[Snyk] Upgrade @biomejs/biome from 1.8.3 to 2.1.4

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade @biomejs/biome from 1.8.3 to 2.1.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 35 versions ahead of your current version.

• The recommended version was released 24 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	63	Proof of Concept
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	63	No Known Exploit
	Excessive Platform Resource Consumption within a Loop SNYK-JS-BRACES-6838727	63	Proof of Concept
	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	63	Proof of Concept
	Improper Handling of Extra Parameters SNYK-JS-FOLLOWREDIRECTS-6141137	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GETFUNCNAME-5923417	63	Proof of Concept
	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	63	No Known Exploit
	Denial of Service (DoS) SNYK-JS-WS-7266574	63	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	63	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	63	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	63	No Known Exploit
	Improper Link Resolution Before File Access ('Link Following') SNYK-JS-TARFS-10293725	63	No Known Exploit
	Symlink Attack SNYK-JS-TARFS-9535930	63	Mature
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-3244450	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELHELPERS-9397697	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELRUNTIME-10044504	63	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	63	No Known Exploit
	Improper Control of Dynamically-Managed Code Resources SNYK-JS-EJS-6689533	63	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	63	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	63	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	63	No Known Exploit
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	63	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	63	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITENDPOINT-8730856	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITPLUGINPAGINATEREST-8730855	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITREQUEST-8730853	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITREQUESTERROR-8730854	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	63	Proof of Concept
	Improper Input Validation SNYK-JS-POSTCSS-5926692	63	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-ROLLUP-8073097	63	Proof of Concept
	Symlink Attack SNYK-JS-TMP-11501554	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	63	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	63	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	63	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-2429795	63	Proof of Concept

Release notes

Package name: @biomejs/biome

• 2.1.4 - 2025-08-07
  

  2.1.4

  Patch Changes

  • #7121 b9642ab Thanks @ arendjr! - Fixed #7111: Imported symbols using aliases are now correctly recognised.

  • #7103 80515ec Thanks @ omasakun! - Fixed #6933 and #6994.

    When the values of private member assignment expressions, increment expressions, etc. are used, those private members are no longer marked as unused.

  • #6887 0cc38f5 Thanks @ ptkagori! - Added the noQwikUseVisibleTask rule to Qwik.

    This rule is intended for use in Qwik applications to warn about the use of useVisibleTask$() functions which require careful consideration before use.

    Invalid:

    useVisibleTask$(() => {
      console.log("Component is visible");
    });

    Valid:

    useTask$(() => {
      console.log("Task executed");
    });

  • #7084 50ca155 Thanks @ ematipico! - Added the new nursery rule noUnnecessararyConditions, which detects whenever some conditions don't
    change during the life cycle of the program, and truthy or false, hence deemed redundant.

    For example, the following snippets will trigger the rule:

    // Always truthy literal conditions
    if (true) {
      console.log("always runs");
    }

    // Unnecessary condition on constrained string type
    function foo(arg: "bar" | "baz") {
      if (arg) {
        // This check is unnecessary
      }
    }

  • #6887 0cc38f5 Thanks @ ptkagori! - Added the useImageSize rule to Biome.

    The useImageSize rule enforces the use of width and height attributes on <img> elements for performance reasons. This rule is intended to prevent layout shifts and improve Core Web Vitals by ensuring images have explicit dimensions.

    Invalid:

    <img src="/image.png" />
    <img src="https://example.com/image.png" />
    <img src="/image.png" width="200" />
    <img src="/image.png" height="200" />

    Valid:

    <img width="200" height="600" src="/static/images/portrait-01.webp" />
    <img width="100" height="100" src="https://example.com/image.png" />

  • #6887 0cc38f5 Thanks @ ptkagori! - Added the useAnchorHref rule to Biome.

    The useAnchorHref rule enforces the presence of an href attribute on <a> elements in JSX. This rule is intended to ensure that anchor elements are always valid and accessible.

    Invalid:

    <a>Link</a>

    <a target="_blank">External</a>

    Valid:

    <a href="/home">Home</a>

    <a href="https://example.com" target="_blank">
      External
    </a>

  • #7100 29fcb05 Thanks @ Jayllyz! - Added the rule noNonNullAssertedOptionalChain.

    This rule prevents the use of non-null assertions (!) immediately after optional chaining expressions (?.). Optional chaining is designed to safely handle nullable values by returning undefined when the chain encounters null or undefined. Using a non-null assertion defeats this purpose and can lead to runtime errors.

    // Invalid - non-null assertion after optional chaining
    obj?.prop!;
    obj?.method()!;
    obj?.[key]!;
    obj?.prop!;

    // Valid - proper optional chaining usage
    obj?.prop;
    obj?.method();
    obj?.prop ?? defaultValue;
    obj!.prop?.method();

  • #7129 9f4538a Thanks @ drwpow! - Removed option, combobox, listbox roles from useSemanticElements suggestions

  • #7106 236deaa Thanks @ arendjr! - Fixed #6985: Inference of return types no longer mistakenly picks up return types of nested functions.

  • #7102 d3118c6 Thanks @ omasakun! - Fixed #7101: noUnusedPrivateClassMembers now handles members declared as part of constructor arguments:

    1. If a class member defined in a constructor argument is only used within the constructor, it removes the private modifier and makes it a plain method argument.
    2. If it is not used at all, it will prefix it with an underscore, similar to noUnusedFunctionParameter.

  • #7104 5395297 Thanks @ harxki! - Reverting to prevent regressions around ref handling

  • #7143 1a6933a Thanks @ siketyan! - Fixed #6799: The noImportCycles rule now ignores type-only imports if the new ignoreTypes option is enabled (enabled by default).

    [!WARNING]
    Breaking Change: The noImportCycles rule no longer detects import cycles that include one or more type-only imports by default.
    To keep the old behaviour, you can turn off the ignoreTypes option explicitly:

    {
      "linter": {
        "rules": {
          "nursery": {
            "noImportCycles": {
              "options": {
                "ignoreTypes": false
              }
            }
          }
        }
      }
    }

  • #7099 6cc84cb Thanks @ arendjr! - Fixed #7062: Biome now correctly considers extended configs when determining the mode for the scanner.

  • #6887 0cc38f5 Thanks @ ptkagori! - Added the useQwikClasslist rule to Biome.

    This rule is intended for use in Qwik applications to encourage the use of the built-in class prop (which accepts a string, object, or array) instead of the classnames utility library.

    Invalid:

    <div class={classnames({ active: true, disabled: false })} />

    Valid:

    <div classlist={{ active: true, disabled: false }} />

  • #7019 57c15e6 Thanks @ fireairforce! - Added support in the JS parser for import source(a stage3 proposal). The syntax looks like:

    import source foo from "<specifier>";

  • #7053 655049e Thanks @ jakeleventhal! - Added the useConsistentTypeDefinitions rule.

    This rule enforces consistent usage of either interface or type for object type definitions in TypeScript.

    The rule accepts an option to specify the preferred style:

    • interface (default): Prefer using interface for object type definitions
    • type: Prefer using type for object type definitions

    Examples:

    // With default option (interface)
    // ❌ Invalid
    type Point = { x: number; y: number };

    // ✅ Valid
    interface Point {
    x: number;
    y: number;
    }

    // With option { style: "type" }
    // ❌ Invalid
    interface Point {
    x: number;
    y: number;
    }

    // ✅ Valid
    type Point = { x: number; y: number };

    The rule will automatically fix simple cases where conversion is straightforward.

  What's Changed

  • ci: use faster runners on Windows by @ ematipico in #7041
  • chore: use own semver parser by @ ematipico in #7061
  • docs(analyze): about "Services" by @ dyc3 in #7058
  • feat(parse/tailwind): start implementing lexer/parser by @ dyc3 in #6986
  • feat(qwik): add few new lint rules by @ ptkagori in #6887
  • chore: add Claude sub-agents by @ ematipico in #7066
  • feat(format/html): implement suppression comments by @ dyc3 in #5356
  • feat: add tailwind domain by @ dyc3 in #6972
  • chore(lint): add version to the released rules by @ siketyan in #7087
  • chore(deps): update rust:1.88.0 docker digest to af306cf by @ renovate[bot] in #7042
  • chore(deps): update rust crate serde_json to 1.0.142 by @ renovate[bot] in #7089
  • chore(deps): update @ biomejs packages by @ renovate[bot] in #7091
  • chore(deps): update dependency @ types/node to v22.17.0 by @ renovate[bot] in #7092
  • chore(deps): update dependency eslint to v9.32.0 by @ renovate[bot] in #7093
  • chore(deps): update github-actions by @ renovate[bot] in #7094
  • chore(deps): update rust crate tokio to 1.47.1 by @ renovate[bot] in #7096
  • feat(analyze/js): added rule for @ typescript-eslint/consistent-type-definitions by @ jakeleventhal in #7053
  • fix(core): consider extended configs for scan kind by @ arendjr in #7099
  • feat(analyse/js): add noNonNullAssertedOptionalChain rule by @ Jayllyz in #7100
  • fix(core): return type inference no longer picks up nested returns by @ arendjr in #7106
  • fix(lint/noUnusedPrivateClassMembers): improve member usage check by @ omasakun in #7103
  • fix(lint/noUnusedPrivateClassMembers): handle class members declared in constructor parameters correctly by @ omasakun in #7102
  • chore: setup autofix.ci workflow by @ arendjr in #7113
  • revert: "fix(lint/noUnassignedVariables): handle JSX ref attribute ass… by @ harxki in #7104
  • feat(lint): rule noUnnecessaryConditions by @ ematipico in #7084
  • chore: add CodeRabbit config by @ arendjr in #7114
  • ci: use faster runners on depot by @ siketyan in #7115
  • feat(parser): support import source by @ fireairforce in #7019
  • chore: apply CodeRabbit nits by @ arendjr in #7116
  • fix(core): resolve aliased imports by @ arendjr in #7121
  • fix: remove option, combobox, listbox from semantic element suggestions by @ drwpow in #7129
  • feat(analyze/js): add noVueDataObjectDeclaration by @ amousa11 in #6574
  • feat(lint): add ignoreTypes option to the noImportCycles rule by @ siketyan in #7143
  • ci: release by @ github-actions[bot] in #7069

  New Contributors

  • @ jakeleventhal made their first contribution in #7053
  • @ omasakun made their first contribution in #7103
  • @ amousa11 made their first contribution in #6574

  Full Changelog: https://github.com/biomejs/biome/compare/@ biomejs/biome@2.1.3...@ biomejs/biome@2.1.4

• 2.1.3 - 2025-07-29
  

  2.1.3

  Patch Changes

  • #7057 634a667 Thanks @ mdevils! - Added the rule noVueReservedKeys, which prevents the use of reserved Vue keys.

    It prevents the use of Vue reserved keys such as those starting with # @ biomejs/biome (like $el, $data, $props) and keys starting with _` in data properties, which can cause conflicts and unexpected behavior in Vue components.

    Invalid example

    <script>
    export default {
      data: {
        $el: "",
        _foo: "bar",
      },
    };
    </script>