#1745 e244adf Thanks @iiroj! - Node.js v20 is no longer supported, and the oldest supported version is now 22.22.1, which is an active LTS version at the time of this release. Node.js 20 will be EOL after April 2026. Please upgrade your Node.js version!
#1676 0584e0b Thanks @outslept! - Lint-staged now tries to verify the installed Git version is at least 2.32.0, released in 2021. If you're using an even older Git version, you need to upgrade it before running lint-staged!
#1745 2dcc40a Thanks @iiroj! - The dependency yaml is now marked as optional and probably won't be installed by default. If you're using a YAML configuration file you should install the package separately:
npm install --development yaml
If you're using .lintstagedrc as the config file name (without a file extension), it will be treated as a YAML file. If the content is JSON, consider renaming it to .lintstagedrc.json to avoid needing to install yaml.
Minor Changes
#1748 809d5ef Thanks @iiroj! - Add new option --hide-all for hiding all unstaged changes and untracked files, before running tasks. This makes it easier to run tools like Knip which check for unused code. Untracked files are included in the backup stash and restored automatically after running.
#1759 f13045a Thanks @iiroj! - Update dependencies, including tinyexec@1.1.1 to fix the following issues:
When using a Node.js version manager with multiple versions installed (nvm, n, for example), scripts with the #!/usr/bin/env node shebang (Prettier, ESLint, for example) were previously spawned using the default Node.js version configured by the version manager (the one which node points to) on POSIX systems. Now, they will be spawned with the same version that lint-staged itself was started with.
For example, if your default Node.js version is 24.14.1 but lint-staged is run with the latest version 25.9.0, the tasks spawned by lint-staged will now also use version 25.9.0. Previously they were spawned using 24.14.1.
When installing Node.js from the Ubuntu App Center (Snap store), the node executable available in PATH is a symlink pointing to Snap itself. The sandboxing features of Snap prevented lint-staged from spawning scripts with the #!/usr/bin/env node shebang, because it meant lint-staged tried to spawn Snap via the symlink. This resulted in an ENOENT error when trying to run prettier, for example. Now, since the real node executable's directory is available in the PATH, lint-staged will instead spawn the script with the real node binary successfully.
#1761 d3251b1 Thanks @iiroj! - Lint-staged now runs git update-index --again after running tasks, instead of git add <originally staged files>. This should improve compatibility when using non-default indexes, for example when committing with a pathspec git commit -m "message" . instead of adding files to the index.
#1745 a9585ac Thanks @iiroj! - Remove commander as a dependency and use the built-in parseArgs from node:util to parse CLI flags.
#1750 a401818 Thanks @iiroj! - Remove manual handling for git stash --keep-index resurrecting deleted files, because the issue was fixed in Git 2.23.0 and lint-staged requires at least Git 2.32.0.
#1771 c4b8936 Thanks @iiroj! - Fix documentation about multiple config files and the --cwd option. When using it, all tasks will be run in the specified directory. For example, to run everything in the actual process.cwd(), use lint-staged --cwd=".".
#1698 feda37a Thanks @iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.
#1699 1346d16 Thanks @iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.
Patch Changes
#1726 87467aa Thanks @iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.
Configuration
📅 Schedule: (UTC)
Branch creation
At any time (no schedule defined)
Automerge
At any time (no schedule defined)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
If you want to rebase/retry this PR, check this box
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
Review the following alerts detected in dependencies.
According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.
Action
Severity
Alert (click "▶" to expand/collapse)
Block
Potential code anomaly (AI signal): npm yaml is 100.0% likely to have a medium risk anomaly
Notes: The code presents a standard, non-malicious NodeBase component used in YAML/JS conversion. The primary risk surface is the optional reviver and onAnchor callbacks provided by the user: if untrusted, these can execute arbitrary code or influence the transformed representation via applyReviver or the reviver itself. This is expected behavior for extensible YAML libraries; ensure callbacks come from trusted sources and sandbox or validate revivers where possible.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/yaml@2.8.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This PR contains the following updates:
^16.0.0 → ^17.0.0
Release Notes
lint-staged/lint-staged (lint-staged)
v17.0.3 Compare Source
Patch Changes
06813f9 Thanks @iiroj! - Fix lint-staged behavior when implicitly committing files without using git add by either:
git commit -am "my commit message" where -a (--all) means to automatically stage all tracked modified and deleted files
git commit -m "my commit message" . where . is an example of a pathspec where matching files will be staged
v17.0.2 Compare Source
Patch Changes
88670ca Thanks @iiroj! - Enable immutable GitHub releases
v17.0.1 Compare Source
Patch Changes
4a5664b Thanks @iiroj! - Adjust GitHub Actions workflow so that automatic publishing works with signed commits.
v17.0.0 Compare Source
Major Changes
#1745 e244adf Thanks @iiroj! - Node.js v20 is no longer supported, and the oldest supported version is now 22.22.1, which is an active LTS version at the time of this release. Node.js 20 will be EOL after April 2026. Please upgrade your Node.js version!
#1676 0584e0b Thanks @outslept! - Lint-staged now tries to verify the installed Git version is at least 2.32.0, released in 2021. If you're using an even older Git version, you need to upgrade it before running lint-staged!
#1745 2dcc40a Thanks @iiroj! - The dependency yaml is now marked as optional and probably won't be installed by default. If you're using a YAML configuration file you should install the package separately:
npm install --development yaml
If you're using .lintstagedrc as the config file name (without a file extension), it will be treated as a YAML file. If the content is JSON, consider renaming it to .lintstagedrc.json to avoid needing to install yaml.
Minor Changes
#1748 809d5ef Thanks @iiroj! - Add new option --hide-all for hiding all unstaged changes and untracked files, before running tasks. This makes it easier to run tools like Knip which check for unused code. Untracked files are included in the backup stash and restored automatically after running.
#1759 f13045a Thanks @iiroj! - Update dependencies, including tinyexec@1.1.1 to fix the following issues:
When using a Node.js version manager with multiple versions installed (nvm, n, for example), scripts with the #!/usr/bin/env node shebang (Prettier, ESLint, for example) were previously spawned using the default Node.js version configured by the version manager (the one which node points to) on POSIX systems. Now, they will be spawned with the same version that lint-staged itself was started with.
For example, if your default Node.js version is 24.14.1 but lint-staged is run with the latest version 25.9.0, the tasks spawned by lint-staged will now also use version 25.9.0. Previously they were spawned using 24.14.1.
When installing Node.js from the Ubuntu App Center (Snap store), the node executable available in PATH is a symlink pointing to Snap itself. The sandboxing features of Snap prevented lint-staged from spawning scripts with the #!/usr/bin/env node shebang, because it meant lint-staged tried to spawn Snap via the symlink. This resulted in an ENOENT error when trying to run prettier, for example. Now, since the real node executable's directory is available in the PATH, lint-staged will instead spawn the script with the real node binary successfully.
#1761 d3251b1 Thanks @iiroj! - Lint-staged now runs git update-index --again after running tasks, instead of git add <originally staged files>. This should improve compatibility when using non-default indexes, for example when committing with a pathspec git commit -m "message" . instead of adding files to the index.
#1745 a9585ac Thanks @iiroj! - Remove commander as a dependency and use the built-in parseArgs from node:util to parse CLI flags.
Patch Changes
#1755 c82d30b Thanks @iiroj! - All tests now pass on the Bun runtime (latest).
#1750 a401818 Thanks @iiroj! - Remove manual handling for git stash --keep-index resurrecting deleted files, because the issue was fixed in Git 2.23.0 and lint-staged requires at least Git 2.32.0.
#1771 c4b8936 Thanks @iiroj! - Fix documentation about multiple config files and the --cwd option. When using it, all tasks will be run in the specified directory. For example, to run everything in the actual process.cwd(), use lint-staged --cwd=".".
v16.4.0 Compare Source
Minor Changes
687fc90 Thanks @hyperz111! - Replace micromatch with picomatch to reduce dependencies.
v16.3.4 Compare Source
Patch Changes
9d6e827 Thanks @iiroj! - Update dependencies, including tinyexec@1.0.4 to make sure local node_modules/.bin are preferred to global locations (released in tinyexec@1.0.3).
v16.3.3 Compare Source
Patch Changes
0109e8d Thanks @iiroj! - Make sure Git's warning about CRLF line-endings doesn't interfere with creating initial backup stash.
v16.3.2 Compare Source
Patch Changes
2adaf6c Thanks @iiroj! - Hide the extra cmd window on Windows by spawning tasks without the detached option.
v16.3.1 Compare Source
Patch Changes
cd5d762 Thanks @iiroj! - Remove nano-spawn as a dependency from package.json as it was replaced with tinyexec and is no longer used.
v16.3.0 Compare Source
Minor Changes
#1698 feda37a Thanks @iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.
#1699 1346d16 Thanks @iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.
Patch Changes
#1726 87467aa Thanks @iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
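The tinyexec@1.1.1 note in the v17.0.0 release notes above turns on PATH order: `#!/usr/bin/env node` starts whichever `node` is found first. The following is an added example, not code from lint-staged, tinyexec or this PR; the function names and the nvm-style paths are hypothetical, and only the two version numbers come from the release notes.

```javascript
// Added illustration, not lint-staged or tinyexec source code.
// Models how PATH order decides which binary `#!/usr/bin/env node` starts.

// Copy `env`, putting the directory of `execPath` first in PATH (POSIX ':' separator).
function envWithNodeFirst(execPath, env) {
  const nodeDir = execPath.slice(0, execPath.lastIndexOf('/')) || '/';
  const rest = (env.PATH || '').split(':').filter((dir) => dir && dir !== nodeDir);
  return { ...env, PATH: [nodeDir, ...rest].join(':') };
}

// Mimic the lookup `env node` performs: first PATH entry holding an executable `name`.
function resolveOnPath(name, env, isExecutable) {
  for (const dir of (env.PATH || '').split(':')) {
    if (dir && isExecutable(`${dir}/${name}`)) return `${dir}/${name}`;
  }
  return null; // a spawn would report this as ENOENT
}

// Constructed sample: two nvm-style installs; the paths are hypothetical.
const NVM = '/home/dev/.nvm/versions/node';
const installed = new Set([`${NVM}/v24.14.1/bin/node`, `${NVM}/v25.9.0/bin/node`]);
const isInstalled = (file) => installed.has(file);

// Environment as the version manager sets it up: default version first.
const shellEnv = { PATH: `${NVM}/v24.14.1/bin:/usr/bin:/bin` };
// Hypothetical process.execPath of the Node.js that started the tool.
const runningNode = `${NVM}/v25.9.0/bin/node`;

// Resolve `node` with the inherited PATH and with the running binary's directory first.
function demo() {
  return {
    inherited: resolveOnPath('node', shellEnv, isInstalled),
    pinned: resolveOnPath('node', envWithNodeFirst(runningNode, shellEnv), isInstalled),
  };
}

console.log(demo());
```

In a real check, `isExecutable` would wrap a filesystem test and `runningNode` would be `process.execPath`; a mismatch between the two results means hook tasks run on a different Node.js than the one that was audited and launched.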