Bump eslint from 10.2.1 to 10.3.0

[dependabot]

Bumps eslint from 10.2.1 to 10.3.0.

Release notes

Sourced from eslint's releases.

v10.3.0

Features

• 379571a feat: add suggestions for no-unused-private-class-members (#20773) (sethamus)

Bug Fixes

• b6ae5cf fix: handle unavailable require cache (#20812) (Simon Podlipsky)
• 6fb3685 fix: rule suggestions cause continuation in class body (#20787) (Milos Djermanovic)

Documentation

• 32cc7ab docs: fix typos in docs and comments (#20809) (Tanuj Kanti)
• 7f47937 docs: Update README (GitHub Actions Bot)

Chores

• d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826) (Francesco Trotta)
• 3ffb14e chore: clean up typos in comments and JSDoc (#20821) (Pixel998)
• 22eb58a chore: add missing continue-on-error to ecosystem-tests.yml (#20818) (Josh Goldberg ✨)
• 88bf002 ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#20815) (dependabot[bot])
• 97c8c33 chore: update ilshidur/action-discord action to v0.4.0 (#20811) (renovate[bot])
• 2f58136 chore: pin peter-evans/create-pull-request action to 5f6978f (#20810) (renovate[bot])
• 77add7f chore: add initial ecosystem plugin tests workflow (#19643) (Josh Goldberg ✨)
• 4023b55 test: Add unit tests for SuppressionsService.prune() (#20797) (kuldeep kumar)
• 54080da test: add unit tests for ForkContext (#20778) (kuldeep kumar)
• f0e2bcc test: add unit tests for SuppressionsService.suppress() method (#20765) (kuldeep kumar)
• a7f0b94 chore: update dependency prettier to v3.8.3 (#20782) (renovate[bot])
• 7bf93d9 chore: update TypeScript to v6 (#20677) (sethamus)
• b42dd72 ci: bump pnpm/action-setup from 6.0.0 to 6.0.1 (#20781) (dependabot[bot])
• 2b252be test: add unit tests for IdGenerator (#20775) (kuldeep kumar)

Commits

• 7889204 10.3.0
• 5b69b4f Build: changelog update for 10.3.0
• d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826)
• b6ae5cf fix: handle unavailable require cache (#20812)
• 3ffb14e chore: clean up typos in comments and JSDoc (#20821)
• 6fb3685 fix: rule suggestions cause continuation in class body (#20787)
• 22eb58a chore: add missing continue-on-error to ecosystem-tests.yml (#20818)
• 88bf002 ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#20815)
• 379571a feat: add suggestions for no-unused-private-class-members (#20773)
• 97c8c33 chore: update ilshidur/action-discord action to v0.4.0 (#20811)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[fossabot]

[fossabot]

Needs Review

I recommend reviewing this upgrade before merging because two blocking CI failures exist in the fossa-scan GitHub Actions job — though critically, both failures are unrelated to the eslint upgrade itself. The first failure is a bash syntax error caused by directly interpolating the FOSSA attribution report JSON (which contains SPDX parentheses like (MIT OR Apache-2.0)) into a run: shell block at line 117 of .github/workflows/test.yml; this must be fixed by passing the output through an environment variable. The second is a non-fatal warning from actions/upload-artifact attempting to upload fossa.debug.json.gz when debug: false was in effect. The eslint upgrade itself is low risk: it is a devDependencies-only tool, the project already uses the modern flat config system (eslint.config.mjs) that is compatible with the target major version, the engines field declares Node.js >= 24.0.0 which satisfies the >= 20.19.0 requirement, and all 14 security findings are vulnerabilities fixed by this upgrade — not introduced. The 197 listed breaking changes span the entire ESLint version history and the project-relevant breaking changes (flat config adoption, Node.js floor) have already been addressed. Once the two workflow issues are resolved, this upgrade can be considered safe to merge.

Tip: Comment @​fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 2 fixable issues in this upgrade.

• Fix bash syntax error at .github/workflows/test.yml:117 by replacing direct interpolation of ${{ steps.example-generate-report.outputs.report }} in the run: block with an env: variable. Search for any run: block that contains ${{ steps.example-generate-report.outputs.report }} (or similar step output references for the report) and refactor to pass it via an environment variable. Specifically, change the step from:

- name: <step name>
  run: echo "${{ steps.example-generate-report.outputs.report }}"

to:

- name: <step name>
  env:
    FOSSA_REPORT: ${{ steps.example-generate-report.outputs.report }}
  run: echo "$FOSSA_REPORT"

This prevents SPDX expressions like (MIT OR Apache-2.0) from being literally embedded in the generated bash script, which causes syntax error near unexpected token '('.
Files: .github/workflows/test.yml

• Add a conditional to the actions/upload-artifact@​v7 step at .github/workflows/test.yml:47 so it only runs when debug mode is enabled. Search for the actions/upload-artifact step that uploads ./fossa.debug.json.gz and add an if: condition. For example, add if: inputs.debug == 'true' (or if: ${{ inputs.debug == 'true' }}) to the step so it is skipped when debug output is not generated. This eliminates the spurious ##[warning]No files were found with the provided path: ./fossa.debug.json.gz warning on every non-debug run.
  Files: .github/workflows/test.yml

AI Assistant Prompt

Copy prompt for AI assistant

# Fix CI Failures in fossa-action PR #302 (eslint upgrade)

The `eslint` dependency was upgraded across multiple major versions. The upgrade itself is safe (dev-only dependency, flat config already adopted, Node.js version satisfies requirements), but there are **two CI failures in the `fossa-scan` job** that need fixing — both in the same file.

## File to edit: `.github/workflows/test.yml`

### Fix 1 (BLOCKING): Bash syntax error from unsafe interpolation of FOSSA report output

**Problem:** Around line 117, a `run:` block directly interpolates `${{ steps.example-generate-report.outputs.report }}` into the shell script. The FOSSA attribution report JSON contains SPDX license expressions with parentheses like `(MIT OR Apache-2.0)`, which get embedded literally into the generated bash script, causing:
```
syntax error near unexpected token '('
```

**Fix:** Move the expression from the `run:` string into an `env:` mapping, then reference it as a shell variable.

Change this pattern:
```yaml
- name: <step name>
  run: echo "${{ steps.example-generate-report.outputs.report }}"
```

To this:
```yaml
- name: <step name>
  env:
    FOSSA_REPORT: ${{ steps.example-generate-report.outputs.report }}
  run: echo "$FOSSA_REPORT"
```

Search for **all** `run:` blocks that reference `steps.example-generate-report.outputs.report` (or any similar report output reference) and apply the same env-var pattern. This is a standard GitHub Actions best practice for outputs containing shell-special characters.

### Fix 2 (NON-BLOCKING WARNING): upload-artifact warns when debug file doesn't exist

**Problem:** Around line 47, an `actions/upload-artifact@​v7` step tries to upload `./fossa.debug.json.gz` on every run, but this file only exists when debug mode is enabled. On non-debug runs it produces:
```
##[warning]No files were found with the provided path: ./fossa.debug.json.gz
```

**Fix:** Add an `if:` condition to this step so it only runs when debug mode is active. Look at the workflow's `on:` trigger inputs or the action's input parameters to find the debug flag, then add something like:
```yaml
- name: Upload debug artifact
  if: inputs.debug == 'true'
  uses: actions/upload-artifact@​v7
  with:
    path: ./fossa.debug.json.gz
```

Verify the exact condition by checking how the debug flag is defined in the workflow (it may be `inputs.debug`, an env var, or a step output).

## Summary

1. **`.github/workflows/test.yml` ~line 117**: Replace direct `${{ }}` interpolation in `run:` with `env:` variable for the FOSSA report output
2. **`.github/workflows/test.yml` ~line 47**: Add `if:` condition to the debug artifact upload step

Both fixes are simple YAML edits. The eslint upgrade itself requires no code changes.

What we checked

• Direct interpolation of ${{ steps.example-generate-report.outputs.report }} into a run: block causes a bash syntax error (syntax error near unexpected token '(') because the FOSSA JSON report contains SPDX expressions like (MIT OR Apache-2.0). This is the root cause of the blocking fossa-scan CI failure and must be fixed by routing the output through an env: variable instead. ^[1]
• The actions/upload-artifact@​v7 step unconditionally attempts to upload ./fossa.debug.json.gz, but this file is only generated when debug: true is set on the fossa-action step. Since other steps in the workflow use debug: false, the artifact is absent and a warning is emitted on every non-debug run. The step should be wrapped with if: inputs.debug == 'true' or equivalent. ^[2]
• eslint is declared as "eslint": "^10.3.0" under devDependencies, confirming it is exclusively a developer tooling dependency with no impact on the production action runtime. ^[3]
• The project's engines field specifies node >= 24.0.0, which well exceeds the ESLint v10 minimum of >= 20.19.0. There is no Node.js compatibility conflict. ^[4]
• The project already uses ESLint's modern flat config API (defineConfig, globalIgnores from "eslint/config") — the primary breaking change from the ESLint v10.0.0 major release (removal of legacy .eslintrc format) does not affect this project. ^[5]
• The config uses defineConfig([globalIgnores(...), { extends: fixupConfigRules(...) }]) with @​eslint/compat's fixupConfigRules and fixupPluginRules wrappers, which is the correct pattern for consuming legacy plugins (like eslint-config-airbnb-base and eslint-plugin-import) under the flat config system. ^[6]
• Two // eslint-disable-next-line @​typescript-eslint/naming-convention directives exist (lines 74 and 141) for the FOSSA_API_KEY env variable assignment. These inline suppressions are standard and are not affected by the upgrade. ^[7]
• The official ESLint v10 migration guide confirms the major breaking changes are: dropping Node.js below v20.19.0, removing the legacy .eslintrc configuration format, and changes to the stylish formatter. None of these apply to this project — it runs Node.js 24, already uses flat config, and does not rely on the stylish formatter in CI. ^[8]

Dependency Usage

eslint serves exclusively as a developer tooling dependency, powering the project's code quality enforcement pipeline rather than any production application logic. It is configured via eslint.config.mjs using the modern flat config system, with a rich ecosystem of plugins including @​typescript-eslint, eslint-config-airbnb-base, eslint-plugin-import, and several others to enforce TypeScript-aware linting rules across the codebase. A dedicated lint script in package.json exposes this toolchain to the development workflow, and inline eslint-disable directives in src/index.ts indicate active developer interaction with linting rules during feature development.

• Direct interpolation of ${{ steps.example-generate-report.outputs.report }} into a run: block causes a bash syntax error (syntax error near unexpected token '(') because the FOSSA JSON report contains SPDX expressions like (MIT OR Apache-2.0). This is the root cause of the blocking fossa-scan CI failure and must be fixed by routing the output through an env: variable instead.
  .github/workflows/test.yml:117
• The actions/upload-artifact@​v7 step unconditionally attempts to upload ./fossa.debug.json.gz, but this file is only generated when debug: true is set on the fossa-action step. Since other steps in the workflow use debug: false, the artifact is absent and a warning is emitted on every non-debug run. The step should be wrapped with if: inputs.debug == 'true' or equivalent.
  .github/workflows/test.yml:47

View 3 more usages

• The project already uses ESLint's modern flat config API (defineConfig, globalIgnores from "eslint/config") — the primary breaking change from the ESLint v10.0.0 major release (removal of legacy .eslintrc format) does not affect this project.
  eslint.config.mjs:1
• The config uses defineConfig([globalIgnores(...), { extends: fixupConfigRules(...) }]) with @​eslint/compat's fixupConfigRules and fixupPluginRules wrappers, which is the correct pattern for consuming legacy plugins (like eslint-config-airbnb-base and eslint-plugin-import) under the flat config system.
  eslint.config.mjs:21
• Two // eslint-disable-next-line @​typescript-eslint/naming-convention directives exist (lines 74 and 141) for the FOSSA_API_KEY env variable assignment. These inline suppressions are standard and are not affected by the upgrade.
  src/index.ts:74

Changes

eslint was updated with 14 security fixes, patching vulnerabilities in its bundled dependencies minimatch, ajv, js-yaml, lodash, and @​eslint/plugin-kit. This update spans multiple major versions of eslint and includes 197 breaking changes, such as removal of deprecated context methods, removal of the codeframe and table formatters, strict package exports enforcement, flat config migration (dropping package.json config support), and updated eslint:recommended rule sets — all requiring careful review before adoption.

• 2b44966 docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• 53e9522 fix: strict removed formatters check (#20241) (ntnyq) (v10.2.1-10.3.0, changelog)
• 7ab77a2 fix: correct breaking deprecation of FlatConfig type (#19826) (Logicer) (v10.2.1-10.3.0, changelog)

View 7394 more changes

• 234d005 fix: minimatch security vulnerability patch for v9.x (#20549) (Andrej Beles) (v10.2.1-10.3.0, changelog)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538) (루밀LuMir) (v10.2.1-10.3.0, changelog)
• d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir) (v10.2.1-10.3.0, changelog)
• a463e7b chore: update dependency js-yaml to v4 [security] (#20319) (renovate[bot]) (v10.2.1-10.3.0, changelog)
• d498887 fix: bump @​eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v10.2.1-10.3.0, changelog)
• 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v10.2.1-10.3.0, changelog)
• 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v10.2.1-10.3.0, changelog)
• 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v10.2.1-10.3.0, changelog)
• 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v10.2.1-10.3.0, changelog)
• afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v10.2.1-10.3.0, changelog)
• d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v10.2.1-10.3.0, changelog)
• Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v10.2.1-10.3.0, changelog)
• 5687ce7 fix: correct mismatched removed rules (#19734) (루밀LuMir) (v10.2.1-10.3.0, changelog)
• 959d360 build: Support updates to previous major versions (#18871) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• 113f51e docs: Mention package.json config support dropped (#18305) (Nicholas C. Zakas) (v10.2.1-10.3.0, changelog)
• 7c78576 docs: Add more removed context methods to migrate to v9 guide (#17951) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• 3a877d6 docs: Update removed CLI flags migration (#17939) (Nicholas C. Zakas) (v10.2.1-10.3.0, changelog)
• 74794f5 chore: removed unused eslintrc modules (#17938) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• fffca5c docs: remove "Open in Playground" buttons for removed rules (#17791) (Francesco Trotta) (v10.2.1-10.3.0, changelog)
• becfdd3 docs: Make clear when rules are removed (#17728) (Nicholas C. Zakas) (v10.2.1-10.3.0, changelog)
• ce4f5ff docs: Replace removed related rules with a valid rule (#16800) (Ville Saalo) (v10.2.1-10.3.0, changelog)
• c9efb5f Fix: preserve formatting when rules are removed from disable directives (#15081) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• 7cf96cf Breaking: Disallow reserved words in ES3 (fixes #15017) (#15046) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• 305e14a Breaking: remove meta.docs.category in core rules (fixes #13398) (#14594) (薛定谔的猫) (v10.2.1-10.3.0, changelog)
• 24c9f2a Breaking: Strict package exports (refs #13654) (#14706) (Nicholas C. Zakas) (v10.2.1-10.3.0, changelog)
• 86d31a4 Breaking: disallow SourceCode#getComments() in RuleTester (refs #14744) (#14769) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• 1d2213d Breaking: Fixable disable directives (fixes #11815) (#14617) (Josh Goldberg) (v10.2.1-10.3.0, changelog)
• 4a7aab7 Breaking: require meta for fixable rules (fixes #13349) (#14634) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• d6a761f Breaking: Require meta.hasSuggestions for rules with suggestions (#14573) (Bryan Mishkin) (v10.2.1-10.3.0, changelog)
• 6bd747b Breaking: support new regex d flag (fixes #14640) (#14653) (Yosuke Ota) (v10.2.1-10.3.0, changelog)
• 8b4f3ab Breaking: fix comma-dangle schema (fixes #13739) (#14030) (Joakim Nilsson) (v10.2.1-10.3.0, changelog)
• b953a4e Breaking: upgrade espree and support new class features (refs #14343) (#14591) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• 8cce06c Breaking: add some rules to eslint:recommended (refs #14673) (#14691) (薛定谔的猫) (v10.2.1-10.3.0, changelog)
• 86bb63b Breaking: Drop codeframe and table formatters (#14316) (Federico Brigante) (v10.2.1-10.3.0, changelog)
• f3cb320 Breaking: drop node v10/v13/v15 (fixes #14023) (#14592) (薛定谔的猫) (v10.2.1-10.3.0, changelog)
• 4c841b8 Breaking: allow all directives in line comments (fixes #14575) (#14656) (薛定谔的猫) (v10.2.1-10.3.0, changelog)
• c29bd9f Chore: Add breaking/core change link to issue templates (#13344) (Kai Cataldo) (v10.2.1-10.3.0, changelog)
• 4ef6158 Breaking: espree@​7.0.0 (#13270) (Kai Cataldo) (v10.2.1-10.3.0, changelog)
• 78c8cda Breaking: RuleTester Improvements (refs Update: RuleTester Improvements eslint/rfcs#25) (#12955) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• 185982d Breaking: improve plugin resolving (refs New: Plugin Loading Improvement eslint/rfcs#47) (#12922) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• 48b122f Breaking: change relative paths with --config (refs New: Changing Base Path of overrides and ignorePatterns eslint/rfcs#37) (#12887) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• 0de91f3 Docs: removed correct code from incorrect eg (#13060) (Anix) (v10.2.1-10.3.0, changelog)
• 4af06fc Breaking: Test with an unknown error property should fail in RuleTester (#12096) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• afa9aac Breaking: class default true computed-property-spacing (fixes #12812) (#12915) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• 7d52151 Breaking: classes default true in accessor-pairs (fixes #12811) (#12919) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• 78182e4 Breaking: Add new rules to eslint:recommended (fixes #12911) (#12920) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• 6423e11 Breaking: check unnamed default export in func-names (fixes #12194) (#12195) (Chiawen Chen) (v10.2.1-10.3.0, changelog)
• 4293229 Breaking: use-isnan enforceForSwitchCase default true (fixes #12810) (#12913) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• cf38d0d Breaking: change default ignore pattern (refs New: Update Default Ignore Patterns eslint/rfcs#51) (#12888) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• bfe1dc4 Breaking: no-dupe-class-members checks some computed keys (fixes #12808) (#12837) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• 95e0586 Fix: id-blacklist false positives on renamed imports (#12831) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• c2217c0 Breaking: make radix rule stricter (#12608) (fisker Cheung) (v10.2.1-10.3.0, changelog)
• 1aa021d Breaking: lint overrides files (fixes #10828, refs New: Configuring Additional Lint Targets with .eslintrc eslint/rfcs#20) (#12677) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• b50179d Breaking: Check assignment targets in no-extra-parens (#12490) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• d86a5bb Breaking: Check flatMap in array-callback-return (fixes #12235) (#12765) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
• cf46df7 Breaking: description in directive comments (refs New: Description in directive comments eslint/rfcs#33) (#12699) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• 7350589 Breaking: some rules recognize bigint literals (fixes #11803) (#12701) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• 1118fce Breaking: runtime-deprecation on '~/.eslintrc' (refs Update: Deprecating Personal Config eslint/rfcs#32) (#12678) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• 2c28fbb Breaking: drop Node.js 8 support (refs New: Drop supports for Node.js 8.x and 11.x eslint/rfcs#44) (#12700) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• 20908a3 Docs: removed '>' prefix from docs/working-with-rules (#11818) (Alok Takshak) (v10.2.1-10.3.0, changelog)
• 2d32a9e Breaking: stricter rule config validating (fixes #9505) (#11742) (薛定谔的猫) (v10.2.1-10.3.0, changelog)
• 6ae21a4 Breaking: fix config loading (fixes #11510, fixes #11559, fixes #11586) (#11546) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• adc6585 Docs: update status of breaking changes in migration guide (#11652) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• 0fc8e62 Breaking: eslint:recommended changes (fixes #10768) (#11518) (薛定谔的猫) (v10.2.1-10.3.0, changelog)
• 20364cc Breaking: make no-redeclare stricter (fixes #11370, fixes #11405) (#11509) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• 9e49b56 Breaking: upgrade espree to 6.0.0-alpha.0 (fixes #9687) (#11610) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• ef7801e Breaking: disallow invalid rule defaults in RuleTester (fixes #11473) (#11599) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• 4e7cdca Breaking: comma-dangle enable functions: "never" (fixes #11502) (#11519) (薛定谔的猫) (v10.2.1-10.3.0, changelog)
• 12f256f Breaking: no-confusing-arrow enable allowParens: true (fixes #11503) (#11520) (薛定谔的猫) (v10.2.1-10.3.0, changelog)
• 25cc63d Breaking: simplify config/plugin/parser resolution (fixes #10125) (#11388) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• fd1c91b Breaking: throw an error for invalid global configs (refs #11338) (#11517) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• be83322 Breaking: Remove extra rules from eslint:recommended (fixes #10873) (#11357) (Kevin Partington) (v10.2.1-10.3.0, changelog)
• 2543f11 Breaking: remove deprecated experimentalObjectRestSpread option (#11420) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• 0fb5fd4 Breaking: interpret rule options as unicode regexes (fixes #11423) (#11516) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• 6e7da57 Breaking: drop Node.js 6 support (fixes #11456) (#11557) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• 258b654 Upgrade: require-uncached renamed to import-fresh (#11066) (薛定谔的猫) (v10.2.1-10.3.0, changelog)
• d56c39d Fix: ESLint cache no longer stops autofix (fixes #10679) (#10694) (Kevin Partington) (v10.2.1-10.3.0, changelog)
• 41f0f6e Breaking: report multiline eslint-disable-line directives (fixes #10334) (#10335) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• 09dde26 Breaking: new object-curly-newline/no-self-assign default (fixes #10215) (#10337) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• 02e44a5 Breaking: remove TDZ scopes (fixes #10245) (#10270) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• c74933b Breaking: remove extra check in getScope (fixes #10246, fixes #10247) (#10252) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• 8b7c6ea Breaking: report fatal error for linting nonexistent files (fixes #7390) (#10143) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• 9100819 Breaking: fix plugin resolver in extends (fixes #9904) (#10236) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• c45f1d0 Breaking: add rules to recommended (fixes #8865) (#10158) (薛定谔的猫) (v10.2.1-10.3.0, changelog)
• b2a48a9 Breaking: stop using fake context._linter property (fixes #10140) (#10209) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• a039956 Breaking: remove deprecated browser/jest/node globals (fixes #10141) (#10210) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• 2324570 Breaking: no-unused-vars reports all after-used params (fixes #9909) (#10119) (Kevin Partington) (v10.2.1-10.3.0, changelog)
• b77846d Breaking: drop supporting Node.js 4 (fixes #10052) (#10074) (薛定谔的猫) (v10.2.1-10.3.0, changelog)
• f4b3af5 Breaking: Upgrade to Espree v4 alpha (refs #9990) (#10152) (Brandon Mills) (v10.2.1-10.3.0, changelog)
• d440e84 Breaking: support @​scope shorthand in plugins (fixes #9903) (#9905) (Toru Nagashima) (v10.2.1-10.3.0, changelog)
• a9ee9ae Breaking: require rules to provide report messages (fixes #10011) (#10057) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• c383bc5 Breaking: Make require('eslint').linter non-enumerable (fixes #9270) (#9692) (Jed Fox) (v10.2.1-10.3.0, changelog)
• 4eaebe5 Breaking: set parent of AST nodes before rules run (fixes #9122) (#10014) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• 91ece32 Breaking: remove special exception for linting empty files (fixes #9534) (#10013) (Teddy Katz) (v10.2.1-10.3.0, changelog)
• 27e3f24 Breaking: remove source property from linting messages (fixes #7358) (#10012) (Teddy Katz) (v10.2.1-10.3.0, changelog)

View 7297 more changes in the full analysis

References (8)

[1]: Direct interpolation of ${{ steps.example-generate-report.outputs.report }} into a run: block causes a bash syntax error (syntax error near unexpected token '(') because the FOSSA JSON report contains SPDX expressions like (MIT OR Apache-2.0). This is the root cause of the blocking fossa-scan CI failure and must be fixed by routing the output through an env: variable instead.

fossa-action/.github/workflows/test.yml

Line 117 in efa60bf

echo '${{ steps.example-generate-report.outputs.report }}' | jq

[2]: The actions/upload-artifact@​v7 step unconditionally attempts to upload ./fossa.debug.json.gz, but this file is only generated when debug: true is set on the fossa-action step. Since other steps in the workflow use debug: false, the artifact is absent and a warning is emitted on every non-debug run. The step should be wrapped with if: inputs.debug == 'true' or equivalent.

fossa-action/.github/workflows/test.yml

Line 47 in efa60bf

uses: actions/upload-artifact@v7

[3]: eslint is declared as "eslint": "^10.3.0" under devDependencies, confirming it is exclusively a developer tooling dependency with no impact on the production action runtime.

fossa-action/package.json

Line 27 in efa60bf

"eslint": "^10.3.0",

[4]: The project's engines field specifies node >= 24.0.0, which well exceeds the ESLint v10 minimum of >= 20.19.0. There is no Node.js compatibility conflict.

fossa-action/package.json

Line 12 in efa60bf

"node": ">= 24.0.0"

[5]: The project already uses ESLint's modern flat config API (defineConfig, globalIgnores from "eslint/config") — the primary breaking change from the ESLint v10.0.0 major release (removal of legacy .eslintrc format) does not affect this project.

fossa-action/eslint.config.mjs

Line 1 in efa60bf

import { defineConfig, globalIgnores } from "eslint/config";

[6]: The config uses defineConfig([globalIgnores(...), { extends: fixupConfigRules(...) }]) with @​eslint/compat's fixupConfigRules and fixupPluginRules wrappers, which is the correct pattern for consuming legacy plugins (like eslint-config-airbnb-base and eslint-plugin-import) under the flat config system.

fossa-action/eslint.config.mjs

Line 21 in efa60bf

export default defineConfig([globalIgnores(["**/dist/", "**/eslint.config.mjs"]), {

[7]: Two // eslint-disable-next-line @​typescript-eslint/naming-convention directives exist (lines 74 and 141) for the FOSSA_API_KEY env variable assignment. These inline suppressions are standard and are not affected by the upgrade.

fossa-action/src/index.ts

Line 74 in efa60bf

// eslint-disable-next-line @typescript-eslint/naming-convention

[8]: The official ESLint v10 migration guide confirms the major breaking changes are: dropping Node.js below v20.19.0, removing the legacy .eslintrc configuration format, and changes to the stylish formatter. None of these apply to this project — it runs Node.js 24, already uses flat config, and does not rely on the stylish formatter in CI. (source link)

---

fossabot analyzed this PR using static analysis and dependency research. View this analysis on the web