to the `correctness` group:
- `noBeforeInteractiveScriptOutsideDocument`
- `noUnusedInstantiation`
- `useInlineScriptId` (recommended, Next.js domain)
- `noVueVIfWithVFor` (recommended, Vue domain)
- `useVueValidVBind` (recommended, Vue domain)
- `useVueValidVElse` (recommended, Vue domain)
- `useVueValidVElseIf` (recommended, Vue domain)
- `useVueValidVHtml` (recommended, Vue domain)
- `useVueValidVIf` (recommended, Vue domain)
- `useVueValidVOn` (recommended, Vue domain)
- `useVueValidVText` (recommended, Vue domain)
- `useVueValidTemplateRoot` (recommended, Vue domain)
- `useVueValidVCloak` (recommended, Vue domain)
- `useVueValidVOnce` (recommended, Vue domain)
- `useVueValidVPre` (recommended, Vue domain)
- `useVueVForKey` (recommended, Vue domain)
- `noDuplicateAttributes` (recommended)
- `noDuplicateArgumentNames` (recommended)
- `noDuplicateInputFieldNames` (recommended)
- `noDuplicateVariableNames` (recommended)
- `noDuplicateEnumValueNames` (recommended)
- `useLoneAnonymousOperation` (recommended)

Suspicious
Promoted the following rules to the `suspicious` group:
- `noShadow`
- `noUnnecessaryConditions`
- `noParametersOnlyUsedInRecursion`
- `noUnknownAttribute`
- `useArraySortCompare`
- `noForIn`
- `noDuplicatedSpreadProps`
- `noEqualsToNull`
- `noProto` (recommended)
- `noUndeclaredEnvVars` (recommended, Turborepo domain)
- `noReturnAssign` (default severity: `error`)
- `noDuplicateEnumValues` (recommended)
- `noVueArrowFuncInWatch` (recommended, Vue domain)
- `noNestedPromises`
- `noLeakedRender`
- `noDeprecatedMediaType` (recommended)
- `noDuplicateGraphqlOperationName`
- `useRequiredScripts`

Style
Promoted the following rules to the `style` group:
- `useVueMultiWordComponentNames` (recommended, Vue domain)
- `useVueDefineMacrosOrder`
- `noIncrementDecrement`
- `noContinue`
- `useSpreadOverApply`
- `noTernary`
- `noMultilineString`
- `noMultiAssign`
- `noExcessiveClassesPerFile`
- `noExcessiveLinesPerFile`
- `noVueOptionsApi`
- `useErrorCause`
- `useConsistentEnumValueType`
- `useConsistentMethodSignatures`
- `useGlobalThis` (default severity: `warn`)
- `useDestructuring`
- `useVueHyphenatedAttributes` (recommended, Vue domain)
- `useVueConsistentVBindStyle` (recommended, Vue domain)
- `useVueConsistentVOnStyle` (recommended, Vue domain)
- `noHexColors`
- `useConsistentGraphqlDescriptions`
- `noRootType`
- `useLoneExecutableDefinition`
- `useInputName`

Complexity
Promoted the following rules to the `complexity` group:
- `useArrayFind`
- `noRedundantDefaultExport` (default severity: `warn`)
- `noUselessReturn`
- `noDivRegex`

Performance
Promoted the following rules to the `performance` group:
- `noSyncScripts`
- `noJsxPropsBind`
- `useVueVapor`

Security
Promoted the following rules to the `security` group:
- `noScriptUrl` (recommended)

A11y
Promoted the following rules to the `a11y` group:
- `noAmbiguousAnchorText` (recommended)

#10121
450f8e1 Thanks @jongwan56! - Biome now applies Git's local exclude file when VCS ignore files are enabled. Files listed in `.git/info/exclude` are skipped the same way as files listed in `.gitignore`, including in linked worktrees.
#9397
d5913c9 Thanks @mvarendorff! - Added `ignore` option to the noUnusedVariables rule. The option allows excluding identifiers by providing a list of ignored names. It also allows excluding kinds of identifiers from this rule entirely, which may be useful when loading classes dynamically.
For example, unused classes as well as all unused variables, functions, etc. called "unused" may be ignored entirely with the following configuration:

```json
{ "ignore": { "*": ["unused"], "class": ["*"] } }
```

#10089
71a21f0 Thanks @Netail! - Added the lint rule `noLabelWithoutControl` to HTML, which enforces that a label element or component has a text label and an associated input.
#10015
1828261 Thanks @Netail! - Added the HTML lint rule `useAriaPropsSupportedByRole`, which enforces that ARIA properties are valid for the roles that are supported by the element.
#10234
1a51569 Thanks @ematipico! - Added the `delimiterSpacing` formatter option. This option inserts spaces inside delimiters (after the opening delimiter and before the closing delimiter) when the content fits on a single line. Empty delimiters are not affected, and no space is added before the opening delimiter. The specific delimiters affected depend on the language. It can be configured globally via `formatter.delimiterSpacing` or per-language via `javascript.formatter.delimiterSpacing`, `json.formatter.delimiterSpacing`, and `css.formatter.delimiterSpacing`. Defaults to `false`.
JavaScript
When enabled, Biome inserts spaces inside parentheses (e.g., `foo( a, b )`), square brackets (e.g., `[ a, b ]`), template literal interpolations (e.g., `${ expr }`), and the logical NOT operator (e.g., `! x`, but in chains only after the last one: `!! x`). Only applies when the content fits on a single line. Empty delimiters and the space before the opening delimiter are not affected.
JSX
When enabled, Biome inserts spaces inside JSX expression braces (e.g., `attr={ value }`) and spread attributes (e.g., `{ ...props }`). Only applies when the content fits on a single line. Empty delimiters are not affected.
TypeScript
When enabled, Biome inserts spaces inside TypeScript angle brackets (e.g., `foo< T >()`), indexed access types (e.g., `T[ K ]`), mapped types, tuple types, type parameters, and index signatures. Only applies when the content fits on a single line. Empty delimiters are not affected.
JSON
When enabled, Biome inserts spaces inside square brackets when the content fits on a single line. Empty brackets are not affected.
CSS
When enabled, Biome inserts spaces inside parentheses and square brackets when the content fits on a single line. Empty delimiters are not affected.
#10461
6bac1c3 Thanks @TXWSLYF! - Implements #9445. Added the `allowImplicit` option to `useIterableCallbackReturn`. When enabled, callbacks can use `return;` to implicitly return `undefined`, matching ESLint's `array-callback-return` rule.
#9571
5a8eb75 Thanks @dyc3! - Added configurable options to the `useNumericSeparators` rule. Users can now customize the minimum number of digits required before adding separators and the group length for each type of numeric literal (`binary`, `octal`, `decimal`, `hexadecimal`).

```json
{
  "linter": {
    "rules": {
      "style": {
        "useNumericSeparators": {
          "level": "error",
          "options": {
            "decimal": { "minimumDigits": 7, "groupLength": 3 },
            "hexadecimal": { "minimumDigits": 4, "groupLength": 2 }
          }
        }
      }
    }
  }
}
```

#10067
6064312 Thanks @Netail! - Added the lint rule `useFocusableInteractive` to HTML, which enforces elements with an interactive role and interaction handler to be focusable.
Invalid:
#10026
fb42ac4 Thanks @Netail! - Added the HTML lint rule `noNoninteractiveElementInteractions`, which disallows the use of event handlers on non-interactive elements.
Invalid:
#10000
2093e3e Thanks @Netail! - Added the new assist action `useSortedEnumMembers`, which sorts TypeScript & GraphQL enum members.
Invalid:
#10013
ad01d3d Thanks @Netail! - Added the HTML lint rule `useValidAutocomplete`, which enforces using valid values for the `autocomplete` attribute on `input` elements.

Patch Changes
#10498
995c1ff Thanks @citadelgrad! - Added the nursery rule `useReactFunctionComponentDefinition`, which enforces a consistent function type for named React function components.
For example, the following snippet triggers the rule by default.
#9974
ff635a9 Thanks @pkallos! - Added `ignoreMixedLogicalExpressions` to [useNullishCoalescing]

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.