@miccy (Collaborator) commented Dec 24, 2025

Goal

Adopt Biome as the sole tool for linting and formatting.

Changes

  • Replaced ESLint and Prettier with Biome across the monorepo.
  • Created shared @evolu/biome-config package.
  • Updated package.json scripts (lint -> biome check, format -> biome check --write).
  • Integrated lint and format tasks with Turborepo.
  • Fixed formatting and linting issues identified by Biome.
  • Cherry-picked critical fixes from dev-v8.

Verification

  • pnpm lint passes (using Biome)
  • pnpm format passes (using Biome)
  • All packages use shared Biome config

Updated the 'engines.node' field from >=22.0.0 to >=24.0.0 across all package.json files to require the current LTS version. This is a major version change for all affected packages.
Introduces polyfills for Symbol.dispose, Symbol.asyncDispose, DisposableStack, and AsyncDisposableStack to support automatic resource cleanup in environments lacking native support. Updates documentation and navigation to cover resource management concepts and usage. Refactors example to use DisposableStack for safer URL cleanup. Adds comprehensive tests for polyfill correctness and updates Result tests for resource management patterns.
Groups tests for resource management under more descriptive nested 'describe' blocks for 'using keyword', 'DisposableStack', and 'AsyncDisposableStack'. This improves test organization and readability without changing test logic.
Introduces tests demonstrating generator-based monadic composition with the Result type, comparing imperative and generator patterns, verifying type inference, performance, and resource disposal behavior. These tests illustrate how generator composition can reduce boilerplate.
Added 'sql.raw' to the embeddedSqlTags in prettier.config.mjs to support additional SQL formatting. Updated .prettierignore to adjust ignored paths for API reference MDX files.
Bump various dependencies including @typescript-eslint, shiki, vitest, @op-engineering/op-sqlite, @react-navigation, electron-to-chromium, sf-symbols-typescript, and tinyexec to their latest versions for improved stability, features, and security.
steida and others added 7 commits January 12, 2026 11:52
Major rewrite of Task.ts to implement JavaScript-native structured concurrency, including new types for Task, Runner, Fiber, and AsyncDisposableStack. Adds support for dependency injection, resource management, and monitoring via Runner events. Updates documentation and examples to reflect new API and usage patterns.
- Take Steida's new code: Task.ts (structured concurrency), Schedule, Listeners, Set, Tracer
- Preserve our Biome/Bun migration (no ESLint/Prettier)
- Remove: eslint.config.mjs, prettier.config.mjs, .prettierignore
- Keep: biome.json, Bun scripts in package.json

New modules from upstream:
- Task.ts: Complete rewrite with Runner, Fiber, AsyncDisposableStack
- OldTask.ts: Backward compatibility for WebSocket
- Schedule.ts: Composable retry/repeat strategies
- Listeners.ts: Pub-sub notifications
- Set.ts: Type-safe immutable Set helpers
- Tracer.ts: Observability interface

snyk-io bot commented Jan 12, 2026

⚠️ Snyk checks are incomplete.

Status Scanner Critical High Medium Low Total (0)
⚠️ Open Source Security 0 0 0 0 See details

socket-security bot commented Jan 12, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert
Block Critical
Critical CVE: Happy DOM: VM Context Escape can lead to Remote Code Execution in npm happy-dom

CVE: GHSA-37j7-fg3j-429f Happy DOM: VM Context Escape can lead to Remote Code Execution (CRITICAL)

Affected versions: < 20.0.0

Patched version: 20.0.0

From: packages/react-web/package.json → npm/[email protected]

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Telemetry collection: npm next

Note: Can be disabled by setting the environment variable NEXT_TELEMETRY_DISABLED=1 . See https://nextjs.org/telemetry for more information

From: apps/web/package.json → npm/[email protected]

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Warn High
License policy violation: npm typescript

License: LicenseRef-W3C-Community-Final-Specification-Agreement - the applicable license policy does not allow this license (4) (package/ThirdPartyNoticeText.txt)

From: packages/react-web/package.json → npm/[email protected]

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Warn High
Obfuscated code: npm vite is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: ? → npm/[email protected] → npm/[email protected]

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Warn Medium
Low adoption: npm @rollup/rollup-linux-loong64-musl

Location: Package overview

From: ? → npm/[email protected] → npm/@rollup/[email protected]

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Low adoption: npm @rollup/rollup-linux-ppc64-musl

Location: Package overview

From: ? → npm/[email protected] → npm/@rollup/[email protected]

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Warn Medium
Low adoption: npm @rollup/rollup-openbsd-x64

Location: Package overview

From: ? → npm/[email protected] → npm/@rollup/[email protected]

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Warn Medium
Deprecated by its maintainer: npm memoize-one

Reason: New custom equality api does not play well with all equality helpers. Please use v5.x

From: ? → npm/[email protected] → npm/[email protected]

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Warn Medium
Low adoption: npm obug

Location: Package overview

From: ? → npm/[email protected] → npm/[email protected]

Suggestion: Unpopular packages may have less maintenance and contain other problems.

View full report
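
The happy-dom alert above gives an affected range (< 20.0.0), a patched version (20.0.0) and dependency overrides as a remediation. The following Node.js check is an added example, not part of the pull request or of Socket's output: it audits workspace manifests for a happy-dom range that still admits affected versions and shows the effect of a root override. The function names, the second manifest path and all version ranges in the sample data are constructed for illustration.

```javascript
// Added example: flag workspace manifests whose happy-dom range still admits
// versions below the patched release named in the alert (20.0.0).
const PATCHED_MAJOR = 20; // patched version 20.0.0, so 20.x and later fall outside "< 20.0.0"
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Lowest version a simple range (1.2.3, ^1.2.3, ~1.2.3, >=1.2.3) can resolve to.
// Anything else (tags, unions, wildcards, workspace:) returns null for manual review.
function lowerBound(range) {
  const m = /^(?:\^|~|>=|=)?\s*v?(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Root-level overrides force one range for the whole workspace.
// Only the plain "name": "range" form is handled (assumption of this example).
function rootOverrides(rootManifest) {
  return rootManifest.pnpm?.overrides ?? rootManifest.overrides ?? {};
}

function auditHappyDom(rootManifest, manifests) {
  const forced = rootOverrides(rootManifest)["happy-dom"];
  const findings = [];
  for (const [path, pkg] of Object.entries(manifests)) {
    for (const field of DEP_FIELDS) {
      const declared = pkg[field]?.["happy-dom"];
      if (declared === undefined) continue;
      const effective = forced ?? declared;
      const lb = lowerBound(effective);
      const status = lb === null ? "review" : lb[0] >= PATCHED_MAJOR ? "ok" : "affected";
      findings.push({ path, field, declared, effective, status });
    }
  }
  return findings;
}

// Constructed sample data: the first path comes from the alert, the second path
// and both version ranges are made up for this example.
const sampleManifests = {
  "packages/react-web/package.json": { devDependencies: { "happy-dom": "^18.0.1" } },
  "packages/example/package.json": { devDependencies: { "happy-dom": "latest" } },
};

console.log(auditHappyDom({}, sampleManifests));
console.log(auditHappyDom({ pnpm: { overrides: { "happy-dom": ">=20.0.0" } } }, sampleManifests));
```

The check reads declared ranges only; the lockfile decides which version is actually installed, so an "ok" result should still be confirmed against the resolved version.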

miccy and others added 18 commits January 12, 2026 14:17
Updated the build script to set NODE_OPTIONS=--max-old-space-size=8192, increasing the memory allocation for Next.js builds from 4GB to 8GB to help prevent out-of-memory errors during the build process.
Added details about the web build process, including the use of webpack, memory options to prevent heap OOM, and macOS-specific file limit instructions. Clarifies that 'pnpm build:web' builds both docs and web.
Disabled the use of fast-glob and dynamic importing of MDX files in the docs layout to improve build and hot reload performance. Added a note explaining the reason and replaced the dynamic section loading with an empty object.
Replaces unnecessary async arrow functions with synchronous ones in Task-related tests, improving readability and reducing boilerplate.
- Sync all commits from upstream/common-v8
- Resolve conflicts in Task.ts and Task.test.ts
- Unify dependencies across monorepo (React 19.2.3, TS 5.9.3, Vitest 4.0.17)
- Update root README.md to use Bun and Biome conventions
- Migrate root package.json scripts to Bun
- Fix Typedoc generation by disabling Prettier integration
- Fix linting and types in apps/web and packages
@miccy miccy closed this Jan 16, 2026
@miccy miccy deleted the feat/m0-biome branch January 16, 2026 09:52
Labels

  • biome: Biome tooling
  • bun: Bun runtime
  • dependencies: Pull requests that update a dependency file
  • feature: New feature or request

Development

Successfully merging this pull request may close these issues.

[M0] Biome Migration: Replace ESLint+Prettier

2 participants