Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion packages/middleware/node/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@
"@modelcontextprotocol/vitest-config": "workspace:^",
"@eslint/js": "catalog:devTools",
"@typescript/native-preview": "catalog:devTools",
"eslint": "catalog:devTools",
"eslint": "10.0.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL]: ESLint 10 pinned without a matching lockfile entry or v10-compatible companion plugins — install/lint will break

This PR hardcodes "eslint": "10.0.0" in only this package, but the committed pnpm-lock.yaml contains zero entries for eslint@10 (every package is resolved against eslint@9.39.4). The PR body itself warns: "Failed to update the pnpm-lock.yaml, please update manually before merging." Running pnpm install against this change will fail resolution in CI, so lint/check jobs won't run.

Even after the lockfile is regenerated, this creates a major version-skew hazard:

  • Every other package (client, server, core, codemod, express, hono, fastify, server-legacy) keeps eslint: catalog:devTools = ^9.39.2, so the workspace would have two eslint majors installed.
  • The companion plugins stay on v9: @eslint/js ^9.39.2, eslint-plugin-n ^17.23.1, typescript-eslint ^8.48.1, and the shared @modelcontextprotocol/eslint-config is built/validated against eslint 9. ESLint 10 is a major release with breaking changes; these v9 plugins are not guaranteed compatible with the v10 engine. The eslint-config flat config consumed by this package (./eslint.config.mjs) was authored for eslint 9.

A security bump should not silently introduce a toolchain-major jump in a single package. Recommended fixes, in order of preference:

  1. Update the catalog devTools.eslint to a patched v9 (the BRACEEXPANSION advisory is a transitive/minor issue, not something that requires ESLint 10) and keep all packages on catalog:devTools, OR
  2. If ESLint 10 is truly required, do it as a coordinated workspace-wide migration: bump eslint plus @eslint/js, typescript-eslint, eslint-plugin-n, eslint-config-prettier, and the shared @modelcontextprotocol/eslint-config together, regenerate pnpm-lock.yaml, and verify pnpm lint:all passes — not a one-package pin.

Do not merge until pnpm-lock.yaml actually resolves eslint@10 and the package's lint passes in CI.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

"eslint-config-prettier": "catalog:devTools",
"eslint-plugin-n": "catalog:devTools",
"prettier": "catalog:devTools",
Expand Down
Loading