[Snyk] Security upgrade eslint from 9.39.4 to 10.0.0#72
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-17706650
|
This major upgrade to ESLint v10 introduces significant breaking changes, most notably the complete removal of the legacy Key Breaking Changes:
Recommendation: Source: ESLint v10.0.0 Release Notes, Migration Guide
|
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
| "@eslint/js": "catalog:devTools", | ||
| "@typescript/native-preview": "catalog:devTools", | ||
| "eslint": "catalog:devTools", | ||
| "eslint": "10.0.0", |
There was a problem hiding this comment.
[CRITICAL]: ESLint 10 pinned without a matching lockfile entry or v10-compatible companion plugins — install/lint will break
This PR hardcodes "eslint": "10.0.0" in only this package, but the committed pnpm-lock.yaml contains zero entries for eslint@10 (every package is resolved against eslint@9.39.4). The PR body itself warns: "Failed to update the pnpm-lock.yaml, please update manually before merging." Running pnpm install against this change will fail resolution in CI, so lint/check jobs won't run.
Even after the lockfile is regenerated, this creates a major version-skew hazard:
- Every other package (client, server, core, codemod, express, hono, fastify, server-legacy) keeps
eslint: catalog:devTools=^9.39.2, so the workspace would have two eslint majors installed. - The companion plugins stay on v9:
@eslint/js^9.39.2,eslint-plugin-n^17.23.1,typescript-eslint^8.48.1, and the shared@modelcontextprotocol/eslint-configis built/validated against eslint 9. ESLint 10 is a major release with breaking changes; these v9 plugins are not guaranteed compatible with the v10 engine. Theeslint-configflat config consumed by this package (./eslint.config.mjs) was authored for eslint 9.
A security bump should not silently introduce a toolchain-major jump in a single package. Recommended fixes, in order of preference:
- Update the catalog
devTools.eslintto a patched v9 (theBRACEEXPANSIONadvisory is a transitive/minor issue, not something that requires ESLint 10) and keep all packages oncatalog:devTools, OR - If ESLint 10 is truly required, do it as a coordinated workspace-wide migration: bump
eslintplus@eslint/js,typescript-eslint,eslint-plugin-n,eslint-config-prettier, and the shared@modelcontextprotocol/eslint-configtogether, regeneratepnpm-lock.yaml, and verifypnpm lint:allpasses — not a one-package pin.
Do not merge until pnpm-lock.yaml actually resolves eslint@10 and the package's lint passes in CI.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
Code Review SummaryStatus: 1 Issue Found | Recommendation: Address before merge Overview
Issue Details (click to expand)CRITICAL
Files Reviewed (1 file)
Fix these issues in Kilo Cloud Reviewed by hy3-20260706:free · Input: 57.7K · Output: 4.4K · Cached: 318.6K Review guidance: REVIEW.md from base branch |
Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
packages/middleware/node/package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-BRACEEXPANSION-17706650
Breaking Change Risk
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
This change is