[Snyk] Security upgrade eslint from 9.39.4 to 10.0.0#71
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-17706650
|
This major upgrade to ESLint v10 introduces significant breaking changes, most notably the complete removal of the legacy Key Breaking Changes:
Recommendation: Source: ESLint v10.0.0 Release Notes, Migration Guide
|
|
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
| "@eslint/js": "catalog:devTools", | ||
| "@typescript/native-preview": "catalog:devTools", | ||
| "eslint": "catalog:devTools", | ||
| "eslint": "10.0.0", |
There was a problem hiding this comment.
CRITICAL: ESLint 10 bump diverges from the catalog and is not synced to the lockfile, so it will fail install/lint.
This PR pins eslint to a hard-coded exact 10.0.0 while every other package still uses catalog:devTools (^9.39.2). Problems:
- Lockfile not updated. Snyk's own PR description warns "Failed to update the pnpm-lock.yaml, please update manually before merging." The lockfile still resolves
eslint@9.39.4everywhere (grep ofpnpm-lock.yamlshows noeslint@10).pnpm installin CI will be inconsistent / fail the lockfile check. - Inconsistent across the monorepo. All other packages (
client,server,core, etc.) keepcatalog:devTools. Bumping onlyhonomeans two ESLint majors coexist in one workspace, which pnpm/eslint peer resolution will reject. - ESLint 10 is a major breaking change (removes
.eslintrc, requires flat config, Node >=20.19). The shared@modelcontextprotocol/eslint-configdep is stillcatalog:devTools(^9.39.2), so this package'seslint.config.mjsimporting it would pull an incompatible peer. The whole monorepo must migrate to ESLint 10 together, not one leaf package. - Exact pin instead of
^10.0.0. Even if intentional, an exact10.0.0pin breaks the catalog-driven single-version-of-truth strategy this repo uses.
Recommendation: revert this line; fix the brace-expansion vuln at the catalog level (or bump all packages + shared config + lockfile together), since the fix belongs in catalogs.devTools.eslint in pnpm-workspace.yaml.
| "eslint": "10.0.0", | |
| "eslint": "catalog:devTools", |
Code Review SummaryStatus: 1 Issue Found | Recommendation: Address before merge Overview
\n
Issue Details (click to expand)CRITICAL
\n
Files Reviewed (1 file)
Fix these issues in Kilo Cloud Reviewed by hy3-20260706:free · Input: 25.3K · Output: 2.6K · Cached: 208.5K Review guidance: REVIEW.md from base branch |
Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
packages/middleware/hono/package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-BRACEEXPANSION-17706650
Breaking Change Risk
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
This change is