JavaScript

By DeepSource

Race condition in compound assignment JS-0040
Bug risk

When writing asynchronous code, it is possible to create subtle race condition bugs. Consider the following example:

Prefer not to declare variables in global scope JS-0067
Anti-pattern

It is considered a best practice to avoid 'polluting' the global scope with variables that are intended to be local to the script. Global variables created from a script can produce name collisions with global variables created from another script, which will usually lead to runtime errors or unexpected behavior. This rule is mostly useful for browser scripts.

Null comparisons without type-checking operators may not work as intended JS-0059
Bug risk
Autofix

Comparing to null without a type-checking operator (=== or !==) can have unintended results, as the comparison will evaluate to true not just for a null value but also for an undefined value.

Prefer not to extend native types JS-0061
Anti-pattern

In JavaScript, you can extend any object, including builtin or "native" objects. Sometimes people change the behavior of these native objects in ways that break the assumptions made about them in other parts of the code.

Avoid using promises in places not designed to handle them JS-0336
Anti-pattern

Using promises is forbidden in places where the TypeScript compiler allows them but they are not handled properly. These situations can often arise due to a missing await keyword or just a misunderstanding of the way async functions are handled/awaited.

Prevent missing displayName in a React component definition JS-0393
Anti-pattern

displayName allows you to name your component. This name is used by React in debugging messages.

Prefer a consistent naming pattern for type aliases JS-0509
Anti-pattern

'^([A-Z][a-z0-9]*)+Type$$' is the default pattern for type alias names.

Prevent usage of wrong DOM property JS-0455
Anti-pattern

React components use JSX, not HTML, so we need to use JSX attributes; React replicates the respective HTML property/attribute while rendering. Using an HTML property in JSX can sometimes lead to errors. For example, class is a keyword in JavaScript (JSX is an extension of JavaScript), so it will throw an error. However, in HTML it is a valid attribute.

Note: If you use React with Web Components, use the class attribute instead.

Found unreachable code JS-0025
Performance

Some code paths are unreachable because the return, throw, break, and continue statements unconditionally exit a block of code. The code statements after the above keywords (which exit the code block) will not execute.

The usage of __proto__ property is not recommended JS-0084
Anti-pattern
Autofix

The __proto__ property has been deprecated as of ECMAScript 3.1 and shouldn't be used. Use Object.getPrototypeOf and Object.setPrototypeOf instead.

Avoid target='_blank' attribute without rel='noopener noreferrer' JS-0422
Security

When creating a JSX element with an <a> tag, it is often desired to have the link open in a new tab using the target='_blank' attribute. Using this attribute unaccompanied by rel='noreferrer', however, is a severe security vulnerability.

Found flawed string comparison JS-W1040
Bug risk
Autofix

The result of a call to String#toUpperCase should only be compared with an uppercase string. Calls like s.toUpperCase() === "Not-Uppercase" will always evaluate to false. Similarly, calls to toLowerCase should only be compared with lowercase strings.

Marked Flow type identifiers as defined JS-0479
Anti-pattern

Located potential errors resulting from misspellings of variable and parameter names, or accidental implicit globals.

Should not use Arrow functions JS-0774
Bug risk

Arrow functions should not be used in computed properties because they are unable to access other properties (using this.property) of the same object. Accidental usage can thus lead to bugs.

Should not use .on() JS-0800
Bug risk

Avoid using .on() in favour of component's lifecycle hooks. The order of execution for on() is not deterministic.

Validation of JSX maximum depth JS-0415
Anti-pattern

Nesting JSX elements too deeply can confuse developers reading the code. To make maintenance and refactoring easier, DeepSource recommends limiting the maximum JSX tree depth to 4.

function or var declarations in nested blocks is not preferred JS-0016
Bug risk

Function declarations (with the function keyword) and variable declarations should preferably be in the root of a program or the body of a function. Having nested function declarations inside blocks may have unexpected results at runtime due to hoisting.

Migrate ember-data to @ember-data JS-0818
Bug risk

ember-data has been split in multiple packages. For instance, its store is now released in @ember-data/store package. These packages have been released starting from ember-data version 3.11.

Why do we have to migrate?

  • Reduce Confusion & Bike Shedding
  • Improve The TypeScript Experience
  • Simplify The Mental Model
  • Provide a Clear Subdivision of Packages

Insecure web security preferences found in Electron JS-S1015
Security
Autofix

Setting the webSecurity property to false, or allowRunningInsecureContent to true, in an Electron renderer process like BrowserWindow or BrowserView disables crucial security features. By default, the webSecurity property is always true and the allowRunningInsecureContent property is always false.

Certificate validation is disabled in TLS connection JS-S1017
Security
Autofix

Certificate validation is an important aspect of Transport Layer Security (TLS) connections as it helps to ensure the authenticity and integrity of the data being transmitted. Disabling certificate validation can lead to several security risks, including Man-in-the-Middle Attacks. Without certificate validation, it is possible for an attacker to intercept the communication and present a fake certificate to the client.