[ { "path": ".devcontainer/Dockerfile", "content": "# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.222.0/containers/javascript-node/.devcontainer/base.Dockerfile\n\n# [Choice] Node.js version (use -bullseye variants on local arm64/Apple Silicon): 16, 14, 12, 16-bullseye, 14-bullseye, 12-bullseye, 16-buster, 14-buster, 12-buster\nARG VARIANT=\"16\"\nFROM mcr.microsoft.com/vscode/devcontainers/javascript-node:${VARIANT}\n\n# [Optional] Uncomment this section to install additional OS packages.\n# RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \\\n# && apt-get -y install --no-install-recommends \n\n# [Optional] Uncomment if you want to install an additional version of node using nvm\n# ARG EXTRA_NODE_VERSION=10\n# RUN su node -c \"source/usr/local/share/nvm/nvm.sh && nvm install ${EXTRA_NODE_VERSION}\"\n\n# [Optional] Uncomment if you want to install more global node modules\n# RUN su node -c \"npm install -g \" \n" }, { "path": ".devcontainer/devcontainer.json", "content": "// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:\n// https://github.com/microsoft/vscode-dev-containers/tree/v0.222.0/containers/javascript-node\n{\n \"name\": \"Node.js\",\n \"build\": {\n \"dockerfile\": \"Dockerfile\",\n // Update 'VARIANT' to pick a Node version: 16, 14, 12.\n // Append -bullseye or -buster to pin to an OS version.\n // Use -bullseye variants on local arm64/Apple Silicon.\n \"args\": {\"VARIANT\": \"22\"}\n },\n\n // Set *default* container specific settings.json values on container create.\n \"settings\": {},\n\n // Add the IDs of extensions you want installed when the container is created.\n \"extensions\": [\"dbaeumer.vscode-eslint\"],\n\n // Use 'forwardPorts' to make a list of ports inside the container available locally.\n // \"forwardPorts\": [],\n\n // Use 'postCreateCommand' to run commands after the container is created.\n // \"postCreateCommand\": \"yarn install\",\n\n // Comment out to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.\n \"remoteUser\": \"node\",\n \"features\": {\n \"git\": \"latest\"\n }\n}\n" }, { "path": ".eslint-doc-generatorrc.js", "content": "/** @type {import('eslint-doc-generator').GenerateOptions} */\nexport default {\n configEmoji: [\n ['browser', 'πŸ”'],\n ['internal', 'πŸ”'],\n ['react', 'βš›οΈ'],\n ],\n ruleDocSectionInclude: ['Rule Details', 'Version'],\n}\n" }, { "path": ".github/dependabot.yml", "content": "version: 2\nupdates:\n - package-ecosystem: npm\n directory: '/'\n schedule:\n interval: weekly\n open-pull-requests-limit: 99\n groups:\n all-dependencies:\n patterns:\n - \"*\" \n - package-ecosystem: github-actions\n directory: '/'\n schedule:\n interval: weekly\n open-pull-requests-limit: 99\n" }, { "path": ".github/workflows/nodejs.yml", "content": "name: Node CI\n\non:\n push:\n branches-ignore:\n - 'dependabot/**'\n pull_request:\n\njobs:\n build:\n runs-on: ubuntu-latest\n\n strategy:\n matrix:\n node-version: [20, 22]\n\n steps:\n - uses: actions/checkout@v6\n - name: Use Node.js ${{ matrix.node-version }}\n uses: actions/setup-node@v6\n with:\n node-version: ${{ matrix.node-version }}\n cache: npm\n - name: Install\n run: npm ci\n - name: Test\n run: npm test\n" }, { "path": ".github/workflows/publish.yml", "content": "name: Publish\n\non:\n release:\n types: [created]\n\npermissions:\n contents: read\n id-token: write\n\njobs:\n publish-npm:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v6\n - uses: actions/setup-node@v6\n with:\n node-version: 22\n registry-url: https://registry.npmjs.org/\n cache: npm\n - run: npm ci\n - run: npm test\n - run: npm version ${TAG_NAME} --git-tag-version=false\n env:\n TAG_NAME: ${{ github.event.release.tag_name }}\n - run: npm whoami; npm --ignore-scripts publish --provenance\n env:\n NODE_AUTH_TOKEN: ${{secrets.npm_token}}\n" }, { "path": ".gitignore", "content": "node_modules/\nnpm-debug.log\nyarn.lock\n" }, { "path": "CODEOWNERS", "content": "* @github/web-systems-reviewers\n" }, { "path": "CONTRIBUTING.md", "content": "## Publishing this package\n\nPublishing this package to npm is done via a [GitHub action](https://github.com/github/eslint-plugin-github/blob/main/.github/workflows/publish.yml) which triggers when a new GitHub Release is created.\n\nTo publish to npm, create a release, give it an appropriate [Semantic Versioning](https://semver.org/) tag and fill out the release description. Once you publish the release, the GitHub action will be triggered and it will publish to npm.\n" }, { "path": "LICENSE", "content": "Copyright (c) 2016 GitHub, Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n\"Software\"), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\nLIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\nOF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\nWITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n" }, { "path": "README.md", "content": "# eslint-plugin-github\n\n## Installation\n\n```sh\nnpm install --save-dev eslint eslint-plugin-github\n```\n\n## Setup\n\n### Legacy Configuration (`.eslintrc`)\n\nAdd `github` to your list of plugins in your ESLint config.\n\nJSON ESLint config example:\n\n```json\n{\n \"plugins\": [\"github\"]\n}\n```\n\nExtend the configs you wish to use.\n\nJSON ESLint config example:\n\n```json\n{\n \"extends\": [\"plugin:github/recommended\"]\n}\n```\n\n### Flat Configuration (`eslint-config.js`)\n\nImport the `eslint-plugin-github`, and extend any of the configurations using `getFlatConfigs()` as needed like so:\n\n```js\nimport github from 'eslint-plugin-github'\n\nexport default [\n github.getFlatConfigs().browser,\n github.getFlatConfigs().recommended,\n github.getFlatConfigs().react,\n ...github.getFlatConfigs().typescript,\n {\n files: ['**/*.{js,mjs,cjs,jsx,mjsx,ts,tsx,mtsx}'],\n ignores: ['eslint.config.mjs'],\n rules: {\n 'github/array-foreach': 'error',\n 'github/async-preventdefault': 'warn',\n 'github/no-then': 'error',\n 'github/no-blur': 'error',\n },\n },\n]\n```\n\n> [!NOTE]\n> If you configured the `filenames/match-regex` rule, please note we have adapted the match regex rule into `eslint-plugin-github` as the original `eslint-filenames-plugin` is no longer maintained and needed a flat config support update. \n> \n> Please update the name to `github/filenames-match-regex`, and note, the default rule is kebab case or camelCase with one hump. For custom configuration, such as matching for camelCase regex, here's an example:\n>\n> `'github/filenames-match-regex': ['error', '^([a-z0-9]+)([A-Z][a-z0-9]+)*$'],`\n\nThe available configs are:\n\n- `internal`\n - Rules useful for github applications.\n- `browser`\n - Useful rules when shipping your app to the browser.\n- `react`\n - Recommended rules for React applications.\n- `recommended`\n - Recommended rules for every application.\n- `typescript`\n - Useful rules when writing TypeScript.\n\n### Component mapping (Experimental)\n\n_Note: This is experimental and subject to change._\n\nThe `react` config includes rules which target specific HTML elements. You may provide a mapping of custom components to an HTML element in your `eslintrc` configuration to increase linter coverage.\n\nBy default, these eslint rules will check the \"as\" prop for underlying element changes. If your repo uses a different prop name for polymorphic components provide the prop name in your `eslintrc` configuration under `polymorphicPropName`.\n\n```json\n{\n \"settings\": {\n \"github\": {\n \"polymorphicPropName\": \"asChild\",\n \"components\": {\n \"Box\": \"p\",\n \"Link\": \"a\"\n }\n }\n }\n}\n```\n\nThis config will be interpreted in the following way:\n\n- All `` elements will be treated as a `p` element type.\n- `` without a defined `as` prop will be treated as a `a`.\n- `` will be treated as a `button` element type.\n\n### Rules\n\n\n\nπŸ’Ό Configurations enabled in.\\\nπŸ” Set in the `browser` configuration.\\\nπŸ” Set in the `internal` configuration.\\\nβš›οΈ Set in the `react` configuration.\\\nβœ… Set in the `recommended` configuration.\\\nπŸ”§ Automatically fixable by the [`--fix` CLI option](https://eslint.org/docs/user-guide/command-line-interface#--fix).\\\n❌ Deprecated.\n\n| NameΒ Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β  | Description | πŸ’Ό | πŸ”§ | ❌ |\n| :------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------- | :- | :- | :- |\n| [a11y-aria-label-is-well-formatted](docs/rules/a11y-aria-label-is-well-formatted.md) | enforce [aria-label] text to be formatted as you would visual text. | βš›οΈ | | |\n| [a11y-no-generic-link-text](docs/rules/a11y-no-generic-link-text.md) | disallow generic link text | | | ❌ |\n| [a11y-no-title-attribute](docs/rules/a11y-no-title-attribute.md) | disallow using the title attribute | βš›οΈ | | |\n| [a11y-no-visually-hidden-interactive-element](docs/rules/a11y-no-visually-hidden-interactive-element.md) | enforce that interactive elements are not visually hidden | βš›οΈ | | |\n| [a11y-role-supports-aria-props](docs/rules/a11y-role-supports-aria-props.md) | enforce that elements with explicit or implicit roles defined contain only `aria-*` properties supported by that `role`. | βš›οΈ | | |\n| [a11y-svg-has-accessible-name](docs/rules/a11y-svg-has-accessible-name.md) | require SVGs to have an accessible name | βš›οΈ | | |\n| [array-foreach](docs/rules/array-foreach.md) | enforce `for..of` loops over `Array.forEach` | βœ… | | |\n| [async-currenttarget](docs/rules/async-currenttarget.md) | disallow `event.currentTarget` calls inside of async functions | πŸ” | | |\n| [async-preventdefault](docs/rules/async-preventdefault.md) | disallow `event.preventDefault` calls inside of async functions | πŸ” | | |\n| [authenticity-token](docs/rules/authenticity-token.md) | disallow usage of CSRF tokens in JavaScript | πŸ” | | |\n| [filenames-match-regex](docs/rules/filenames-match-regex.md) | require filenames to match a regex naming convention | | | |\n| [get-attribute](docs/rules/get-attribute.md) | disallow wrong usage of attribute names | πŸ” | πŸ”§ | |\n| [js-class-name](docs/rules/js-class-name.md) | enforce a naming convention for js- prefixed classes | πŸ” | | |\n| [no-blur](docs/rules/no-blur.md) | disallow usage of `Element.prototype.blur()` | πŸ” | | |\n| [no-d-none](docs/rules/no-d-none.md) | disallow usage the `d-none` CSS class | πŸ” | | |\n| [no-dataset](docs/rules/no-dataset.md) | enforce usage of `Element.prototype.getAttribute` instead of `Element.prototype.datalist` | πŸ” | | |\n| [no-dynamic-script-tag](docs/rules/no-dynamic-script-tag.md) | disallow creating dynamic script tags | βœ… | | |\n| [no-implicit-buggy-globals](docs/rules/no-implicit-buggy-globals.md) | disallow implicit global variables | βœ… | | |\n| [no-inner-html](docs/rules/no-inner-html.md) | disallow `Element.prototype.innerHTML` in favor of `Element.prototype.textContent` | πŸ” | | |\n| [no-innerText](docs/rules/no-innerText.md) | disallow `Element.prototype.innerText` in favor of `Element.prototype.textContent` | πŸ” | πŸ”§ | |\n| [no-then](docs/rules/no-then.md) | enforce using `async/await` syntax over Promises | βœ… | | |\n| [no-useless-passive](docs/rules/no-useless-passive.md) | disallow marking a event handler as passive when it has no effect | πŸ” | πŸ”§ | |\n| [prefer-observers](docs/rules/prefer-observers.md) | disallow poorly performing event listeners | πŸ” | | |\n| [require-passive-events](docs/rules/require-passive-events.md) | enforce marking high frequency event handlers as passive | πŸ” | | |\n| [unescaped-html-literal](docs/rules/unescaped-html-literal.md) | disallow unescaped HTML literals | πŸ” | | |\n\n\n" }, { "path": "bin/eslint-ignore-errors.js", "content": "#!/usr/bin/env node\n// Disables eslint rules in a JavaScript file with next-line comments. This is\n// useful when introducing a new rule that causes many failures. The comments\n// can be fixed and removed at while updating the file later.\n//\n// Usage:\n//\n// eslint-ignore-errors app/assets/javascripts/something.js\n\nconst fs = require('fs')\nconst execFile = require('child_process').execFile\n\nexecFile('eslint', ['--format', 'json', process.argv[2]], (error, stdout) => {\n for (const result of JSON.parse(stdout)) {\n const filename = result.filePath\n const jsLines = fs.readFileSync(filename, 'utf8').split('\\n')\n const offensesByLine = {}\n let addedLines = 0\n\n // Produces {47: ['github/no-d-none', 'github/no-blur'], 83: ['github/no-blur']}\n for (const message of result.messages) {\n if (offensesByLine[message.line]) {\n offensesByLine[message.line].push(message.ruleId)\n } else {\n offensesByLine[message.line] = [message.ruleId]\n }\n }\n\n for (const line of Object.keys(offensesByLine)) {\n const lineIndex = line - 1 + addedLines\n const previousLine = jsLines[lineIndex - 1]\n const ruleIds = offensesByLine[line].join(', ')\n if (isDisableComment(previousLine)) {\n jsLines[lineIndex - 1] = previousLine.replace(/\\s?\\*\\/$/, `, ${ruleIds} */`)\n } else {\n const leftPad = ' '.repeat(jsLines[lineIndex].match(/^\\s*/g)[0].length)\n jsLines.splice(lineIndex, 0, `${leftPad}/* eslint-disable-next-line ${ruleIds} */`)\n }\n addedLines += 1\n }\n\n if (result.messages.length !== 0) {\n fs.writeFileSync(filename, jsLines.join('\\n'), 'utf8')\n }\n }\n})\n\nfunction isDisableComment(line) {\n return line.match(/\\/\\* eslint-disable-next-line .+\\*\\//)\n}\n" }, { "path": "docs/rules/a11y-aria-label-is-well-formatted.md", "content": "# Enforce [aria-label] text to be formatted as you would visual text (`github/a11y-aria-label-is-well-formatted`)\n\nπŸ’Ό This rule is enabled in the βš›οΈ `react` config.\n\n\n\n## Rule Details\n\n`[aria-label]` content should be formatted in the same way you would visual text. Please use sentence case.\n\nDo not connect the words like you would an ID. An `aria-label` is not an ID, and should be formatted as human-friendly text.\n\n## Resources\n\n- [Using aria-label](https://www.w3.org/WAI/tutorials/forms/labels/#using-aria-label)\n\n## Examples\n\n### **Incorrect** code for this rule πŸ‘Ž\n\n```html\n\n```\n\n```html\n\n```\n\n### **Correct** code for this rule πŸ‘\n\n```html\n\n```\n\n```html\n\n```\n\n## Version\n" }, { "path": "docs/rules/a11y-no-generic-link-text.md", "content": "# Disallow generic link text (`github/a11y-no-generic-link-text`)\n\n❌ This rule is deprecated. It was replaced by `jsx-a11y/anchor-ambiguous-text`.\n\n\n\n## Rule Details\n\nAvoid setting generic link text like, \"Click here\", \"Read more\", and \"Learn more\" which do not make sense when read out of context.\n\nScreen reader users often tab through links on a page to quickly find content without needing to listen to the full page. When link text is too generic, it becomes difficult to quickly identify the destination of the link. While it is possible to provide a more specific link text by setting the `aria-label`, this results in divergence between the label and the text and is not an ideal, future-proof solution.\n\nAdditionally, generic link text can also problematic for heavy zoom users where the link context is out of view.\n\nEnsure that your link text is descriptive and the purpose of the link is clear even when read out of context of surrounding text.\nLearn more about how to write descriptive link text at [Access Guide: Write descriptive link text](https://www.accessguide.io/guide/descriptive-link-text)\n\n### Use of ARIA attributes\n\nIf you _must_ use ARIA to replace the visible link text, include the visible text at the beginning.\n\nFor example, on a pricing plans page, the following are good:\n\n- Visible text: `Learn more`\n- Accessible label: `Learn more about GitHub pricing plans`\n\nAccessible βœ…\n\n```html\nLearn more\n```\n\nInaccessible 🚫\n\n```html\nLearn more\n```\n\nIncluding the visible text in the ARIA label satisfies [SC 2.5.3: Label in Name](https://www.w3.org/WAI/WCAG21/Understanding/label-in-name.html).\n\n#### False negatives\n\nCaution: because of the restrictions of static code analysis, we may not catch all violations.\n\nPlease perform browser tests and spot checks:\n\n- when `aria-label` is set dynamically\n- when using `aria-labelledby`\n\n## Resources\n\n- [Primer: Links](https://primer.style/design/accessibility/links)\n- [Understanding Success Criterion 2.4.4: Link Purpose (In Context)](https://www.w3.org/WAI/WCAG21/Understanding/link-purpose-in-context.html)\n- [WebAim: Links and Hypertext](https://webaim.org/techniques/hypertext/)\n- [Deque: Use link text that make sense when read out of context](https://dequeuniversity.com/tips/link-text)\n\n## Examples\n\n### **Incorrect** code for this rule πŸ‘Ž\n\n```jsx\nLearn more\n```\n\n```jsx\nRead more\n```\n\n```jsx\n\n Read more\n\n```\n\n```jsx\n\n Read more\n\n```\n\n### **Correct** code for this rule πŸ‘\n\n```jsx\nLearn more about GitHub\n```\n\n```jsx\nCreate a new repository\n```\n\n## Version\n" }, { "path": "docs/rules/a11y-no-title-attribute.md", "content": "# Disallow using the title attribute (`github/a11y-no-title-attribute`)\n\nπŸ’Ό This rule is enabled in the βš›οΈ `react` config.\n\n\n\nThe title attribute is strongly discouraged. The only exception is on an `\n```\n\n## Version\n" }, { "path": "docs/rules/a11y-no-visually-hidden-interactive-element.md", "content": "# Enforce that interactive elements are not visually hidden (`github/a11y-no-visually-hidden-interactive-element`)\n\nπŸ’Ό This rule is enabled in the βš›οΈ `react` config.\n\n\n\n## Rule Details\n\nThis rule guards against visually hiding interactive elements. If a sighted keyboard user navigates to an interactive element that is visually hidden they might become confused and assume that keyboard focus has been lost.\n\nNote: we are not guarding against visually hidden `input` elements at this time. Some visually hidden inputs might cause a false positive (e.g. some file inputs).\n\n### Why do we visually hide content?\n\nVisually hiding content can be useful when you want to provide information specifically to screen reader users or other assistive technology users while keeping content hidden from sighted users.\n\nApplying the following css will visually hide content while still making it accessible to screen reader users.\n\n```css\nclip-path: inset(50%);\nheight: 1px;\noverflow: hidden;\nposition: absolute;\nwhite-space: nowrap;\nwidth: 1px;\n```\n\nπŸ‘Ž Examples of **incorrect** code for this rule:\n\n```jsx\n\n```\n\n```jsx\n\n \n\n```\n\n```jsx\nSubmit\n```\n\nπŸ‘ Examples of **correct** code for this rule:\n\n```jsx\n

Welcome to GitHub

\n```\n\n```jsx\n\n

Welcome to GitHub

\n\n```\n\n```jsx\nWelcome to GitHub\n```\n\n## Options\n\n- className - A css className that visually hides content. Defaults to `sr-only`.\n- componentName - A react component name that visually hides content. Defaults to `VisuallyHidden`.\n\n```json\n{\n \"a11y-no-visually-hidden-interactive-element\": [\n \"error\",\n {\n \"className\": \"visually-hidden\",\n \"componentName\": \"VisuallyHidden\"\n }\n ]\n}\n```\n\n## Version\n" }, { "path": "docs/rules/a11y-role-supports-aria-props.md", "content": "# Enforce that elements with explicit or implicit roles defined contain only `aria-*` properties supported by that `role` (`github/a11y-role-supports-aria-props`)\n\nπŸ’Ό This rule is enabled in the βš›οΈ `react` config.\n\n\n\n## Rule Details\n\nThis rule enforces that elements with explicit or implicit roles defined contain only `aria-*` properties supported by that `role`.\n\nFor example, this rule aims to discourage common misuse of the `aria-label` and `aria-labelledby` attribute. `aria-label` and `aria-labelledby` support is only guaranteed on interactive elements like `button` or `a`, or on static elements like `div` and `span` with a permitted `role`. This rule will allow `aria-label` and `aria-labelledby` usage on `div` and `span` elements if it set to a role other than the ones listed in [WSC: a list of ARIA roles which cannot be named](https://w3c.github.io/aria/#namefromprohibited). This rule will never permit usage of `aria-label` and `aria-labelledby` on `h1`, `h2`, `h3`, `h4`, `h5`, `h6`, `strong`, `i`, `p`, `b`, or `code`.\n\n### \"Help! I'm trying to set a tooltip on a static element and this rule flagged it!\"\n\nPlease do not use tooltips on static elements. It is a highly discouraged, inaccessible pattern.\nSee [Primer: Tooltip alternatives](https://primer.style/design/accessibility/tooltip-alternatives) for what to do instead.\n\n### Resources\n\n- [w3c/aria Consider prohibiting author naming certain roles #833](https://github.com/w3c/aria/issues/833)\n- [Not so short note on aria-label usage - Big Table Edition](https://html5accessibility.com/stuff/2020/11/07/not-so-short-note-on-aria-label-usage-big-table-edition/)\n- [Your tooltips are bogus](https://heydonworks.com/article/your-tooltips-are-bogus/)\n- [Primer: Tooltip alternatives](https://primer.style/design/accessibility/tooltip-alternatives)\n\n### Disclaimer\n\nThere are conflicting resources and opinions on what elements should support these naming attributes. For now, this rule will operate under a relatively simple heuristic aimed to minimize false positives. This may have room for future improvements. Learn more at [W3C Name Calcluation](https://w3c.github.io/aria/#namecalculation).\n\n### **Incorrect** code for this rule πŸ‘Ž\n\n```erb\nI am some text.\n```\n\n```erb\nPlease be careful of the following.\n```\n\n```erb\n
Goodbye
\n```\n\n```erb\n

Page title

\n```\n\n### **Correct** code for this rule πŸ‘\n\n```erb\n\n```\n\n```erb\n\n

Add bold text or turn selection into bold text

\n```\n\n```erb\nHello\n```\n\n```erb\n
Goodbye
\n```\n\n```erb\n

Page title

\n```\n\n```erb\n
\n

Heading

\n
\n```\n\n## Version\n" }, { "path": "docs/rules/a11y-svg-has-accessible-name.md", "content": "# Require SVGs to have an accessible name (`github/a11y-svg-has-accessible-name`)\n\nπŸ’Ό This rule is enabled in the βš›οΈ `react` config.\n\n\n\n## Rule Details\n\nAn `` must have an accessible name. Set `aria-label` or `aria-labelledby`, or nest a `` element as the first child of the `` element.\n\nHowever, if the `` is purely decorative, hide it with `aria-hidden=\"true\"` or `role=\"presentation\"`.\n\n## Resources\n\n- [Accessible SVGs](https://css-tricks.com/accessible-svgs/)\n\n## Examples\n\n### **Incorrect** code for this rule πŸ‘Ž\n\n```html\n\n \n\n```\n\n```html\n\n \n\n```\n\n```html\n\n \n Circle with a black outline and red fill\n\n```\n\n### **Correct** code for this rule πŸ‘\n\n```html\n\n Circle with a black outline and red fill\n \n\n```\n\n```html\n\n \n\n```\n\n```html\n\n \n\n```\n\n```html\n\n```\n\n```html\n\n \n\n```\n\n## Version\n" }, { "path": "docs/rules/array-foreach.md", "content": "# Enforce `for..of` loops over `Array.forEach` (`github/array-foreach`)\n\nπŸ’Ό This rule is enabled in the βœ… `recommended` config.\n\n\n\nPrefer `for...of` statement instead of `Array.forEach`.\n\n## Rule Details\n\nHere's a summary of why `forEach` is disallowed, and why we prefer `for...of` for almost any use-case of `forEach`:\n\n- Allowing `forEach` encourages **layering of \"bad practices\"**, such as using `Array.from()` (which is less performant than using `for...of`).\n- When more requirements are added on, `forEach` typically gets **chained** with other methods like `filter` or `map`, causing multiple iterations over the same Array. Encouraging `for` loops discourages chaining and encourages single-iteration logic (e.g. using a `continue` instead of `filter`).\n- `for` loops are considered \"more readable\" and have **clearer intent**.\n- `for...of` loops offer the **most flexibility** for iteration (especially vs `Array.from`).\n\nTypically developers will reach for a `forEach` when they want to iterate over a set of items. However not all \"iterables\" have access to Array methods. So a developer might convert their iterable to an Array by using `Array.from(iter).forEach()`. This code has introduced performance problems, where a `for...of` loop would be more performant.\n\n`forEach` does not do anything special with the Array - it does not create a new array or does not aid in encapsulation (except for introducing a new lexical scope within the callback, which isn't a benefit considering we use `let`/`const`). We don't disallow `map`/`filter`/`reduce` because they have a tangible effect - they create a new array - which would take _more_ code and be _less_ readable to do with a `for...of` loop, the exception being as more requirements are added, and we start chaining array methods together...\n\nOften when using a method like `forEach` - when coming back to add new code, let's say to filter certain elements from the Array before operating on them, a developer is implicitly encouraged to use Array's method chaining to achieve this result. For example if we wanted to filter out bad apples from an Array of Apples, if the code already uses `forEach`, then its a simple addition to add `filter()`:\n\n```diff\n apples\n+ .filter(apple => !apple.bad)\n .forEach(polishApple)\n```\n\nThe problem we now have is that we're iterating multiple times over the items in a collection. Using `forEach` to begin with is what encouraged the chaining, if this were a `for` loop then the equivalent behavior would be to use 2 `for` loops, which a developer is far less likely to write, so the `for` loop instead encourages an imperative style `continue`, keeping within a single set of iterations:\n\n```diff\n for(const apple of apples) {\n+ if (apple.bad) continue\n polishApple(apple)\n }\n```\n\nChaining isn't always necessarily bad. Chaining can advertise a series of transformations that are independent from one another, and therefore aid readability. Additionally, sometimes the \"goto-style\" behavior of `continue` in for loops can hamper readability. For small Arrays, performance is not going to be of concern, but caution should be applied where there is a potentially unbounded Array (such as iterating over a fetched users list) as performance can easily become a bottleneck when unchecked.\n\nThe `forEach` method passes more than just the current item it is iterating over. The signature of the `forEach` callback method is `(cur: T, i: Number, all: []T) => void` and it can _additionally_ override the `receiver` (`this` value), meaning that often the _intent_ of what the callback does is hidden. To put this another way, there is _no way_ to know what the following code operates on without reading the implementation: `forEach(polishApple)`.\n\nThe `for` loop avoids this issue. Calls are explicit within the `for` loop, as they are not passed around. For example:\n\n```js\nfor (const apple of apples) {\n polishApple(apple)\n}\n```\n\nWe know this code can only possibly mutate `apple`, as the return value is discarded, there is no `receiver` (`this` value) as `.call()` is not used, and it cannot operate on the whole array of `apples` because it is not passed as an argument. In this respect, we can establish what the intent of `polishApple(apple)` is far more than `forEach(polishApple)`. It is too easy for `forEach` to obscure the intent.\n\nWhile `forEach` provides a set of arguments to the callback, it is still overall _less flexible_ than a `for` loop. A `for` loop can conditionally call the callback, can pass additional arguments to the callback (which would otherwise need to be hoisted or curried), can opt to change the `receiver` (`this` value) or not pass any `receiver` at all. This extra flexibility is the reason we almost always prefer to use `for` loops over any of the Array iteration methods.\n\nA good example of how `for` loops provide flexibility, where `forEach` constrains it, is to see how an iteration would be refactored to handle async work. Consider the following...\n\n```js\napples.forEach(polishApple)\n// vs...\nfor (const apple of apples) {\n polishApple(apple)\n}\n```\n\nIf `polishApple` needed to do some serial async work, then we'd need to refactor the iteration steps to accommodate for this async work, by `await`ing each call to `polishApple`. We cannot simply pass an `async` function to `forEach`, as it does not understand async functions, instead we'd have to turn the `forEach` into a `reduce` and combine that with a `Promise` returning function. For example:\n\n```diff\n- apples.forEach(polishApple)\n+ await apples.reduce((cur, next) => cur.then(() => polishApple(next)), Promise.resolve())\n```\n\nCompare this to the `for` loop, which has a much simpler path to refactoring:\n\n```diff\n for (const apple of apples) {\n- polishApple(apple)\n+ await polishApple(apple)\n }\n```\n\nSee also https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for...of\n\nπŸ‘Ž Examples of **incorrect** code for this rule:\n\n```js\nels.forEach(el => {\n el\n})\n```\n\nπŸ‘ Examples of **correct** code for this rule:\n\n```js\nfor (const el of els) {\n el\n}\n```\n\nUse [`entries()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/entries) to get access to the index:\n\n```js\nfor (const [i, el] of els.entries()) {\n el.name = `Element ${i}`\n}\n```\n\n## Version\n\n4.3.2\n" }, { "path": "docs/rules/async-currenttarget.md", "content": "# Disallow `event.currentTarget` calls inside of async functions (`github/async-currenttarget`)\n\nπŸ’Ό This rule is enabled in the πŸ” `browser` config.\n\n\n\n## Rule Details\n\nAccessing `event.currentTarget` inside an `async function()` will likely be `null` as `currentTarget` is mutated as the event is propagated.\n\n1. A `click` event is dispatched\n2. The handler is invoked once with the expected `currentTarget`\n3. An `await` defers the execution\n4. The event dispatch continues, `event.currentTarget` is modified to point to the current target of another event handler and nulled out at the end of the dispatch\n5. The async function resumes\n6. `event.currentTarget` is now `null`\n\nIf you're using `async`, you'll need to synchronously create a reference to `currentTarget` before any async activity.\n\nπŸ‘Ž Examples of **incorrect** code for this rule:\n\n```js\ndocument.addEventListener('click', async function (event) {\n // event.currentTarget will be an HTMLElement\n const url = event.currentTarget.getAttribute('data-url')\n const data = await fetch(url)\n\n // But now, event.currentTarget will be null\n const text = event.currentTarget.getAttribute('data-text')\n // ...\n})\n```\n\nπŸ‘ Examples of **correct** code for this rule:\n\n```js\ndocument.addEventListener('click', function (event) {\n const currentTarget = event.currentTarget\n const url = currentTarget.getAttribute('data-url')\n\n // call async IIFE\n ;(async function () {\n const data = await fetch(url)\n\n const text = currentTarget.getAttribute('data-text')\n // ...\n })()\n})\n```\n\nAlternatively, extract a function to create an element reference.\n\n```js\ndocument.addEventListener('click', function (event) {\n fetchData(event.currentTarget)\n})\n\nasync function fetchData(el) {\n const url = el.getAttribute('data-url')\n const data = await fetch(url)\n const text = el.getAttribute('data-text')\n // ...\n}\n```\n\n## Version\n\n4.3.2\n" }, { "path": "docs/rules/async-preventdefault.md", "content": "# Disallow `event.preventDefault` calls inside of async functions (`github/async-preventdefault`)\n\nπŸ’Ό This rule is enabled in the πŸ” `browser` config.\n\n\n\nUsing `event.preventDefault()` inside an `async function()` won't likely work as you'd expect because synchronous nature of event dispatch.\n\n## Rule Details\n\n1. A `click` event is dispatched\n2. This handler is scheduled but not ran immediately because its marked async.\n3. The event dispatch completes and nothing has called `preventDefault()` _yet_ and the default click behavior occurs.\n4. The async function is scheduled and runs.\n5. Calling `preventDefault()` is now a no-op as the synchronous event dispatch has already completed.\n\nIf you're using `async`, you likely need to wait on a promise in the event handler. In this case you can split the event handler in two parts, one synchronous and asynchronous.\n\nπŸ‘Ž Examples of **incorrect** code for this rule:\n\n```js\ndocument.addEventListener('click', async function (event) {\n const data = await fetch()\n\n event.preventDefault()\n})\n```\n\nπŸ‘ Examples of **correct** code for this rule:\n\n```js\ndocument.addEventListener('click', function (event) {\n // preventDefault in a regular function\n event.preventDefault()\n\n // call async helper function\n loadData(event.target)\n})\n\nasync function loadData(el) {\n const data = await fetch()\n // ...\n}\n```\n\nThis could also be done with an async IIFE.\n\n```js\ndocument.addEventListener('click', function (event) {\n // preventDefault in a regular function\n event.preventDefault()\n\n // call async IIFE\n ;(async function () {\n const data = await fetch()\n // ...\n })()\n})\n```\n\n## Version\n\n4.3.2\n" }, { "path": "docs/rules/authenticity-token.md", "content": "# Disallow usage of CSRF tokens in JavaScript (`github/authenticity-token`)\n\nπŸ’Ό This rule is enabled in the πŸ” `internal` config.\n\n\n\n## Rule Details\n\nThe Rails `form_tag` helper creates a `
` element with a `
\">
\n```\n\nAllows you to select elements by `js-org-update` and still filter by the `data-org-name` attribute if you need to. Both `js-org-update` and `data-org-name` are clearly static symbols that are easy to search for.\n\n`js-` classes must start with `js-` (obviously) and only contain lowercase letters and numbers separated by `-`s. The ESLint [`github/js-class-name`](https://github.com/github/eslint-plugin-github/blob/master/lib/rules/js-class-name.js) rule enforces this style.\n\n[@defunkt's original proposal from 2010](https://web.archive.org/web/20180902223055/http://ozmm.org/posts/slightly_obtrusive_javascript.html).\n\nπŸ‘Ž Examples of **incorrect** code for this rule:\n\n```js\nconst el = document.querySelector('.js-Foo')\n```\n\nπŸ‘ Examples of **correct** code for this rule:\n\n```js\nconst el = document.querySelector('.js-foo')\n```\n\n## Version\n\n4.3.2\n" }, { "path": "docs/rules/no-blur.md", "content": "# Disallow usage of `Element.prototype.blur()` (`github/no-blur`)\n\nπŸ’Ό This rule is enabled in the πŸ” `browser` config.\n\n\n\nDo not use `element.blur()`. Blurring an element causes the focus position to be reset causing accessibility issues when using keyboard or voice navigation. Instead, restore focus by calling `element.focus()` on a prior element.\n\n## Rule Details\n\n- [Use of `blur()` is discouraged by WHATWG HTML spec](https://html.spec.whatwg.org/multipage/interaction.html#dom-blur)\n\nπŸ‘Ž Examples of **incorrect** code for this rule:\n\n```js\nmenu.addEventListener('close', () => {\n input.blur()\n})\n```\n\nπŸ‘ Examples of **correct** code for this rule:\n\n```js\nmenu.addEventListener('open', () => {\n const previouslyFocusedElement = document.activeElement\n\n input.focus()\n\n menu.addEventListener('close', () => {\n previouslyFocusedElement.focus()\n })\n})\n```\n\n## Version\n\n4.3.2\n" }, { "path": "docs/rules/no-d-none.md", "content": "# Disallow usage the `d-none` CSS class (`github/no-d-none`)\n\nπŸ’Ό This rule is enabled in the πŸ” `internal` config.\n\n\n\n## Rule Details\n\nIdeally JavaScript behaviors should not rely on Primer CSS when the `hidden` property can be used.\n\nπŸ‘Ž Examples of **incorrect** code for this rule:\n\n```js\ndiv.classList.add('d-none')\n```\n\nπŸ‘ Examples of **correct** code for this rule:\n\n```js\ndiv.hidden = false\n```\n\n## Version\n\n4.3.2\n" }, { "path": "docs/rules/no-dataset.md", "content": "# Enforce usage of `Element.prototype.getAttribute` instead of `Element.prototype.datalist` (`github/no-dataset`)\n\nπŸ’Ό This rule is enabled in the πŸ” `browser` config.\n\n\n\n## Rule Details\n\nDue to [camel-case transformations](https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/dataset#Name_conversion), using dataset is not easily greppable. Instead, use `el.getAttribute('data-what-ever')`.\n\nπŸ‘Ž Examples of **incorrect** code for this rule:\n\n```js\nel.dataset.coolThing\n```\n\nπŸ‘ Examples of **correct** code for this rule:\n\n```js\nel.getAttribute('data-cool-thing')\n```\n\n## Version\n\n4.3.2\n" }, { "path": "docs/rules/no-dynamic-script-tag.md", "content": "# Disallow creating dynamic script tags (`github/no-dynamic-script-tag`)\n\nπŸ’Ό This rule is enabled in the βœ… `recommended` config.\n\n\n\n## Rule Details\n\nCreating dynamic script tags bypasses a lot of security measures - like SRIs - and pose a potential threat to your application.\nInstead of creating a `script` tag in the client, provide all necessary `script` tags in the page's HTML.\n\nπŸ‘Ž Examples of **incorrect** code for this rule:\n\n```js\ndocument.createElement('script')\ndocument.getElementById('some-id').type = 'text/javascript'\n```\n\nπŸ‘ Examples of **correct** code for this rule:\n\n```html\n\n