SUPPLY-CHAIN REPORT

biomejs/biome

A toolchain for web projects, aimed to provide functionalities to maintain them. Biome offers formatter and linter, usable via CLI and LSP.

VERDICTCLEAN·100/100

View on GitHub →

STARS

24,403

FORKS

963

OPEN ISSUES

475

LANGUAGE

Rust

LICENSE

Apache-2.0

LAST PUSH

2026-04-17

SIGNALS

Historical supply-chain incidents

No known compromise, backdoor, or wallet-drainer incident in our curated DB.

Historical security advisories

No published security advisories on this repo.

Maintenance activity

Actively maintained. Last push 0 days ago.

Ecosystem trust

24,403 stars. Widely used — supply-chain attacks on popular repos are high-impact but also more likely to be caught fast.

License

Apache-2.0

METHODOLOGY

This report is generated on demand by querying the GitHub API for repository metadata and published security advisories, then cross-referencing our curated database of known supply-chain incidents (xz-utils, event-stream, ua-parser-js, colors.js, tj-actions, Codecov, and more). Results are cached for 24 hours. We do not scan repository code or dependencies — for that, see Snyk or Socket. Verdict: CLEAN ≥80, CAUTION 50–79, COMPROMISED<50.

SCAN A DEPLOYED SITE

Repo looks clean but the live deployment might still be exposing headers, CORS, or SSL misconfigurations.

SCAN A URL →

SCANNING biomejs/biome...