Skip to content

deps: Bump the dev-dependencies group across 1 directory with 3 updates#35

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/dev-dependencies-08e518d3e3
Open

deps: Bump the dev-dependencies group across 1 directory with 3 updates#35
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/dev-dependencies-08e518d3e3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the dev-dependencies group with 3 updates in the / directory: @biomejs/biome, @tanstack/devtools-vite and react-doctor.

Updates @biomejs/biome from 2.3.11 to 2.5.2

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.2

2.5.2

Patch Changes

  • #10595 f458028 Thanks @​pkallos! - Added the option ignoreBooleanCoercion to useNullishCoalescing. When enabled, Biome ignores || and ||= used inside a Boolean() call, where coalescing on falsy values is intentional.

  • #10798 4a32b63 Thanks @​pkallos! - Added the option ignorePrimitives to useNullishCoalescing. When enabled, Biome ignores ||, ||=, and ternary expressions whose non-nullish operands are all primitives the option opts out of. Use true to ignore all primitives, or an object selecting string, number, boolean, or bigint.

  • #10545 f3d4c00 Thanks @​Mokto! - Added the new nursery rule noSvelteUnnecessaryStateWrap, which reports unnecessary $state() wrapping of classes from svelte/reactivity that are already reactive.

    <script>
    import { SvelteMap } from "svelte/reactivity";
    const map = $state(new SvelteMap()); // redundant
    </script>
  • #10752 f62fb8b Thanks @​ematipico! - Fixed #10739. Now the rule useValidAutocomplete correctly flags the autoComplete attribute.

  • #10796 f1b3ab2 Thanks @​ematipico! - Fixed #10768. Improved the performance of the Biome Language Server by cancelling certain in-flight operations when there are fast updates.

  • #10719 aa649b5 Thanks @​minseong0324! - Fixed noMisleadingReturnType false positive on returns that use a widening type assertion: "a" as string is no longer reported as misleading. The rule now also reports a literal-pinning assertion such as false as false, matching the existing as const behavior.

    // No longer flagged (returns are `string`):
    function getValue(b: boolean): string {
      if (b) return "a" as string;
      return "b" as string;
    }
    // Now also reported, like as const (returns false):
    function isReady(): boolean {
    return false as false;
    }

  • #10678 8f073a7 Thanks @​PranavAchar01! - Fixed #7718: Biome now correctly parses CSS nesting selectors when & appears as a trailing sub-selector after a type selector, e.g. h1& { color: red; }.

  • #10756 5ec965a Thanks @​denbezrukov! - Fixed CSS formatter output for selector lists with allowWrongLineComments and // comments after a selector comma. Biome now keeps the selector before the line comment inline instead of breaking it across descendant combinators.

    -.powerPathNavigator
    -  .helm
    -  button.pressedButton, // pressed
    +.powerPathNavigator .helm button.pressedButton, // pressed
     .powerPathNavigator .helm button:active:not(.disabledButton) {
     }

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.2

Patch Changes

  • #10595 f458028 Thanks @​pkallos! - Added the option ignoreBooleanCoercion to useNullishCoalescing. When enabled, Biome ignores || and ||= used inside a Boolean() call, where coalescing on falsy values is intentional.

  • #10798 4a32b63 Thanks @​pkallos! - Added the option ignorePrimitives to useNullishCoalescing. When enabled, Biome ignores ||, ||=, and ternary expressions whose non-nullish operands are all primitives the option opts out of. Use true to ignore all primitives, or an object selecting string, number, boolean, or bigint.

  • #10545 f3d4c00 Thanks @​Mokto! - Added the new nursery rule noSvelteUnnecessaryStateWrap, which reports unnecessary $state() wrapping of classes from svelte/reactivity that are already reactive.

    <script>
    import { SvelteMap } from "svelte/reactivity";
    const map = $state(new SvelteMap()); // redundant
    </script>
  • #10752 f62fb8b Thanks @​ematipico! - Fixed #10739. Now the rule useValidAutocomplete correctly flags the autoComplete attribute.

  • #10796 f1b3ab2 Thanks @​ematipico! - Fixed #10768. Improved the performance of the Biome Language Server by cancelling certain in-flight operations when there are fast updates.

  • #10719 aa649b5 Thanks @​minseong0324! - Fixed noMisleadingReturnType false positive on returns that use a widening type assertion: "a" as string is no longer reported as misleading. The rule now also reports a literal-pinning assertion such as false as false, matching the existing as const behavior.

    // No longer flagged (returns are `string`):
    function getValue(b: boolean): string {
      if (b) return "a" as string;
      return "b" as string;
    }
    // Now also reported, like as const (returns false):
    function isReady(): boolean {
    return false as false;
    }

  • #10678 8f073a7 Thanks @​PranavAchar01! - Fixed #7718: Biome now correctly parses CSS nesting selectors when & appears as a trailing sub-selector after a type selector, e.g. h1& { color: red; }.

  • #10756 5ec965a Thanks @​denbezrukov! - Fixed CSS formatter output for selector lists with allowWrongLineComments and // comments after a selector comma. Biome now keeps the selector before the line comment inline instead of breaking it across descendant combinators.

    -.powerPathNavigator
    -  .helm
    -  button.pressedButton, // pressed
    +.powerPathNavigator .helm button.pressedButton, // pressed
     .powerPathNavigator .helm button:active:not(.disabledButton) {
     }
  • #10757 6232fcd Thanks @​PranavAchar01! - Fixed #8269: the CSS parser now accepts Tailwind @variant and @utility names that start with a digit, such as the 2xl breakpoint.

... (truncated)

Commits

Updates @tanstack/devtools-vite from 0.4.1 to 0.8.1

Release notes

Sourced from @​tanstack/devtools-vite's releases.

@​tanstack/devtools-vite@​0.8.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/devtools-client@​0.0.8

@​tanstack/devtools-vite@​0.8.0

Minor Changes

  • #384 958c683 - feat: deliver devtools events from isolated server runtimes over Vite's native HotChannel

    Server code running in an isolated runtime (Nitro v3 worker thread, Cloudflare workerd, or any separate thread/process) does not share globalThis.__TANSTACK_EVENT_TARGET__ with the Vite dev process, so devtools events emitted on the server never reached the panel.

    The Vite plugin now bridges those events over the framework's existing import.meta.hot HotChannel — the same connection the runtime already uses for HMR. It injects a tiny, dev-only bridge into the event client when it runs in a non-client environment and wires each server environment's hot channel to the in-process ServerEventBus. No new WebSocket, no fetch, no reconnect logic, and no new runtime dependencies; the bridge is fully tree-shaken in production.

@​tanstack/devtools-vite@​0.7.2

Patch Changes

  • #466 73983a7 - Fix the plugin marketplace rendering empty ("No additional plugins available") when it should list installable plugins.

    • The client event bus no longer silently drops events emitted while its WebSocket is still connecting. Such events are now queued and flushed once the socket opens, so the marketplace's mounted request reliably reaches the server bus.
    • The marketplace now re-requests package.json every time it is opened and retries until the data arrives, so re-opening always re-fetches the plugin list.
    • Added TanStack AI Devtools (@tanstack/react-ai-devtools) to the plugin marketplace registry.
  • #449 2a2f9eb - Fix invalid syntax generated when removing parenthesized devtools JSX expressions.

  • Updated dependencies [73983a7]:

    • @​tanstack/devtools-client@​0.0.7
    • @​tanstack/devtools-event-bus@​0.4.2

@​tanstack/devtools-vite@​0.7.1

Patch Changes

  • #450 cf89dcd - fix go to source file whose path contains $ symbol

@​tanstack/devtools-vite@​0.7.0

Minor Changes

  • migrate from Babel to oxc-parser + MagicString (#397)

@​tanstack/devtools-vite@​0.6.1

Patch Changes

  • Fix unnecessary condition ESLint error in console pipe log method lookup. (#432)

... (truncated)

Changelog

Sourced from @​tanstack/devtools-vite's changelog.

0.8.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/devtools-client@​0.0.8

0.8.0

Minor Changes

  • #384 958c683 - feat: deliver devtools events from isolated server runtimes over Vite's native HotChannel

    Server code running in an isolated runtime (Nitro v3 worker thread, Cloudflare workerd, or any separate thread/process) does not share globalThis.__TANSTACK_EVENT_TARGET__ with the Vite dev process, so devtools events emitted on the server never reached the panel.

    The Vite plugin now bridges those events over the framework's existing import.meta.hot HotChannel — the same connection the runtime already uses for HMR. It injects a tiny, dev-only bridge into the event client when it runs in a non-client environment and wires each server environment's hot channel to the in-process ServerEventBus. No new WebSocket, no fetch, no reconnect logic, and no new runtime dependencies; the bridge is fully tree-shaken in production.

0.7.2

Patch Changes

  • #466 73983a7 - Fix the plugin marketplace rendering empty ("No additional plugins available") when it should list installable plugins.

    • The client event bus no longer silently drops events emitted while its WebSocket is still connecting. Such events are now queued and flushed once the socket opens, so the marketplace's mounted request reliably reaches the server bus.
    • The marketplace now re-requests package.json every time it is opened and retries until the data arrives, so re-opening always re-fetches the plugin list.
    • Added TanStack AI Devtools (@tanstack/react-ai-devtools) to the plugin marketplace registry.
  • #449 2a2f9eb - Fix invalid syntax generated when removing parenthesized devtools JSX expressions.

  • Updated dependencies [73983a7]:

    • @​tanstack/devtools-client@​0.0.7
    • @​tanstack/devtools-event-bus@​0.4.2

0.7.1

Patch Changes

  • #450 cf89dcd - fix go to source file whose path contains $ symbol

0.7.0

Minor Changes

  • migrate from Babel to oxc-parser + MagicString (#397)

... (truncated)

Commits
  • e026667 ci: Version Packages (#475)
  • 7114ecd test: e2e suite (8 apps + server↔client probe) + unit/component coverage (#472)
  • f17d7e8 chore: add bugs.url metadata to all published packages (#470)
  • d9f2b37 ci: Version Packages (#468)
  • 958c683 feat: deliver devtools events from isolated server runtimes via Vite HotChann...
  • ca6e266 ci: Version Packages (#465)
  • 2a2f9eb fix(devtools-vite): preserve valid syntax when removing parenthesized devtool...
  • 45d9b8e ci: Version Packages (#453)
  • cf89dcd fix: fix go to source file whose path contains $ symbol (#450)
  • 5d359f2 ci: Version Packages (#442)
  • Additional commits viewable in compare view

Updates react-doctor from 0.5.8 to 0.7.1

Release notes

Sourced from react-doctor's releases.

react-doctor@0.7.1

Patch Changes

  • #1062 6b21b70 Thanks @​devin-ai-integration! - Surface when a scan target had no discoverable React project, so a gated-off run can't pass for a clean one.

    • The JSON report now carries reactDetected: false (additive optional field on schemaVersion 1 and 2) when no scanned project resolved a React or Preact runtime — the case where every React-runtime rule family gates off and the report would otherwise be byte-indistinguishable from a genuinely clean scan. It's true when any project resolved a runtime, and absent when nothing was scanned or the run errored. Consumers gating on the report (CI, verifiers, pre-commit hooks) should treat reactDetected === false as "wrong scan target", not "all clear"; per-project detail is already available via projects[].project.reactVersion / preactVersion.
    • The CLI prints a stderr warning in the same case: "No React project detected at — React rules were gated off; this is not the same as a clean scan."
    • The programmatic API mirrors the signal: diagnose() results carry reactDetected (DiagnoseResult.reactDetected, per-project on ProjectResultOk, aggregate on DiagnoseProjectsResult — absent when no project scanned successfully), and the hasReactRuntime(project) predicate is exported from react-doctor/api and @react-doctor/api.
  • Updated dependencies [c0c3fc1]:

    • oxlint-plugin-react-doctor@0.7.1
    • deslop-js@0.7.1

react-doctor@0.7.0

Patch Changes

  • #1060 ced746f Thanks @​rayhanadev! - The whole cache stack now survives CI's fresh checkouts, so the GitHub Action's persisted REACT_DOCTOR_CACHE_DIR actually warms every layer instead of only the content-addressed ones. The whole-repo scan-result cache moves under the shared per-project cache root (honoring REACT_DOCTOR_CACHE_DIR like the lint, sidecar, dead-code, and supply-chain caches — previously it silently escaped the action's cache into node_modules/.cache or the OS temp dir), and its key drops every stat-based fingerprint that a re-clone rotates: config files and gitignored dotenv files are now content-hashed, and the toolchain is keyed by package versions (matching the lint ruleset hash) rather than install mtimes. The stat-fingerprinted dead-code caches gain mtime repair (the ninja/restat pattern): entries carry a content-hash witness, and a stat mismatch over identical bytes — every file after a fresh checkout — re-hashes once, accepts the entry, and persists the refreshed stat so the cost is paid once per checkout, not per run. This covers core's whole-project dead-code result cache (per-file (mtime, size, hash) records replacing the stats-in-key fingerprint) and deslop-js's incremental summary store (parse summaries, package-reference facts, and the manifest/bundler-config fingerprints feeding the collect/resolution hashes). Expired supply-chain score entries are also pruned past their TTL so restored cache directories stop accumulating dead purls. Everything stays fail-open and byte-identical to an uncached scan; on a re-cloned repo with one changed file, a warm scan now replays ~100% of lint, sidecar, and parse work instead of starting cold.

  • #1056 20d81f6 Thanks @​rayhanadev! - Hardened the dead-code result cache key against two silent-staleness classes. The fingerprinted extension and manifest name lists are now imported from deslop-js/analyzed-inputs — a new dependency-free subpath export assembled from the same constants deslop's own readers consume — so a deslop upgrade that widens its walk can never under-invalidate the cache. And the key now includes @react-doctor/core's own version, so upgrading react-doctor re-analyzes instead of replaying cached diagnostics shaped by an older core's post-processing. The cache schema-version constant remains for cache-format changes only.

  • #1053 e257a5e Thanks @​rayhanadev! - Rescans now skip the dead-code analysis entirely when nothing it reads has changed. The pass persists its diagnostics keyed by a fingerprint over the analyzed source tree (stat-based, so additions, deletions, and edits all invalidate), the project's manifests, tsconfigs, lockfiles, knip/entry/ignore configuration, and the analyzer version — on an unchanged-input rerun the stored result replays instead of re-walking the whole import graph, cutting several seconds off warm rescans of large repos. Only complete, successful passes are stored; REACT_DOCTOR_NO_CACHE (or the granular REACT_DOCTOR_NO_DEAD_CODE_CACHE) disables it.

  • #1057 ce49250 Thanks @​rayhanadev! - Dead-code analysis is now incremental across scans. deslop-js gains an opt-in incrementalCachePath config field: one stat walk per run (following directory symlinks, like the glob scans it stands in for) validates four independently keyed layers — per-file parse summaries (mtime+size), the collected file list, the module-resolution map (dropped whenever the file set or a bundler/tsconfig-like config changes, since resolution is file-set-dependent), and the per-file package-reference facts behind the unused-dependency content scans. The same walk also answers the stale-package file-discovery globs (config/docs/rescue/package.json/nx/tsconfig scans, verified byte-identical against fast-glob), so a cached run never re-walks the tree for them. Entry resolution deliberately stays live every run (it reads config/doc/sibling-source content no fingerprint can validate); on cached runs it moves to a dedicated worker thread so its filesystem work overlaps the main-thread analysis instead of serializing after it. Every layer fails open — corrupt, truncated, or version/config-mismatched stores degrade to a fresh computation, never a wrong result — writes are atomic and skipped when clean, and results are byte-identical to an uncached run. Unused-export detection also indexes re-export edges by source module, dropping an O(entry points × edges) scan that dominated the detector on large repos.

    react-doctor points the analysis worker at a per-project summary store next to the existing whole-result dead-code cache, so a changed-files rescan of a large repo re-parses only what changed (sentry, 9k files: ~8.0s → ~3.2s with 0-10 files edited; ~4.0s after adding a file; the cache-fill run costs the same as an uncached scan). The worker also stops running the discarded DRY-pattern redundancy detectors (reportRedundancy: false), which shrinks the summary store by dropping fields only those detectors read, and reports the cache outcome as deadCode.summaryCacheHits / deadCode.summaryCacheMisses in anonymized telemetry (absent whenever no analysis consulted the store). REACT_DOCTOR_NO_CACHE (or the granular REACT_DOCTOR_NO_DEAD_CODE_CACHE) disables it.

  • #1054 8c004f0 Thanks @​rayhanadev! - Instant reruns now also work with uncommitted changes: the whole-repo scan-result cache no longer requires a clean worktree — it keys on the exact dirty state (every modified, staged, renamed, deleted, and untracked path plus a hash of its content), so rescanning the same work-in-progress tree hits the cache while any edit still invalidates it.

  • #1052 1571119 Thanks @​rayhanadev! - Restore instant reruns on large repos: raise runGit's output cap so the whole-repo scan-result cache works past ~15k tracked files.

    The cache's clean-worktree gates shell out to git through a helper that used Node's default 1 MiB maxBuffer. On repos with roughly 15-25k tracked files (getsentry/sentry: 20,343), git ls-files -v alone exceeds that, execFileSync throws ENOBUFS, the helper swallows it into null, and the gates read null as "hidden tracked state" — so the cache silently never stored or served a scan on exactly the repos where the instant-rerun path saves the most time. The helper now runs with an explicit 64 MiB cap, which clears monorepos with hundreds of thousands of files while still bounding a pathological child process.

  • #1058 ea9a775 Thanks @​rayhanadev! - Warm rescans now skip the cross-file lint sidecar for files whose dependencies are unchanged. Previously the per-file lint cache replayed most rules but re-linted EVERY file with the cross-file ruleset (no-barrel-import, the Next.js metadata/Suspense rules, no-mutating-reducer-state, the React Native text rules) on every scan, because a sibling edit can flip an unchanged file's verdict. Each file now carries a dependency fingerprint — the exact set of filesystem probes (resolved import targets, barrel chains, ancestor layouts, nearest package.json/tsconfig, and the negative resolution candidates that catch shadowing) its cross-file rules consulted — and the sidecar replays the stored diagnostics when every probe still answers the same, re-linting only files whose dependency set changed. Every entry fails open (corrupt store, unparseable file, partial lint → fresh re-lint), a cross-file rule without a registered dependency collector re-lints everywhere, and REACT_DOCTOR_NO_CACHE (or the granular REACT_DOCTOR_NO_SIDECAR_CACHE) disables it.

  • #1059 bdf8074 Thanks @​rayhanadev! - Added cache-temperature telemetry to the per-scan Sentry wide event, so cache effectiveness is queryable at a glance instead of being inferred from per-subsystem dims. cache.temperature classifies every scan as turbo (whole-repo scan-result replay — now marked by an explicit wholeRepoCacheHit flag on the replay path, never inferred from absent dims), warm (any incremental reuse across the per-file lint, sidecar, or dead-code caches), cold (caches on, zero reuse), or disabled (the global REACT_DOCTOR_NO_CACHE off-switch). cache.warmth is the numeric headline magnitude in [0, 1] — the plain mean of the known subsystem reuse fractions, skipping subsystems that never consulted a cache. The existing per-subsystem dims (lint.cacheHitRatio, lint.sidecarReplayRatio, deadCode.cacheHit, deadCode.summaryCacheHits/Misses) are unchanged. Telemetry-only: no new counters, no JSON-report or cache-schema changes.

  • Updated dependencies [ced746f, 20d81f6, ce49250]:

    • deslop-js@0.7.0
    • oxlint-plugin-react-doctor@0.7.0

react-doctor@0.6.3

Patch Changes

  • #1045 fc75a3e Thanks @​rayhanadev! - Balance lint batches by file size (LPT) so one oversized batch no longer sets the whole scan's wall clock. The full-scan batcher greedily filled 100-file chunks in discovery order, so a directory of large files (generated modules, vendored bundles, big test fixtures — adjacent in git ls-files order) all landed in ONE batch: on a 619-file corpus with six ~240 KB files that straggler batch ran ~7.5 s while the other six workers finished in ~1 s and idled — and a big enough cluster can trip the 60 s per-batch timeout and drop files. The planner now keeps the same batch count (and therefore the same subprocess count and CPU) but assigns files largest-first to the least-loaded batch, so every batch carries an even share of files and bytes: 2.2× faster wall clock on the skewed corpus (9.7 s → 4.3 s), no measurable change on uniform repos, and diagnostics verified byte-identical on both. Splitting into MORE batches to feed idle workers was measured to regress (each extra concurrent subprocess pays a contended cold start that outweighs its smaller file share) and is deliberately not done. REACT_DOCTOR_LINT_BATCH_ORDERING=arrival rolls back to the old greedy chunking; the previous opt-in cost mode (sort-descending-then-chunk, which concentrated the heavy files instead of spreading them) is superseded by the balanced plan.

  • #1046 59e8178 Thanks @​rayhanadev! - Stop lint's pre-spawn setup from starving the overlapped security-scan and supply-chain passes.

    The security scan already runs on a cooperative background fiber that overlaps the lint pass, but a forked fiber only advances when the main thread yields — and lint's synchronous pre-spawn prefix (full-scan file discovery plus the per-file cache's content-hash partition over every candidate file) held the event loop until the first oxlint subprocess spawned. The overlapped passes now start immediately: the lint runner hands the loop back once before discovery and yields on the shared cooperative time budget while hashing, and the security scan's own directory walk (previously one unyielding readdir+classify burst before its first budget checkpoint) yields walk-progress markers so large trees can't stall lint subprocess draining or concurrently-scanning sibling projects. Diagnostics are byte-identical and the report order is unchanged.

  • Updated dependencies [173cc0a, 173cc0a, 173cc0a, 173cc0a, 173cc0a, 173cc0a, b4faf74, 173cc0a, 173cc0a, 173cc0a, 173cc0a, 173cc0a, 173cc0a, 173cc0a, 173cc0a, b4faf74, b4faf74, 072d37e, 2980d0f, 5fec491, 05f6399, a1c8ee1, fa61c20, ac71a3b, d8628d7, ebeee56, da3b19c, 6a9a73b, 173cc0a, 173cc0a]:

... (truncated)

Changelog

Sourced from react-doctor's changelog.

0.7.1

Patch Changes

  • #1062 6b21b70 Thanks @​devin-ai-integration! - Surface when a scan target had no discoverable React project, so a gated-off run can't pass for a clean one.

    • The JSON report now carries reactDetected: false (additive optional field on schemaVersion 1 and 2) when no scanned project resolved a React or Preact runtime — the case where every React-runtime rule family gates off and the report would otherwise be byte-indistinguishable from a genuinely clean scan. It's true when any project resolved a runtime, and absent when nothing was scanned or the run errored. Consumers gating on the report (CI, verifiers, pre-commit hooks) should treat reactDetected === false as "wrong scan target", not "all clear"; per-project detail is already available via projects[].project.reactVersion / preactVersion.
    • The CLI prints a stderr warning in the same case: "No React project detected at — React rules were gated off; this is not the same as a clean scan."
    • The programmatic API mirrors the signal: diagnose() results carry reactDetected (DiagnoseResult.reactDetected, per-project on ProjectResultOk, aggregate on DiagnoseProjectsResult — absent when no project scanned successfully), and the hasReactRuntime(project) predicate is exported from react-doctor/api and @react-doctor/api.
  • Updated dependencies [c0c3fc1]:

    • oxlint-plugin-react-doctor@0.7.1
    • deslop-js@0.7.1

0.7.0

Patch Changes

  • #1060 ced746f Thanks @​rayhanadev! - The whole cache stack now survives CI's fresh checkouts, so the GitHub Action's persisted REACT_DOCTOR_CACHE_DIR actually warms every layer instead of only the content-addressed ones. The whole-repo scan-result cache moves under the shared per-project cache root (honoring REACT_DOCTOR_CACHE_DIR like the lint, sidecar, dead-code, and supply-chain caches — previously it silently escaped the action's cache into node_modules/.cache or the OS temp dir), and its key drops every stat-based fingerprint that a re-clone rotates: config files and gitignored dotenv files are now content-hashed, and the toolchain is keyed by package versions (matching the lint ruleset hash) rather than install mtimes. The stat-fingerprinted dead-code caches gain mtime repair (the ninja/restat pattern): entries carry a content-hash witness, and a stat mismatch over identical bytes — every file after a fresh checkout — re-hashes once, accepts the entry, and persists the refreshed stat so the cost is paid once per checkout, not per run. This covers core's whole-project dead-code result cache (per-file (mtime, size, hash) records replacing the stats-in-key fingerprint) and deslop-js's incremental summary store (parse summaries, package-reference facts, and the manifest/bundler-config fingerprints feeding the collect/resolution hashes). Expired supply-chain score entries are also pruned past their TTL so restored cache directories stop accumulating dead purls. Everything stays fail-open and byte-identical to an uncached scan; on a re-cloned repo with one changed file, a warm scan now replays ~100% of lint, sidecar, and parse work instead of starting cold.

  • #1056 20d81f6 Thanks @​rayhanadev! - Hardened the dead-code result cache key against two silent-staleness classes. The fingerprinted extension and manifest name lists are now imported from deslop-js/analyzed-inputs — a new dependency-free subpath export assembled from the same constants deslop's own readers consume — so a deslop upgrade that widens its walk can never under-invalidate the cache. And the key now includes @react-doctor/core's own version, so upgrading react-doctor re-analyzes instead of replaying cached diagnostics shaped by an older core's post-processing. The cache schema-version constant remains for cache-format changes only.

  • #1053 e257a5e Thanks @​rayhanadev! - Rescans now skip the dead-code analysis entirely when nothing it reads has changed. The pass persists its diagnostics keyed by a fingerprint over the analyzed source tree (stat-based, so additions, deletions, and edits all invalidate), the project's manifests, tsconfigs, lockfiles, knip/entry/ignore configuration, and the analyzer version — on an unchanged-input rerun the stored result replays instead of re-walking the whole import graph, cutting several seconds off warm rescans of large repos. Only complete, successful passes are stored; REACT_DOCTOR_NO_CACHE (or the granular REACT_DOCTOR_NO_DEAD_CODE_CACHE) disables it.

  • #1057 ce49250 Thanks @​rayhanadev! - Dead-code analysis is now incremental across scans. deslop-js gains an opt-in incrementalCachePath config field: one stat walk per run (following directory symlinks, like the glob scans it stands in for) validates four independently keyed layers — per-file parse summaries (mtime+size), the collected file list, the module-resolution map (dropped whenever the file set or a bundler/tsconfig-like config changes, since resolution is file-set-dependent), and the per-file package-reference facts behind the unused-dependency content scans. The same walk also answers the stale-package file-discovery globs (config/docs/rescue/package.json/nx/tsconfig scans, verified byte-identical against fast-glob), so a cached run never re-walks the tree for them. Entry resolution deliberately stays live every run (it reads config/doc/sibling-source content no fingerprint can validate); on cached runs it moves to a dedicated worker thread so its filesystem work overlaps the main-thread analysis instead of serializing after it. Every layer fails open — corrupt, truncated, or version/config-mismatched stores degrade to a fresh computation, never a wrong result — writes are atomic and skipped when clean, and results are byte-identical to an uncached run. Unused-export detection also indexes re-export edges by source module, dropping an O(entry points × edges) scan that dominated the detector on large repos.

    react-doctor points the analysis worker at a per-project summary store next to the existing whole-result dead-code cache, so a changed-files rescan of a large repo re-parses only what changed (sentry, 9k files: ~8.0s → ~3.2s with 0-10 files edited; ~4.0s after adding a file; the cache-fill run costs the same as an uncached scan). The worker also stops running the discarded DRY-pattern redundancy detectors (reportRedundancy: false), which shrinks the summary store by dropping fields only those detectors read, and reports the cache outcome as deadCode.summaryCacheHits / deadCode.summaryCacheMisses in anonymized telemetry (absent whenever no analysis consulted the store). REACT_DOCTOR_NO_CACHE (or the granular REACT_DOCTOR_NO_DEAD_CODE_CACHE) disables it.

  • #1054 8c004f0 Thanks @​rayhanadev! - Instant reruns now also work with uncommitted changes: the whole-repo scan-result cache no longer requires a clean worktree — it keys on the exact dirty state (every modified, staged, renamed, deleted, and untracked path plus a hash of its content), so rescanning the same work-in-progress tree hits the cache while any edit still invalidates it.

  • #1052 1571119 Thanks @​rayhanadev! - Restore instant reruns on large repos: raise runGit's output cap so the whole-repo scan-result cache works past ~15k tracked files.

    The cache's clean-worktree gates shell out to git through a helper that used Node's default 1 MiB maxBuffer. On repos with roughly 15-25k tracked files (getsentry/sentry: 20,343), git ls-files -v alone exceeds that, execFileSync throws ENOBUFS, the helper swallows it into null, and the gates read null as "hidden tracked state" — so the cache silently never stored or served a scan on exactly the repos where the instant-rerun path saves the most time. The helper now runs with an explicit 64 MiB cap, which clears monorepos with hundreds of thousands of files while still bounding a pathological child process.

  • #1058 ea9a775 Thanks @​rayhanadev! - Warm rescans now skip the cross-file lint sidecar for files whose dependencies are unchanged. Previously the per-file lint cache replayed most rules but re-linted EVERY file with the cross-file ruleset (no-barrel-import, the Next.js metadata/Suspense rules, no-mutating-reducer-state, the React Native text rules) on every scan, because a sibling edit can flip an unchanged file's verdict. Each file now carries a dependency fingerprint — the exact set of filesystem probes (resolved import targets, barrel chains, ancestor layouts, nearest package.json/tsconfig, and the negative resolution candidates that catch shadowing) its cross-file rules consulted — and the sidecar replays the stored diagnostics when every probe still answers the same, re-linting only files whose dependency set changed. Every entry fails open (corrupt store, unparseable file, partial lint → fresh re-lint), a cross-file rule without a registered dependency collector re-lints everywhere, and REACT_DOCTOR_NO_CACHE (or the granular REACT_DOCTOR_NO_SIDECAR_CACHE) disables it.

  • #1059 bdf8074 Thanks @​rayhanadev! - Added cache-temperature telemetry to the per-scan Sentry wide event, so cache effectiveness is queryable at a glance instead of being inferred from per-subsystem dims. cache.temperature classifies every scan as turbo (whole-repo scan-result replay — now marked by an explicit wholeRepoCacheHit flag on the replay path, never inferred from absent dims), warm (any incremental reuse across the per-file lint, sidecar, or dead-code caches), cold (caches on, zero reuse), or disabled (the global REACT_DOCTOR_NO_CACHE off-switch). cache.warmth is the numeric headline magnitude in [0, 1] — the plain mean of the known subsystem reuse fractions, skipping subsystems that never consulted a cache. The existing per-subsystem dims (lint.cacheHitRatio, lint.sidecarReplayRatio, deadCode.cacheHit, deadCode.summaryCacheHits/Misses) are unchanged. Telemetry-only: no new counters, no JSON-report or cache-schema changes.

  • Updated dependencies [ced746f, 20d81f6, ce49250]:

    • deslop-js@0.7.0
    • oxlint-plugin-react-doctor@0.7.0

0.6.3

Patch Changes

  • #1045 fc75a3e Thanks @​rayhanadev! - Balance lint batches by file size (LPT) so one oversized batch no longer sets the whole scan's wall clock. The full-scan batcher greedily filled 100-file chunks in discovery order, so a directory of large files (generated modules, vendored bundles, big test fixtures — adjacent in git ls-files order) all landed in ONE batch: on a 619-file corpus with six ~240 KB files that straggler batch ran ~7.5 s while the other six workers finished in ~1 s and idled — and a big enough cluster can trip the 60 s per-batch timeout and drop files. The planner now keeps the same batch count (and therefore the same subprocess count and CPU) but assigns files largest-first to the least-loaded batch, so every batch carries an even share of files and bytes: 2.2× faster wall clock on the skewed corpus (9.7 s → 4.3 s), no measurable change on uniform repos, and diagnostics verified byte-identical on both. Splitting into MORE batches to feed idle workers was measured to regress (each extra concurrent subprocess pays a contended cold start that outweighs its smaller file share) and is deliberately not done. REACT_DOCTOR_LINT_BATCH_ORDERING=arrival rolls back to the old greedy chunking; the previous opt-in cost mode (sort-descending-then-chunk, which concentrated the heavy files instead of spreading them) is superseded by the balanced plan.

  • #1046 59e8178 Thanks @​rayhanadev! - Stop lint's pre-spawn setup from starving the overlapped security-scan and supply-chain passes.

... (truncated)

Commits
  • 160f84c chore: version packages (#1063)
  • 6b21b70 feat(core): surface reactDetected so a gated-off scan can't pass for clean (#...
  • 574cba6 chore: version packages (#1055)
  • ced746f fix(core): make the cache stack survive CI checkouts and the action cache (#1...
  • bdf8074 feat(telemetry): classify every scan's cache temperature in the wide event (#...
  • ea9a775 perf(core): incremental cross-file sidecar lint via dependency probe traces (...
  • ce49250 perf(core): incremental dead-code analysis via a per-file summary cache (#1057)
  • 8c004f0 perf(cli): key the scan-result cache on dirty worktree content instead of bai...
  • e257a5e perf(core): cache dead-code results so unchanged rescans skip the analysis (#...
  • 1571119 fix(cli): raise runGit maxBuff...

    Description has been truncated


    View with Codesmith Autofix with Codesmith
    Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

Bumps the dev-dependencies group with 3 updates in the / directory: [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome), [@tanstack/devtools-vite](https://github.com/TanStack/devtools/tree/HEAD/packages/devtools-vite) and [react-doctor](https://github.com/millionco/react-doctor/tree/HEAD/packages/react-doctor).


Updates `@biomejs/biome` from 2.3.11 to 2.5.2
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.5.2/packages/@biomejs/biome)

Updates `@tanstack/devtools-vite` from 0.4.1 to 0.8.1
- [Release notes](https://github.com/TanStack/devtools/releases)
- [Changelog](https://github.com/TanStack/devtools/blob/main/packages/devtools-vite/CHANGELOG.md)
- [Commits](https://github.com/TanStack/devtools/commits/@tanstack/devtools-vite@0.8.1/packages/devtools-vite)

Updates `react-doctor` from 0.5.8 to 0.7.1
- [Release notes](https://github.com/millionco/react-doctor/releases)
- [Changelog](https://github.com/millionco/react-doctor/blob/main/packages/react-doctor/CHANGELOG.md)
- [Commits](https://github.com/millionco/react-doctor/commits/react-doctor@0.7.1/packages/react-doctor)

---
updated-dependencies:
- dependency-name: "@biomejs/biome"
  dependency-version: 2.5.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
- dependency-name: "@tanstack/devtools-vite"
  dependency-version: 0.8.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
- dependency-name: react-doctor
  dependency-version: 0.7.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants