[Snyk] Security upgrade eslint from 8.27.0 to 9.0.0#112
[Snyk] Security upgrade eslint from 8.27.0 to 9.0.0#112revan-zhang wants to merge 1 commit intomainfrom
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-FLATTED-15518041
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
| "dotenv": "^10.0.0", | ||
| "dotenv-expand": "^5.1.0", | ||
| "eslint": "^8.23.1", | ||
| "eslint": "^9.0.0", |
There was a problem hiding this comment.
🔴 ESLint 9 major version upgrade breaks linting due to incompatible config format and plugin peer dependencies
Upgrading ESLint from ^8.23.1 to ^9.0.0 (resolves to 9.39.4 in yarn.lock) is a breaking change. ESLint 9 uses the flat config system (eslint.config.js) by default, but this project only has a legacy .eslintrc file and no eslint.config.js. Running eslint . (the lint script at package.json:107) will fail because ESLint 9 won't read .eslintrc without setting ESLINT_USE_FLAT_CONFIG=false. Additionally, the installed ESLint plugins and configs (eslint-config-react-app@7.0.1, eslint-config-airbnb@19.0.4, @typescript-eslint/eslint-plugin@^5.x, eslint-plugin-react-hooks@^4.6.0, eslint-webpack-plugin@3.2.0) all declare peer dependencies on ESLint 7 or 8, not ESLint 9. This also breaks the webpack dev server's ESLint integration via eslint-webpack-plugin (config/webpack.config.js).
| "eslint": "^9.0.0", | |
| "eslint": "^8.23.1", |
Was this helpful? React with 👍 or 👎 to provide feedback.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| "dotenv": "^10.0.0", | ||
| "dotenv-expand": "^5.1.0", | ||
| "eslint": "^8.23.1", | ||
| "eslint": "^9.0.0", |
There was a problem hiding this comment.
ESLint 9 upgrade breaks build with incompatible plugins
High Severity
Upgrading eslint from ^8.23.1 to ^9.0.0 (resolves to 9.39.4) without updating the rest of the ESLint ecosystem will break the project build. ESLint 9 removed resolvePluginsRelativeTo and changed the ESLint class API, but eslint-webpack-plugin@3.2.0 in config/webpack.config.js passes both resolvePluginsRelativeTo and baseConfig to the ESLint constructor. Additionally, eslint-config-react-app@^7.0.1, eslint-config-airbnb@^19.0.4, @typescript-eslint/*@^5.38.0, and other plugins all have peer dependencies on ESLint 8 and are incompatible with ESLint 9's flat config system. The eslintConfig section in package.json also uses the legacy .eslintrc format (extends: "react-app"), which ESLint 9 no longer loads by default.
Additional Locations (1)
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.jsonyarn.lockNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-FLATTED-15518041
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
Note
Medium Risk
Upgrades
eslintto a new major version, which can change lint rules/CLI behavior and may require config/plugin compatibility adjustments. Changes are limited to dev tooling/dependency graph, with no runtime app logic modifications.Overview
Upgrades
eslintfrom8.27.0to9.xinpackage.jsonand refreshesyarn.lockto the new ESLint dependency tree.The lockfile update pulls in newer transitive packages (notably
flat-cache/flatted) to address the reported vulnerability and aligns related ESLint internals (@eslint/*,espree,globals, etc.) with ESLint v9.Written by Cursor Bugbot for commit 5129608. This will update automatically on new commits. Configure here.