🤖 Dep Updates: Bump @biomejs/biome from 2.2.4 to 2.3.10 #65
Closed
dependabot[bot] wants to merge 1 commit into
Bumps [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) from 2.2.4 to 2.3.10.
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.3.10/packages/@biomejs/biome)

---
updated-dependencies:
- dependency-name: "@biomejs/biome"
  dependency-version: 2.3.10
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Author
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
John-David Dalton (jdalton) added a commit that referenced this pull request May 11, 2026
Cuts ~64 violations from the post-autofix tail:
* no-dynamic-import-outside-bundle (51 → 0):
- Hoist node:fs / node:crypto / node:stream imports to file-top where
the dynamic import was just being lazy (process-lock,
process-lock-errors, dlx/packages, releases-github-archive,
disambiguate.test, http-request — also fixes broken-stream and
pipe tests that relied on createWriteStream / Readable).
- Inline disables on legitimate cases: vi.resetModules + re-import
(promises, crypto, regexps, ipc-cli); optional peer SDK
(tools/prim disambiguate); runtime-computed module paths
(esbuild-minify, external-esm-cjs, power-state); ESM-loader
behavior under test (test/integration/esm-imports).
* no-console-prefer-logger (4 → 0):
src/stdio/{divider,footer,header}.ts now use getDefaultLogger via the
relative '../logger/default' path (not the package alias the inline-
logger autofix wrongly inserted — that path goes through the dist
bundle and breaks tsgo). Pre-existing console.log calls in those
three files are now routed through `logger.log`.
* no-status-emoji (61 → 36):
- src/stdio/footer.ts: hand-coded `✓ / ✗ / ○ / ⚠` status markers
replaced with LOG_SYMBOLS['success'|'fail'|'skip'|'warn'] from
the logger module so terminal-capability fallbacks apply.
- src/stdio/prompts.ts: Inquirer theme `checked` icon disabled
inline (consumed by prompt lib, not log output).
- src/cover/formatters.ts: coverage-gamification emoji table
disabled inline (public output contract).
- Remaining 36 are in test fixtures, lint-rule plugin definition
files, and emoji-output assertions — all intentional.
* prefer-undefined-over-null (7 → 0): inline disables on
test/unit/fs*.test.mts `encoding: null` calls (Node fs API contract:
null = Buffer mode, undefined = utf-8 default). Plus
test/unit/http-request.test.mts `|| null` payload fields that the
autofix flipped to `|| undefined` (JSON.stringify drops undefined
keys, breaking `toBeNull()` assertions).
Also a small bug fix uncovered by autofix:
* objects/getters.ts createLazyGetter: previously used UNDEFINED_TOKEN
(= the value `undefined`) as its "not yet computed" sentinel, which
meant getters that legitimately returned `undefined` would re-invoke
on every call. Now uses a unique sentinel object so memoization
works for any return value.
Net: 1028 → 352 violations (-66%). Remaining: 280 sort-source-methods
(blocked on task #65 — needs autofix support), 36 no-status-emoji
(intentional test/rule-plugin/coverage UI), 35 prefer-exists-sync
(stat-for-metadata cases that genuinely need the size/mtime), 1
no-placeholders (rule plugin's own fixture file).
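The `createLazyGetter` fix described in the commit message above, as an added example that is not the library's code: `lazyGetterUndefinedSentinel`, `lazyGetterUniqueSentinel` and `countInvocations` are hypothetical names, since the real function's signature is not shown on this page.

```javascript
// Added illustration; all names here are hypothetical, not the library's API.

// "Before": the value `undefined` doubles as the "not yet computed" marker,
// so a compute function that legitimately returns `undefined` is never cached.
function lazyGetterUndefinedSentinel(compute) {
  let cached = undefined
  return () => {
    if (cached === undefined) {
      cached = compute()
    }
    return cached
  }
}

// "After": a unique object that no compute function can return marks the
// empty state, so any result (undefined, null, 0, '') is memoized.
const NOT_COMPUTED = Object.freeze({})
function lazyGetterUniqueSentinel(compute) {
  let cached = NOT_COMPUTED
  return () => {
    if (cached === NOT_COMPUTED) {
      cached = compute()
    }
    return cached
  }
}

// Count how often `compute` runs across `calls` reads of the getter.
function countInvocations(makeGetter, value, calls) {
  let invocations = 0
  const getter = makeGetter(() => {
    invocations += 1
    return value
  })
  for (let i = 0; i < calls; i += 1) {
    getter()
  }
  return invocations
}
```

If the compute function has side effects or is expensive (file reads, process spawns), the "before" form repeats them on every access whenever the result is `undefined`.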
John-David Dalton (jdalton) added a commit that referenced this pull request May 11, 2026
35 → 0 prefer-exists-sync violations. All are legitimate stat calls that read metadata (size, mtime) or discriminate file type (isFile, isDirectory, isSymbolicLink) — not pure existence checks.
* src/fs/inspect.ts: whole file is the stat-wrapper surface; file-level oxlint-disable.
* src/fs/find-up.ts: needs isFile()/isDirectory() to filter results by type; file-level disable.
* src/dlx/binary.ts: DLX cache uses stat for size/mtime metadata; file-level disable.
* src/dlx/detect.ts, src/ipc.ts, src/process-lock.ts, src/fs/validate.ts: inline disables — single sites, each with a one-line `--` explanation (mtime for cache, lstat for symlink discrimination, accessSync(R_OK) for permission, etc.).
* scripts/build-externals/bundler.mts, scripts/validate/file-size.mts: inline disables — both read stats.size for logging / size limits.
* test/unit/fs.test.mts, test/unit/process-lock.test.mts, test/unit/ipc.test.mts, test/unit/dlx/package.test.mts, test/integration/fs.test.mts: file-level disables — tests verify stat output (mtime stability, isDirectory/isFile transitions, size growth), not existence.
Net: 352 → 317 violations. Remaining: 280 sort-source-methods (blocked on #65), 36 no-status-emoji (intentional test/rule-plugin/coverage UI), 1 no-placeholders (rule plugin's fixture file).
John-David Dalton (jdalton) added a commit that referenced this pull request May 11, 2026
violation is autofixable-only sort-source-methods
37 violations cleared:
* scripts/build-externals/bundler.mts: bare emoji prefixes →
logger.success() / logger.fail() (used logger.log with hand-rolled
✓/✗ markers before).
* .config/esbuild.config.mts: redundant ⚠ inside a logger.warn(...)
call dropped — the method itself supplies the visual prefix.
* scripts/check-paths.mts: inline disable on the local logger replica
(this script validates the package's own paths and can't import
@socketsecurity/lib).
* scripts/validate/external-esm-cjs.mts: inline disables on diagnostic
label strings ('✓ default', '✓ N exports') — debug context, not
status output.
* .config/oxlint-plugin/rules/{no-status-emoji,no-placeholders}.js:
file-level disables — these files ARE the rule definitions; the
emoji / TODO literals are the lookup tables they scan for.
* test/{isolated/logger,unit/stdio/footer,unit/cover/formatters,
unit/tables,unit/stdio/stdout,unit/logger-advanced}.test.mts:
file-level disables — tests assert on emoji output.
Net: 1028 → 280 violations (-73%). Every remaining violation is
sort-source-methods, blocked on task #65 (rule needs autofix support
before the bulk-fix lands).
John-David Dalton (jdalton) added a commit that referenced this pull request May 11, 2026
… tail
* Dedupe safeDelete imports in scripts/claude.mts,
test/unit/{archives,compression,fs-additional,dlx/binary}.test.mts,
test/unit/utils/temp-file-helper.ts — earlier sed pass converted
`@socketsecurity/lib/fs` → `/fs/safe` while a later autofix re-added
the bare `/fs` import, yielding two identical bindings per file.
Removed the bare-path duplicate everywhere.
* scripts/claude.mts: file-level disables for no-status-emoji and
prefer-exists-sync (this script implements its own color-coded
logger wrapper for Claude CLI workflow output and uses stat() for
mtime-based cleanup, not existence checks). Plus an inline
no-placeholders disable on the deferral-marker scan that's looking
*for* those strings in diffs.
* Ran `oxlint --fix scripts/claude.mts` to clear 55 export-top-level-
functions violations there (top-level helper functions now exported,
making them directly testable per the rule).
* test/unit/{fs-additional,compression,dlx/binary}.test.mts: file-
level disables for prefer-safe-delete and prefer-exists-sync —
these tests verify raw fs.unlink / fs.stat behavior, not the lib
wrappers.
Final state: 1028 → 333 violations (-68%). The 333 remaining are all
sort-source-methods, blocked on task #65 (rule needs autofix support).
John-David Dalton (jdalton) added a commit that referenced this pull request May 11, 2026
The sort-source-methods rule now ships with a fixer (resolves task #65). Function declarations are hoisted, so reordering them is safe for runtime semantics; the leading JSDoc / line-comment block and any trailing contiguous comment (notably `/* c8 ignore stop */` paired with a start above) travel with each function.
Bail-out conditions:
* anonymous default exports — they have no name to sort by
* interleaved top-level non-function statements between functions — reshuffling would skip over their declaration-order semantics
The autofix attaches to the first violation per file; ESLint dedupes overlapping fixes, but when multiple violations exist they may need several passes to fully converge (oxlint --fix is idempotent — a few re-runs settle).
Net: 333 → 167 sort-source-methods violations after iterating oxlint --fix to convergence. The remaining 167 are files with interleaved statements where the autofix bails for safety.
Also propagates the _inject-import.js identifier-based detection fix to socket-lib's local copy (matches wheelhouse canonical, where the same fix landed for task #64).
John-David Dalton (jdalton) added a commit that referenced this pull request May 11, 2026
Picks up the new autofixable sort-source-methods rule from socket-wheelhouse and the identifier-based _inject-import.js fix (resolves task #65 / #64).
Iterated `oxlint --fix` to convergence; function declarations re-ordered into private→export alphanumeric order across the repo. Function declarations are hoisted so the rewrite is safe at runtime; leading JSDoc / line-comments and trailing c8-ignore-stop markers travel with each function.
Also re-syncs the canonical scripts/check-paths.mts and scripts/ai-lint-fix.mts from socket-wheelhouse. The wheelhouse copy already accounts for state-machine null sentinels (blockKey, blockKind, inString) and the SKIP_AI_FIX bracket-env access.
Bumps @biomejs/biome from 2.2.4 to 2.3.10.
Release notes
Sourced from @biomejs/biome's releases.
... (truncated)
Changelog
Sourced from @biomejs/biome's changelog.
... (truncated)
Commits
- fd279f3 ci: release (#8474)
- b352ee4 feat(lint): implement noAmbiguousAnchorText (#8372)
- 67546bc chore: add kraken as bronze sponsor (#8486)
- 285d932 feat: new Turborepo domain and `noUndeclaredEnvVars` rule (#8426)
- ec43141 ci: release (#8469)
- 382786b fix(lint): remove `useExhaustiveDependencies` spurious errors on dependency-f...
- fc32352 fix: improve rustdoc for IndentStyle (#8425)
- 09acf2a feat(lint): update docs & diagnostic for `lint/nursery/noProto` (#8414)
- 84c9e08 feat: implement noScriptUrl rule (#8232)
- d407efb refactor(formatter): reduce best fitting allocations (#8137)

Maintainer changes
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @biomejs/biome since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
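The "Maintainer changes" notice in the PR description above can be reproduced as a review check over npm registry metadata, which records the publishing account of each version under `_npmUser`. This is an added example, not Dependabot's or the project's code: the packument is constructed, `example-maintainer` is a placeholder account, and `checkReleaser` is a hypothetical helper that handles plain `MAJOR.MINOR.PATCH` versions only.

```javascript
// Constructed packument: only the package name, the two version numbers in
// the bump and the "GitHub Actions" releaser name come from the page.
const SAMPLE_PACKUMENT = {
  name: '@biomejs/biome',
  versions: {
    '2.2.0': { _npmUser: { name: 'example-maintainer' } },
    '2.2.4': { _npmUser: { name: 'example-maintainer' } },
    '2.3.10': { _npmUser: { name: 'GitHub Actions' } },
  },
}

// Plain MAJOR.MINOR.PATCH only; prerelease/build versions yield null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v)
  return m ? m.slice(1).map(Number) : null
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1
  }
  return 0
}

// Flag the target version when its publisher released nothing up to and
// including the currently installed version (or when it has no publisher).
function checkReleaser(packument, currentVersion, targetVersion) {
  const current = parseVersion(currentVersion)
  const target = packument.versions[targetVersion]
  if (!current || !target) {
    throw new Error(`cannot compare ${currentVersion} -> ${targetVersion}`)
  }
  const known = new Set()
  for (const [version, meta] of Object.entries(packument.versions)) {
    const parsed = parseVersion(version)
    if (parsed && compareVersions(parsed, current) <= 0 && meta._npmUser?.name) {
      known.add(meta._npmUser.name)
    }
  }
  const releaser = target._npmUser?.name ?? null
  return {
    releaser,
    knownReleasers: [...known].sort(),
    isNewReleaser: releaser === null || !known.has(releaser),
  }
}
```

A flagged result is a prompt to confirm that the project announced the publishing change (for example, a move to CI-based releases) before merging the bump.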