🚨 [security] [js] Update eslint 9.39.2 → 10.0.0 (major) #643

Merged
digitaltom merged 2 commits into main from depfu/update/npm/eslint-10.0.0
Feb 16, 2026

@depfu depfu bot commented Feb 16, 2026


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ eslint (9.39.2 → 10.0.0) · Repo · Changelog

Release Notes

10.0.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​eslint/plugin-kit (indirect, 0.4.1 → 0.6.0) · Repo · Changelog

Release Notes

0.6.0 (from changelog)

More info than we can show here.

0.5.1 (from changelog)

More info than we can show here.

0.5.0 (from changelog)

More info than we can show here.

↗️ @​types/estree (indirect, 1.0.6 → 1.0.8) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ balanced-match (indirect, 1.0.2 → 4.0.2) · Repo

Release Notes

3.0.1

More info than we can show here.

3.0.0

More info than we can show here.

2.0.0

More info than we can show here.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ brace-expansion (indirect, 1.1.12 → 5.0.2) · Repo

Security Advisories 🚨

🚨 brace-expansion Regular Expression Denial of Service vulnerability

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

Release Notes

4.0.1

More info than we can show here.

4.0.0

More info than we can show here.

3.0.1

More info than we can show here.

3.0.0

More info than we can show here.

2.0.2

More info than we can show here.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-scope (indirect, 8.4.0 → 9.1.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-visitor-keys (indirect, 4.2.1 → 5.0.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ espree (indirect, 10.4.0 → 11.1.0) · Repo · Changelog

Release Notes

11.1.0 (from changelog)

More info than we can show here.

11.0.0 (from changelog)

More info than we can show here.

↗️ esquery (indirect, 1.6.0 → 1.7.0) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ minimatch (indirect, 3.1.2 → 10.2.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 @​isaacs/cliui (added, 9.0.0)

🆕 @​types/esrecurse (added, 4.3.1)

🆕 jackspeak (added, 4.2.3)

🗑️ @​eslint/eslintrc (removed)

🗑️ chalk (removed)

🗑️ concat-map (removed)

🗑️ lodash.merge (removed)

🗑️ strip-json-comments (removed)

🗑️ globals (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Feb 16, 2026

coveralls commented Feb 16, 2026

Pull Request Test Coverage Report for Build 22075550405

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 99.362%

Totals Coverage Status
Change from base Build 22070915790: 0.0%
Covered Lines: 779
Relevant Lines: 784

💛 - Coveralls

@digitaltom digitaltom merged commit c348def into main Feb 16, 2026
8 checks passed
@depfu depfu bot deleted the depfu/update/npm/eslint-10.0.0 branch February 16, 2026 20:57