fix(linter): detect process.env when process is imported from module

[FrederickStempfle]

Summary

Fixes #9061

noProcessEnv currently only flags process.env when process is a global. If you import it from "process" or "node:process", the rule stays silent.

The original ESLint rule has the same gap (eslint/eslint#12385) — their maintainers intended to catch imported process too, but couldn't due to the limitations of ESLint's static analysis. Since biome's semantic model can distinguish where a binding comes from, we can handle it properly here.

This checks the binding's import source when process is bound, using the same pattern other rules already use (e.g. useQwikMethodUsage). Both "process" and "node:process" are covered, including namespace imports (import * as process). Imports from unrelated modules are left alone.

Known limitations (follow-up work):

• const process = require("process") — CommonJS require doesn't create a JsImport node, so it won't be caught. Could be added separately.
• import { env } from "process" — No process.env expression exists in this case, so the rule's query type doesn't match it.

[changeset-bot]

🦋 Changeset detected

Latest commit: 6521f66

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 13 packages

Name	Type
@biomejs/biome	Patch
@biomejs/cli-win32-x64	Patch
@biomejs/cli-win32-arm64	Patch
@biomejs/cli-darwin-x64	Patch
@biomejs/cli-darwin-arm64	Patch
@biomejs/cli-linux-x64	Patch
@biomejs/cli-linux-arm64	Patch
@biomejs/cli-linux-x64-musl	Patch
@biomejs/cli-linux-arm64-musl	Patch
@biomejs/wasm-web	Patch
@biomejs/wasm-bundler	Patch
@biomejs/wasm-nodejs	Patch
@biomejs/backend-jsonrpc	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0385eb2 and 49a7586.

⛔ Files ignored due to path filters (4)

• crates/biome_js_analyze/tests/specs/style/noProcessEnv/invalidImport.js.snap is excluded by !**/*.snap and included by **
• crates/biome_js_analyze/tests/specs/style/noProcessEnv/invalidNamespaceImport.js.snap is excluded by !**/*.snap and included by **
• crates/biome_js_analyze/tests/specs/style/noProcessEnv/invalidNodeImport.js.snap is excluded by !**/*.snap and included by **
• crates/biome_js_analyze/tests/specs/style/noProcessEnv/validOtherModule.js.snap is excluded by !**/*.snap and included by **

📒 Files selected for processing (6)

• .changeset/fix-no-process-env-imports.md
• crates/biome_js_analyze/src/lint/style/no_process_env.rs
• crates/biome_js_analyze/tests/specs/style/noProcessEnv/invalidImport.js
• crates/biome_js_analyze/tests/specs/style/noProcessEnv/invalidNamespaceImport.js
• crates/biome_js_analyze/tests/specs/style/noProcessEnv/invalidNodeImport.js
• crates/biome_js_analyze/tests/specs/style/noProcessEnv/validOtherModule.js

---

Walkthrough

This pull request extends the noProcessEnv linter rule to detect process.env access when the process object is imported from the "process" or "node:process" modules, addressing a false negative. The implementation adds a new helper function that checks import sources through syntax ancestry traversal. Four new test files are added to validate the rule against different import patterns (default import, namespace import, named import, and a negative case with unrelated modules).

Suggested labels

A-Linter, L-JavaScript

Suggested reviewers

• dyc3
• ematipico
• Netail

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarises the main change: detecting process.env when process is imported from a module, directly addressing issue #9061.
Description check	✅ Passed	The description clearly explains the fix, references the linked issue, and details both implementation approach and known limitations.
Linked Issues check	✅ Passed	The PR fully addresses issue #9061 by implementing detection of process.env for both default and namespace imports from 'process' and 'node:process' modules.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the noProcessEnv rule; no extraneous modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 58 untouched benchmarks
⏩ 168 skipped benchmarks¹

---

_{Comparing FrederickStempfle:fix/no-process-env-imports (6521f66) with main (f3a6a6b)}

Footnotes

1. 168 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩