[Snyk] Security upgrade eslint from 8.27.0 to 9.0.0 #113
revan-zhang wants to merge 1 commit into main from
Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-FLATTED-15700433
✅ Snyk checks have passed. No issues have been found so far.
Socket for GitHub: review the following changes in direct dependencies.
| "dotenv": "^10.0.0", | ||
| "dotenv-expand": "^5.1.0", | ||
| "eslint": "^8.23.1", | ||
| "eslint": "^9.0.0", |
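Review bot: a major-version bump of eslint is a heavy fix for a transitive flatted advisory, and in this hunk it lands alone: the only changed line is the eslint range, nothing in the shown diff touches an eslint-config-* or eslint-plugin-* entry, and no eslint.config.js is added, so under ESLint 9's default flat-config mode the project's existing eslintrc-style configuration will not be loaded. Prefer the narrowest change that closes SNYK-JS-FLATTED-15700433: a Yarn "resolutions" entry pinning flatted to a fixed release, or a later 8.x eslint whose lockfile pulls one in, confirmed with "yarn why flatted". If the ^9.0.0 bump is kept, the same PR should carry the flat-config migration and the companion package updates, and CI should run "eslint ." so the breakage surfaces before merge rather than after.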
🔴 ESLint 9 upgrade breaks linting: .eslintrc config and .eslintignore are ignored by default
ESLint 9 switched to the "flat config" system (eslint.config.js) by default. The project's .eslintrc configuration file and .eslintignore file will no longer be automatically loaded when running eslint . or eslint . --fix (see package.json:107-108). This means all custom rules, extends (wesbos/typescript), parser options, plugin settings, and ignore patterns defined in .eslintrc and .eslintignore will be silently dropped. ESLint will either error out (if it can't find a valid flat config) or lint with no project-specific rules applied.
Additionally, several eslint config/plugin dependencies are incompatible with ESLint 9:
- eslint-config-react-app@7.0.1
- eslint-config-wesbos@3.0.2
- eslint-config-airbnb@19.0.4
- eslint-config-airbnb-typescript@16.2.0
- eslint-plugin-react-hooks@4.6.0
- eslint-webpack-plugin@3.1.1
To fix this, either migrate to the flat config format and update all plugins, or stay on ESLint 8.
| "eslint": "^9.0.0", | |
| "eslint": "^8.23.1", |
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| "dotenv": "^10.0.0", | ||
| "dotenv-expand": "^5.1.0", | ||
| "eslint": "^8.23.1", | ||
| "eslint": "^9.0.0", |
ESLint 9 upgrade breaks incompatible plugin ecosystem
High Severity
Upgrading eslint to ^9.0.0 (resolved to 9.39.4) without upgrading the companion ESLint ecosystem packages will break linting and builds. @typescript-eslint/eslint-plugin and @typescript-eslint/parser at ^5.38.0 require ESLint 8 (need v8+). eslint-webpack-plugin at ^3.1.1 doesn't support ESLint 9 (need v4.2.0+). eslint-config-react-app at ^7.0.1 doesn't support ESLint 9's flat config. The project's eslintConfig in package.json uses the legacy extends key, which is unsupported in ESLint 9's default flat config mode.


Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.
Snyk changed the following file(s):
- package.json
- yarn.lock

Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project; you will need to run yarn to update the contents of the .yarn/cache/ directory. If you are not using zero-install you can ignore this, as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-FLATTED-15700433
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Note
Medium Risk
Dependency-only change, but ESLint major version bump can break local linting/CI and may require config/plugin compatibility updates.
Overview
Upgrades
eslint from v8 to v9 (Snyk-driven security fix) and refreshes yarn.lock to pull in the new ESLint dependency tree, including updates that address the reported flatted prototype pollution vulnerability. No application/runtime code changes; impact is limited to development tooling and dependency resolution.
Written by Cursor Bugbot for commit 696b557. This will update automatically on new commits.