chore(deps-dev): Bump @biomejs/biome from 1.9.4 to 2.4.13#24

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/biomejs/biome-2.4.12

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps @biomejs/biome from 1.9.4 to 2.4.13.

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.13

2.4.13

Patch Changes

  • #9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

    For example, the following code triggers the rule:

    const a = `${"hello"}`; // can be 'hello'
    const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
    const c = `${"a"}${"b"}`; // can be 'ab'
  • #10037 f785e8c Thanks @​minseong0324! - Fixed #9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

    class Store {
      get status(): string {
        if (Math.random() > 0.5) return "loading";
        return "idle";
      }
      set status(v: string) {}
    }
  • #10084 5e2f90c Thanks @​jiwon79! - Fixed #10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

    The following pattern is now considered valid:

    /[a-z\&]/v;
  • #10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

  • #10035 946b50e Thanks @​Netail! - Fixed #10032: useIframeSandbox now flags if there's no initializer value.

  • #9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

    For example, the following snippet triggers the rule:

    const foo = node.innerText;
  • #10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

... (truncated)

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​biomejs/biome since your current version.


dependabot Bot commented on behalf of github Apr 20, 2026

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from rkm1 as a code owner April 20, 2026 06:32
@github-actions

🔒 Security Review

This PR is a straightforward dev-dependency bump of @biomejs/biome from 1.9.4 to 2.4.12. The changes are confined to:

  • package.json: updated the @biomejs/biome version specifier
  • package-lock.json: updated resolved versions, integrity hashes, and platform-specific optional dependencies for the new biome version

Analysis against CLAUDE.md review priorities:

  1. Wire-format stability — No changes to any source code. encrypt() output is unaffected.
  2. Nonce handling — No source changes.
  3. AEAD + AAD binding — No source changes.
  4. Key separation — No source changes.
  5. Verify-after-encrypt — No source changes.
  6. Constant-time comparisons — No source changes.
  7. Secure memory — No source changes.
  8. Canonical JSON — No source changes.
  9. CSPRNG only — No source changes.
  10. No external fetches — No new runtime dependencies; biome is a dev-only linter/formatter.

The major version jump (1.x → 2.x) for biome could introduce new lint rules or formatting changes, but biome is a dev dependency only — it has zero impact on the runtime library, wire format, or cryptographic properties.

| # | Severity | File | Issue | Status |
|---|----------|------|-------|--------|
|   | No security or correctness issues found | | | |

No Critical, High, Medium, or Low findings.

VERDICT: PASS

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/biomejs/biome-2.4.12 branch from 5dd57c8 to 53012d1 on April 20, 2026 08:55
@github-actions

🔒 Security Review

This PR is a dev-dependency bump only — upgrading @biomejs/biome from 1.9.4 to 2.4.12 (a linter/formatter). The version bump in package.json from 0.1.0-alpha.1 to 0.2.0-alpha.2 also appears in the lockfile.

Let me verify there are no source code changes hiding in the diff.

The diff touches exactly three files:

  • package.json — @biomejs/biome version in devDependencies
  • package-lock.json — lockfile entries for biome and its platform-specific binaries, plus the project version bump

No runtime source code, no cryptographic logic, no test files, no configuration affecting encryption/decryption behavior are modified.


Findings

| # | Severity | File | Line | Issue | Priority | Fix |
|---|----------|------|------|-------|----------|-----|
| 1 | Low | package-lock.json | 9 | The project version was bumped from 0.1.0-alpha.1 to 0.2.0-alpha.2 inside the lockfile. A dev-dependency bump alone doesn't typically warrant a semver-minor version bump. This isn't a security issue but could cause confusion if the version wasn't intentionally changed in package.json proper (the version field in package.json is not shown in the diff, suggesting it was changed in a prior commit). | N/A | Confirm the version bump is intentional and was made in a separate commit; if not, revert the version field in the lockfile. |

No cryptographic code is touched. No runtime dependencies are added or changed. No wire-format, nonce, AEAD, key-derivation, or comparison logic is affected. The biome upgrade is a major version jump (1.x → 2.x) which may change lint/format rules — but that's a DX concern, not a security concern.

VERDICT: PASS

@dependabot dependabot Bot changed the title chore(deps-dev): Bump @biomejs/biome from 1.9.4 to 2.4.12 chore(deps-dev): Bump @biomejs/biome from 1.9.4 to 2.4.13 Apr 25, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/biomejs/biome-2.4.12 branch from 53012d1 to 13c7217 on April 25, 2026 06:13
@github-actions

🔒 Security Review

This PR is a dev-dependency-only bump of @biomejs/biome from 1.9.4 to 2.4.13. Let me verify the diff contains nothing beyond the lockfile and package.json changes.

The diff modifies exactly two files:

  1. package-lock.json — version bumps for @biomejs/biome and all its platform-specific optional dependencies from 1.9.4 to 2.4.13, plus removal of hasInstallScript: true.
  2. package.json — the devDependencies entry for @biomejs/biome changes from ^1.9.4 to ^2.4.13.

Review against CLAUDE.md priorities

| # | Priority | Status |
|---|----------|--------|
| 1 | Wire-format stability | No source code changes — wire format unaffected. |
| 2 | Nonce handling | No source code changes. |
| 3 | AEAD + AAD binding | No source code changes. |
| 4 | Key separation | No source code changes. |
| 5 | Verify-after-encrypt | No source code changes. |
| 6 | Constant-time comparisons | No source code changes. |
| 7 | Secure memory | No source code changes. |
| 8 | Canonical JSON | No source code changes. |
| 9 | CSPRNG only | No source code changes. |
| 10 | No external fetches | No runtime dependencies added. Biome is a dev-only linter/formatter. |

Findings

| Severity | File | Line | Issue | Priority | Fix |
|----------|------|------|-------|----------|-----|
| No issues found | | | | | |

This is a straightforward dev-dependency version bump for the Biome linter/formatter. It touches no runtime code, no cryptographic logic, no wire format, and adds no runtime dependencies. The major version jump (1.x → 2.x) may require biome config adjustments, but that is a DX concern, not a security concern.

Low (informational): Biome 2.x is a major version with potential breaking changes to lint rules and formatter output. The maintainer should confirm that npx biome check still passes cleanly after this bump, and that any reformatting doesn't create noise in future diffs. This does not block merge.

VERDICT: PASS

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/biomejs/biome-2.4.12 branch from 13c7217 to 64b811e on April 25, 2026 06:29
@github-actions

🔒 Security Review

This is a straightforward dev-dependency bump of @biomejs/biome from 1.9.4 to 2.4.13. Let me verify there are no other changes in the diff.

The diff modifies only:

  • package.json — version string in devDependencies
  • package-lock.json — resolved versions, integrity hashes, and platform-specific optional dependencies for the Biome linter/formatter

Analysis against CLAUDE.md review priorities:

  1. Wire-format stability — Not affected. No changes to encrypt() or any runtime code.
  2. Nonce handling — Not affected. No source changes.
  3. AEAD + AAD binding — Not affected.
  4. Key separation — Not affected.
  5. Verify-after-encrypt — Not affected.
  6. Constant-time comparisons — Not affected.
  7. Secure memory — Not affected.
  8. Canonical JSON — Not affected.
  9. CSPRNG only — Not affected.
  10. No external fetches — Not affected. Biome is a local dev tool (linter/formatter), not a runtime dependency.

The change is limited to a dev-only tooling upgrade. No runtime dependencies are added, removed, or modified. No source code changes. The hasInstallScript field was removed, which is expected — Biome 2.x dropped its postinstall script in favor of pre-built binaries.

| # | Severity | File | Issue | Verdict |
|---|----------|------|-------|---------|
|   | No findings | | | |

No security issues identified. This is a dev-dependency version bump with no impact on runtime behavior, wire format, or cryptographic code paths.

VERDICT: PASS

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/biomejs/biome-2.4.12 branch from 64b811e to 27a5b31 on April 25, 2026 11:04
@github-actions

🔒 Security Review

This PR is a straightforward dev-dependency version bump: @biomejs/biome from 1.9.4 to 2.4.13. The changes are confined to package.json and package-lock.json.

Review

Files changed: package.json, package-lock.json

What this PR does: Bumps the Biome linter/formatter dev dependency from v1.9.4 to v2.4.13.

Analysis against CLAUDE.md review priorities:

  1. Wire-format stability — Not affected. No runtime code changed.
  2. Nonce handling — Not affected.
  3. AEAD + AAD binding — Not affected.
  4. Key separation — Not affected.
  5. Verify-after-encrypt — Not affected.
  6. Constant-time comparisons — Not affected.
  7. Secure memory — Not affected.
  8. Canonical JSON — Not affected.
  9. CSPRNG only — Not affected.
  10. No external fetches — Not affected. Biome is a dev-only tool (linter/formatter), not a runtime dependency.

Dependency surface check: @biomejs/biome is listed under devDependencies, not dependencies. It does not ship with the library at runtime. The hasInstallScript flag was removed in the new version, which is a positive change (fewer install-time side effects).

No runtime code, cryptographic logic, wire format, or production dependency graph is touched by this PR.

Findings Summary

| # | Severity | File | Line | Issue | Verdict |
|---|----------|------|------|-------|---------|
|   | No issues found | | | | |

No Critical, High, Medium, or Low findings.

VERDICT: PASS

Bumps [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) from 1.9.4 to 2.4.13.
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.4.13/packages/@biomejs/biome)

---
updated-dependencies:
- dependency-name: "@biomejs/biome"
  dependency-version: 2.4.12
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/biomejs/biome-2.4.12 branch from 27a5b31 to fc7e7f5 on April 25, 2026 11:05
@github-actions

🔒 Security Review

This is a straightforward dev-dependency bump — @biomejs/biome from 1.9.4 to 2.4.13. Let me verify there are no other changed files.

The diff only touches:

  • package.json — bumps @biomejs/biome version in devDependencies
  • package-lock.json — corresponding lockfile updates for the new Biome version and its platform-specific binaries

Analysis against CLAUDE.md review priorities:

  1. Wire-format stability — No changes to encrypt() or any runtime code. Biome is a dev-only linter/formatter. Not affected.
  2. Nonce handling — No runtime code changed. Not affected.
  3. AEAD + AAD binding — No runtime code changed. Not affected.
  4. Key separation — Not affected.
  5. Verify-after-encrypt — Not affected.
  6. Constant-time comparisons — Not affected.
  7. Secure memory — Not affected.
  8. Canonical JSON — Not affected.
  9. CSPRNG only — Not affected.
  10. No external fetches — Biome is a local CLI tool, no runtime network requests added. Not affected.

No runtime dependencies are added or modified. The hasInstallScript flag was removed by the upstream package (Biome 2.x dropped its install script), which is a minor positive — fewer post-install scripts reduce supply-chain attack surface.


Findings

| # | Severity | File | Line | Issue | Verdict |
|---|----------|------|------|-------|---------|
|   | No issues found. This is a dev-dependency-only version bump with no runtime impact. | | | | |

No Critical, High, Medium, or Low findings.

VERDICT: PASS
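The review comments above repeatedly check two things by hand: that the bumped package stays under devDependencies rather than shipping at runtime, and that the lockfile's hasInstallScript flag disappeared with Biome 2.x. The script below is an added example, not code from this PR, Dependabot, Biome, or the repository's own review tooling. It walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3) and reports, for a before/after pair of lockfiles, which install-script packages appeared or vanished and whether the runtime (non-dev) package set changed. Both lockfiles are constructed inline for the example; the package name placeholder-runtime-dep and the exact shape of the Biome 1.9.4 entry are assumptions, not copied from the PR's diff.

```javascript
// Added example (not from the PR, Dependabot, or the Biome project): audit an
// npm package-lock.json for install scripts and for runtime vs dev packages.
// Works on lockfileVersion 2 and 3, which carry a "packages" map keyed by
// node_modules path. Entries marked dev: true never ship at runtime; entries
// with hasInstallScript: true run a lifecycle script at install time.

// Constructed "before" lockfile: Biome 1.9.4 modelled with an install script,
// as the reviews above describe for the pre-2.x package.
const lockBefore = {
  name: "example-lib",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-lib", devDependencies: { "@biomejs/biome": "^1.9.4" } },
    "node_modules/@biomejs/biome": { version: "1.9.4", dev: true, hasInstallScript: true },
    "node_modules/@biomejs/cli-linux-x64": { version: "1.9.4", dev: true, optional: true },
    // placeholder-runtime-dep is a made-up runtime package with an install script
    "node_modules/placeholder-runtime-dep": { version: "1.0.0", hasInstallScript: true },
  },
};

// Constructed "after" lockfile: Biome 2.4.13 without hasInstallScript.
const lockAfter = {
  name: "example-lib",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-lib", devDependencies: { "@biomejs/biome": "^2.4.13" } },
    "node_modules/@biomejs/biome": { version: "2.4.13", dev: true },
    "node_modules/@biomejs/cli-linux-x64": { version: "2.4.13", dev: true, optional: true },
    "node_modules/placeholder-runtime-dep": { version: "1.0.0", hasInstallScript: true },
  },
};

// Reduce a lockfile path to a package name: nested paths such as
// "node_modules/a/node_modules/@scope/b" resolve to "@scope/b".
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Classify every installed package as runtime or dev, and flag install scripts.
function auditLockfile(lock) {
  if (!lock || typeof lock.packages !== "object") {
    throw new Error("expected lockfileVersion >= 2 with a 'packages' map");
  }
  const result = { runtime: [], dev: [], runtimeInstallScripts: [], devInstallScripts: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // the root project itself, not a dependency
    const id = `${packageName(lockPath)}@${entry.version}`;
    const isDev = entry.dev === true;
    (isDev ? result.dev : result.runtime).push(id);
    if (entry.hasInstallScript === true) {
      (isDev ? result.devInstallScripts : result.runtimeInstallScripts).push(id);
    }
  }
  return result;
}

// Compare two lockfiles: which install-script packages were added or removed,
// and whether the set of runtime packages changed at all.
function diffLockfiles(before, after) {
  const a = auditLockfile(before);
  const b = auditLockfile(after);
  const scriptsBefore = new Set([...a.runtimeInstallScripts, ...a.devInstallScripts]);
  const scriptsAfter = new Set([...b.runtimeInstallScripts, ...b.devInstallScripts]);
  const sortedJoin = (xs) => xs.slice().sort().join("\n");
  return {
    installScriptsAdded: [...scriptsAfter].filter((p) => !scriptsBefore.has(p)),
    installScriptsRemoved: [...scriptsBefore].filter((p) => !scriptsAfter.has(p)),
    runtimeChanged: sortedJoin(a.runtime) !== sortedJoin(b.runtime),
  };
}

// Run the audit on the constructed pair and print the report.
function runExample() {
  return diffLockfiles(lockBefore, lockAfter);
}

console.log(JSON.stringify(runExample(), null, 2));
```

To run this against real files, replace the two constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` read from the base and head commits; `runtimeChanged: true` or a non-empty `installScriptsAdded` list is the signal that a dependency PR needs more than a lockfile glance.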

dependabot Bot commented on behalf of github Apr 27, 2026

Superseded by #28.

@dependabot dependabot Bot closed this Apr 27, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/biomejs/biome-2.4.12 branch April 27, 2026 06:39