[Snyk] Security upgrade eslint from 8.57.0 to 9.26.0#314
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ESLINT-15102420
Pull request overview
This PR proposes a security upgrade of ESLint from version 8.57.0 to 9.26.0 to address vulnerability SNYK-JS-ESLINT-15102420 (Uncontrolled Recursion with severity score 623). However, critical security concerns have been identified that require immediate investigation before this PR can be considered for merging.
Changes:
- Upgrades eslint from ^8.56.0 to ^9.26.0 in package.json
- Updates package-lock.json with new dependency resolutions for ESLint 9.x
- Introduces suspicious dependencies including @modelcontextprotocol/sdk, zod, and numerous Express 5.x related packages
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updates ESLint version to ^9.26.0, but @eslint/js remains at incompatible version ^8.57.0 |
| package-lock.json | Contains extensive dependency tree changes including highly suspicious dependencies that are not part of official ESLint |
| @@ -27,7 +27,7 @@ | |||
| "devDependencies": { | |||
| "@eslint/js": "^8.57.0", | |||
The @eslint/js package version must be updated to match the ESLint version. When upgrading to ESLint 9.26.0, @eslint/js should also be upgraded to ^9.26.0. The current version ^8.57.0 is incompatible with ESLint 9.x and will cause runtime errors when the eslint.config.js file imports from @eslint/js. This is because ESLint 9.x expects a matching version of @eslint/js with compatible rule definitions and APIs.
| "@eslint/js": "^8.57.0", | |
| "@eslint/js": "^9.26.0", |
| "@eslint/js": "^8.57.0", | ||
| "chai": "^4.3.10", | ||
| "eslint": "^8.56.0", | ||
| "eslint": "^9.26.0", |
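Review bot: the hunk bumps `eslint` to `^9.26.0` but leaves `"@eslint/js": "^8.57.0"` two lines above it unchanged; the two packages are released as matching majors, so the `@eslint/js` line should move to `"@eslint/js": "^9.26.0"` in the same change rather than in a follow-up. Since the review also flags unexpected packages in `package-lock.json`, the lockfile should be regenerated from a clean `npm install --package-lock-only` and its `resolved` and `integrity` fields compared against the public registry before the new dependency tree is accepted.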
The ESLint version 9.26.0 should be verified for legitimacy. Based on typical ESLint release patterns, version numbers in the 9.x series should follow semantic versioning. Please verify that version 9.26.0 exists in the official npm registry and matches the official ESLint releases. If this version doesn't exist or has unusual dependencies (like @modelcontextprotocol/sdk), it may indicate a compromised package or typosquatting attack.
| "eslint": "^9.26.0", | |
| "eslint": "^8.57.0", |
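To make the two checks raised in the review comments above repeatable on any dependency-upgrade PR, here is an added example; it is not code from this PR, from ESLint, or from Snyk's tooling. It reads a `package.json` object and a `package-lock.json` object (assumed to be lockfileVersion 2 or 3, with a `packages` map keyed by `node_modules/...` paths), reports packages that must share a major version but do not, and lists lockfile entries that have no `integrity` hash or that resolve from somewhere other than the public npm registry. The `samplePackageJson` and `sampleLock` objects are constructed for the demonstration and mirror the mismatch visible in the hunk.

```javascript
// Added example: lockfile review helper for dependency-upgrade PRs.
// Not part of the PR, ESLint, or Snyk. Sample inputs below are constructed.

const REGISTRY = "https://registry.npmjs.org/";

// Pairs of packages that are released in lockstep and must stay on one major line.
const MAJOR_PAIRS = [["eslint", "@eslint/js"]];

// Major component of a version or range such as "^9.26.0", "~8.57.0" or "9.26.0".
function major(spec) {
  const m = /^[\^~=v\s]*(\d+)\./.exec(String(spec));
  return m ? Number(m[1]) : null;
}

// Returns one string per MAJOR_PAIRS entry whose majors disagree in package.json.
function findMajorMismatches(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const issues = [];
  for (const [a, b] of MAJOR_PAIRS) {
    if (a in deps && b in deps && major(deps[a]) !== major(deps[b])) {
      issues.push(`${a} ${deps[a]} vs ${b} ${deps[b]}`);
    }
  }
  return issues;
}

// Package name from a lockfile path, e.g. "node_modules/@eslint/js" -> "@eslint/js",
// "node_modules/a/node_modules/b" -> "b".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Flags lockfile entries without an integrity hash or resolved outside the registry.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself, not a dependency
    const name = nameFromPath(path);
    if (!entry.integrity) {
      findings.push({ name, reason: "missing integrity hash" });
    }
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) {
      findings.push({ name, reason: `resolved outside registry: ${entry.resolved}` });
    }
  }
  return findings;
}

// Combined report for a PR: both checks in one object.
function reviewUpgrade(pkg, lock) {
  return {
    majorMismatches: findMajorMismatches(pkg),
    lockfileFindings: auditLockfile(lock),
  };
}

// Constructed sample: eslint moved to 9.x while @eslint/js stayed on 8.x, plus one
// hypothetical package that has no integrity field and a non-registry tarball URL.
const samplePackageJson = {
  devDependencies: {
    "@eslint/js": "^8.57.0",
    chai: "^4.3.10",
    eslint: "^9.26.0",
  },
};

const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: samplePackageJson.devDependencies },
    "node_modules/eslint": {
      version: "9.26.0",
      resolved: "https://registry.npmjs.org/eslint/-/eslint-9.26.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/@eslint/js": {
      version: "8.57.0",
      resolved: "https://registry.npmjs.org/@eslint/js/-/js-8.57.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/example-pkg": {
      version: "1.0.0",
      resolved: "https://example.invalid/example-pkg-1.0.0.tgz",
    },
  },
};

console.log(JSON.stringify(reviewUpgrade(samplePackageJson, sampleLock), null, 2));
```

Run against a real PR, replace the two sample objects with `JSON.parse(fs.readFileSync(...))` of the checked-out `package.json` and `package-lock.json`; an empty `majorMismatches` array and an empty `lockfileFindings` array are the expected result for a clean registry-only upgrade, and anything else is worth a look before merging.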
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-ESLINT-15102420
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.