9.11.0

This new version:

• Improves the performance of slow rules
• Brings a better experience for TSconfig with node_modules
• Adds support for CSS analysis in SonarLint
• Enables typed rules for JS in SonarLint
• Support TypeScript 4.9

Milestone: https://github.com/SonarSource/SonarJS/milestone/63?closed=1

SonarQube version: 9.8

9.10.0

This new version adds 16 AWS CDK rules and includes fixes listed in the 9.10 milestone.

9.9.0

SonarJS hardening before SonarQube 9.7.

Details are available in 9.9 milestone.

9.8.0

faster PR analysis
security analysis for AWS YAML
TypeScript 4.8
deprecation of Node.JS v14
remove support for Node.JS v12

Details are available in 9.8 milestone.

9.7.0

In this release, we've worked on two main topics

• Improve integration with SonarLint
• Fix false-positives for S1313 and S5860

Details are available in 9.7 milestone.

This release will be soon available on SonarCloud and will ship in SonarQube 9.7 and SonarLint

9.6.0

In this release, we've worked on two main topics

• Reduce the number of false-positives in projects using React
• Add new security hotspots targeting AWS S3 buckets with Node AWS CDK

Details are available in the 9.6 milestone

This release will be soon available on SonarCloud and will ship in SonarQube 9.6 and SonarLint

9.5.0

This is a big release where we focused on catching React-specific bugs and code smells.
We are also introducing checks for code inside AWS template files 🤯.

We have 7 new rules for React:

• S6440: Ensure Hooks are always called from the top of React function Components. This helps when first starting with hooks, while also catching some mistakes that might be hard to see otherwise. See React's own Rules of Hooks.
• S6441: Detect methods of React component classes that are not used inside the Component. Lifecycle methods are excluded. Overall, this helps detect dead code but importantly it also catches uses of methods outside the components. This goes against React's data model and can break many assumptions. See the details for ways to solve it.
• S6442: Prevent hooks from being called directly in the body of components, which causes an infinite render loop. This can happen by accident or when you're starting to learn hooks. See the relevant meme on Twitter.
• S6443: Ensure a Hook' setter is not called with the current state. This does nothing, so it is very likely a mistake, like a forgotten Boolean inversion or something else.
• S6438: When starting with JSX you might not know that regular comments produce an unexpected DOM node. That can be quite surprising, but now you're safe with this rule.
• S6435: Detect when you forget to return from a React class component. This can happen by mistake and React won't complain so it can be hard to find!
• S6439: Prevents accidentally rendering unexpected characters that come from conditionals in JSX. See the rule details for some examples. Did you know about this?

Some improvements:

• S1534: Now detects duplicated attributes in JSX literals. This helps with typos and duplicates quite a lot!
• S2589: No longer raises an issue for expressions passed as children for JSX literals. That means fewer false positives.
• S905: Now helps detect missing return statements in React function components. Similar to what S6435 does in class components.
• S5148: Now handles an additional edge case to help secure your code when opening Browser windows programmatically.
• S1135: Now covers an edge case where TODOs were not being seen. It's all in the details.

For AWS users:

• We now check the JavaScript and TypeScript code embedded inside AWS template files in YAML.
• This should work out-of-the-box, without any additional action on your part.
• You can now benefit from all the same rules that are supported in stand-alone code files!

Here are the details of the Milestone.

All of this is available now in SonarCloud and will be on SonarQube 9.6 and in SonarLint when released.

Stay tuned for more things to come for React and AWS!

9.4.0

In this release, we have added 3 new rules and did some hardening (details here). We also updated some major dependencies.

JS/TS

• Upgrade TypeScript to 4.7 (#3180)
• Add S5148 ('link-with-target-blank'): Authorizing an opened window to access back to the originating window is security-sensitive (#2621)
• Add S4125 ('valid-typeof'): "typeof" expressions should only be compared to valid values (#625)
• Add S6397 ('single-char-in-character-classes'): Character classes in regular expressions should not contain only one character (#3085)

CSS

• Upgrade stylelint to 14.9.1 (#3182)

Part of SonarQube 9.6

9.3.0

In this release, we have added 2 new rules and did some hardening. We also updated some major dependencies.

CSS

• Fix FP S4650 ('function-calc-no-unspaced-operator'): should allow missing spaces around '*' and '/' operators (#3098)
• Support "display-mode" media query in S4661 (#3137)
• Upgrade stylelint to 14.8.4 (#3149)

JS/TS

• Add S4036 ('no-os-command-from-path'): Searching OS commands in PATH is security-sensitive (#2036)
• Add S6426 ('no-exclusive-tests'): Exclusive tests should not be commited to version control (#2861)
• Exclude JavaScript require statements from copy-paste detection (#2971)
• Fix FP S1128 ('unused-import'): Generalize imports matching kebab case references (#3125)
• Fix FP S1172 ('no-unused-function-argument'): Ignore 'this' parameters (#3114)
• Fix FP S1186 ('no-empty-function'): Ignore private constructors (#3115)
• Fix FP S3001 ('no-delete-var'): Ignore object optional properties (#2994)
• Fix FP S3403 ('different-types-comparison'): Symbols should be comparable (#3132)
• Remove spaces from the default value of JavaScript execution environments (#2632)
• S3504 ('no-var') should be part of SonarWay profile (#3101)
• Upgrade ESLint to 8.16.0 and TypeScript ESLint to 5.26.0 (#3150)

Docs

• Update docs - add Angular to supported frameworks (#3128)

Part of SonarQube 9.5

9.2.0

In this release, we now explicitly require Node.js 12.22.0 as a minimum for CSS, JavaScript, and TypeScript analysis. Previously, we only considered the major version of Node.js. We also upgraded Stylelint dependency and updated the configuration of a few rules on the same occasion. A consequence of this upgrade is introducing a custom implementation of S5362 and the activation of S4650 in the default profile, which used to overlap with one another. Finally, we improved the behavior of a few JavaScript and TypeScript rules.

CSS

• Update Stylelint to 14.6.1 (#3089)
• Update S4649 ('font-family-no-missing-generic-family-keyword'): support 'ignoreFontFamilies' option (#3095)
• Update S4653 ('unit-no-unknown'): Drop obsolete hardcoded configuration (#3108)
• Update S4662 ('at-rule-no-unknown'): Ignore TailwindCSS main directives by default (#3107)
• Fix FP S4660 ('selector-pseudo-element-no-unknown'): Ignore Blazor '::deep' combinator (#3096)
• Fix FP S4662 ('at-rule-no-unknown'): Ignore Sass forward rule (#3094)
• Activate S4650 ('function-calc-no-unspaced-operator') in default profile (#3106)

JavaScript / TypeScript

• Improve S100 ('function-name'): Ignore React Functional Components (#3109)
• Improve S138 ('sonar-max-lines-per-function'): Ignore React Functional Components (#3104)
• Improve S4328 ('no-implicit-dependencies'): Consider 'baseUrl' (#3087)
• Improve S4328 ('no-implicit-dependencies'): Check package.json files in all levels up (#3102)

Miscellaneous

• Require Node.js 12.22.0 (#3111)

Part of SonarQube 9.5