sverklo
v0.28.3
B
Overall Health

biomejs/biome


https://github.com/biomejs/biome
2026-04-19 00:02:46
A
Dead code
0% orphan symbols (0/23042)
A
Circular deps
0 cycles detected
A
Coupling
max fan-in: 4 (packages/@biomejs/js-api/src/common.ts)
F
Security
49 concerns found

Overview

  • 8555 files indexed
  • 40786 code symbols extracted
  • 311084 symbol references tracked
  • 0 active memories (0 core, 0 stale)
  • Languages: rust (4079), javascript (2938), typescript (1538)

God Nodes (most-referenced symbols)

These are the symbols your codebase depends on most. Changes here have the largest blast radius.

  • into — 7041 references
  • fmt — 6045 references
  • format — 5199 references
  • next — 4998 references
  • kind — 4612 references
  • node — 4111 references
  • syntax — 3564 references
  • element — 2915 references
  • into_iter — 2770 references
  • splice_slots — 2636 references

Hub Files (highest PageRank)

Core architectural files — imported by many others.

  • crates/biomejsanalyze/tests/specs/suspicious/noImportCycles/invalidBaz.js (1.00)
  • crates/biomejsanalyze/tests/specs/suspicious/noImportCycles/invalidFoobar.js (0.93)
  • crates/biomeformattertest/src/prettier/prepare_tests.js (0.74)
  • crates/biomejsanalyze/tests/specs/correctness/noUndeclaredDependencies/valid.ts (0.71)
  • packages/@biomejs/js-api/src/wasm.ts (0.51)
  • packages/@biomejs/js-api/src/common.ts (0.47)
  • crates/biomejsanalyze/tests/specs/correctness/noPrivateImports/sub/index.js (0.29)
  • crates/biomejsanalyze/tests/specs/nursery/noFloatingPromises/invalidGenericWrapper/trace.ts (0.27)
  • crates/biomejsanalyze/tests/specs/nursery/noFloatingPromises/validGenericWrapper/trace.ts (0.27)
  • packages/prettier-compare/src/languages.ts (0.27)

Orphans

No obvious dead code — every named symbol has at least one reference.

Coupling (high-PageRank files)

  • crates/biomejsanalyze/tests/specs/suspicious/noImportCycles/invalidBaz.js (1.00)
  • crates/biomejsanalyze/tests/specs/suspicious/noImportCycles/invalidFoobar.js (0.93)
  • crates/biomeformattertest/src/prettier/prepare_tests.js (0.74)
  • crates/biomejsanalyze/tests/specs/correctness/noUndeclaredDependencies/valid.ts (0.71)
  • packages/@biomejs/js-api/src/wasm.ts (0.51)

Security Issues (49 found)

Critical (11)

  • Hardcoded secretcrates/biomejsanalyze/tests/specs/security/noSecrets/invalid.js:3
  • const slackToken = "xoxb-not-a-real-token-this-will-not-work";
  • API tokencrates/biomejsanalyze/tests/specs/security/noSecrets/invalid.js:3
  • const slackToken = "xoxb-not-a-real-token-this-will-not-work";
  • Hardcoded secretcrates/biomejsanalyze/tests/specs/security/noSecrets/invalid.js:4
  • const awsApiKey = "AKIA1234567890EXAMPLE"
  • API tokencrates/biomejsanalyze/tests/specs/security/noSecrets/invalid.js:4
  • const awsApiKey = "AKIA1234567890EXAMPLE"
  • Private keycrates/biomejsanalyze/tests/specs/security/noSecrets/invalid.js:5
  • const rsaPrivateKey = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA1234567890..."
  • Hardcoded secretcrates/biomejsanalyze/tests/specs/security/noSecrets/invalid.js:8
  • const githubToken = "githubpat1234567890abcdefghijklmnopqrstuvwxyz";
  • API tokencrates/biomejsanalyze/tests/specs/security/noSecrets/invalid.js:8
  • const githubToken = "githubpat1234567890abcdefghijklmnopqrstuvwxyz";
  • API tokencrates/biomecli/tests/cases/configextends.rs:109
  • fn extendsconfigokfromnpmpackagewithauthorfield() {
  • API tokencrates/biomecli/tests/cases/configextends.rs:161
  • "extendsconfigokfromnpmpackagewithauthorfield",
  • API tokencrates/biomecli/tests/cases/configextends.rs:169
  • fn extendsconfigokfromnpmpackagewithconditionnames() {
  • ...and 1 more

High (5)

  • eval() usagecrates/biomejsanalyze/src/lint/security/noglobaleval.rs:86
  • <Emphasis>"eval()"</Emphasis>" exposes to security risks and performance issues."
  • eval() usagecrates/biomejsanalyze/src/lint/security/noglobaleval.rs:93
  • "Refactor the code so that it doesn't need to call "<Emphasis>"eval()"</Emphasis>"."
  • eval() usagecrates/biomejsanalyze/src/lint/nursery/noimpliedeval.rs:149
  • "Implied "<Emphasis>"eval()"</Emphasis>" is not allowed."
  • eval() usagecrates/biomejsanalyze/src/lint/nursery/noimpliedeval.rs:155
  • " is a form of implied "<Emphasis>"eval()"</Emphasis>" and can lead to security and performance issues."
  • eval() usagecrates/biomejsanalyze/src/lint/nursery/noimpliedeval.rs:170
  • "It parses strings into executable code at runtime and has the same security and performance drawbacks as "<Emphasis>"ev

Low (33)

  • debugger statemente2e-tests/relative-path-ignore-file/file.js:1
  • debugger;
  • debugger statementcrates/biomejsanalyze/src/suppressions.tests.rs:318
  • debugger;
  • debugger statementcrates/biomejsanalyze/src/suppressions.tests.rs:364
  • debugger;
  • debugger statementcrates/biomejsanalyze/src/suppressions.tests.rs:412
  • debugger;
  • debugger statementcrates/biomejsanalyze/src/suppressions.tests.rs:692
  • debugger;
  • debugger statementcrates/biomejsanalyze/src/suppressions.tests.rs:695
  • debugger;
  • debugger statementcrates/biomejsanalyze/src/suppressions.tests.rs:697
  • debugger;
  • debugger statementcrates/biome_lsp/src/server.tests.rs:3588
  • let filelintonly = r#"debugger;\n"#;
  • Excessive console.logcrates/biomejssemantic/src/semantic_model/closure.rs:460
  • let two_captures = "let a, b; function f(c) {console.log(a, b, c)}";
  • Excessive console.logcrates/biomejssemantic/src/semantic_model/closure.rs:466
  • console.log(a);
  • ...and 23 more

Suggested Next Steps

  • Before refactoring into, run sverklo_impact to see the 7041 call sites
  • crates/biomejsanalyze/tests/specs/suspicious/noImportCycles/invalidBaz.js is your most-imported file — changes here cascade widely
Powered by Sverklo — local-first code intelligence
npm install -g sverklo