
Releases: SonarSource/SonarJS

9.7.0

19 Aug 14:15
1c4c451

In this release, we've worked on two main topics:

  • Improve integration with SonarLint
  • Fix false-positives for S1313 and S5860

Details are available in the 9.7 milestone.

This release will soon be available on SonarCloud and will ship in SonarQube 9.7 and SonarLint.

9.6.0

10 Aug 16:12
5f9a185

In this release, we've worked on two main topics:

  • Reduce the number of false-positives in projects using React
  • Add new security hotspots targeting AWS S3 buckets with Node AWS CDK

Details are available in the 9.6 milestone.

This release will soon be available on SonarCloud and will ship in SonarQube 9.6 and SonarLint.

9.5.0

22 Jul 12:31
eff7e94

This is a big release where we focused on catching React-specific bugs and code smells.
We are also introducing checks for code inside AWS template files 🤯.

We have 7 new rules for React:

  • S6440: Ensure Hooks are always called from the top of React function Components. This helps when first starting with hooks, while also catching some mistakes that might be hard to see otherwise. See React's own Rules of Hooks.
  • S6441: Detect methods of React component classes that are not used inside the Component. Lifecycle methods are excluded. Overall, this helps detect dead code but importantly it also catches uses of methods outside the components. This goes against React's data model and can break many assumptions. See the details for ways to solve it.
  • S6442: Prevent hooks from being called directly in the body of components, which causes an infinite render loop. This can happen by accident or when you're starting to learn hooks. See the relevant meme on Twitter.
  • S6443: Ensure a Hook's setter is not called with the current state. This does nothing, so it is very likely a mistake, like a forgotten Boolean inversion or something else.
  • S6438: When starting with JSX you might not know that regular comments produce an unexpected DOM node. That can be quite surprising, but now you're safe with this rule.
  • S6435: Detect when you forget to return from a React class component. This can happen by mistake and React won't complain so it can be hard to find!
  • S6439: Prevents accidentally rendering unexpected characters that come from conditionals in JSX. See the rule details for some examples. Did you know about this?

Some improvements:

  • S1534: Now detects duplicated attributes in JSX literals. This helps with typos and duplicates quite a lot!
  • S2589: No longer raises an issue for expressions passed as children for JSX literals. That means fewer false positives.
  • S905: Now helps detect missing return statements in React function components. Similar to what S6435 does in class components.
  • S5148: Now handles an additional edge case to help secure your code when opening Browser windows programmatically.
  • S1135: Now covers an edge case where TODOs were not being seen. It's all in the details.

For AWS users:

  • We now check the JavaScript and TypeScript code embedded inside AWS template files in YAML.
  • This should work out-of-the-box, without any additional action on your part.
  • You can now benefit from all the same rules that are supported in stand-alone code files!

Here are the details of the Milestone.

All of this is available now in SonarCloud and will be on SonarQube 9.6 and in SonarLint when released.

Stay tuned for more things to come for React and AWS!

9.4.0

24 Jun 13:07
ecafd2e

In this release, we have added 3 new rules and did some hardening (details here). We also updated some major dependencies.

JS/TS

  • Upgrade TypeScript to 4.7 (#3180)
  • Add S5148 ('link-with-target-blank'): Authorizing an opened window to access back to the originating window is security-sensitive (#2621)
  • Add S4125 ('valid-typeof'): "typeof" expressions should only be compared to valid values (#625)
  • Add S6397 ('single-char-in-character-classes'): Character classes in regular expressions should not contain only one character (#3085)

CSS

  • Upgrade stylelint to 14.9.1 (#3182)

Part of SonarQube 9.6

9.3.0

01 Jun 13:48
8fd3642

In this release, we have added 2 new rules and did some hardening. We also updated some major dependencies.

CSS

  • Fix FP S4650 ('function-calc-no-unspaced-operator'): should allow missing spaces around '*' and '/' operators (#3098)
  • Support "display-mode" media query in S4661 (#3137)
  • Upgrade stylelint to 14.8.4 (#3149)

JS/TS

  • Add S4036 ('no-os-command-from-path'): Searching OS commands in PATH is security-sensitive (#2036)
  • Add S6426 ('no-exclusive-tests'): Exclusive tests should not be committed to version control (#2861)
  • Exclude JavaScript require statements from copy-paste detection (#2971)
  • Fix FP S1128 ('unused-import'): Generalize imports matching kebab case references (#3125)
  • Fix FP S1172 ('no-unused-function-argument'): Ignore 'this' parameters (#3114)
  • Fix FP S1186 ('no-empty-function'): Ignore private constructors (#3115)
  • Fix FP S3001 ('no-delete-var'): Ignore object optional properties (#2994)
  • Fix FP S3403 ('different-types-comparison'): Symbols should be comparable (#3132)
  • Remove spaces from the default value of JavaScript execution environments (#2632)
  • S3504 ('no-var') should be part of SonarWay profile (#3101)
  • Upgrade ESLint to 8.16.0 and TypeScript ESLint to 5.26.0 (#3150)

Docs

  • Update docs - add Angular to supported frameworks (#3128)

Part of SonarQube 9.5

9.2.0

19 Apr 10:02
e917f25

In this release, we now explicitly require Node.js 12.22.0 as a minimum for CSS, JavaScript, and TypeScript analysis. Previously, we only considered the major version of Node.js. We also upgraded Stylelint dependency and updated the configuration of a few rules on the same occasion. A consequence of this upgrade is introducing a custom implementation of S5362 and the activation of S4650 in the default profile, which used to overlap with one another. Finally, we improved the behavior of a few JavaScript and TypeScript rules.

CSS

  • Update Stylelint to 14.6.1 (#3089)
  • Update S4649 ('font-family-no-missing-generic-family-keyword'): support 'ignoreFontFamilies' option (#3095)
  • Update S4653 ('unit-no-unknown'): Drop obsolete hardcoded configuration (#3108)
  • Update S4662 ('at-rule-no-unknown'): Ignore TailwindCSS main directives by default (#3107)
  • Fix FP S4660 ('selector-pseudo-element-no-unknown'): Ignore Blazor '::deep' combinator (#3096)
  • Fix FP S4662 ('at-rule-no-unknown'): Ignore Sass forward rule (#3094)
  • Activate S4650 ('function-calc-no-unspaced-operator') in default profile (#3106)

JavaScript / TypeScript

  • Improve S100 ('function-name'): Ignore React Functional Components (#3109)
  • Improve S138 ('sonar-max-lines-per-function'): Ignore React Functional Components (#3104)
  • Improve S4328 ('no-implicit-dependencies'): Consider 'baseUrl' (#3087)
  • Improve S4328 ('no-implicit-dependencies'): Check package.json files in all levels up (#3102)

Miscellaneous

  • Require Node.js 12.22.0 (#3111)

Part of SonarQube 9.5

9.1.1

07 Apr 10:45
9e47916

Bug fix for the documentation at docs.sonarsource.com

9.1.0

29 Mar 13:03
e9a6665

In this release, and as promised previously, we extend our offering of rules providing quick fixes with a new pack of 30 more rules. This now makes a total of 53 rules that will propose solutions to fix your code flaws as you write code in your IDEs. Finally, this release introduces the support of TypeScript 4.6, and it also enables S1172 ('no-unused-function-argument') in the default profile.

Quick fixes

  • Add quick fix for S108 ('no-empty') (#3057)
  • Add quick fix for S125 ('no-commented-code') (#3037)
  • Add quick fix for S1110 ('no-redundant-parentheses') (#3039)
  • Add quick fix for S1126 ('prefer-single-boolean-return') (#3064)
  • Add quick fix for S1128 ('unused-import') (#3059)
  • Add quick fix for S1172 ('no-unused-function-argument') (#3038)
  • Add quick fix for S1186 ('no-empty-function') (#3056)
  • Add quick fix for S1533 ('no-primitive-wrappers') (#3042)
  • Add quick fix for S1534 ('no-dupe-keys') (#3036)
  • Add quick fix for S1763 ('no-unreachable') (#3051)
  • Add quick fix for S2688 ('use-isnan') (#3058)
  • Add quick fix for S2757 ('non-existent-operator') (#3063)
  • Add quick fix for S2871 ('no-alphabetical-sort') (#3043)
  • Add quick fix for S2990 ('no-global-this') (#3044)
  • Add quick fix for S3403 ('different-types-comparison') (#3045)
  • Add quick fix for S3415 ('inverted-assertion-arguments') (#3046)
  • Add quick fix for S3626 ('no-redundant-jump') (#3065)
  • Add quick fix for S3696 ('no-throw-literal') (#3050)
  • Add quick fix for S3863 ('no-duplicate-imports-decorator') (#3070)
  • Add quick fix for S3972 ('no-same-line-conditional') (#3066)
  • Add quick fix for S3981 ('no-collection-size-mischeck') (#3067)
  • Add quick fix for S3984 ('no-unthrown-error') (#3041)
  • Add quick fix for S4138 ('prefer-for-of') (#3062)
  • Add quick fix for S4322 ('prefer-type-guard') (#3052)
  • Add quick fix for S4619 ('no-in-misuse') (#3053)
  • Add quick fix for S4621 ('no-duplicate-in-composite') (#3061)
  • Add quick fix for S4623 ('no-undefined-argument') (#3040)
  • Add quick fix for S4634 ('prefer-promise-shorthand') (#3049)
  • Add quick fix for S4782 ('no-redundant-optional') (#3060)
  • Add quick fix for S6325 ('prefer-regex-literals') (#3048)

Miscellaneous

  • Activate S1172 ('no-unused-function-argument') in default profile (#3035)
  • Support TypeScript 4.6 (#3068)

Part of SonarQube 9.4

9.0.0.17505

08 Mar 15:09
45f671f
  • support TypeScript 4.5
  • drop support for Node.js 10
  • upgrade to ESLint 8.x (technical dependency)

P.S. We bumped the major version so that it is in sync with the major version of SonarQube it's gonna be part of.

Part of SonarQube 9.4

8.9.0

21 Feb 16:32
5d05b42

In this release, we introduce the support of Quick Fixes for JavaScript/TypeScript analysis in IDEs. We provide a total of 23 rules with quick fixes for now, and there will be more to come soon.

Here are the 23 rules that currently support quick fixes:

Last but not least, this release also includes fixes for a few FPs tickets as well as some enhancements:

  • Exclude import statements from duplication computation (#2954)
  • Introduce back sonar.typescript.lcov.reportPaths as alias for sonar.javascript.lcov.reportPaths (#2958)
  • Improve warning messages for Node.js deprecation (#2959)
  • Update message for S2819 ('post-message') (#2956)
  • Match S1172 ('no-unused-function-argument') behaviour to TypeScript compiler (#2964)
  • Enable S1172 ('no-unused-function-argument') for TypeScript (#2964)
  • Fix FP S1135 ('todo-tag'): surrounding accented characters should be considered (#2960)
  • Fix FP S3317 ('file-name-differ-from-class'): consider dot notation in filenames (#2963)
  • Fix FP S4822 ('no-try-promise'): consider yield as an alternative to await (#2962)
  • Upgrade eslint-plugin-sonarjs to 0.12.0 (#2967)

Part of SonarQube 9.4