New rules help you catch missing Android permissions, missing iOS privacy strings, desktop window setup, and gaps around background audio and location, notifications, Firestore rules, and secrets on disk before they bite at review or runtime. A couple of noisy false positives in internationalization and iOS camera permission checks are gone, and the cross-file CLI can warn when library code has no matching test file. — log

Fixed #

• avoid_builder_index_out_of_bounds now treats idx, realIndex, and itemIndex inside bracket lookups like the existing index/i handling, so Carousel-style and similar builder callbacks get the same bounds heuristics. No action required unless you relied on the blind spot; add guards where the rule now applies.
• The same rule’s DartDoc now states that each list subscripted with the builder index needs its own visible bound or matching item count when lengths are not provable from the source. No action required.
• require_intl_plural_rules no longer treats code between string literals (for example (hour == …) next to AM/PM labels) as if it were text inside a quoted string, so 12-hour clock helpers are not mistaken for manual noun pluralization. No action required.
• require_image_picker_permission_ios now reads ios/Runner/Info.plist through the shared plist checker so it does not warn when NSCameraUsageDescription is already present. No action required.

Added #

• Added require_android_manifest_entries to flag permission-gated Android API usage when the app manifest is missing required android.permission.* entries, so runtime-denied features are caught during analysis instead of on devices. Add the missing <uses-permission> rows in android/app/src/main/AndroidManifest.xml where reported.
• Added require_ios_info_plist_entries to report permission-gated iOS API usage when required NS*UsageDescription keys are absent from Info.plist, so App Store rejection and runtime permission crashes are caught during analysis. Add the missing key(s) to ios/Runner/Info.plist where reported.
• Added require_desktop_window_setup to report desktop window-manager API usage when desktop runner setup files are missing, so desktop-only configuration gaps are surfaced before runtime. Ensure the relevant windows/, linux/, or macos/ runner files are present when using desktop window APIs.
• Added avoid_audio_in_background_without_config to flag background audio usage when iOS UIBackgroundModes audio or Android manifest foreground-service / audio declarations are missing, so store review and runtime failures are caught during analysis.
• Added avoid_geolocator_background_without_config to flag Geolocator.getPositionStream when iOS background location or Android background location permission is not reflected in platform config files.
• Added require_notification_icon_kept to warn when FCM or local notifications are used but ProGuard/R8 rules do not appear to keep notification icon resources.
• Added require_firestore_security_rules to report FirebaseFirestore usage when no firestore.rules file exists at the project root.
• Added require_env_file_gitignore to report .env / .env.* files at the project root that are not covered by .gitignore patterns.
• Extended dart run saropa_lints:cross_file with missing mirror test detection: each lib/**/*.dart (except main.dart, generated-style names, and lib/generated/) is checked for a matching test/**/*_test.dart; results appear in text/JSON output, HTML report, baselines (format version 2), and non-zero exit when present.

require_animation_controller_dispose stops nagging when you really did tear down an AnimationController using a disposeSafe-style helper next to dispose, and the help text you read in the editor now matches what the linter reports. Rule counts and Marketplace-facing copy line up across the package and extension, publish and audit flows are a little sturdier, and you do not need new analysis_options toggles to pick any of this up. — log

Fixed #

• require_animation_controller_dispose now treats disposeSafe(…) like dispose(…) in your State.dispose() so custom safe-dispose extensions are not reported, and the rule message was refreshed so on-screen wording stays aligned with that behavior. No action required; remove suppression comments you added only for this false positive.

saropa_depend_on_referenced_packages is removed because the Dart SDK already ships the same check via lints / flutter_lints, and saropa’s copy kept false-positiveing on legitimate imports. You still get the behavior from the SDK; nothing breaks if you leave old config in place. — log

Removed #

• Removed saropa_depend_on_referenced_packages so duplicate / noisy import checks go away while the SDK lint keeps the same coverage for you. No action required; delete any saropa_depend_on_referenced_packages entry from analysis_options.yaml when you tidy config.

Analysis reports and the Run Analysis popup now show which saropa_lints build ran, and the popup can copy or open the latest consolidated report without digging through folders. Theme- and platform-driven color branches no longer trip avoid_color_only_meaning, and prefer_final_locals stops suggesting final where the variable is reassigned inside nested blocks or closures. — log

Added #

• Run Analysis popup adds Copy Report and Open Report (plus palette commands) so you can share or open the latest *_saropa_lint_report.log in one step instead of browsing dated folders under reports/. No action required.

Changed #

• Extension Run Analysis stamps extension reports and the issue popup with the resolved saropa_lints version and source (hosted / path / git) when pubspec.lock allows, so you can confirm which build ran without opening files. No action required.

Fixed #

• prefer_final_locals no longer false-positives when a local is reassigned inside nested blocks, control flow, or closures, so the quick fix matches real code and you can rely on the rule again. No action required; details in bugs/prefer_final_locals_false_positive_nested_assignments.md.
• avoid_color_only_meaning skips ordinary theme, platform, and directionality-driven color branches so theming code stays clean without ignores. No action required; details in bugs/avoid_color_only_meaning_false_positive_theme_dark_mode_conditional.md.
• Analyzer-plugin text reports now show a real Version: from your project root instead of unknown, so each report identifies the plugin build that produced it. No action required.

Three animation-focused rules catch inert Animation.value reads in build, mis-matched ticker mixins, and press-and-bounce forward() without from: 0.0. Several platform rules and avoid_platform_specific_imports quiet down when the project cannot hit the failure mode (for example mobile-only apps without web/). Pubspec dependency discovery works again, saropa’s import rule is renamed to saropa_depend_on_referenced_packages so it no longer doubles the SDK lint, large reports open with triage-oriented sections, and Run Analysis popups show real issue counts. — log

Added #

• Added avoid_inert_animation_value_in_build (recommended, error) so you catch opacity and other reads that never refresh because build does not rerun on ticks, without noise on listening builders. No action required; see bugs/infra_propose_avoid_inert_animation_value_in_build.md.
• Added prefer_single_ticker_provider_state_mixin (recommended, info) so single-controller states use the lighter mixin and intent is obvious. No action required; see bugs/infra_propose_prefer_single_ticker_provider_state_mixin.md.
• Added prefer_animation_controller_forward_from_zero (recommended, warning) with a quick fix so press-and-bounce gestures always restart from zero and feel consistent on rapid taps. No action required.

Changed #

• Consolidated analysis logs now lead with concentration, delta-since-last-run, and triage hints on large backlogs, and the top-rules table adds share, source, and fixable columns so you can prioritize work. No action required; see bugs/infra_analysis_report_insufficient_for_large_backlogs.md.

Fixed #

• Several “wrong platform” rules now bail when the repo cannot build the platform they warn about, so mobile-only and similar setups stop getting irrelevant noise. No action required; see bugs/platform_gate_missing_from_sibling_rules.md.
• avoid_platform_specific_imports stays silent when the Flutter app has no web/ tree, since dart:io web breakage is not applicable there. No action required; see bugs/avoid_platform_specific_imports_false_positive_non_web_project.md.
• Pubspec dependency names parse correctly again so hasDependency-gated rules and import checks behave; this removes the flood of bogus “not in pubspec” findings. No action required; see bugs/depend_on_referenced_packages_name_collision_with_sdk_lint.md.
• Renamed saropa’s duplicate lint to saropa_depend_on_referenced_packages so counts and ignores align with the SDK’s depend_on_referenced_packages. Use // ignore: saropa_depend_on_referenced_packages or disable that code in plugins: saropa_lints if you only want to silence saropa’s copy; // ignore: depend_on_referenced_packages still targets the SDK lint only.
• Analyzer-plugin reports populate the configuration block instead of showing “not captured,” so reports stay self-describing. No action required.
• Extension Run Analysis warning popups show the real issue count from violations.json instead of a slice of progress stderr. No action required; see bugs/infra_run_analysis_popup_dumps_progress_stderr.md.

New avoid_drift_insert_missing_conflict_target flags Drift inserts that omit the right onConflict target on tables with a non-primary unique index, matching the class of SQLite UNIQUE failures you otherwise hit at runtime. — log

Added #

• Added avoid_drift_insert_missing_conflict_target (essential, error) so Drift inserts declare the correct conflict target when a non-PK unique index exists and you avoid silent SqliteException failures. No action required; see bugs/infra_new_rule_drift_insert_missing_conflict_target.md.

Path-safety rules ignore clearly safe literal-only helpers and common Dart SDK path sources, avoid_null_assertion skips typical RegExpMatch.group(n)! after a match, and prefer_debug_print stops recommending Flutter-only APIs in pure Dart packages. — log

Fixed #

• avoid_path_traversal and require_file_path_sanitization no longer flag private helpers fed only literals or paths resolved via trusted SDK entry points, so asset helpers and similar code stay clean while real taint stays covered. No action required; see bugs/avoid_path_traversal_false_positive_internal_resolver_parameter.md and bugs/require_file_path_sanitization_false_positive_internal_resolver_parameter.md.
• prefer_debug_print is skipped for non-Flutter packages so you are not told to import Flutter just to silence print guidance. No action required; see bugs/prefer_debug_print_false_positive_pure_dart_package.md.
• avoid_null_assertion allows RegExpMatch.group(n)! on matched regex results so you are not pushed into dead null-fallbacks for common parsing loops. No action required; see bugs/avoid_null_assertion_false_positive_regex_match_group.md.

saropa_lints itself passes dart analyze --fatal-infos again thanks to dogfood-only disables and small plugin fixes; publish script gains a publish-existing-.vsix mode. — log

Fixed #

• dart analyze --fatal-infos is clean on saropa_lints itself via targeted code fixes plus dogfood-only disables in this repo’s analysis_options.yaml, so maintainers can ship without thousands of self-applied rule hits while published consumer behavior is unchanged. No action required for package users.

Hotfix: tier-based scan and similar flows no longer crash on the second file when rule packs merge into an unmodifiable tier set. — log

Fixed #

• Rule-pack reload now copies enabled-rule sets before mutating them, so scan with essential/recommended tiers and pack merges no longer throws on the second analyzed file. No action required.

Windows vibrancy scans run again, footprint sizes reflect transitive packages, the analyzer plugin logs to reports/.saropa_lints/plugin.log and no longer goes silent when the server cwd differs from your project, the vibrancy report toolbar adds rescan / open-project / copy-all-json, and prefer_listenable_builder nudges AnimatedBuilder uses that should be ListenableBuilder. — log

Added #

• Plugin log file at reports/.saropa_lints/plugin.log surfaces startup and config-load issues without digging in Dart server logs. No action required.
• prefer_listenable_builder (recommended, info) with quick fix for Listenable sources that are not Animation, gated below Flutter 3.13. No action required; see plan/054-prefer_listenable_builder_over_animated_builder.md.
• ProjectContext.flutterSdkAtLeast lets future rules respect declared Flutter lower bounds. No action required.
• Vibrancy report toolbar adds Copy All JSON, Rescan, and Open Another Project for side-by-side scans. No action required.

Changed #

• Vibrancy commands are grouped under the Saropa palette with shorter titles; command IDs unchanged. No action required.
• Stars column becomes Likes + Downloads (per-package signals) with JSON fields updated accordingly. No action required.
• Update column right-aligns with other numeric columns. No action required.

Fixed #

• Extension vibrancy CLI on Windows now resolves dart.bat via the shell so pub graph and outdated data load instead of failing quietly. No action required.
• Footprint modes now include sizes for transitives pulled from pub cache so Own / +Unique / +All differ when deps exist. No action required.
• Analyzer plugin registers all rules then honors diagnostics: from the real project root, so IDE sessions no longer show zero saropa diagnostics when config was read from the wrong cwd. No action required.
• Import+export on the same file counts once in References, with both line locations preserved in tooltips and exports. No action required.
• Report and Known Issues search trims whitespace and adds a clear control so pasted names match rows. No action required.
• Header gauge fill renders correctly after CSS fix. No action required.
• Violations tree filenames open the editor on click when the file exists. No action required.

Publish script now verifies Marketplace and Open VSX separately, so an expired Marketplace token surfaces a concrete ACTION REQUIRED warning and auto-opens the manage page instead of a silent 0-exit. — log

Letter grades replace fractional scores across the vibrancy report, tree, exports, and related UI, and footprint views clarify unique versus shared transitive size. Ten new quick fixes land for common style rules, plus two new Dart rules for symlink checks and JS interop migration. — log

Added #

• Ten new quick fixes cover record wildcards, const/final tweaks, unawaited, doc new cleanup, and related style nags so lightbulb workflows cover more rules. No action required.
• prefer_type_sync_over_is_link_sync (recommended, warning) steers you off Windows-broken isLinkSync toward typeSync link detection. No action required.
• avoid_removed_js_number_to_dart (recommended, warning) flags removed JSNumber.toDart and points to typed toDartDouble / toDartInt. No action required.
• Vibrancy report adds footprint toggles, true-footprint detail, re-export-aware single-use logic, optional startup-scan skip with settings, wired cache TTL, and clear-cache resets the skip fingerprint. No action required.

Changed #

• Vibrancy surfaces grades (A–F) instead of n/10 in reports, cards, gauge, tooltips, CodeLens, diagnostics, exports (JSON still carries numeric score), and logger output for consistent scanning. No action required.

Fixed #

• Dense report headers stay on one line with nowrap layout, and the “(new)” age suffix under one month is dropped as misleading. No action required.

The vibrancy report adds a radial gauge, letter-grade badges, expandable per-package detail, keyboard navigation, and a Deps column that highlights shared transitives. — log

Added #

• Saropa Package Vibrancy report shows version, gauge, A–F badges, expandable rows with full package context, keyboard navigation, and a Deps column with shared-transitive emphasis so dependency risk is obvious at a glance. No action required.

Fixed #

• Gauge thresholds match category cutoffs; sorting and filtering keep detail rows attached to their parent so expanded cards never orphan. No action required.

Package upgrade plans skip constraints you cannot bump via semver, show real resolver errors, and keep iterating after a single package fails. — log

Fixed #

• Upgrade planner omits git/path/SDK entries that cannot be semver-bumped, prints concrete pub errors instead of generic “pub get failed,” and advances to the next package after each rollback. No action required.

Size Distribution splits unique versus shared transitives and adds “Exclude shared” so apparent package weight reflects deps you do not already carry. — log

Added #

• Size Distribution chart separates unique and shared transitive weight with an optional hide-shared toggle so bar, donut, and table percentages reflect removable cost. No action required.

Overview shows a Set Up Project banner and activation toast when saropa_lints is missing from pubspec.yaml, so onboarding is one click. — log

Changed #

• Extension surfaces setup banner plus activation toast for Dart workspaces without saropa_lints so install/configure is obvious. No action required.

Analyzer 11 compatibility is restored so saropa_lints resolves on current Flutter stable (analyzer 12 required meta versions Flutter does not ship yet). Rule and quick-fix counts are unchanged from the prior release line. — log

Fixed #

• Dependency stack pins analyzer and analyzer_plugin to ranges compatible with Flutter stable’s pinned meta, fixing pub resolution failures. No action required; see bugs/infra_meta_pin_flutter_incompatible.md.
• Small compatibility shim keeps class-body iteration working on analyzer 11. No action required.

Ten new quick fixes cover library names, late patterns, unawaited, toString, @useResult, and positional booleans so more saropa rules are one-click fixable in the IDE. — log

Added #

• Quick fixes ship for unnecessary_library_name, avoid_late_for_nullable, prefer_late_final, prefer_abstract_final_static_class, avoid_async_call_in_sync_function, avoid_default_tostring, missing_use_result_annotation, avoid_unnecessary_local_late, avoid_unnecessary_late_fields, and avoid_positional_boolean_parameters, reducing manual cleanup. No action required.

Changed #

• RemoveLateKeywordFix also covers local variable statements used by avoid_unnecessary_local_late. No action required.

Extension Overview gains command search, embedded health and risk summaries, richer vibrancy package detail (logos, README shots, adoption bonus), unique-vs-shared dependency insight, File Risk workflow polish, and suppression records exported with violations for auditing. — log

Added #

• Command catalog sidebar, embedded health/risk cards, richer vibrancy detail (topics, likes, docs, README imagery with CSP updates), reverse-dependency scoring bonus, and plugin suppression tracking in violations.json so ignored diagnostics are measurable. No action required.

Changed #

• Vibrancy charts and trees highlight unique vs shared transitives; File Risk moves up with JSON export, click-to-open, diagnostics-aware hiding, persistent disable actions, cleaner labels, and richer pubspec hovers with outbound links. No action required.

Fixed #

• Violations tree survives transient violations.json read gaps; pubspec diagnostics dedupe on startup; stale-override detection respects active SDK-pin overrides. No action required.

Pubspec lines can opt out of specific saropa pubspec checks with inline comments, prefer_l10n_yaml_config stops false-positiveing split l10n setups, and vibrancy scan logging is calmer. — log

Added #

• # saropa_lints:ignore <codes> on pubspec lines suppresses individual pubspec validation hits without turning rules off globally. No action required.

Fixed #

• prefer_l10n_yaml_config ignores the normal generate: true + l10n.yaml combo. No action required.
• Vibrancy scan logs debounce, append per day, and skip duplicate runs instead of spawning endless log files. No action required.

CI publish unblocked by removing a stray publish_to: "none" placeholder from the package manifest. — log

Fixed #

• Repository pubspec.yaml no longer carries a template publish_to: "none" so automated pub publish succeeds. No action required for consumers.

Pubspec and adoption tooling see fewer false positives, diagnostics pick up a consistent [saropa_lints] prefix, plugin self-fire guards work per-file, Help hub and command catalog UX improve, and dependency sort preserves comments. — log

Fixed #

• avoid_hardcoded_config, pubspec ordering, adoption badges, prefer_publish_to_none, and prefixed pubspec diagnostics trim false positives on normal Flutter/SDK layouts. No action required.
• Plugin self-source checks run per-file so rules no longer fire on their own fixture literals. No action required.

Added (Extension) #

• Help hub command plus Overview/Violations entry points surface onboarding, catalog, and pub.dev links without hunting the palette. No action required.

Fixed (Extension) #

• Sort Dependencies keeps per-entry comments and trailing section banners instead of deleting them. No action required.

Changed (Extension) #

• Command catalog gains refreshed layout, codicons, recent-command replay, tighter toolbars, and better search ordering for narrow layouts. No action required.

Looking for older changes? See CHANGELOG_ARCHIVE.md for versions 0.1.0 through 10.11.0.