Release 0.9.7 (#199)

Co-authored-by: oxc-bot <176400334+oxc-bot@users.noreply.github.com>

src/docs/guide/usage/linter/generated-cli.md

@@ -65,6 +65,8 @@ Arguments:
   Enable the promise plugin and detect promise usage problems
 - **`    --node-plugin`** —
   Enable the node plugin and detect node usage problems
+- **`    --security-plugin`** —
+  Enable the security plugin and detect security problems
 
 ## Fix Problems
 

src/docs/guide/usage/linter/generated-config.md

@@ -61,6 +61,14 @@ Globals can be disabled by setting their value to `"off"`. For example, in an en
 
 You may also use `"readable"` or `false` to represent `"readonly"`, and `"writeable"` or `true` to represent `"writable"`.
 
+## plugins
+
+type: `array`
+
+### plugins[n]
+
+type: `string`
+
 ## rules
 
 type: `object`

src/docs/guide/usage/linter/generated-rules.md

@@ -2,10 +2,10 @@
 
 The progress of all rule implementations is tracked [here](https://github.com/oxc-project/oxc/issues/481).
 
-- Total number of rules: 429
+- Total number of rules: 432
 - Rules turned on by default: 96
 
-## Correctness (169):
+## Correctness (170):
 
 Code that is outright wrong or useless.
 | Rule name | Source | Default | Fixable? |
@@ -154,6 +154,7 @@ Code that is outright wrong or useless.
 | [no-render-return-value](/docs/guide/usage/linter/rules/react/no-render-return-value.html) | react | ✅ | |
 | [no-string-refs](/docs/guide/usage/linter/rules/react/no-string-refs.html) | react | ✅ | |
 | [void-dom-elements-no-children](/docs/guide/usage/linter/rules/react/void-dom-elements-no-children.html) | react | ✅ | |
+| [api-keys](/docs/guide/usage/linter/rules/security/api-keys.html) | security | | |
 | [no-duplicate-enum-values](/docs/guide/usage/linter/rules/typescript/no-duplicate-enum-values.html) | typescript | ✅ | |
 | [no-extra-non-null-assertion](/docs/guide/usage/linter/rules/typescript/no-extra-non-null-assertion.html) | typescript | ✅ | |
 | [no-misused-new](/docs/guide/usage/linter/rules/typescript/no-misused-new.html) | typescript | ✅ | |
@@ -192,7 +193,7 @@ Code that can be written to run faster.
 | [jsx-no-new-function-as-prop](/docs/guide/usage/linter/rules/react_perf/jsx-no-new-function-as-prop.html) | react_perf | | |
 | [jsx-no-new-object-as-prop](/docs/guide/usage/linter/rules/react_perf/jsx-no-new-object-as-prop.html) | react_perf | | |
 
-## Restriction (58):
+## Restriction (57):
 
 Lints which prevent the use of language and library features. Must not be enabled as a whole, should be considered on a case-by-case basis before enabling.
 | Rule name | Source | Default | Fixable? |
@@ -209,7 +210,7 @@ Lints which prevent the use of language and library features. Must not be enable
 | [no-iterator](/docs/guide/usage/linter/rules/eslint/no-iterator.html) | eslint | | 🚧 |
 | [no-plusplus](/docs/guide/usage/linter/rules/eslint/no-plusplus.html) | eslint | | 🚧 |
 | [no-proto](/docs/guide/usage/linter/rules/eslint/no-proto.html) | eslint | | 🚧 |
-| [no-regex-spaces](/docs/guide/usage/linter/rules/eslint/no-regex-spaces.html) | eslint | | |
+| [no-regex-spaces](/docs/guide/usage/linter/rules/eslint/no-regex-spaces.html) | eslint | | 🚧 |
 | [no-restricted-globals](/docs/guide/usage/linter/rules/eslint/no-restricted-globals.html) | eslint | | |
 | [no-undefined](/docs/guide/usage/linter/rules/eslint/no-undefined.html) | eslint | | |
 | [no-unsafe-optional-chaining](/docs/guide/usage/linter/rules/eslint/no-unsafe-optional-chaining.html) | eslint | | |
@@ -229,7 +230,6 @@ Lints which prevent the use of language and library features. Must not be enable
 | [no-const-enum](/docs/guide/usage/linter/rules/oxc/no-const-enum.html) | oxc | | 🛠️ |
 | [no-optional-chaining](/docs/guide/usage/linter/rules/oxc/no-optional-chaining.html) | oxc | | |
 | [no-rest-spread-properties](/docs/guide/usage/linter/rules/oxc/no-rest-spread-properties.html) | oxc | | |
-| [avoid-new](/docs/guide/usage/linter/rules/promise/avoid-new.html) | promise | | |
 | [catch-or-return](/docs/guide/usage/linter/rules/promise/catch-or-return.html) | promise | | |
 | [spec-only](/docs/guide/usage/linter/rules/promise/spec-only.html) | promise | | |
 | [button-has-type](/docs/guide/usage/linter/rules/react/button-has-type.html) | react | | |
@@ -256,12 +256,14 @@ Lints which prevent the use of language and library features. Must not be enable
 | [prefer-node-protocol](/docs/guide/usage/linter/rules/unicorn/prefer-node-protocol.html) | unicorn | | 🛠️ |
 | [prefer-number-properties](/docs/guide/usage/linter/rules/unicorn/prefer-number-properties.html) | unicorn | | 🚧 |
 
-## Suspicious (18):
+## Suspicious (20):
 
 code that is most likely wrong or useless.
 | Rule name | Source | Default | Fixable? |
 | ------------------------------- | ---------- | ------- | -------- |
+| [no-extend-native](/docs/guide/usage/linter/rules/eslint/no-extend-native.html) | eslint | | |
 | [no-new](/docs/guide/usage/linter/rules/eslint/no-new.html) | eslint | | |
+| [no-unexpected-multiline](/docs/guide/usage/linter/rules/eslint/no-unexpected-multiline.html) | eslint | | ⚠️🛠️️ |
 | [no-useless-concat](/docs/guide/usage/linter/rules/eslint/no-useless-concat.html) | eslint | | |
 | [no-useless-constructor](/docs/guide/usage/linter/rules/eslint/no-useless-constructor.html) | eslint | | 🛠️ |
 | [no-duplicates](/docs/guide/usage/linter/rules/import/no-duplicates.html) | import | | |
@@ -355,7 +357,7 @@ Lints which are rather strict or have occasional false positives.
 | [prefer-type-error](/docs/guide/usage/linter/rules/unicorn/prefer-type-error.html) | unicorn | | 🛠️ |
 | [require-number-to-fixed-digits-argument](/docs/guide/usage/linter/rules/unicorn/require-number-to-fixed-digits-argument.html) | unicorn | | 🛠️ |
 
-## Style (99):
+## Style (100):
 
 Code that should be written in a more idiomatic way.
 | Rule name | Source | Default | Fixable? |
@@ -413,6 +415,7 @@ Code that should be written in a more idiomatic way.
 | [require-hook](/docs/guide/usage/linter/rules/jest/require-hook.html) | jest | | |
 | [require-top-level-describe](/docs/guide/usage/linter/rules/jest/require-top-level-describe.html) | jest | | |
 | [no-exports-assign](/docs/guide/usage/linter/rules/node/no-exports-assign.html) | node | | 🛠️ |
+| [avoid-new](/docs/guide/usage/linter/rules/promise/avoid-new.html) | promise | | |
 | [param-names](/docs/guide/usage/linter/rules/promise/param-names.html) | promise | | |
 | [prefer-await-to-then](/docs/guide/usage/linter/rules/promise/prefer-await-to-then.html) | promise | | |
 | [jsx-boolean-value](/docs/guide/usage/linter/rules/react/jsx-boolean-value.html) | react | | 🛠️ |

src/docs/guide/usage/linter/rules/eslint/no-extend-native.md

@@ -0,0 +1,53 @@
+<!-- This file is auto-generated by tasks/website/src/linter/rules/doc_page.rs. Do not edit it manually. -->
+
+# eslint/no-extend-native <Badge type="info" text="Suspicious" />
+
+<div class="rule-meta">
+</div>
+
+### What it does
+
+Prevents extending native global objects such as `Object`, `String`, or `Array` with new
+properties.
+
+### Why is this bad?
+
+Extending native objects can cause unexpected behavior and conflicts with other code.
+
+For example:
+
+```js
+// Adding a new property, which might seem okay
+Object.prototype.extra = 55;
+
+// Defining a user object
+const users = {
+  1: "user1",
+  2: "user2",
+};
+
+for (const id in users) {
+  // This will print "extra" as well as "1" and "2":
+  console.log(id);
+}
+```
+
+### Examples
+
+Examples of **incorrect** code for this rule:
+
+```js
+Object.prototype.p = 0;
+Object.defineProperty(Array.prototype, "p", { value: 0 });
+```
+
+Examples of **correct** code for this rule:
+
+```js
+x.prototype.p = 0;
+Object.defineProperty(x.prototype, "p", { value: 0 });
+```
+
+## References
+
+- [Rule Source](https://github.com/oxc-project/oxc/blob/main/crates/oxc_linter/src/rules/eslint/no_extend_native.rs)

src/docs/guide/usage/linter/rules/eslint/no-regex-spaces.md

@@ -3,6 +3,9 @@
 # eslint/no-regex-spaces <Badge type="info" text="Restriction" />
 
 <div class="rule-meta">
+<Alert class="fix" type="info">
+<span class="emoji">🚧</span> An auto-fix is still under development.
+</Alert>
 </div>
 
 ### What it does

src/docs/guide/usage/linter/rules/eslint/no-unexpected-multiline.md

@@ -0,0 +1,55 @@
+<!-- This file is auto-generated by tasks/website/src/linter/rules/doc_page.rs. Do not edit it manually. -->
+
+# eslint/no-unexpected-multiline <Badge type="info" text="Suspicious" />
+
+<div class="rule-meta">
+<Alert class="fix" type="info">
+<span class="emoji">⚠️🛠️️</span> A dangerous auto-fix is available for this rule.
+</Alert>
+</div>
+
+### What it does
+
+In most cases, semicolons are not required in JavaScript in order for code to be parsed
+and executed as expected. Typically this occurs because semicolons are automatically
+inserted based on a fixed set of rules. This rule exists to detect those cases where a semicolon
+is NOT inserted automatically, and may be parsed differently than expected.
+
+### Why is this bad?
+
+Code that has unexpected newlines may be parsed and executed differently than what the
+developer intended. This can lead to bugs that are difficult to track down.
+
+### Examples
+
+Examples of **incorrect** code for this rule:
+
+```js
+var a = b(x || y).doSomething();
+
+var a = b[(a, b, c)].forEach(doSomething);
+
+let x = (function () {})`hello`;
+
+foo / bar / g.test(baz);
+```
+
+Examples of **correct** code for this rule:
+
+```js
+var a = b;
+(x || y).doSomething();
+
+var a = b;
+[a, b, c].forEach(doSomething);
+
+let x = function () {};
+`hello`;
+
+foo;
+/bar/g.test(baz);
+```
+
+## References
+
+- [Rule Source](https://github.com/oxc-project/oxc/blob/main/crates/oxc_linter/src/rules/eslint/no_unexpected_multiline.rs)

src/docs/guide/usage/linter/rules/promise/avoid-new.md

@@ -1,24 +1,38 @@
 <!-- This file is auto-generated by tasks/website/src/linter/rules/doc_page.rs. Do not edit it manually. -->
 
-# promise/avoid-new <Badge type="info" text="Restriction" />
+# promise/avoid-new <Badge type="info" text="Style" />
 
 <div class="rule-meta">
 </div>
 
 ### What it does
 
-Disallow creating new promises outside of utility libs.
+Disallow creating promises with `new Promise()`.
 
 ### Why is this bad?
 
-If you dislike the new promise style promises.
+Many cases that use `new Promise()` could be refactored to use an
+`async` function. `async` is considered more idiomatic in modern JavaScript.
 
 ### Example
 
+Examples of **incorrect** code for this rule:
+
+```javascript
+function foo() {
+  return new Promise((resolve, reject) => {
+    /* ... */
+  });
+}
+```
+
+Examples of **correct** code for this rule:
+
 ```javascript
-new Promise((resolve, reject) => {
-  /* ... */
-});
+async function foo() {
+  // ...
+}
+const bar = await Promise.all([baz(), bang()]);
 ```
 
 ## References

src/docs/guide/usage/linter/rules/promise/catch-or-return.md

@@ -7,13 +7,15 @@
 
 ### What it does
 
-Ensure that each time a then() is applied to a promise, a catch() is applied as well.
-Exceptions are made if you are returning that promise.
+Ensure that each time a `then()` is applied to a promise, a `catch()`
+must be applied as well. Exceptions are made for promises returned from
+a function.
 
 ### Why is this bad?
 
-Not catching errors in a promise can cause hard to debug problems or missing handling of
-error conditions.
+Not catching errors in a promise can cause hard to debug problems or
+missing handling of error conditions. In the worst case, unhandled
+promise rejections can cause your application to crash.
 
 ### Example
 

src/docs/guide/usage/linter/rules/security/api-keys.md

@@ -0,0 +1,72 @@
+<!-- This file is auto-generated by tasks/website/src/linter/rules/doc_page.rs. Do not edit it manually. -->
+
+# security/api-keys <Badge type="info" text="Correctness" />
+
+<div class="rule-meta">
+</div>
+
+### What it does
+
+Disallows hard-coded API keys and other credentials.
+
+### Why is this bad?
+
+Hard-coding API keys and committing them to source control is a serious
+security risk.
+
+1. If your code is leaked, attackers can use your API keys to access your
+   services and data.
+2. Accidental bundling of API keys can lead them to be exposed publicly
+   in your website, compriming your services.
+3. Any developer or contractor you hire will have access to your
+   services, even after they lose access to your codebase.
+4. Even after being deleted, they will be visible in your git repo's
+   commit history.
+5. Key rotation requires a code change and redeployment, and can
+   therefore not be handled by security teams or by automated systems.
+6. Many, many more reasons.
+
+```ts
+const API_KEY = "abcdef123456";
+const data = await fetch("/api/some/endpoint", {
+  headers: {
+    Authorization: `Bearer ${API_KEY}`,
+  },
+});
+```
+
+### What To Do Instead
+
+:::warning
+The Oxc team are not security experts. We do not endorse any particular
+key management service or strategy. Do your research and choose the best
+solution/architecture for your use case.
+:::
+
+One possible alternative is to store secrets in a secure secrets manager
+(such as [AWS
+KMS](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/kms/),
+[HashiCorp Vault](https://github.com/nodevault/node-vault/tree/master),
+[Pangea](https://pangea.cloud/docs/sdk/js/vault#retrieve), etc.) and
+request them when your application starts (e.g. a Docker container, an
+EC2).
+
+### Examples
+
+Examples of **incorrect** code for this rule:
+
+```js
+const AWS_ACCESS_KEY_ID = "AKIA1234X678C123B567";
+const OPENAI_API_KEY = "sk_test_1234567890";
+```
+
+Examples of **correct** code for this rule:
+
+```js
+const AWS_ACCESS_KEY_ID = process.env.AWS_ACCESS_KEY_ID;
+const OPENAI_API_KEY = await getSecret("open-ai-api-key");
+```
+
+## References
+
+- [Rule Source](https://github.com/oxc-project/oxc/blob/main/crates/oxc_linter/src/rules/security/api_keys/mod.rs)