Skip to content

Commit 8787f09

Browse files
digest: add issues for 2026-06-26
1 parent cb4c56d commit 8787f09

12 files changed

Lines changed: 312 additions & 0 deletions
Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
---
2+
date: 2026-06-25
3+
repo: biomejs/biome
4+
size: M
5+
title: "Formatter and analyzer fixes land"
6+
excerpt: "Biome fixes CSS, GritQL, HTML linting, and TS formatter correctness, plus a small dependency bump."
7+
commits: 5
8+
authors: [ematipico, Zelys-DFKH, denbezrukov, henrybrewer00-dotcom]
9+
commit_authors: {"54e8239": ematipico, "0efe244": Zelys-DFKH, "5ec965a": denbezrukov, "e36fd8a": henrybrewer00-dotcom}
10+
---
11+
12+
### **CSS formatter keeps selector comments inline** (5ec965a)
13+
Biome now preserves selector lists on one line when a `//` comment follows a comma, instead of reflowing the selector into descendant combinators. This fixes a formatting regression that could significantly change CSS output for comment-heavy selectors.
14+
15+
### **GritQL now accepts positional arguments in calls** (0efe244)
16+
The Grit parser and pattern compiler were updated so unkeyed arguments are parsed as patterns unless a real `name = value` argument is present. This unblocks valid GritQL patterns that previously failed to parse, including pattern, function, and node calls.
17+
18+
### **`noUndeclaredClasses` handles `is:global` and HTML styles** (54e8239)
19+
The HTML analyzer was fixed to correctly recognize styles declared inside Astro `is:global` blocks and plain HTML documents. That closes a false-positive gap in class detection for mixed Astro/Svelte content and regular HTML.
20+
21+
### **Formatter keeps parentheses around `await`/`yield` instantiation targets** (e36fd8a)
22+
TypeScript instantiation expressions now retain parentheses around lower-precedence targets like `await`, `yield`, conditional expressions, and postfix updates. Without this, the formatter could change the meaning of code by letting type arguments attach to the wrong subexpression.
23+
24+
### Other misc changes
25+
- Dependency bump: `salsa` 0.27.0 → 0.27.2 (2ff160a)
Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,53 @@
1+
---
2+
date: 2026-06-25
3+
repo: denoland/deno
4+
size: L
5+
title: "Security hardening and key bug fixes"
6+
excerpt: "Deno shipped npm trust-policy hardening, a default dependency-age cooldown, and several fixes across deploy, desktop, node, LSP, HTTP, and crypto."
7+
commits: 19
8+
authors: [divybot, nathanwhitbot, bartlomieju, nathanwhit, crowlbot, denobot, avocet-bot, littledivy, sigmaSd]
9+
commit_authors: {"2894458": avocet-bot, "8025886": crowlbot, "5a33eed": bartlomieju, "702cafb": bartlomieju, "90d901d": nathanwhitbot, "9eeca7b": divybot, "27a0882": divybot, "5317e3c": divybot, "4068b5b": divybot, "7ba7023": divybot, "2c7612d": divybot, "04ac9f1": nathanwhitbot, "16254ac": nathanwhitbot, "57f4d00": nathanwhit}
10+
---
11+
12+
### **npm resolver now uses trust-policy metadata and can block downgrades** (702cafb)
13+
Deno's npm resolver now understands publishing trust signals from the full packument and adds an opt-in `no-downgrade` trust policy. This is a substantial supply-chain hardening change that can affect dependency selection behavior.
14+
15+
### **Default minimum dependency age now skips fresh npm releases** (90d901d)
16+
The resolver now applies a default 24-hour minimum age when no other setting is configured, reducing exposure to freshly published packages. The change also adjusts precedence and parsing so `0` disables the filter, matching the new fallback behavior.
17+
18+
### **`Deno.serve` compression defaults to off** (57f4d00)
19+
Automatic response compression is now disabled by default, with explicit opt-in preserved. That changes runtime behavior for served responses and avoids surprising compressed output unless callers request it.
20+
21+
### **Vite projects are now detected for `deno desktop` / `deno compile`** (2c7612d)
22+
Framework detection now recognizes plain Vite apps, not just Vite SSR setups, and generates a static-site serving entrypoint with SPA fallback when there is no server file. This broadens out-of-the-box support for common Vite projects.
23+
24+
### **`node:vm` no longer panics on `import.meta` in `SourceTextModule`** (9eeca7b)
25+
The VM module path now wires V8's import-meta callback through to the user's `initializeImportMeta` handler instead of crashing on unknown modules. This fixes a real Node-compatibility panic for `vm.SourceTextModule`.
26+
27+
### **LSP now reports `TS2307` for missing imports in `.d.ts` entrypoints** (27a0882)
28+
The language server now surfaces unresolved imports in declaration-file entrypoints the same way `deno check` does. That closes a diagnostics gap that could hide missing dependency errors from editor feedback.
29+
30+
### **`node:test` mock timers now support `AbortSignal.timeout`** (5317e3c)
31+
`mock.timers.enable({ apis: ['AbortSignal.timeout'] })` now works, letting `AbortSignal.timeout()` follow the mocked clock instead of real time. This fills an important gap in the Node test polyfill.
32+
33+
### **WebCrypto now pads JWKs for AES-KW wrapping** (4068b5b)
34+
`subtle.wrapKey("jwk", ..., "AES-KW")` now pads serialized JWK JSON to an 8-byte boundary before wrapping, matching browser and Node behavior. That fixes a TypeError that previously broke JWK wrapping.
35+
36+
### **`process.resourceUsage()` is now implemented** (7ba7023)
37+
Deno's Node polyfill now exposes `process.resourceUsage()` with Node-compatible fields on both Unix and Windows. This unblocks code that relies on the API and previously saw it missing entirely.
38+
39+
### **`Headers` inspection preserves duplicate `Set-Cookie` values** (04ac9f1)
40+
Custom inspection for `Headers` now folds duplicate iterable header names instead of overwriting them, which matters for multi-value headers like `Set-Cookie`. This is a correctness fix for both Deno and Node-compatible behavior.
41+
42+
### **Node console now exposes lazy stdio streams** (16254ac)
43+
`console._stdout` and `console._stderr` are now present, matching Node's lazy stream properties. That helps compatibility with libraries like `consola` that probe those private fields.
44+
45+
### **Deploy config no longer strips explicit workspace-member includes** (8025886)
46+
Workspace-root deploy configs now keep `deploy.include` globs that intentionally point at workspace members, instead of dropping them during normalization. This fixes a bug where `deno deploy` could end up with an empty file set from the workspace root.
47+
48+
### Other misc changes
49+
- 2.9.0 release/version bump and generated workflow lockfile updates (1 commit)
50+
- `cargo publish` fix for `LAUFEY_VERSION` resolution during tarball verification (5a33eed)
51+
- `deno deploy` now prefers JSR `latest` for the bundled CLI (2894458)
52+
- Desktop macOS plist metadata and Wayland launcher tweaks (2 commits)
53+
- Small HTTP/Desktop config and test fixes, including zero-arg serve compression and a few compat regressions
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
---
2+
date: 2026-06-25
3+
repo: denoland/std
4+
size: N
5+
title: "No changes"
6+
excerpt: ""
7+
commits: 0
8+
---
9+
10+

src/posts/2026-06-25_jsr-io-jsr.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
---
2+
date: 2026-06-25
3+
repo: jsr-io/jsr
4+
size: N
5+
title: "No changes"
6+
excerpt: ""
7+
commits: 0
8+
---
9+
10+
Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
---
2+
date: 2026-06-25
3+
repo: leanprover/lean4
4+
size: L
5+
title: "Lean4 adds parser option propagation, float patterns"
6+
excerpt: "Major day for Lean4: doc rendering extensibility, `set_option in` parsing, float matching/equality, VCGen frames, and grind/perf fixes."
7+
commits: 17
8+
authors: [nomeata, david-christiansen, hargoniX, algebraic-dev, ia0, Kha, TwoFX, sgraf812, brettkoonce, pevogam, Seasawher]
9+
commit_authors: {"3061104": david-christiansen, "28c2e86": david-christiansen, "9d0f28f": hargoniX, "c60dff6": Kha, "29db757": nomeata, "4c59d1c": algebraic-dev, "dde9f3e": nomeata, "943e02c": TwoFX, "95176b3": hargoniX, "afe0cec": nomeata, "d96beb4": algebraic-dev, "08c8b6a": sgraf812, "72b149d": brettkoonce, "5a9514e": ia0, "8d50f53": ia0, "e6bfa44": pevogam, "0758b1d": Seasawher}
10+
---
11+
12+
### **Propagate `set_option ... in ...` into parsing** (28c2e86)
13+
`set_option` now affects the parser for the scoped body in commands, terms, and tactics, bringing it in line with `open ... in`. This is important for things like enabling/disabling syntax extensions such as Verso exactly where they’re needed.
14+
15+
### **Extend Verso docstrings with custom Markdown rendering** (3061104)
16+
Docstring lookup now has a Markdown-aware path and supports extensible Markdown rendering for custom inline/block elements instead of falling back to alternate text. This is a sizable LSP/docs upgrade: custom Verso elements can now render cleanly in hover and legacy Markdown clients, with a corresponding simplification of the saved element representation.
17+
18+
### **Add `Float`/`Float32` literals to `match` patterns** (dde9f3e)
19+
`match` can now use floating-point literals directly as patterns, including negative literals, and it recognizes both `Float` and `Float32` forms. The compiler uses the types’ `DecidableEq` instances, so bit-pattern distinctions like `0.0` vs `-0.0` matter.
20+
21+
### **Introduce `DecidableEq` for `Float` and `Float32`** (943e02c)
22+
Lean now has propositional equality for floats based on underlying bit patterns, distinct from `BEq`. That unlocks pattern matching on floats and gives users a precise equality notion for `Float`/`Float32`.
23+
24+
### **Add `frames` support to `vcgen`** (08c8b6a)
25+
`vcgen` gains a new `frames` clause for preserving state assertions across matched programs, along with a frame database and lazy elaboration machinery. This expands the tactic’s expressive power for verified do-notation and introduces a new framing side-goal (`WP.Frames`) when a frame is attached.
26+
27+
### **Teach `grind` about more locals without blocking** (afe0cec)
28+
`grind`, `exact?`, `apply?`, and `rw?` now iterate local constants via a non-blocking environment API instead of waiting on unrelated async theorem bodies. That should remove editor latency/hangs in long files, while also making local theorem collection more selective and robust.
29+
30+
### **Refine `Std.Time` week types and APIs** (4c59d1c)
31+
The `Std.Time` week naming/types were reshuffled so month/year ordinals line up more consistently, and the API now distinguishes aligned month weeks from year weeks more clearly. This is a source-level cleanup with some real type-signature impact for downstream time code.
32+
33+
### **Make `Selectable.combine` avoid deadlocks** (d96beb4)
34+
Async selection was reworked to remove the deadlock around `Selectable.combine` and fix a recursive-mutex issue in `Selectable.one`. This is a meaningful runtime fix for anyone composing async selectors.
35+
36+
### Other misc changes
37+
- Performance tweak for `Array`/`List.findIdx` e-matching (9d0f28f)
38+
- Make test snapshots opt-in (c60dff6)
39+
- Fix tests for #13705 (29db757)
40+
- Teach `grind` more about `{Array,Vector,List}.count` and membership (95176b3)
41+
- Docstring typo/wording fixes in `decide`, `Format.nest`, `Format.bracketFill`, `List.foldr`, and time parsing docs (72b149d, 5a9514e, 8d50f53, e6bfa44, 0758b1d)
Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
---
2+
date: 2026-06-25
3+
repo: microsoft/typescript-go
4+
size: M
5+
title: "Native preview gets CJS root entrypoint"
6+
excerpt: "@typescript/native-preview now exposes a CommonJS `.` entrypoint for version data, improving package compatibility for CJS consumers."
7+
commits: 1
8+
---
9+
10+
### **Add CJS root version entrypoint for @typescript/native-preview** (c080da6)
11+
The package now exports `.` to a new CommonJS `version.cjs` stub, alongside matching `.d.cts` types. This makes the native-preview package easier to consume from CJS tooling and lets callers read `version` and `versionMajorMinor` from the package root without special handling.
12+
13+
### Other misc changes
14+
- Package export map updated to point `.` at the new stub entrypoint.
Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
---
2+
date: 2026-06-25
3+
repo: nodejs/node
4+
size: M
5+
title: "V8 promise cleanup and emulator support"
6+
excerpt: "Node backports V8 promise API removals, improves promise GC behavior, and adds build-time emulator support for cross-platform tool runs."
7+
commits: 10
8+
authors: [bakkot, tniessen, aduh95, tie, trivikr]
9+
commit_authors: {"74567b2": bakkot, "32ae06e": bakkot, "b0fa732": aduh95, "4f177f1": aduh95, "a811c34": tniessen, "652d033": tniessen, "6bda0ab": tniessen, "b087e92": tie, "c612f35": trivikr}
10+
---
11+
12+
### **Promise resolvers no longer keep resolved Promises alive** (74567b2)
13+
V8 now stores a single `Promise|Undefined` slot instead of separate promise/already-resolved fields for resolving functions. That lets the GC collect a resolved Promise even if its resolver callbacks are still reachable, reducing accidental retention.
14+
15+
### **V8 promise reject/resolve-after-resolved APIs are removed** (32ae06e)
16+
This backport removes the deprecated runtime hooks and public V8 API entries for `PromiseRejectAfterResolved` / `PromiseResolveAfterResolved`, and updates internal callers to return `undefined` instead. It’s a cleanup ahead of full removal of these events, so embedders should stop relying on them.
17+
18+
### **Configure can now inject an emulator for build tools** (b087e92)
19+
A new `--emulator` configure option threads an emulator command through GYP so host-built helpers like `mksnapshot`, `torque`, and other generated-action binaries can run under emulation during cross-platform builds. This addresses a real build constraint for targets whose helper binaries can’t execute natively on the build machine.
20+
21+
### **X.509 parser now handles large RSA exponents** (652d033)
22+
`GetExponentString()` no longer truncates or returns `null` for RSA public exponents that don’t fit in a single machine word; it now prints the full big integer via OpenSSL. That fixes certificate parsing for unusual but valid keys.
23+
24+
### **DH generator validation fixes very large values** (6bda0ab)
25+
The DH generator check is adjusted so very large generators aren’t misclassified by `std::optional` ordering quirks. This prevents valid large values from being rejected during crypto parameter validation.
26+
27+
### **Misc crypto cleanup and test/build updates**
28+
- Shared GitHub Actions workflow conversion for `build-shared` (b0fa732)
29+
- Libffi updater script refresh (4f177f1)
30+
- Minor `std::get_if` simplification in crypto DH code (a811c34)
31+
- Test fixture adjustment to keep a finalization object alive through exit (c612f35)
Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
---
2+
date: 2026-06-25
3+
repo: oven-sh/bun
4+
size: L
5+
title: "Bun hardens routers, patches, and markdown"
6+
excerpt: "Multiple crash fixes and correctness fixes landed, including a patch-applier guard, router panic fix, and a markdown UAF repair."
7+
commits: 7
8+
authors: [robobun, cirospaciari]
9+
commit_authors: {"5621c5d": robobun, "ed700c2": robobun, "de400b1": robobun, "237de94": robobun, "e112ac7": robobun, "d6a20b6": robobun}
10+
---
11+
12+
### **Fix URLPath::parse panic on `?` and empty-decoding paths** (5621c5d)
13+
`FileSystemRouter.match()` could crash when handed a bare query string or an input that percent-decodes to nothing, because `URLPath::parse` sliced past the start of an empty/short buffer. The fix clamps the slice bounds and adds coverage for the remote-crash cases.
14+
15+
### **Harden patch application against crafted panics** (e112ac7)
16+
`bun install` / `patchInternals.apply()` could panic on malformed patch input, including empty file-creation hunks and headers that claimed more deletions than the target file contained. The applier now treats empty hunks as empty files and uses saturating arithmetic for capacity bookkeeping so untrusted patches fail safely instead of crashing.
17+
18+
### **Fix use-after-free in `Bun.markdown.react()` / `render()`** (d6a20b6)
19+
Reference-style link and image metadata could outlive the temporary span detail they borrowed from, leading to corrupted `href`/`title` data and ASAN-detectable use-after-free. The renderer now stores owned copies for span metadata before building React/render output.
20+
21+
### **Report external crypto wrapper memory to GC** (de400b1)
22+
Several `node:crypto` wrapper classes were allocating OpenSSL contexts and buffers without telling JSC’s GC about the native memory they retained. This change wires up extra-memory accounting across the wrapper types, which should improve GC behavior under crypto-heavy workloads and reduce hidden native-memory growth.
23+
24+
### **Fix `napi_is_arraybuffer` for `SharedArrayBuffer`** (237de94)
25+
Bun was returning `true` for `SharedArrayBuffer`, diverging from Node/V8 semantics. The N-API binding now explicitly excludes shared buffers, aligning addon behavior with Node and tightening the API contract.
26+
27+
### **Remove stale `signal.is_dead()` assertion in blob piping** (ed700c2)
28+
A debug assertion in `pipe_readable_stream_to_blob` was tripping on a synchronous S3-stream failure path, even though the underlying state transition was valid. Removing the assertion prevents the crash; the new test documents the synchronous-close edge case.
29+
30+
### **Other misc changes**
31+
- Removed the `.zig` porting-reference sources and updated related docs/hooks/tooling (1 commit).
32+
- Documentation, skill, and hook rename churn tied to the Rust-only cleanup.

0 commit comments

Comments
 (0)