Fix all npm audit vulnerabilities by upgrading dependencies #80
Pull request overview
Updates lint/build toolchain dependencies and ESLint/TypeScript lint configuration to address npm audit security findings (notably minimatch ReDoS and serialize-javascript RCE) while preserving prior lint behavior where possible.
Changes:
- Upgrades key devDependencies (notably `@typescript-eslint/*` to v8 and `copy-webpack-plugin` to v14) and bumps Volta Node version.
- Replaces `eslint-config-erb`/`eslint-config-airbnb-base` with explicit `airbnb` + `prettier` + plugin-based configs and adds `@stylistic/eslint-plugin-ts` for rule parity.
- Updates `tsconfig.lint.json` to enable `allowJs` for lint-only type-aware parsing.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| tsconfig.lint.json | Enables allowJs in the lint-specific TS config to support type-aware linting without createDefaultProgram. |
| package.json | Upgrades/adjusts linting and build dependencies to remediate audit vulnerabilities and resolve peer conflicts. |
| .eslintrc.cjs | Reworks ESLint config to explicitly extend Airbnb/Prettier/plugin presets and swaps lines-between-class-members to @stylistic/ts rule. |
bef38a9 to cfdb400
- @typescript-eslint/* ^6 → ^8 - Fixes minimatch ReDoS vulnerabilities
- copy-webpack-plugin ^12 → ^14 - Fixes serialize-javascript RCE vulnerability
- eslint-config-erb removed - Source of the peer dep conflicts; replaced by direct configs
- eslint-config-airbnb-base removed - Redundant — eslint-config-airbnb already depends on it
- eslint-config-airbnb added - Previously pulled in by erb
- eslint-config-prettier added - Previously pulled in by erb
- eslint-plugin-prettier added - Previously pulled in by erb
- @stylistic/eslint-plugin-ts ^2.13.0 added - Provides lines-between-class-members rule with exceptAfterOverload support, which was removed from @typescript-eslint v8

ESLint behavioral parity:
- All rules erb explicitly set are preserved.
- lines-between-class-members now uses @stylistic/ts/lines-between-class-members to preserve the original exceptAfterOverload: true option.

tsconfig.lint.json change: allowJs: true only affects the lint-specific tsconfig (not builds), and is the official replacement for the removed createDefaultProgram.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
cfdb400 to 3e02365
tjcouch-sil left a comment
Very nice! Same things apply here as in the other PR.
@tjcouch-sil reviewed 6 files and all commit messages, and made 1 comment.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on irahopkinson).
- @typescript-eslint/* ^6 → ^8
- copy-webpack-plugin ^12 → ^14
- eslint-config-erb removed
- eslint-config-airbnb-base removed
- eslint-config-airbnb added
- eslint-config-prettier added
- eslint-plugin-prettier added
- @stylistic/eslint-plugin-ts ^2.13.0 added
ESLint behavioral parity:
tsconfig.lint.json change: allowJs: true only affects the lint-specific tsconfig (not builds), and is the official replacement for the removed createDefaultProgram.
Note: The @typescript-eslint v6 → v8 upgrade may cause some rules to flag new issues in downstream repos due to bug fixes and stricter detection in v8. This is inherent to the major version upgrade required by the security fixes.
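A check a downstream repo could run against its own package.json to see whether it still declares the ranges this PR moved away from. It is an added example, not code from this PR: the function names and the sample manifest are constructed, and the floors and removed packages are taken from the change list above.

```javascript
// Added example: floors and removals are copied from this PR's change list.
const FLOORS = new Map([
  ['@typescript-eslint/*', 8],
  ['copy-webpack-plugin', 14],
]);
const REMOVED = ['eslint-config-erb', 'eslint-config-airbnb-base'];

// Lowest major version a declared range admits, or null when it cannot be read.
function lowestMajor(range) {
  const majors = String(range).split('||').map((alt) => {
    const t = alt.trim();
    if (t.startsWith('<')) return 0; // upper bound only: older majors still match
    const m = t.match(/^[\^~>=v\s]*(\d+)/);
    return m ? Number(m[1]) : null; // "*", dist-tags, git URLs, npm: aliases
  });
  return majors.includes(null) ? null : Math.min(...majors);
}

// Returns one finding per dependency that is below a floor or should be gone.
function checkManifest(pkg) {
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    const key = name.startsWith('@typescript-eslint/') ? '@typescript-eslint/*' : name;
    const floor = FLOORS.get(key);
    if (floor !== undefined) {
      const major = lowestMajor(range);
      if (major === null) findings.push(`${name}: cannot read "${range}", review manually`);
      else if (major < floor) findings.push(`${name}: "${range}" admits v${major}, floor is v${floor}`);
    }
    if (REMOVED.includes(name)) findings.push(`${name}: removed by the PR but still declared`);
  }
  return findings;
}

// Constructed sample manifest (version numbers are illustrative).
const sample = {
  devDependencies: {
    '@typescript-eslint/eslint-plugin': '^6.21.0',
    '@typescript-eslint/parser': '^8.0.0',
    'copy-webpack-plugin': '^12.0.2 || ^14.0.0',
    'eslint-config-erb': '^4.1.0',
    '@stylistic/eslint-plugin-ts': '^2.13.0',
  },
};
console.log(checkManifest(sample).join('\n'));
```

This reads declared ranges only; running `npm audit` against the installed lockfile is still what confirms the findings are gone.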