
Replace @wordpress/scripts with direct eslint dependency #215

Merged
eason9487 merged 3 commits into trunk from fix/replace-wp-scripts-with-eslint
Feb 27, 2026

Conversation

@eason9487 (Member)

Changes proposed in this Pull Request:

This repo only uses @wordpress/scripts for JS linting (wp-scripts lint-js), but the package pulls in 60 direct dependencies (webpack, jest, puppeteer, sass, stylelint, etc.) that are entirely unused. These transitive dependencies have been a recurring source of npm audit vulnerabilities (e.g., minimatch, webpack-dev-server, markdownlint-cli, ajv, axios).

What changed:

  • Remove @wordpress/scripts and replace with direct eslint and @babel/core dependencies
  • Add a root .eslintrc.js configured for the repo directory structure, replacing the inline eslintConfig in package.json
  • Set jest.version in eslint settings so eslint-plugin-jest works without the jest package (previously provided by @wordpress/scripts)
  • Suppress import/no-unresolved for stylelint in stylelintFormatter.js, which was previously masked by @wordpress/scripts bundling stylelint as a transitive dependency
  • Add an npm override for minimatch in @typescript-eslint/typescript-estree to fix the remaining transitive ReDoS vulnerability

Why this approach over adding more overrides:

An alternative considered was keeping @wordpress/scripts and adding npm overrides for each vulnerable transitive dependency (minimatch, webpack-dev-server, markdownlint-cli). While that resolves the current audit issues, it treats the symptoms rather than the cause. Each future vulnerability in any of the ~3,700 transitive packages would require a new override. Removing @wordpress/scripts reduces the dependency tree to ~1,300 packages (65% reduction) and eliminates the recurring maintenance burden.

Audit result:

The current trunk 43b1ec7 has 11 vulnerabilities (2 moderate, 9 high). This PR resolves all of them to 0.

Detailed test instructions:

  1. Run npm install
  2. Confirm package-lock.json has no new changes via git diff
  3. Run npm run lint:js
  4. Confirm the linting result is consistent with the trunk branch
  5. Run npm audit
  6. Confirm there are 0 vulnerabilities

The repo only uses @wordpress/scripts for JS linting (wp-scripts
lint-js), but it pulls in 60 direct dependencies (webpack, jest,
puppeteer, sass, stylelint, etc.) that are entirely unused. These
transitive dependencies have been a recurring source of npm audit
vulnerabilities.

Replace the wp-scripts wrapper with a direct eslint call and add a
root .eslintrc.js configured for the repo directory structure. Add
@babel/core as a direct dependency required by @wordpress/eslint-plugin
for AST parsing, and set jest.version in eslint settings since jest is
no longer installed as a transitive dependency.

The stylelint module is provided at runtime by the GitHub Actions
environment rather than as a direct dependency. This was previously
masked by @wordpress/scripts bundling stylelint as a transitive
dependency.

Add an npm override to resolve minimatch from 9.0.3 to 9.0.9, fixing
ReDoS vulnerabilities (GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj,
GHSA-23c5-xmqv-rm74) in the transitive dependency chain from
@wordpress/eslint-plugin.
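Added example, not code from this PR or the repository: a small Node script that checks whether a nested npm override, such as the minimatch pin under @typescript-eslint/typescript-estree described above, has actually taken effect in package-lock.json. It resolves the pinned dependency from each installed copy of the parent package the way Node's resolver does (nearest node_modules wins, falling back to the hoisted copy), so it catches the case where the override is declared but the lockfile still carries the old nested version. The lockfile excerpts and the parent package's version are constructed for the example; only the minimatch 9.0.3 to 9.0.9 pin comes from the PR.

```javascript
'use strict';

// The override the PR describes, in npm's nested-override syntax: minimatch is
// pinned only in the subtree below @typescript-eslint/typescript-estree, so a
// hoisted minimatch used by other packages is deliberately left alone.
const overrides = {
  '@typescript-eslint/typescript-estree': { minimatch: '9.0.9' },
};

// Constructed package-lock.json excerpts (lockfileVersion 3 layout: "packages"
// keyed by install path). The typescript-estree version is a placeholder.
const lockBefore = {
  packages: {
    'node_modules/minimatch': { version: '3.1.2' },
    'node_modules/@typescript-eslint/typescript-estree': { version: '0.0.0-example' },
    'node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch': { version: '9.0.3' },
  },
};
const lockAfter = {
  packages: {
    'node_modules/minimatch': { version: '3.1.2' },
    'node_modules/@typescript-eslint/typescript-estree': { version: '0.0.0-example' },
    'node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch': { version: '9.0.9' },
  },
};

// Parse "major.minor.patch" (prerelease/build suffixes are ignored); null if unparseable.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two versions: negative, zero or positive like a comparator.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Resolve `dep` as seen from the package installed at `fromPath`: try
// <fromPath>/node_modules/<dep>, then walk up one node_modules level at a time,
// ending with the root node_modules/<dep>. Mirrors Node's lookup order.
function resolveDep(lockPackages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base}/node_modules/${dep}`;
    if (lockPackages[candidate]) return { path: candidate, version: lockPackages[candidate].version };
    const idx = base.lastIndexOf('/node_modules/');
    if (idx === -1) break;
    base = base.slice(0, idx);
  }
  const root = `node_modules/${dep}`;
  return lockPackages[root] ? { path: root, version: lockPackages[root].version } : null;
}

// For every installed copy of each override parent, check that the pinned
// dependency resolves to at least the pinned version. An override pins an exact
// version, so "at least" is the test for whether the fix has landed.
function checkOverrides(lock, overridesMap) {
  const pkgs = lock.packages || {};
  const findings = [];
  for (const [parent, pins] of Object.entries(overridesMap)) {
    const parentPaths = Object.keys(pkgs).filter(
      (p) => p === `node_modules/${parent}` || p.endsWith(`/node_modules/${parent}`),
    );
    for (const parentPath of parentPaths) {
      for (const [dep, wanted] of Object.entries(pins)) {
        const found = resolveDep(pkgs, parentPath, dep);
        const ok = found !== null && compareSemver(found.version, wanted) >= 0;
        findings.push({ parent: parentPath, dep, wanted, actual: found ? found.version : null, ok });
      }
    }
  }
  return findings;
}

// Only the pins that have not taken effect; an empty array means the lockfile matches.
function failingPins(lock, overridesMap) {
  return checkOverrides(lock, overridesMap).filter((f) => !f.ok);
}

for (const f of failingPins(lockBefore, overrides)) {
  console.log(`${f.parent} -> ${f.dep}: ${f.actual ?? 'missing'} (want >= ${f.wanted})`);
}
```

To run it against a real checkout, parse package-lock.json and package.json with JSON.parse(fs.readFileSync(...)) and pass lock and pkg.overrides to failingPins; a non-empty result after npm install means the override is declared but the lockfile was not regenerated, which is the case step 2 of the test instructions (no new package-lock.json changes) is meant to rule out.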

Copilot AI left a comment


Pull request overview

This PR replaces @wordpress/scripts with direct eslint and @babel/core dependencies to reduce the dependency tree from ~3,700 to ~1,300 packages (65% reduction) and eliminate recurring npm audit vulnerabilities. The change addresses the root cause rather than treating symptoms through individual overrides.

Changes:

  • Removed @wordpress/scripts dependency and replaced with direct eslint and @babel/core dependencies
  • Migrated inline eslintConfig from package.json to a standalone .eslintrc.js file with improved configuration including jest version settings
  • Added import/no-unresolved suppression for stylelint import in the stylelint formatter to account for the external dependency pattern

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

  • package.json: Removed @wordpress/scripts; added eslint, @babel/core; moved eslintConfig to separate file; added minimatch override for security fix
  • .eslintrc.js: New ESLint configuration file with settings for import resolver, jest version, and ignore patterns including .github/ and vendor/
  • packages/github-actions/actions/stylelint-annotation/src/stylelintFormatter.js: Added import/no-unresolved to eslint-disable comment for stylelint import


@eason9487 eason9487 merged commit b8087da into trunk Feb 27, 2026
5 checks passed
@eason9487 eason9487 deleted the fix/replace-wp-scripts-with-eslint branch February 27, 2026 07:51