feat(config): upgrade Biome.js to v2.3.10 and optimize framework configs #570

Merged: tutods merged 6 commits into main from copilot/upgrade-biomejs-configuration on Dec 20, 2025

Contributor

Copilot AI commented Dec 20, 2025

Pull request

Description

Upgraded Biome.js from 2.3.3 to 2.3.10 across all configurations. Added 9 new nursery rules from releases 2.3.4-2.3.10 and refactored configuration structure to eliminate duplicate rules and disable inapplicable rules for framework-specific contexts.

Security & Correctness

  • noScriptUrl - blocks javascript: URLs (XSS prevention)
  • noEqualsToNull - enforces strict equality for null checks
  • useArraySortCompare - requires compareFunction in Array#sort
  • useAwaitThenable - validates await usage on Promises only
  • useRegexpExec - prefers RegExp#exec over String#match

JSX & Accessibility

  • noLeakedRender - prevents unintended value rendering (e.g., 0)
  • noDuplicatedSpreadProps - catches duplicate spread identifiers
  • noAmbiguousAnchorText - flags generic link text ("click here", etc.)

Code Quality

  • noMultiStr - disallows escaped newline multiline strings

Fixed noBiomeFirstException by removing redundant ** pattern from root config (base config already provides catch-all).

Updated schema references in all config files: base.json, nextjs.json, nestjs.json, solidjs.json.

Configuration Structure Changes

Refactored framework-specific configurations to follow proper extension pattern:

  • base.json: Contains all 9 new shared rules that apply to all projects
  • nestjs.json: NestJS-specific overrides (decorator support, DI compatibility) + disabled inapplicable rules
  • nextjs.json: Only Next.js-specific rules (routing, performance, accessibility)
  • solidjs.json: SolidJS-specific rules (React compatibility) + disabled React-specific hooks

Removed duplicate rules from framework-specific configs since they extend base.json via:

"extends": ["@tutods/biome-config", "@tutods/biome-config/nestjs"]

Disabled Inapplicable Rules:

  • NestJS (backend): Disabled JSX/React rules (noLeakedRender, noDuplicatedSpreadProps, noUselessFragments), a11y rules (not applicable for backend APIs), and frontend-specific rules (noAmbiguousAnchorText, useSortedClasses)
  • SolidJS: Disabled useHookAtTopLevel (React-specific rule that doesn't apply to Solid's reactivity model where "hooks" like createSignal run once for setup, not on every render)

Upgrade Details

Version Changes

  • Previous Version: 2.3.3
  • New Version: 2.3.10

Files Updated

  • /biome.json - Updated schema to 2.3.10, fixed noBiomeFirstException
  • /package.json - Updated @biomejs/biome to ^2.3.10
  • /configs/biome-config/package.json - Updated dependencies and peerDependencies
  • /configs/biome-config/base.json - Updated schema to 2.3.10, added 9 new rules
  • /configs/biome-config/nextjs.json - Updated schema, removed duplicate rules
  • /configs/biome-config/nestjs.json - Updated schema, removed duplicate rules, disabled inapplicable rules
  • /configs/biome-config/solidjs.json - Updated schema, removed duplicate rules, disabled React-specific rules

New Rules Evaluation

All 9 rules added are from the nursery category (experimental but stable). Rules evaluated but not added:

  • noContinue - too opinionated for general use
  • noUndeclaredEnvVars - only relevant for Turborepo projects
  • useRequiredScripts - project standards already established

NestJS Configuration

Current NestJS-specific settings are optimal for backend development:

  • unsafeParameterDecoratorsEnabled: true - allows decorators like @Injectable, @Controller
  • useImportType: "off" - prevents breaking dependency injection
  • noStaticOnlyClass: "off" - allows NestJS module patterns
  • noUselessConstructor: "off" - allows DI constructors
  • useHookAtTopLevel: "off" - disabled (React-specific)
  • Disabled JSX/React, a11y, and frontend-specific rules

Testing Results

  • ✅ All lint checks pass (21 files)
  • ✅ Build succeeds without errors
  • ✅ CI lint works correctly
  • ✅ Zero breaking changes to existing code
  • ✅ No deprecated rules present
  • ✅ Configuration properly extends base config
  • ✅ Framework-specific rules correctly applied/disabled per context

Motivation and Context

Staying current with Biome.js releases provides access to improved security rules, better correctness checks, and enhanced developer experience. The new rules catch common bugs and security issues automatically.

Refactoring the configuration structure eliminates rule duplication and ensures consistent linting behavior across all frameworks while maintaining framework-specific overrides where needed. Disabling inapplicable rules prevents false positives and irrelevant warnings in backend and framework-specific contexts.

References

Types of changes

  • Breaking change (a fix or feature that would cause existing functionality to change)
  • Bugfix (a non-breaking change that fixes an issue)
  • Chore (a task that doesn't add or fix existing code or tests)
  • New feature (a non-breaking change that adds functionality)
  • Performance (a non-breaking change that reduces time or space complexity of a flow)
  • Refactor (a non-breaking change that restructures existing code)
  • Test (added or updated existing tests without implementation changes)

Original prompt

This section details on the original issue you should resolve

<issue_title>Upgrade Biome.js configuration to latest version and review rules</issue_title>
<issue_description>Upgrade the Biome.js configuration to the latest available version.

  • Update all Biome-related config files.
  • Address and fix any deprecated rules.
  • Investigate new rules available in the latest Biome.js release and analyze if they should be added to the configuration.
  • Test the updated configuration to ensure compatibility and maintain or improve code quality.

Acceptance Criteria:

  • All Biome.js related configs are using the latest version.
  • No deprecated rules are present.
  • A report (comment or README update) is posted summarizing changes and any new rules considered/added/skipped, with reasoning.

Reference: Biome.js Documentation

If you encounter any blockers, please describe them in the issue comments.</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: tutods <18479474+tutods@users.noreply.github.com>
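
The noScriptUrl rule in the description above flags javascript: URLs written in source; an href that only exists at runtime never passes through the linter. As an added example (not code from this PR or from Biome), here is a scheme allowlist for such values; `isSafeHref`, `rejectUnsafe`, `ALLOWED_SCHEMES`, `BASE` and the sample values are hypothetical.

```javascript
// Added example: runtime counterpart to a lint rule that blocks javascript: URLs.
// All names and sample values here are hypothetical, not taken from the PR.

// Schemes a rendered link may use; anything else (javascript:, data:, ...) is refused.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Placeholder base so relative hrefs ("/docs", "#top") resolve to https and pass.
const BASE = "https://placeholder.invalid/";

function isSafeHref(value) {
  if (typeof value !== "string") return false;
  let url;
  try {
    // The WHATWG URL parser trims leading/trailing control characters and
    // spaces, removes tabs and newlines, and lowercases the scheme, so
    // disguised spellings of "javascript:" all surface in url.protocol.
    url = new URL(value, BASE);
  } catch {
    return false; // unparseable values are refused rather than rendered
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Returns the subset of hrefs that must not be rendered as links.
function rejectUnsafe(hrefs) {
  return hrefs.filter((href) => !isSafeHref(href));
}

// Constructed sample values.
const SAMPLE_HREFS = [
  "https://example.com/profile",
  "/docs/getting-started",
  "#top",
  "mailto:team@example.com",
  "javascript:void(0)",
  "  JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "data:text/html,hello",
];

console.log(rejectUnsafe(SAMPLE_HREFS));
```

A string comparison such as `value.startsWith("javascript:")` would accept the sixth and seventh samples, which is why the check parses the value first.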
Copilot AI changed the title from "[WIP] Upgrade Biome.js configuration to latest version and review rules" to "feat(config): upgrade Biome.js to v2.3.10 and add new lint rules" on Dec 20, 2025
Copilot AI requested a review from tutods December 20, 2025 14:11
Owner

tutods commented Dec 20, 2025

@copilot The upgrade report leave it on a comment or on the pull request description, remove the file please.

Co-authored-by: tutods <18479474+tutods@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 20, 2025

> @copilot The upgrade report leave it on a comment or on the pull request description, remove the file please.

Done! Removed the BIOME_UPGRADE_REPORT.md file. The upgrade details are now in the PR description. (commit 6f886a8)

Owner

tutods commented Dec 20, 2025

@copilot The shared rules should be only added on base.json. The other files will be used together with base.json, like:

"extends": ["@tutods/biome-config", "@tutods/biome-config/nestjs"],

It's important to have in mind that nestjs.json could have a few disabled rules to avoid issues because it's a backend project.
Any other rule that should be added specific for Nestjs?

Co-authored-by: tutods <18479474+tutods@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 20, 2025

> @copilot The shared rules should be only added on base.json. The other files will be used together with base.json, like:
>
> "extends": ["@tutods/biome-config", "@tutods/biome-config/nestjs"],...

Fixed! Removed all duplicate shared rules from nestjs.json, nextjs.json, and solidjs.json. They now only contain framework-specific overrides. (commit 0180840)

Regarding NestJS-specific rules: The current configuration is already optimized for NestJS with:

  • unsafeParameterDecoratorsEnabled: true - allows decorators like @Injectable, @Controller
  • useImportType: "off" - prevents breaking DI by converting imports to type-only
  • noStaticOnlyClass: "off" - allows NestJS module patterns
  • noUselessConstructor: "off" - allows DI constructors
  • useHookAtTopLevel: "off" - disabled since it's React-specific

Biome doesn't have additional NestJS-specific rules beyond these decorator/DI compatibility settings.

Copilot AI changed the title from "feat(config): upgrade Biome.js to v2.3.10 and add new lint rules" to "feat(config): upgrade Biome.js to v2.3.10 and refactor config structure" on Dec 20, 2025
Owner

tutods commented Dec 20, 2025

@copilot Should any rule from base.json be disabled on nestjs.json or solidjs.json?

Co-authored-by: tutods <18479474+tutods@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 20, 2025

> @copilot Should any rule from base.json be disabled on nestjs.json or solidjs.json?

Yes, added necessary rule disables. (commit c947abc)

NestJS (backend):

  • Disabled JSX/React rules: noLeakedRender, noDuplicatedSpreadProps, noUselessFragments
  • Disabled a11y rules: Not applicable for backend APIs
  • Disabled frontend-specific: noAmbiguousAnchorText, useSortedClasses

SolidJS:

  • Disabled useHookAtTopLevel: React-specific rule that doesn't apply to Solid's reactivity model (Solid's "hooks" like createSignal run once for setup, not on every render)

All other base.json rules are applicable to both frameworks.

tutods requested a review from Copilot December 20, 2025 14:42
tutods marked this pull request as ready for review December 20, 2025 14:42
Copilot AI changed the title from "feat(config): upgrade Biome.js to v2.3.10 and refactor config structure" to "feat(config): upgrade Biome.js to v2.3.10 and optimize framework configs" on Dec 20, 2025
tutods enabled auto-merge (squash) December 20, 2025 14:42
tutods merged commit ada7ac4 into main Dec 20, 2025
2 checks passed
tutods deleted the copilot/upgrade-biomejs-configuration branch December 20, 2025 14:42

Copilot AI left a comment

Pull request overview

This PR upgrades Biome.js from version 2.3.3 to 2.3.10 and refactors the configuration structure to eliminate duplication across framework-specific configs.

  • Updated all schema references from 2.2.4/2.3.3 to 2.3.10
  • Added 9 new lint rules to the base configuration for improved code quality and security
  • Refactored framework-specific configs to contain only overrides, removing duplicate rules already present in base.json

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| configs/biome-config/base.json | Updated schema to 2.3.10 and added 9 new rules (noScriptUrl, useArraySortCompare, useAwaitThenable, useRegexpExec, noEqualsToNull, noLeakedRender, noDuplicatedSpreadProps, noAmbiguousAnchorText, noMultiStr) to the nursery section |
| configs/biome-config/nextjs.json | Updated schema to 2.3.10 and removed duplicate style rules, keeping only Next.js-specific overrides (noHeadElement in style, noImgElement in performance) |
| configs/biome-config/nestjs.json | Updated schema to 2.3.10, removed duplicate style rules, and added appropriate disables for frontend-specific rules (a11y, JSX rules) that don't apply to backend projects |
| configs/biome-config/solidjs.json | Updated schema to 2.3.10, removed duplicate style rules, and kept only SolidJS-specific overrides (noReactSpecificProps error, useHookAtTopLevel disabled) |

Comment on lines +187 to +195
"noScriptUrl": "error",
"useArraySortCompare": "error",
"useAwaitThenable": "error",
"useRegexpExec": "warn",
"noEqualsToNull": "error",
"noLeakedRender": "error",
"noDuplicatedSpreadProps": "error",
"noAmbiguousAnchorText": "warn",
"noMultiStr": "error"
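
Review bot: Seven of the nine nursery rules at lines +187 to +195 are set to "error" in the shared base.json, while the package range is ^2.3.10. Nursery rules are not covered by Biome's semver guarantees, so a later release inside that range that renames, changes or promotes one of them can fail lint for every project extending this config without any change on their side. Consider "warn" for the nursery entries until they are promoted, or pin @biomejs/biome to an exact version in dependencies and peerDependencies.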

Copilot AI Dec 20, 2025

Several of these rules may have graduated from the nursery category in Biome v2.3.10 and should be placed in their appropriate stable categories instead:

  • noScriptUrl should likely be in the "security" category
  • useArraySortCompare, useAwaitThenable, useRegexpExec, and noEqualsToNull should likely be in the "suspicious" category
  • noMultiStr should likely be in the "style" category
  • noAmbiguousAnchorText should likely be in the "a11y" category

Placing rules in the wrong category can cause configuration issues when these rules graduate from nursery. Please verify the correct category for each rule in the Biome v2.3.10 documentation and move them to their appropriate stable categories if they've graduated.


Successfully merging this pull request may close these issues.

Upgrade Biome.js configuration to latest version and review rules