Changed #

• avoid_double_for_money: BREAKING - Rule is now much stricter to eliminate false positives. Only flags unambiguous money terms: price, money, currency, salary, wage, and currency codes (dollar, euro, yen, usd, eur, gbp, jpy, cad, aud). Generic terms like total, amount, balance, cost, fee, tax, discount, payment, revenue, profit, budget, expense, income are no longer flagged as they have too many non-monetary uses.

Fixed #

• avoid_sensitive_data_in_logs: Fixed false positives for null checks and property access. Now only flags direct value interpolation ($password, ${password}), not expressions like ${credential != null}, ${password.length}, or ${token?.isEmpty}. Pre-compiled regex patterns for better performance.
• avoid_hardcoded_encryption_keys: Simplified rule to only detect string literals passed directly to Key.fromUtf8(), Key.fromBase64(), etc. - removes false positives from variable name heuristics

Fixed #

• require_unique_iv_per_encryption: Improved IV variable name detection to avoid false positives like "activity", "private", "derivative" - now uses proper word boundary detection for camelCase and snake_case patterns

Quick Fixes #

• require_unique_iv_per_encryption: Auto-replaces IV.fromUtf8/IV.fromBase64 with IV.fromSecureRandom(16)

Fixed #

• avoid_shrinkwrap_in_scrollview: Rule now properly skips widgets with NeverScrollableScrollPhysics - the recommended fix should no longer trigger the lint
• Test fixtures: Updated fixture files with correct expect_lint annotations and disabled conflicting rules in example analysis_options.yaml

Fixed #

• Rule detection for implicit constructors: Fixed avoid_gradient_in_build, avoid_shrinkwrap_in_scrollview, avoid_nested_scrollables_conflict, and avoid_excessive_bottom_nav_items rules not detecting widgets created without explicit new/const keywords
• AST visitor pattern: Rules now use GeneralizingAstVisitor or addNamedExpression callbacks to properly detect both explicit and implicit constructor calls
• Test fixtures: Updated expect_lint positions to match actual lint locations

Changed #

• Rule implementation: AvoidGradientInBuildRule now uses GeneralizingAstVisitor with both visitInstanceCreationExpression and visitMethodInvocation
• Rule implementation: AvoidShrinkWrapInScrollViewRule now uses addNamedExpression to detect shrinkWrap: true directly
• Rule implementation: AvoidNestedScrollablesConflictRule now uses visitor pattern with RecursiveAstVisitor
• Rule implementation: AvoidExcessiveBottomNavItemsRule now uses addNamedExpression to detect excessive items

Added #

• 29 New Rules covering disposal, build method anti-patterns, scroll/list issues, cryptography, and JSON/DateTime handling:

Disposal Rules (2 rules)

• require_media_player_dispose - Warns when VideoPlayerController/AudioPlayer is not disposed
• require_tab_controller_dispose - Warns when TabController is not disposed

Build Method Anti-Patterns (8 rules)

• avoid_gradient_in_build - Warns when Gradient objects are created inside build()
• avoid_dialog_in_build - Warns when showDialog is called inside build()
• avoid_snackbar_in_build - Warns when showSnackBar is called inside build()
• avoid_analytics_in_build - Warns when analytics calls are made inside build()
• avoid_json_encode_in_build - Warns when jsonEncode is called inside build()
• avoid_getit_in_build - Warns when GetIt service locator is used inside build()
• avoid_canvas_operations_in_build - Warns when Canvas operations are used outside CustomPainter
• avoid_hardcoded_feature_flags - Warns when if(true)/if(false) patterns are used

Scroll and List Rules (7 rules)

• avoid_shrinkwrap_in_scrollview - Warns when shrinkWrap: true is used inside a ScrollView
• avoid_nested_scrollables_conflict - Warns when nested scrollables don't have explicit physics
• avoid_listview_children_for_large_lists - Suggests ListView.builder for large lists
• avoid_excessive_bottom_nav_items - Warns when BottomNavigationBar has more than 5 items
• require_tab_controller_length_sync - Validates TabController length matches tabs count
• avoid_refresh_without_await - Ensures RefreshIndicator onRefresh returns Future
• avoid_multiple_autofocus - Warns when multiple widgets have autofocus: true

Cryptography Rules (4 rules)

• avoid_hardcoded_encryption_keys - Warns when encryption keys are hardcoded
• prefer_secure_random_for_crypto - Warns when Random() is used for cryptographic purposes
• avoid_deprecated_crypto_algorithms - Warns when MD5, SHA1, DES are used
• require_unique_iv_per_encryption - Warns when static or reused IVs are detected

JSON and DateTime Rules (8 rules)

• require_json_decode_try_catch - Warns when jsonDecode is used without try-catch
• avoid_datetime_parse_unvalidated - Warns when DateTime.parse is used without try-catch
• prefer_try_parse_for_dynamic_data - CRITICAL: Warns when int/double/num.parse is used without try-catch
• avoid_double_for_money - Warns when double is used for money/currency values
• avoid_sensitive_data_in_logs - Warns when sensitive data appears in log statements
• require_getit_reset_in_tests - Warns when GetIt is used in tests without reset
• require_websocket_error_handling - Warns when WebSocket listeners lack error handlers
• avoid_autoplay_audio - Warns when autoPlay: true is set on audio/video players

Changed #

• Docs: Updated rule count from 792+ to 821+
• Impact tuning: avoid_hardcoded_feature_flags and avoid_autoplay_audio changed to low to match INFO severity
• Impact tuning: avoid_double_for_money promoted to critical to match ERROR severity (financial bugs)

Quick Fixes #

• prefer_secure_random_for_crypto: Auto-replaces Random() with Random.secure()
• avoid_datetime_parse_unvalidated: Auto-replaces DateTime.parse with DateTime.tryParse
• prefer_try_parse_for_dynamic_data: Auto-replaces int/double/num.parse with tryParse
• avoid_autoplay_audio: Auto-sets autoPlay: false
• avoid_hardcoded_feature_flags: Adds TODO comment for feature flag replacement

Added #

• 25 New Rules covering network performance, state management, testing, security, and database patterns:

Network Performance (6 rules)

• prefer_http_connection_reuse - Warns when HTTP clients are created without connection reuse
• avoid_redundant_requests - Warns about API calls in build()/initState() without caching
• require_response_caching - Warns when GET responses aren't cached
• prefer_pagination - Warns when APIs return large collections without pagination
• avoid_over_fetching - Warns when fetching more data than needed
• require_cancel_token - Warns when async requests lack cancellation in StatefulWidgets

State Management (3 rules)

• require_riverpod_lint - Warns when Riverpod projects don't include riverpod_lint
• require_multi_provider - Warns about nested Provider widgets instead of MultiProvider
• avoid_nested_providers - Warns about Provider inside Consumer callbacks

Testing (4 rules)

• prefer_fake_over_mock - Warns about excessive mocking vs simpler fakes
• require_edge_case_tests - Warns when tests don't cover edge cases
• prefer_test_data_builder - Warns about complex test objects without builders
• avoid_test_implementation_details - Warns when tests verify internal implementation

Security (6 rules)

• require_data_encryption - Warns when sensitive data stored without encryption
• prefer_data_masking - Warns when sensitive data displayed without masking
• avoid_screenshot_sensitive - Warns about sensitive screens without screenshot protection
• require_secure_password_field - Warns about password fields without secure keyboard settings
• avoid_path_traversal - Warns about file path traversal vulnerabilities
• prefer_html_escape - Warns about user content in WebViews without HTML escaping

Database (6 rules)

• require_database_migration - Warns about database schema changes without migration support
• require_database_index - Warns about queries on non-indexed fields
• prefer_transaction_for_batch - Warns about multiple writes not batched in transactions
• require_hive_database_close - Warns when database connections not properly closed
• require_type_adapter_registration - Warns about Hive type adapters not registered
• prefer_lazy_box_for_large - Warns about large data in regular Hive boxes vs lazy boxes

Changed #

• Docs: Updated rule count from 767+ to 792+
• Impact tuning: prefer_fake_over_mock, prefer_test_data_builder, require_response_caching, avoid_over_fetching changed to opinionated

Quick Fix #

• require_secure_password_field: Auto-adds enableSuggestions: false and autocorrect: false

Changed #

• Docs: README now has a Limitations section clarifying Dart-only analysis and dependency_overrides behavior.

Added #

• Quick fix: avoid_isar_enum_field auto-converts enum fields to string storage.

Changed #

• Impact tuning: avoid_isar_enum_field promoted to LintImpact.high.

Fixed #

• Restored NullabilitySuffix-based checks for analyzer compatibility.

Added #

• Opinionated severity: Added LintImpact.opinionated.
• New rule: prefer_future_void_function_over_async_callback.
• Configuration template: Added example/analysis_options_template.yaml with 767+ rules.

Fixed #

• Empty block warnings in async callback fixture tests.

Changed #

• Docs: Updated counts to reflect 767+ rules.
• Severity: Stylistic rules moved to LintImpact.opinionated.

• Updated the banner image to show the project name Saropa Lints.

Added #

• New documentation guides: using_with_flutter_lints.md and migration_from_solid_lints.md.
• Added "Related Packages" section to VGA guide.

Changed #

• Naming: Standardized "Saropa Lints" vs saropa_lints across all docs.
• Migration Guides: Updated rules (766+), versions (^1.3.0), and tier counts.

Added #

• Impact Classification System: Categorized rules by critical, high, medium, and low.
• Impact Report CLI Tool: dart run saropa_lints:impact_report for prioritized violation reporting.
• 47 New Rules: Covering Riverpod, GetX, Bloc, Accessibility, Security, and Testing.
• 11 New Quick Fixes.

Fixed #

• Resolved 25 violations for curly_braces_in_flow_control_structures.

Added #

• 50 New Rules: Massive expansion across Riverpod, Build Performance, Testing, Security, and Forms.
• Added support for sealed events in Bloc.

For details on the initial release and versions 0.1.0 through 1.6.0, please refer to CHANGELOG_ARCHIVE.md.