Bump eslint from 9.39.4 to 10.2.0 #288

Merged
csasarak merged 1 commit into main from dependabot/npm_and_yarn/eslint-10.2.0 on Apr 6, 2026

dependabot Bot commented on behalf of github on Apr 6, 2026

Bumps eslint from 9.39.4 to 10.2.0.

Release notes

Sourced from eslint's releases.

v10.2.0

Features

  • 586ec2f feat: Add meta.languages support to rules (#20571) (Copilot)
  • 14207de feat: add Temporal to no-obj-calls (#20675) (Pixel998)
  • bbb2c93 feat: add Temporal to ES2026 globals (#20672) (Pixel998)

Bug Fixes

  • 542cb3e fix: update first-party dependencies (#20714) (Francesco Trotta)

Documentation

  • a2af743 docs: add language to configuration objects (#20712) (Francesco Trotta)
  • 845f23f docs: Update README (GitHub Actions Bot)
  • 5fbcf59 docs: remove sourceType from ts playground link (#20477) (Tanuj Kanti)
  • 8702a47 docs: Update README (GitHub Actions Bot)
  • ddeaded docs: Update README (GitHub Actions Bot)
  • 2b44966 docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic)
  • eab65c7 docs: update eslint versions in examples (#20664) (루밀LuMir)
  • 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#20660) (Milos Djermanovic)

Chores

  • 8120e30 refactor: extract no unmodified loop condition (#20679) (kuldeep kumar)
  • 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#20697) (renovate[bot])
  • 01ed3aa test: add unit tests for unicode utilities (#20622) (Manish chaudhary)
  • 811f493 ci: remove --legacy-peer-deps from types integration tests (#20667) (Milos Djermanovic)
  • 6b86fcf chore: update dependency npm-run-all2 to v8 (#20663) (renovate[bot])
  • 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#20662) (루밀LuMir)
  • b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#20659) (Milos Djermanovic)
  • 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#20661) (Milos Djermanovic)
  • 3ab4d7e test: Add tests for eslintrc-style keys (#20645) (kuldeep kumar)

v10.1.0

Features

  • ff4382b feat: apply fix for no-var in TSModuleBlock (#20638) (Tanuj Kanti)
  • 0916995 feat: Implement api support for bulk-suppressions (#20565) (Blake Sager)

Bug Fixes

  • 2b8824e fix: Prevent no-var autofix when a variable is used before declaration (#20464) (Amaresh S M)
  • e58b4bf fix: update eslint (#20597) (renovate[bot])

Documentation

  • b7b57fe docs: use correct JSDoc link in require-jsdoc.md (#20641) (mkemna-clb)
  • 58e4cfc docs: add deprecation notice partial (#20639) (Milos Djermanovic)
  • 7143dbf docs: update v9 migration guide for @eslint/js usage (#20540) (fnx)
  • 035fc4f docs: note that globalReturn applies only with sourceType: "script" (#20630) (Milos Djermanovic)
  • e972c88 docs: merge ESLint option descriptions into type definitions (#20608) (Francesco Trotta)
  • 7f10d84 docs: Update README (GitHub Actions Bot)
  • aeed007 docs: open playground link in new tab (#20602) (Tanuj Kanti)
  • a0d1a37 docs: Add AI Usage Policy (#20510) (Nicholas C. Zakas)

Chores

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [eslint](https://github.com/eslint/eslint) from 9.39.4 to 10.2.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.39.4...v10.2.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-version: 10.2.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on Apr 6, 2026
dependabot Bot requested a review from a team as a code owner on April 6, 2026 04:23
dependabot Bot requested a review from csasarak on April 6, 2026 04:23

fossabot Bot commented Apr 6, 2026

fossabot is Thinking

fossabot Bot commented Apr 6, 2026

Needs Review

I recommend reviewing this upgrade before merging because, while the project has already adopted flat config (eslint.config.mjs) and satisfies the Node.js >=24 engine requirement imposed by ESLint v10, several legacy plugins remain active that may be incompatible with ESLint v10 even via FlatCompat. Specifically, eslint-plugin-standard v5 (archived/unmaintained) is directly imported and registered as a plugin, eslint-plugin-node v11 (deprecated; eslint-plugin-n is its maintained successor) is pulled in transitively through eslint-config-standard, and eslint-config-airbnb-base v15 is used through FlatCompat without a known ESLint-v10-native release. Additionally, ESLint v10 adds three new rules to eslint:recommended (no-unassigned-vars, no-useless-assignment, preserve-caught-error) which the project extends, potentially causing new lint errors in src/. All identified security vulnerabilities are historical fixes included in the target version, representing a positive signal. Because this is a pure devDependency, there is zero runtime risk, but a broken lint step would block CI.

Tip: Comment @​fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 9 fixable issues in this upgrade.

  • Remove eslint-plugin-standard from the project: 1) In eslint.config.mjs, delete the import line import standard from "eslint-plugin-standard" and remove any reference to standard in the plugins object (e.g., standard: standard or standard). 2) Run npm uninstall eslint-plugin-standard OR manually remove "eslint-plugin-standard" from devDependencies in package.json. This package is archived/unmaintained and incompatible with ESLint v10's internal API changes.
    Run: npm uninstall eslint-plugin-standard
    Files: eslint.config.mjs, package.json
  • Replace deprecated eslint-plugin-node with its maintained successor eslint-plugin-n: 1) Run npm uninstall eslint-plugin-node && npm install --save-dev eslint-plugin-n OR manually swap in package.json. 2) In eslint.config.mjs, if eslint-plugin-node is directly imported, change the import from eslint-plugin-node to eslint-plugin-n. 3) In any rule configuration, rename rule prefixes from node/ to n/ (e.g., "node/no-unsupported-features" → "n/no-unsupported-features"). 4) If consumed transitively through eslint-config-standard, check if upgrading eslint-config-standard resolves the transitive dependency.
    Run: npm uninstall eslint-plugin-node && npm install --save-dev eslint-plugin-n
    Files: package.json, eslint.config.mjs
  • Disable the three new eslint:recommended rules added in ESLint v10 to prevent unexpected CI failures, then enable them incrementally. In eslint.config.mjs, add to the rules override object: "no-unassigned-vars": "off", "no-useless-assignment": "off", "preserve-caught-error": "off". Alternatively, run npx eslint src/ first to see how many violations exist — if few, fix them directly instead of disabling.
    Run: npx eslint src/ 2>&1 | grep -E '(no-unassigned-vars|no-useless-assignment|preserve-caught-error)' | head -50
    Files: eslint.config.mjs
  • Search all files in src/ for patterns that violate the new no-useless-assignment rule: assignments to variables that are never read afterward (e.g., let x = 1; x = 2; return x; where the first assignment is useless). Run npx eslint --rule '{"no-useless-assignment": "error"}' src/ to identify violations, then remove or refactor the useless assignments. If too many violations, disable the rule as described in the previous suggestion.
    Run: npx eslint --rule '{"no-useless-assignment": "error"}' src/
    Files: src/
  • Search src/ for catch blocks that reassign or ignore the caught error parameter, which would violate the new preserve-caught-error rule. Run: grep -rn 'catch\s*(' src/ --include='*.ts' --include='*.tsx' --include='*.js' to find all catch blocks, then verify none reassign the error variable (e.g., catch (e) { e = new Error('...') }) or use empty catches without the error parameter when they should preserve it.
    Run: grep -rn 'catch\s*(' src/ --include='*.ts' --include='*.tsx' --include='*.js'
    Files: src/
  • Evaluate whether eslint-config-airbnb-base v15 is compatible with ESLint v10 when used through FlatCompat. Check the eslint-config-airbnb-base repository for a v16+ release or ESLint v10 support statement. If no compatible version exists, consider: (a) switching to eslint-config-airbnb-base's flat config successor if available, (b) replacing it with equivalent manual rule configuration, or (c) using @​stylistic/eslint-plugin for formatting rules. The FlatCompat wrapper may mask incompatibilities that surface at runtime when rules use deprecated context APIs.
    Files: eslint.config.mjs, package.json
  • Check eslint-plugin-react compatibility with ESLint v10 by reviewing ESLint v10 compatibility jsx-eslint/eslint-plugin-react#3977 and the plugin's latest release notes. If a compatible version exists (likely v7.38+ or v8+), upgrade it: npm install --save-dev eslint-plugin-react@latest. If no compatible version exists yet, consider temporarily disabling react plugin rules or pinning to a canary/beta release. ESLint v10 changes JSX scope tracking which directly affects this plugin.
    Files: package.json, eslint.config.mjs
  • Search eslint.config.mjs for any /* eslint-env */ comment references or configuration that sets env properties (e.g., env: { browser: true, node: true }). In ESLint v10, /* eslint-env */ comments cause errors and the env key is no longer supported even through FlatCompat. If found, replace with equivalent globals configuration using the globals npm package: e.g., import globals from 'globals'; ... languageOptions: { globals: { ...globals.node, ...globals.browser } }. Run: grep -rn 'eslint-env' src/ --include='*.ts' --include='*.tsx' --include='*.js' to find inline comments.
    Run: grep -rn 'eslint-env' src/ --include='*.ts' --include='*.tsx' --include='*.js' --include='*.mjs'
    Files: eslint.config.mjs, src/
  • Verify @eslint/eslintrc v3 is compatible with ESLint v10's FlatCompat requirements. Run npm ls @eslint/eslintrc to check the installed version. If v3.x causes issues, upgrade to the latest: npm install --save-dev @eslint/eslintrc@latest. The FlatCompat utility from this package is the bridge for all legacy configs in this project (airbnb-base, standard) and must be compatible with ESLint v10.
    Run: npm ls @eslint/eslintrc
    Files: package.json

AI Assistant Prompt

# Fix ESLint v10 Upgrade Issues (fossa-action)

I'm upgrading `eslint` to v10 in this project. The project already uses flat config (`eslint.config.mjs`) and Node.js >=24. ESLint is a devDependency only (used via `lint` script in `package.json`). Several changes are needed to make the upgrade work.

## Priority 1: Remove/Replace Incompatible Plugins

### 1A. Remove `eslint-plugin-standard` (archived, incompatible with ESLint v10)

**Files:** `eslint.config.mjs`, `package.json`

Steps:
- In `eslint.config.mjs`: delete the import line `import standard from "eslint-plugin-standard"` and remove any `standard` references from plugins objects (e.g., `standard: standard` or `standard`).
- In `package.json`: remove `"eslint-plugin-standard"` from `devDependencies`.
- This package is archived/unmaintained. Its rules (e.g., `standard/no-callback-literal`) have been absorbed into other maintained packages.

### 1B. Replace `eslint-plugin-node` with `eslint-plugin-n`

**Files:** `package.json`, `eslint.config.mjs`

Steps:
- In `package.json`: replace `"eslint-plugin-node"` with `"eslint-plugin-n"` in devDependencies (use latest version).
- In `eslint.config.mjs`: change any import from `eslint-plugin-node` to `eslint-plugin-n`.
- Rename all rule prefixes from `node/` to `n/` (e.g., `"node/no-unsupported-features"` → `"n/no-unsupported-features"`).
- If consumed transitively through `eslint-config-standard`, check if upgrading `eslint-config-standard` resolves the transitive dependency automatically.

## Priority 2: Handle New `eslint:recommended` Rules

ESLint v10 adds three new rules to `eslint:recommended`. The project extends `eslint:recommended`, so these will be enforced immediately.

**File:** `eslint.config.mjs`

### 2A. Check for violations first

Before disabling, scan `src/` for violations:
- **`no-useless-assignment`**: Look for assignments to variables that are never read afterward.
- **`no-unassigned-vars`**: Look for declared variables that are never assigned.
- **`preserve-caught-error`**: Look for catch blocks that reassign or discard the caught error parameter (e.g., `catch (e) { e = new Error('...') }`).

### 2B. Disable or fix

If violations are few, fix them directly. If many, add these to the rules override object in `eslint.config.mjs` to prevent CI breakage:

```js
"no-unassigned-vars": "off",
"no-useless-assignment": "off",
"preserve-caught-error": "off",
```

These can be re-enabled incrementally after fixing violations.

## Priority 3: Verify FlatCompat and Legacy Config Compatibility

### 3A. Verify `@eslint/eslintrc` version

**File:** `package.json`

- Check installed version of `@eslint/eslintrc` (run `npm ls @eslint/eslintrc`).
- Upgrade to latest if needed: the `FlatCompat` utility from this package bridges all legacy configs (airbnb-base, standard) and must be compatible with ESLint v10.

### 3B. Remove `/* eslint-env */` comments and `env` config

**Files:** `eslint.config.mjs`, all files in `src/`

- Search `eslint.config.mjs` for any `env: { ... }` properties — remove them.
- Search all `src/` files for `/* eslint-env */` inline comments — remove them.
- ESLint v10 errors on both of these.
- Replace with equivalent `globals` config using the `globals` npm package:

```js
import globals from 'globals';
// In languageOptions:
languageOptions: { globals: { ...globals.node } }
```

## Priority 4: Manual Review Items (FYI)

These require human judgment — please flag them but don't auto-fix:

1. **`eslint-config-airbnb-base` v15**: Check if a v16+ exists with ESLint v10 support. If not, consider replacing with manual rule config or `@​stylistic/eslint-plugin`. The `FlatCompat` wrapper may mask incompatibilities.

2. **`eslint-plugin-react`**: Check https://github.com/jsx-eslint/eslint-plugin-react/issues/3977 for ESLint v10 compatibility status. Upgrade to latest compatible version if available.

## Summary of Commands to Run After Changes

```bash
npm uninstall eslint-plugin-standard eslint-plugin-node
npm install --save-dev eslint-plugin-n@latest @eslint/eslintrc@latest
npm install --save-dev globals  # if not already installed
npx eslint src/  # verify everything works
```

## Important Context
- This is a devDependency only — zero runtime risk
- The project already uses flat config (`eslint.config.mjs`), NOT legacy `.eslintrc`
- `src/index.ts` has inline suppressions for naming convention exceptions — preserve those
- CI currently passes; the goal is to keep it passing after the upgrade

What we checked

  • Target version declared as "eslint": "^10.2.0" in devDependencies — a major version upgrade. ESLint v10 is a dev-only tool with no runtime impact. [1]
  • Project engines field specifies "node": ">= 24.0.0", satisfying ESLint v10's minimum Node.js requirement of v24+. No Node.js compatibility issue. [2]
  • Project already uses flat config format (eslint.config.mjs) — the mandatory ESLint v10 configuration format. No .eslintrc.* files are present, so the legacy-config removal is not an issue here. [3]
  • eslint-plugin-standard v5 is directly imported (import standard from "eslint-plugin-standard") and registered as a plugin on line 33. This package is archived and unmaintained; its peer-dependency declarations target older ESLint major versions and its compatibility with ESLint v10 is not guaranteed. [4]
  • eslint-plugin-node v11 is listed as a devDependency. This package is deprecated — eslint-plugin-n is its actively maintained successor. It is consumed transitively through eslint-config-standard and wrapped via FlatCompat, but v11 may emit peer-dependency warnings or fail rule resolution under ESLint v10. [5]
  • The config extends "eslint:recommended" via FlatCompat. ESLint v10 adds three new rules to eslint:recommended: no-unassigned-vars, no-useless-assignment, and preserve-caught-error. These are not explicitly disabled in the rule overrides block, meaning they will be enforced and may introduce new lint errors across src/. [6]
  • eslint-config-airbnb-base v15 is used via FlatCompat. This configuration was authored for the legacy eslintrc system. While FlatCompat wraps it, some rules it enables (e.g., deprecated rule context API usages in plugins it activates) could conflict with ESLint v10 stricter enforcement. [7]
  • eslint-plugin-react v7.37.5 is in devDependencies. ESLint v10 changes JSX reference tracking (now correctly tracked in scope analysis for no-unused-vars/no-undef). Upstream compatibility issues between eslint-plugin-react and ESLint v10 are actively reported. [8]
  • @​eslint/eslintrc v3.3.3 is present as a devDependency, providing the FlatCompat utility used in eslint.config.mjs to wrap legacy configs. This is the correct approach for bridging legacy plugins, but its effectiveness depends on each plugin's internal API usage. [9]
  • Official ESLint v10 migration guide confirms: legacy .eslintrc format removed, /* eslint-env */ comments now cause errors, context.getCwd()/context.getFilename() and other deprecated rule context methods removed, fixer methods require string arguments, and LintMessage.nodeType removed. These affect custom rules and plugins — relevant to eslint-plugin-node v11 and eslint-plugin-standard v5. [10]
  • ESLint v10 adds no-unassigned-vars, no-useless-assignment, and preserve-caught-error to eslint:recommended. Projects extending eslint:recommended without explicitly disabling these rules will receive new lint errors. [11]
  • Reported compatibility issues between eslint-plugin-react and ESLint v10 stemming from API changes. The plugin's compatibility status with ESLint v10 should be verified before merging. [12]
  • All 18 listed security vulnerabilities (ajv, minimatch, js-yaml, @​eslint/plugin-kit, lodash.merge, etc.) are historical fixes that are included in the target version — they are positive signals supporting upgrade safety, not new risks introduced by this upgrade. [13]

Dependency Usage

eslint serves exclusively as a developer tooling dependency, centralized in eslint.config.mjs and invoked via the lint script in package.json. It enforces a comprehensive, opinionated code quality standard across the TypeScript codebase by composing the Airbnb base style guide, Standard config, and @​typescript-eslint recommended rules — with inline suppressions appearing in src/index.ts for specific naming convention exceptions. This dependency has no impact on runtime application behavior or end-user functionality; it exists solely to maintain code consistency and catch potential issues during development and CI workflows.

  • Project already uses flat config format (eslint.config.mjs) — the mandatory ESLint v10 configuration format. No .eslintrc.* files are present, so the legacy-config removal is not an issue here.
    eslint.config.mjs:1
  • eslint-plugin-standard v5 is directly imported (import standard from "eslint-plugin-standard") and registered as a plugin on line 33. This package is archived and unmaintained; its peer-dependency declarations target older ESLint major versions and its compatibility with ESLint v10 is not guaranteed.
    eslint.config.mjs:4
  • The config extends "eslint:recommended" via FlatCompat. ESLint v10 adds three new rules to eslint:recommended: no-unassigned-vars, no-useless-assignment, and preserve-caught-error. These are not explicitly disabled in the rule overrides block, meaning they will be enforced and may introduce new lint errors across src/.
    eslint.config.mjs:22
  • eslint-config-airbnb-base v15 is used via FlatCompat. This configuration was authored for the legacy eslintrc system. While FlatCompat wraps it, some rules it enables (e.g., deprecated rule context API usages in plugins it activates) could conflict with ESLint v10 stricter enforcement.
    eslint.config.mjs:27

Changes

eslint has been updated with 60 security fixes, patching vulnerabilities in its transitive dependencies ajv, minimatch, js-yaml, lodash, and @​eslint/plugin-kit, including a catastrophic backtracking regex vulnerability in eslint itself. This update also carries 801 breaking changes accumulated across multiple major versions, including removal of legacy eslintrc-style configuration, dropped deprecated context methods, stricter RuleTester validation, removed formatters (codeframe, table), and significant changes to eslint:recommended rule sets — a thorough review of your ESLint configuration is required before merging.

  • 53e9522 fix: strict removed formatters check (#20241) (ntnyq) (v10.0.1-10.0.2, changelog)
  • 7ab77a2 fix: correct breaking deprecation of FlatConfig type (#19826) (Logicer) (v10.0.1-10.0.2, changelog)
  • 5687ce7 fix: correct mismatched removed rules (#19734) (루밀LuMir) (v10.0.1-10.0.2, changelog)
  • 2b72361 fix: update ajv to 6.14.0 to address security vulnerabilities (#20537) (루밀LuMir) (v10.0.1-10.0.2, changelog)
  • d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir) (v10.0.1-10.0.2, changelog)
  • a463e7b chore: update dependency js-yaml to v4 [security] (#20319) (renovate[bot]) (v10.0.1-10.0.2, changelog)
  • d498887 fix: bump @​eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v10.0.1-10.0.2, changelog)
  • 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v10.0.1-10.0.2, changelog)
  • 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v10.0.1-10.0.2, changelog)
  • 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v10.0.1-10.0.2, changelog)
  • 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v10.0.1-10.0.2, changelog)
  • afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v10.0.1-10.0.2, changelog)
  • d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v10.0.1-10.0.2, changelog)
  • f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v10.0.1-10.0.2, changelog)
  • Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v10.0.1-10.0.2, changelog)
  • 234d005 fix: minimatch security vulnerability patch for v9.x (#20549) (Andrej Beles) (v10.0.2-10.0.3, changelog)
  • b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538) (루밀LuMir) (v10.0.2-10.0.3, changelog)
  • d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir) (v10.0.2-10.0.3, changelog)
  • a463e7b chore: update dependency js-yaml to v4 [security] (#20319) (renovate[bot]) (v10.0.2-10.0.3, changelog)
  • d498887 fix: bump @​eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v10.0.2-10.0.3, changelog)
  • 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v10.0.2-10.0.3, changelog)
  • 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v10.0.2-10.0.3, changelog)
  • 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v10.0.2-10.0.3, changelog)
  • 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v10.0.2-10.0.3, changelog)
  • 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v10.0.2-10.0.3, changelog)
  • afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v10.0.2-10.0.3, changelog)
  • d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v10.0.2-10.0.3, changelog)
  • f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v10.0.2-10.0.3, changelog)
  • Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v10.0.2-10.0.3, changelog)
  • 234d005 fix: minimatch security vulnerability patch for v9.x (#20549) (Andrej Beles) (v10.0.3-10.1.0, changelog)
  • b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538) (루밀LuMir) (v10.0.3-10.1.0, changelog)
  • d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir) (v10.0.3-10.1.0, changelog)
  • a463e7b chore: update dependency js-yaml to v4 [security] (#20319) (renovate[bot]) (v10.0.3-10.1.0, changelog)
  • d498887 fix: bump @​eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v10.0.3-10.1.0, changelog)
  • 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v10.0.3-10.1.0, changelog)
  • 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v10.0.3-10.1.0, changelog)
  • 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v10.0.3-10.1.0, changelog)
  • 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v10.0.3-10.1.0, changelog)
  • 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v10.0.3-10.1.0, changelog)
  • afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v10.0.3-10.1.0, changelog)
  • d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v10.0.3-10.1.0, changelog)
  • f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v10.0.3-10.1.0, changelog)
  • Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v10.0.3-10.1.0, changelog)
  • 234d005 fix: minimatch security vulnerability patch for v9.x (#20549) (Andrej Beles) (v10.1.0-10.2.0, changelog)
  • b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538) (루밀LuMir) (v10.1.0-10.2.0, changelog)
  • d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir) (v10.1.0-10.2.0, changelog)
  • a463e7b chore: update dependency js-yaml to v4 [security] (#20319) (renovate[bot]) (v10.1.0-10.2.0, changelog)
  • d498887 fix: bump @​eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v10.1.0-10.2.0, changelog)
  • 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v10.1.0-10.2.0, changelog)
  • 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v10.1.0-10.2.0, changelog)
  • 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v10.1.0-10.2.0, changelog)
  • 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v10.1.0-10.2.0, changelog)
  • 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v10.1.0-10.2.0, changelog)
  • afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v10.1.0-10.2.0, changelog)
  • d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v10.1.0-10.2.0, changelog)
  • f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v10.1.0-10.2.0, changelog)
  • Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v10.1.0-10.2.0, changelog)
  • 959d360 build: Support updates to previous major versions (#18871) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • 113f51e docs: Mention package.json config support dropped (#18305) (Nicholas C. Zakas) (v10.0.1-10.0.2, changelog)
  • 7c78576 docs: Add more removed context methods to migrate to v9 guide (#17951) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • 3a877d6 docs: Update removed CLI flags migration (#17939) (Nicholas C. Zakas) (v10.0.1-10.0.2, changelog)
  • 74794f5 chore: removed unused eslintrc modules (#17938) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • fffca5c docs: remove "Open in Playground" buttons for removed rules (#17791) (Francesco Trotta) (v10.0.1-10.0.2, changelog)
  • becfdd3 docs: Make clear when rules are removed (#17728) (Nicholas C. Zakas) (v10.0.1-10.0.2, changelog)
  • ce4f5ff docs: Replace removed related rules with a valid rule (#16800) (Ville Saalo) (v10.0.1-10.0.2, changelog)
  • c9efb5f Fix: preserve formatting when rules are removed from disable directives (#15081) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • 7cf96cf Breaking: Disallow reserved words in ES3 (fixes #15017) (#15046) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • 305e14a Breaking: remove meta.docs.category in core rules (fixes #13398) (#14594) (薛定谔的猫) (v10.0.1-10.0.2, changelog)
  • 24c9f2a Breaking: Strict package exports (refs #13654) (#14706) (Nicholas C. Zakas) (v10.0.1-10.0.2, changelog)
  • 86d31a4 Breaking: disallow SourceCode#getComments() in RuleTester (refs #14744) (#14769) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • 1d2213d Breaking: Fixable disable directives (fixes #11815) (#14617) (Josh Goldberg) (v10.0.1-10.0.2, changelog)
  • 4a7aab7 Breaking: require meta for fixable rules (fixes #13349) (#14634) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • d6a761f Breaking: Require meta.hasSuggestions for rules with suggestions (#14573) (Bryan Mishkin) (v10.0.1-10.0.2, changelog)
  • 6bd747b Breaking: support new regex d flag (fixes #14640) (#14653) (Yosuke Ota) (v10.0.1-10.0.2, changelog)
  • 8b4f3ab Breaking: fix comma-dangle schema (fixes #13739) (#14030) (Joakim Nilsson) (v10.0.1-10.0.2, changelog)
  • b953a4e Breaking: upgrade espree and support new class features (refs #14343) (#14591) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
  • 8cce06c Breaking: add some rules to eslint:recommended (refs #14673) (#14691) (薛定谔的猫) (v10.0.1-10.0.2, changelog)
  • 86bb63b Breaking: Drop codeframe and table formatters (#14316) (Federico Brigante) (v10.0.1-10.0.2, changelog)
  • f3cb320 Breaking: drop node v10/v13/v15 (fixes #14023) (#14592) (薛定谔的猫) (v10.0.1-10.0.2, changelog)
  • 4c841b8 Breaking: allow all directives in line comments (fixes #14575) (#14656) (薛定谔的猫) (v10.0.1-10.0.2, changelog)
  • c29bd9f Chore: Add breaking/core change link to issue templates (#13344) (Kai Cataldo) (v10.0.1-10.0.2, changelog)
  • 4ef6158 Breaking: espree@7.0.0 (#13270) (Kai Cataldo) (v10.0.1-10.0.2, changelog)
  • 78c8cda Breaking: RuleTester Improvements (refs Update: RuleTester Improvements eslint/rfcs#25) (#12955) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • 185982d Breaking: improve plugin resolving (refs New: Plugin Loading Improvement eslint/rfcs#47) (#12922) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
  • 48b122f Breaking: change relative paths with --config (refs New: Changing Base Path of overrides and ignorePatterns eslint/rfcs#37) (#12887) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
  • 0de91f3 Docs: removed correct code from incorrect eg (#13060) (Anix) (v10.0.1-10.0.2, changelog)
  • 4af06fc Breaking: Test with an unknown error property should fail in RuleTester (#12096) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • afa9aac Breaking: class default true computed-property-spacing (fixes #12812) (#12915) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • 7d52151 Breaking: classes default true in accessor-pairs (fixes #12811) (#12919) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • 78182e4 Breaking: Add new rules to eslint:recommended (fixes #12911) (#12920) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • 6423e11 Breaking: check unnamed default export in func-names (fixes #12194) (#12195) (Chiawen Chen) (v10.0.1-10.0.2, changelog)
  • 4293229 Breaking: use-isnan enforceForSwitchCase default true (fixes #12810) (#12913) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • cf38d0d Breaking: change default ignore pattern (refs New: Update Default Ignore Patterns eslint/rfcs#51) (#12888) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
  • bfe1dc4 Breaking: no-dupe-class-members checks some computed keys (fixes #12808) (#12837) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • 95e0586 Fix: id-blacklist false positives on renamed imports (#12831) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • c2217c0 Breaking: make radix rule stricter (#12608) (fisker Cheung) (v10.0.1-10.0.2, changelog)
  • 1aa021d Breaking: lint overrides files (fixes #10828, refs New: Configuring Additional Lint Targets with .eslintrc eslint/rfcs#20) (#12677) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
  • b50179d Breaking: Check assignment targets in no-extra-parens (#12490) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
  • d86a5bb Breaking: Check flatMap in array-callback-return (fixes #12235) (#12765) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)

References (13)

[1]: Target version declared as "eslint": "^10.2.0" in devDependencies — a major version upgrade. ESLint v10 is a dev-only tool with no runtime impact.

"eslint": "^10.2.0",

[2]: Project engines field specifies "node": ">= 24.0.0", satisfying ESLint v10's minimum Node.js requirement of v24+. No Node.js compatibility issue.

"node": ">= 24.0.0"

[3]: Project already uses flat config format (eslint.config.mjs) — the mandatory ESLint v10 configuration format. No .eslintrc.* files are present, so the legacy-config removal is not an issue here.

import { defineConfig, globalIgnores } from "eslint/config";

[4]: eslint-plugin-standard v5 is directly imported (import standard from "eslint-plugin-standard") and registered as a plugin on line 33. This package is archived and unmaintained; its peer-dependency declarations target older ESLint major versions and its compatibility with ESLint v10 is not guaranteed.

import standard from "eslint-plugin-standard";

[5]: eslint-plugin-node v11 is listed as a devDependency. This package is deprecated — eslint-plugin-n is its actively maintained successor. It is consumed transitively through eslint-config-standard and wrapped via FlatCompat, but v11 may emit peer-dependency warnings or fail rule resolution under ESLint v10.

"eslint-plugin-node": "^11.1.0",

[6]: The config extends "eslint:recommended" via FlatCompat. ESLint v10 adds three new rules to eslint:recommended: no-unassigned-vars, no-useless-assignment, and preserve-caught-error. These are not explicitly disabled in the rule overrides block, meaning they will be enforced and may introduce new lint errors across src/.

extends: fixupConfigRules(compat.extends(

[7]: eslint-config-airbnb-base v15 is used via FlatCompat. This configuration was authored for the legacy eslintrc system. While FlatCompat wraps it, some rules it enables (e.g., deprecated rule context API usages in plugins it activates) could conflict with ESLint v10 stricter enforcement.

"eslint-config-airbnb-base",

[8]: eslint-plugin-react v7.37.5 is in devDependencies. ESLint v10 changes JSX reference tracking (now correctly tracked in scope analysis for no-unused-vars/no-undef). Upstream compatibility issues between eslint-plugin-react and ESLint v10 are actively reported.

"eslint-plugin-react": "^7.37.5",

[9]: @eslint/eslintrc v3.3.3 is present as a devDependency, providing the FlatCompat utility used in eslint.config.mjs to wrap legacy configs. This is the correct approach for bridging legacy plugins, but its effectiveness depends on each plugin's internal API usage.

"@eslint/eslintrc": "^3.3.3",

[10]: Official ESLint v10 migration guide confirms: legacy .eslintrc format removed, /* eslint-env */ comments now cause errors, context.getCwd()/context.getFilename() and other deprecated rule context methods removed, fixer methods require string arguments, and LintMessage.nodeType removed. These affect custom rules and plugins — relevant to eslint-plugin-node v11 and eslint-plugin-standard v5. (source link)

[11]: ESLint v10 adds no-unassigned-vars, no-useless-assignment, and preserve-caught-error to eslint:recommended. Projects extending eslint:recommended without explicitly disabling these rules will receive new lint errors. (source link)

[12]: Reported compatibility issues between eslint-plugin-react and ESLint v10 stemming from API changes. The plugin's compatibility status with ESLint v10 should be verified before merging. (source link)

[13]: All 18 listed security vulnerabilities (ajv, minimatch, js-yaml, @eslint/plugin-kit, lodash.merge, etc.) are historical fixes that are included in the target version — they are positive signals supporting upgrade safety, not new risks introduced by this upgrade. (source link)


fossabot analyzed this PR using static analysis and dependency research.

@csasarak csasarak merged commit b5287b2 into main Apr 6, 2026
3 checks passed
@csasarak csasarak deleted the dependabot/npm_and_yarn/eslint-10.2.0 branch April 6, 2026 16:07