[Snyk] Security upgrade eslint from 8.11.0 to 9.0.0#42
[Snyk] Security upgrade eslint from 8.11.0 to 9.0.0#42earthiverse wants to merge 1 commit intomainfrom
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @earthiverse, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request, automatically generated by Snyk, is a crucial security update for the project's npm dependencies. Its primary purpose is to upgrade the eslint package to its latest major version, 9.0.0, thereby mitigating an identified Regular Expression Denial of Service (ReDoS) vulnerability. This upgrade also involves a comprehensive refresh of the dependency tree, with many sub-dependencies being updated, added, or removed to align with the new eslint requirements.
Highlights
- Security Upgrade: Upgraded the
eslintdevelopment dependency from version8.11.0to9.0.0to address a critical Regular Expression Denial of Service (ReDoS) vulnerability (SNYK-JS-BRACEEXPANSION-9789073). - Major Version Bump: This is a major version upgrade for
eslint, which typically includes breaking changes and significant updates to its ecosystem, reflected in the extensive changes topackage-lock.json. - Transitive Dependency Updates: The
package-lock.jsonfile reflects a substantial number of transitive dependency updates, additions, and removals, ensuring compatibility with the neweslintversion and improving overall project security and stability.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request upgrades ESLint from v8 to v9 to address a security vulnerability. This is a major version upgrade and introduces several significant breaking changes that could impact the project.
Key points to consider before merging:
- Node.js Version Requirement: ESLint v9 requires Node.js
^18.18.0,^20.9.0, or>=21.1.0. Please ensure your development and CI/CD environments meet this requirement. - Configuration File Migration: ESLint v9 defaults to a new "flat" configuration format (
eslint.config.js). The traditional.eslintrc.*format is deprecated. If your project uses the older format, you will need to migrate your configuration. - Rule and API Changes: Several core rules have been changed or removed, and APIs for custom rules/plugins have been updated.
I've added a more detailed comment in package.json. It is highly recommended to review the ESLint v9 Migration Guide to understand the full scope of these changes and ensure a smooth transition.
| "@typescript-eslint/parser": "^5.16.0", | ||
| "copyfiles": "^2.4.1", | ||
| "eslint": "^8.11.0", | ||
| "eslint": "^9.0.0", |
There was a problem hiding this comment.
Upgrading to ESLint v9 is a major change with several breaking changes that need to be addressed.
-
Node.js Version: ESLint v9 requires Node.js
^18.18.0,^20.9.0, or>=21.1.0. Your project'senginesfield inpackage.json(if present) and your CI/CD environment configurations should be updated accordingly. Failure to do so will likely break your build. -
Configuration Format: ESLint v9 now uses a "flat config" (
eslint.config.js) by default, and the legacy.eslintrc.*format is deprecated. If you are using the old format, you will need to migrate. You can temporarily opt-out and continue using your.eslintrc.jsfile by settingESLINT_USE_FLAT_CONFIG=falsein your environment, but migration is recommended for long-term support. -
Removed/Changed Rules: Some rules have been removed (e.g.,
valid-jsdoc) or had their defaults changed. This could lead to new linting errors or different behavior.
Please consult the official ESLint v9 Migration Guide for a comprehensive list of changes and migration steps.
| "version": "0.12.3", | ||
| "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.12.3.tgz", | ||
| "integrity": "sha512-jsNnTBlMWuTpDkeE3on7+dWJi0D6fdDfeANj/w7MpS8ztROCoLvIO2nG0CcFj+E4k8j4QrSTh4Oryi3i2G669g==", | ||
| "deprecated": "Use @eslint/config-array instead", |
There was a problem hiding this comment.
This dependency, @humanwhocodes/config-array, is now deprecated as part of the ESLint v9 update. The suggested replacement is @eslint/config-array.
While this doesn't break the build now, it's a good idea to be aware of this for future maintenance and eventually migrate away from the deprecated package.
| "version": "2.0.3", | ||
| "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.3.tgz", | ||
| "integrity": "sha512-93zYdMES/c1D69yZiKDBj0V24vqNzB/koF26KPaagAfd3P/4gUlh3Dys5ogAK+Exi9QyzlD8x/08Zt7wIKcDcA==", | ||
| "deprecated": "Use @eslint/object-schema instead", |
There was a problem hiding this comment.
Similar to other packages from @humanwhocodes, this dependency, @humanwhocodes/object-schema, is now deprecated. The suggested replacement is @eslint/object-schema.
This is for your information to aid future maintenance.
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.jsonpackage-lock.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-BRACEEXPANSION-9789073
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)