[Snyk] Security upgrade eslint from 8.27.0 to 10.0.0#114
revan-zhang wants to merge 1 commit into main from
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-15789759
✅ Snyk checks have passed. No issues have been found so far.
Socket for GitHub: review the following changes in direct dependencies.
| "dotenv": "^10.0.0", | ||
| "dotenv-expand": "^5.1.0", | ||
| "eslint": "^8.23.1", | ||
| "eslint": "^10.0.0", |
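Review bot: the PR title says eslint is upgraded from 8.27.0, but the removed manifest line is `"eslint": "^8.23.1"`; the description should state both the package.json range and the lockfile-resolved version so reviewers can see what actually changes. The single finding this PR fixes (SNYK-JS-BRACEEXPANSION-15789759) is in brace-expansion, a transitive dependency reached through minimatch according to the summary below, so a two-major bump of a direct dev dependency is a heavy way to remediate it; check whether a yarn `resolutions` entry pinning brace-expansion to the fixed range closes the finding on a fresh Snyk test, which would avoid the flat-config migration and peer-dependency fallout the other reviews describe.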
🔴 ESLint major version bump to v10 breaks all linting due to incompatible legacy .eslintrc config and ESLint 8-era plugins
ESLint is bumped from ^8.23.1 to ^10.0.0 (resolving to 10.1.0 in the lockfile), but the project relies entirely on the legacy .eslintrc configuration format (.eslintrc:1-37) and the eslintConfig field in package.json:179-181. ESLint 9 deprecated .eslintrc support, and ESLint 10 removed it entirely — only flat config (eslint.config.js) is supported. Additionally, all ESLint plugins and configs are pinned to ESLint 8-compatible versions (e.g., @typescript-eslint/eslint-plugin: ^5.38.0, @typescript-eslint/parser: ^5.38.0, eslint-config-wesbos: ^3.0.2, eslint-plugin-react-hooks: ^4.6.0, eslint-config-react-app: ^7.0.1), which have peer dependencies on ESLint 8 and use the legacy plugin API. This will cause yarn lint, yarn lint:fix, and the eslint-webpack-plugin integration during yarn start/yarn build to fail.
| "eslint": "^10.0.0", | |
| "eslint": "^8.23.1", |
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| "dotenv": "^10.0.0", | ||
| "dotenv-expand": "^5.1.0", | ||
| "eslint": "^8.23.1", | ||
| "eslint": "^10.0.0", |
ESLint 10 breaks project's legacy eslintrc configuration
High Severity
Upgrading eslint from ^8.23.1 to ^10.0.0 will break linting entirely. ESLint 10 completely removed support for the legacy eslintrc configuration format, but this project defines its ESLint config via the eslintConfig field in package.json (using "extends": "react-app"), which is the legacy format. Additionally, all companion packages (eslint-config-airbnb, eslint-config-react-app, eslint-config-prettier, eslint-config-airbnb-typescript, eslint-config-wesbos, eslint-webpack-plugin, etc.) are pinned to versions that only support ESLint 8's legacy config and declare eslint@^8 as a peer dependency. The lint and lint:fix scripts will fail, and the webpack build may also break since eslint-webpack-plugin is configured.
Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.
Snyk changed the following file(s):
package.json
yarn.lock
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-BRACEEXPANSION-15789759
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Note
Medium Risk
Upgrades core lint tooling (eslint v8→v10) and rewrites parts of the dependency tree, which may cause new lint rule/CLI/config incompatibilities in CI or local dev.
Overview
Updates eslint from ^8.23.1 to ^10.0.0 in package.json as part of a security-driven dependency upgrade.
Refreshes yarn.lock to the new ESLint v10 dependency graph (notably pulling in newer minimatch/brace-expansion and related packages) to remediate the reported vulnerability.
Written by Cursor Bugbot for commit 238d95d. This will update automatically on new commits.