[Snyk] Security upgrade eslint from 9.39.4 to 10.0.0#75
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-17706650
|
This major upgrade to ESLint v10 introduces significant breaking changes, most notably the complete removal of the legacy Key Breaking Changes:
Recommendation: Source: ESLint v10.0.0 Release Notes, Migration Guide
|
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
| "@types/eventsource": "catalog:devTools", | ||
| "@typescript/native-preview": "catalog:devTools", | ||
| "eslint": "catalog:devTools", | ||
| "eslint": "10.0.0", |
There was a problem hiding this comment.
[CRITICAL]: pnpm-lock.yaml is not updated for this dependency change and CI install will fail
This PR hardcodes "eslint": "10.0.0" here, but pnpm-lock.yaml is unchanged on the branch and still resolves eslint@9.39.4 everywhere (confirmed: no eslint@10 entry in the lockfile). pnpm's default --frozen-lockfile (used in CI) will reject the mismatch and the packages/server install/build/lint steps will fail. Snyk's own PR warning called this out: *"Failed to update the pnpm-lock.yaml, please update manually before merging."
Before this can merge, run pnpm install so the lockfile records eslint@10.0.0, and commit the regenerated pnpm-lock.yaml.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
| "@types/eventsource": "catalog:devTools", | ||
| "@typescript/native-preview": "catalog:devTools", | ||
| "eslint": "catalog:devTools", | ||
| "eslint": "10.0.0", |
There was a problem hiding this comment.
[WARNING]: Hardcoding 10.0.0 diverges from the catalog:devTools eslint and creates version skew with sibling packages
The repo uses a pnpm catalog: eslint: ^9.39.2 is defined in pnpm-workspace.yaml and every other package pulls eslint via catalog:devTools. Pinning a bare 10.0.0 here forks @modelcontextprotocol/server off the catalog, so it will run a different major of eslint than client, core-internal, core, etc. This defeats the catalog's purpose (single-source version management) and is easy to regress on the next catalog bump.
Consider either (a) updating the catalog eslint entry to 10.0.0 (and bumping the whole workspace together), or (b) keeping catalog:devTools and updating the catalog value — rather than a one-off hardcoded version in a single package.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
| "@types/eventsource": "catalog:devTools", | ||
| "@typescript/native-preview": "catalog:devTools", | ||
| "eslint": "catalog:devTools", | ||
| "eslint": "10.0.0", |
There was a problem hiding this comment.
[WARNING]: ESLint v10 is a major bump; companion devDeps remain pinned to v9-era ranges and may be incompatible
eslint-config-prettier, eslint-plugin-n, typescript-eslint, and @eslint/js are still catalog:devTools, which currently resolve to v9-compatible versions (@eslint/js: ^9.39.2, typescript-eslint: ^8.48.1, eslint-plugin-n: ^17.23.1). ESLint v10 drops Node <20.19 and the legacy .eslintrc system; flat-config plugins often require a matching major. Mixing eslint@10 with v9-era companion plugins risks peer-dependency and runtime incompatibilities in pnpm run lint.
Verify the companion lint plugins support eslint@10 (and that this repo's flat config / Node version satisfy v10 requirements) before merging; bump the companions in lockstep if needed.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
| "@types/eventsource": "catalog:devTools", | ||
| "@typescript/native-preview": "catalog:devTools", | ||
| "eslint": "catalog:devTools", | ||
| "eslint": "10.0.0", |
There was a problem hiding this comment.
[SUGGESTION]: Add a changeset for this dependency change
The repo maintains .changeset/ and uses changesets for releases. A dependency bump (even a dev dependency) normally warrants a changeset so downstream consumers / release notes reflect it. Consider adding a .changeset/*.md describing the eslint major bump in packages/server.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
Code Review SummaryStatus: 4 Issues Found | Recommendation: Address before merge Overview
Issue Details (click to expand)CRITICAL
WARNING
SUGGESTION
Files Reviewed (1 files)
Fix these issues in Kilo Cloud Reviewed by hy3-20260706:free · Input: 62K · Output: 4.1K · Cached: 315.6K Review guidance: REVIEW.md from base branch |
Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
packages/server/package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-BRACEEXPANSION-17706650
Breaking Change Risk
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
This change is