[Snyk] Security upgrade eslint from 9.39.4 to 10.0.0#74
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-17706650
|
This major upgrade to ESLint v10 introduces significant breaking changes, most notably the complete removal of the legacy Key Breaking Changes:
Recommendation: Source: ESLint v10.0.0 Release Notes, Migration Guide
|
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
| "@modelcontextprotocol/vitest-config": "workspace:^", | ||
| "@typescript/native-preview": "catalog:devTools", | ||
| "eslint": "catalog:devTools", | ||
| "eslint": "10.0.0", |
There was a problem hiding this comment.
WARNING: Lockfile is stale — pnpm-lock.yaml still records eslint@9.39.4 for this package (specifier catalog:devTools). The PR body itself warns: "Failed to update the pnpm-lock.yaml, please update manually before merging." Until the lockfile is updated, this change installs nothing different.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
| "@modelcontextprotocol/vitest-config": "workspace:^", | ||
| "@typescript/native-preview": "catalog:devTools", | ||
| "eslint": "catalog:devTools", | ||
| "eslint": "10.0.0", |
There was a problem hiding this comment.
WARNING: Incomplete workspace-wide fix — the devTools catalog in pnpm-workspace.yaml still defines eslint: ^9.39.2, and every other package (including the shared @modelcontextprotocol/eslint-config) still uses catalog:devTools. Only packages/core bypasses the catalog, so the vulnerability is not fixed for the rest of the workspace and packages/core now runs eslint@10.0.0 against a shared config resolved for eslint@9.x.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
| "@modelcontextprotocol/vitest-config": "workspace:^", | ||
| "@typescript/native-preview": "catalog:devTools", | ||
| "eslint": "catalog:devTools", | ||
| "eslint": "10.0.0", |
There was a problem hiding this comment.
WARNING: Potential peer-dependency breakage — the lockfile shows typescript-eslint resolved to 8.57.2(eslint@9.39.4) and eslint-plugin-n to 17.24.0(eslint@9.39.4), indicating these plugins are peer-matched against eslint 9.x. Moving eslint to 10.0.0 without upgrading typescript-eslint and related plugins will likely cause lint failures.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
Code Review SummaryStatus: 3 Warnings | Recommendation: Address before merge Overview
Issue Details (click to expand)WARNING
Files Reviewed (1 file)
Fix these issues in Kilo Cloud Reviewed by step-3.7-flash-20260528 · Input: 58.9K · Output: 13K · Cached: 607.9K Review guidance: REVIEW.md from base branch |
Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
packages/core/package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-BRACEEXPANSION-17706650
Breaking Change Risk
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
This change is