snyk-io bot commented Aug 21, 2025

Snyk has created this PR to upgrade @biomejs/biome from 1.8.3 to 2.1.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

  • The recommended version is 34 versions ahead of your current version.

  • The recommended version was released 23 days ago.

Issues fixed by the recommended upgrade:

Issue | Score | Exploit Maturity
medium severity Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELHELPERS-9397697 | 140 | Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELRUNTIME-10044504 | 140 | Proof of Concept
medium severity Symlink Attack SNYK-JS-TMP-11501554 | 140 | Proof of Concept
low severity Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073 | 140 | Proof of Concept

Release notes
Package name: @biomejs/biome
  • 2.1.3 - 2025-07-29

    2.1.3

    Patch Changes

    • #7057 634a667 Thanks @ mdevils! - Added the rule noVueReservedKeys, which prevents the use of reserved Vue keys.

      It prevents the use of Vue reserved keys such as those starting with $ (like $el, $data, $props) and keys starting with _ in data properties, which can cause conflicts and unexpected behavior in Vue components.

      Invalid example
      <script>
      export default {
        data: {
          $el: "",
          _foo: "bar",
        },
      };
      </script>
      <script>
      export default {
        computed: {
          $data() {
            return this.someData;
          },
        },
      };
      </script>
      Valid examples
      <script>
      export default {
        data() {
          return {
            message: "Hello Vue!",
            count: 0,
          };
        },
      };
      </script>
      <script>
      export default {
        computed: {
          displayMessage() {
            return this.message;
          },
        },
      };
      </script>
    • #6941 734d708 Thanks @ JamBalaya56562! - Added @eslint-react/no-nested-component-definitions as a rule source for noNestedComponentDefinitions. Now it will get picked up by biome migrate --eslint.

    • #6463 0a16d54 Thanks @ JamBalaya56562! - Fixed a website link for the useComponentExportOnlyModules linter rule to point to the correct URL.

    • #6944 e53f2fe Thanks @ sterliakov! - Fixed #6910: Biome now ignores type casts and assertions when evaluating numbers for noMagicNumbers rule.

    • #6991 476cd55 Thanks @ denbezrukov! - Fixed #6973: Add support for parsing the :active-view-transition-type() pseudo-class

      :active-view-transition-type(first second) {
      }
    • #6992 0b1e194 Thanks @ ematipico! - Added a new JSON rule called noQuickfixBiome, which disallows the use of the code action quickfix.biome inside code editor settings.

    • #6943 249306d Thanks @ JamBalaya56562! - Fixed @vitest/eslint-plugin source url.

    • #6947 4c7ed0f Thanks @ JamBalaya56562! - Fixed ESLint migration for the rule prefer-for from eslint-plugin-solid to Biome's useForComponent.

    • #6976 72ebadc Thanks @ siketyan! - Fixed #6692: The rules noUnusedVariables and noUnusedFunctionParameters no longer cause an infinite loop when the suggested name is not applicable (e.g. the suggested name is already declared in the scope).

    • #6990 333f5d0 Thanks @ rvanlaarhoven! - Fixed the documentation URL for lint/correctness/noUnknownPseudoClass

    • #7000 4021165 Thanks @ harxki! - Fixed #6795: noUnassignedVariables now correctly recognizes variables used in JSX ref attributes.

    • #7044 b091ddf Thanks @ ematipico! - Fixed #6622, now the rule useSemanticElements works for JSX self-closing elements too.

    • #7014 c4864e8 Thanks @ siketyan! - Fixed #6516: The biome migrate command no longer breaks the member list with trailing comments.

    • #6979 29cb6da Thanks @ unvalley! - Fixed #6767: useSortedClasses now correctly removes leading and trailing whitespace in className.

      Previously, trailing spaces in className were not fully removed.

      // Think we have this code:
      <div className="text-sm font-bold " />

      // Before: applied fix, but a trailing space was preserved
      <div className="font-bold text-sm " />

      // After: applied fix, trailing spaces removed
      <div className="font-bold text-sm" />

    • #7055 ee4828d Thanks @ dyc3! - Added the nursery rule useReactFunctionComponents. This rule enforces the preference to use function components instead of class components.

      Valid:

      function Foo() {
        return <div>Hello, world!</div>;
      }

      Invalid:

      class Foo extends React.Component {
        render() {
          return <div>Hello, world!</div>;
        }
      }
    • #6924 2d21be9 Thanks @ ematipico! - Fixed #113, where the Biome Language Server didn't correctly update the diagnostics when the configuration file is modified in the editor. Now the diagnostics are correctly updated every time the configuration file is modified and saved.

    • #6931 e6b2380 Thanks @ arendjr! - Fixed #6915: useHookAtTopLevel no longer hangs when rules call themselves recursively.

    • #7012 01c0ab4 Thanks @ siketyan! - Fixed #5837: Invalid suppression comments such as biome-ignore-all-start or biome-ignore-all-end no longer cause a panic.

    • #6949 48462f8 Thanks @ fireairforce! - Support parsing import defer (which is a stage 3 proposal). The syntax looks like this:

      import defer * as foo from "<specifier>";
    • #6938 5feb5a6 Thanks @ vladimir-ivanov! - Fixed #6919 and #6920:
      useReadonlyClassProperties now does checks for mutations in async class methods.

      Example:

      class Counter3 {
        private counter: number;
        async count() {
          this.counter = 1;
          const counterString = `${this.counter++}`;
        }
      }
    • #6942 cfda528 Thanks @ sterliakov! - Fixed #6939. Biome now understands this binding in classes outside of methods.

    Full Changelog: https://github.com/biomejs/biome/compare/@biomejs/biome@2.1.2...@biomejs/biome@2.1.3

  • 2.1.2 - 2025-07-17

    2.1.2

    Patch Changes

    • #6865 b35bf64 Thanks @ denbezrukov! - Fix #6485: Handle multiple semicolons correctly in blocks (#6485)

      div {
        box-sizing: border-box;
        color: red;
      }
    • #6798 3579ffa Thanks @ dyc3! - Fixed #6762, Biome now knows that ~/.config/zed/settings.json and ~/.config/Code/User/settings.json allow comments by default.

    • #6839 4cd62d8 Thanks @ ematipico! - Fixed #6838, where the Biome File Watcher incorrectly watched and stored ignored files, causing possible memory leaks when those files were dynamically created (e.g. built files).

    • #6879 0059cd9 Thanks @ denbezrukov! - Refactor: remove one level of indirection for CSS declarations with semicolon
      Previously, accessing a declaration from a list required an extra step:

      item
      .as_any_css_declaration_with_semicolon()
      .as_css_declaration_with_semicolon()

      Now, it can be done directly with:

      item.as_css_declaration_with_semicolon()
    • #6839 4cd62d8 Thanks @ ematipico! - Fixed a bug where the Biome Language Server didn't correctly ignore specific files when vcs.useIgnoreFile is set to true.

    • #6884 5ff50f8 Thanks @ arendjr! - Improved the performance of noImportCycles by ~30%.

    • #6903 241dd9e Thanks @ arendjr! - Fixed #6829: Fixed a false positive reported by useImportExtensions when importing a .js file that had a matching .d.ts file in the same folder.

    • #6846 446112e Thanks @ darricheng! - Fixed an issue where biome was using the wrong string quotes when the classes string has quotes, resulting in invalid code after applying the fix.

    • #6823 eebc48e Thanks @ arendjr! - Improved #6172: Optimised the way function arguments are stored in Biome's type inference. This led to about 10% performance improvement in RedisCommander.d.ts and about 2% on @next/font type definitions.

    • #6878

semanticdiff-com bot commented Aug 21, 2025

Review changes with SemanticDiff

Changed Files
File | Status
package.json | 34% smaller

snyk-io bot commented Aug 21, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)
