
Releases: SonarSource/SonarJS

9.12.0

05 Dec 16:23
a7588a1

In this release:

  • We improved the precision of Cognitive Complexity for JSX by ignoring shorthands such as short-circuit logic.

  • We added 6 new rules for detecting performance issues in React:

    • S6477: Mandatory keys in JSX list components
    • S6479: No array index for keys in JSX list components
    • S6486: No unique values as keys for JSX list components
    • S6480: Disallow .bind() and arrow functions in JSX props
    • S6481: React Context Provider values should not have unstable identities
    • S6478: React components should not be nested

Milestone: https://github.com/SonarSource/SonarJS/issues?q=is%3Aclosed+milestone%3A9.12

Full Changelog: 9.11.1.20218...9.12.0.20319

9.11.1

25 Nov 09:48
3f2651c

Fix dependency injection of JavaScriptProjectChecker for SonarCloud

Milestone: https://github.com/SonarSource/SonarJS/milestone/63?closed=1

SonarQube version: 9.8

9.11.0

22 Nov 15:41
18fcf3b

This new version:

  • Improves the performance of slow rules
  • Brings a better experience for TSconfig with node_modules
  • Adds support for CSS analysis in SonarLint
  • Enables typed rules for JS in SonarLint
  • Supports TypeScript 4.9

Milestone: https://github.com/SonarSource/SonarJS/milestone/63?closed=1

SonarQube version: 9.8

9.10.0

03 Nov 16:21
5a217f8

This new version adds 16 AWS CDK rules and includes the fixes listed in the 9.10 milestone.

9.9.0

11 Oct 09:50
e6156f1

SonarJS hardening before SonarQube 9.7.

Details are available in the 9.9 milestone.

9.8.0

20 Sep 09:47
633fe55

  • Faster PR analysis
  • Security analysis for AWS YAML
  • TypeScript 4.8
  • Deprecation of Node.js v14
  • Removal of support for Node.js v12

Details are available in the 9.8 milestone.

9.7.0

19 Aug 14:15
1c4c451

In this release, we've worked on two main topics:

  • Improve integration with SonarLint
  • Fix false positives for S1313 and S5860

Details are available in the 9.7 milestone.

This release will soon be available on SonarCloud and will ship in SonarQube 9.7 and SonarLint.

9.6.0

10 Aug 16:12
5f9a185

In this release, we've worked on two main topics:

  • Reduce the number of false positives in projects using React
  • Add new security hotspots targeting AWS S3 buckets with Node AWS CDK

Details are available in the 9.6 milestone.

This release will soon be available on SonarCloud and will ship in SonarQube 9.6 and SonarLint.

9.5.0

22 Jul 12:31
eff7e94

This is a big release where we focused on catching React-specific bugs and code smells.
We are also introducing checks for code inside AWS template files 🤯.

We have 7 new rules for React:

  • S6440: Ensure Hooks are always called from the top of React function components. This helps when first starting with hooks, while also catching some mistakes that might be hard to see otherwise. See React's own Rules of Hooks.
  • S6441: Detect methods of React component classes that are not used inside the component. Lifecycle methods are excluded. Overall, this helps detect dead code, but importantly it also catches uses of methods outside the component. This goes against React's data model and can break many assumptions. See the details for ways to solve it.
  • S6442: Prevent hooks from being called directly in the body of components, which causes an infinite render loop. This can happen by accident or when you're starting to learn hooks. See the relevant meme on Twitter.
  • S6443: Ensure a Hook's setter is not called with the current state. This does nothing, so it is very likely a mistake, like a forgotten Boolean inversion or something else.
  • S6438: When starting with JSX you might not know that regular comments produce an unexpected DOM node. That can be quite surprising, but now you're safe with this rule.
  • S6435: Detect when you forget to return from a React class component. This can happen by mistake, and React won't complain, so it can be hard to find!
  • S6439: Prevent accidentally rendering unexpected characters that come from conditionals in JSX. See the rule details for some examples. Did you know about this?

Some improvements:

  • S1534: Now detects duplicated attributes in JSX literals. This helps with typos and duplicates quite a lot!
  • S2589: No longer raises an issue for expressions passed as children for JSX literals. That means fewer false positives.
  • S905: Now helps detect missing return statements in React function components. Similar to what S6435 does in class components.
  • S5148: Now handles an additional edge case to help secure your code when opening browser windows programmatically.
  • S1135: Now covers an edge case where TODOs were not being seen. It's all in the details.

For AWS users:

  • We now check the JavaScript and TypeScript code embedded inside AWS template files in YAML.
  • This should work out-of-the-box, without any additional action on your part.
  • You can now benefit from all the same rules that are supported in stand-alone code files!

Here are the details of the Milestone.

All of this is available now in SonarCloud and will be in SonarQube 9.6 and in SonarLint when released.

Stay tuned for more things to come for React and AWS!

9.4.0

24 Jun 13:07
ecafd2e

In this release, we have added 3 new rules and did some hardening (details here). We have also updated some major dependencies.

JS/TS

  • Upgrade TypeScript to 4.7 (#3180)
  • Add S5148 ('link-with-target-blank'): Authorizing an opened window to access back to the originating window is security-sensitive (#2621)
  • Add S4125 ('valid-typeof'): "typeof" expressions should only be compared to valid values (#625)
  • Add S6397 ('single-char-in-character-classes'): Character classes in regular expressions should not contain only one character (#3085)
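
The pattern S5148 flags, shown as an added example that is not part of SonarJS or this release: a page that opens another origin in a new window without the `noopener` feature leaves the opened page with a `window.opener` reference back to the opener. `safeOpen` below adds `noopener,noreferrer` to the feature string and, as a fallback for engines that still return a handle, clears `opener` on it; the `openFn` parameter is an assumption made so the logic runs without a DOM.

```javascript
// Added example (not SonarJS code). Models the check behind S5148 and a
// hardened wrapper around window.open(). Feature strings are the third
// argument of window.open(), e.g. "width=600,noopener".

// Split a feature string into trimmed, lower-cased entries.
function parseFeatures(features) {
  return (features || '')
    .split(',')
    .map((f) => f.trim())
    .filter(Boolean);
}

// True when the new window would receive a usable window.opener reference,
// which is the situation S5148 reports as security-sensitive.
function grantsOpenerAccess(features) {
  return !parseFeatures(features).some((f) => f.toLowerCase() === 'noopener');
}

// Return the feature string with noopener and noreferrer guaranteed present,
// preserving any features the caller already specified.
function featuresWithNoopener(features) {
  const list = parseFeatures(features);
  for (const required of ['noopener', 'noreferrer']) {
    if (!list.some((f) => f.toLowerCase() === required)) list.push(required);
  }
  return list.join(',');
}

// Hardened replacement for window.open(url, '_blank', features).
// openFn is injectable (assumption for testing); in a browser it defaults
// to the real window.open.
function safeOpen(url, features = '', openFn = (u, t, f) => window.open(u, t, f)) {
  const handle = openFn(url, '_blank', featuresWithNoopener(features));
  // Per spec, window.open with noopener returns null. If an engine still
  // hands back a handle, sever the back-reference explicitly.
  if (handle && 'opener' in handle) handle.opener = null;
  return handle;
}
```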

CSS

  • Upgrade stylelint to 14.9.1 (#3182)

Part of SonarQube 9.6