chore(deps): bump the npm-dependencies group across 2 directories with 2 updates#2204

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm-dependencies-a6830253b1

@dependabot dependabot Bot commented on behalf of github Jun 27, 2026

Bumps the npm-dependencies group with 1 update in the /docs/docusaurus directory: eslint.
Bumps the npm-dependencies group with 1 update in the /evals/beval directory: @github/copilot.

Updates eslint from 9.39.4 to 10.6.0

Release notes

Sourced from eslint's releases.

v10.6.0

Features

  • b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#20981) (Taejin Kim)
  • f291007 feat: add checkRelationalComparisons to no-constant-binary-expression (#20948) (sethamus)

Bug Fixes

  • 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#20997) (Milos Djermanovic)
  • bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#21013) (den$)
  • 8fd8741 fix: don't report shadowed undefined in radix rule (#21011) (Pixel)
  • 5784980 fix: don't report shadowed undefined in no-throw-literal (#21010) (Pixel)
  • 9cd1e6d fix: suppress invalid class suggestion in no-promise-executor-return (#21008) (Pixel)
  • d4eb2dc fix: don't report shadowed undefined in prefer-promise-reject-errors (#21006) (Pixel)
  • 2360464 fix: prefer-promise-reject-errors false positives for shadowed Promise (#21003) (den$)
  • 63d52d2 fix: restore max-classes-per-file report range (#21002) (Pixel)
  • 7feaff0 fix: callback detection logic for IIFEs in max-nested-callbacks (#20979) (fnx)
  • 399a2ec fix: don't report inner non-callbacks in max-nested-callbacks (#20995) (Milos Djermanovic)

Documentation

  • a83683d docs: Update README (GitHub Actions Bot)
  • f5449f9 docs: document userland patterns for global assertionOptions in RuleT… (#20986) (playgirl)
  • bea49f7 docs: Update README (GitHub Actions Bot)
  • e5f70f9 docs: update code-path diagrams (#20984) (Tanuj Kanti)
  • 8890c2d docs: add TypeScript config guidance for MCP server (#20796) (Pierluigi Lenoci)
  • 3eb3d9b docs: Update README (GitHub Actions Bot)
  • c5bb59c docs: Update README (GitHub Actions Bot)
  • eb3c97c docs: fix grammar in prefer-const rule description (#20983) (lumir)

Chores

  • 6a42034 ci: run ecosystem tests on main branch (#20891) (sethamus)
  • 3dbacdb ci: bump actions/checkout from 6 to 7 (#21014) (dependabot[bot])
  • c3abfca chore: correct JSDoc param types in html formatter (#21018) (Minseon Kim)
  • a832320 ci: split ecosystem tests into separate jobs (#21001) (xbinaryx)
  • 27166e7 chore: update ecosystem plugins (#21005) (ESLint Bot)
  • 865d76e ci: bump pnpm/action-setup from 6.0.8 to 6.0.9 (#20989) (dependabot[bot])
  • 27a88c9 chore: update dependency markdown-it to v14 in root (#20994) (Milos Djermanovic)
  • 970cea6 chore: update dependency markdown-it to v14 (#20993) (Milos Djermanovic)
  • b482120 chore: update dependency prettier to v3.8.4 (#20990) (renovate[bot])
  • 6993fb3 chore: update ecosystem plugins (#20985) (ESLint Bot)

v10.5.0

Features

  • 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#20973) (Pixel998)
  • b565783 feat: report no-with violations at the with keyword (#20971) (Pixel998)
  • 2ce032f feat: report max-lines-per-function violations at function head (#20966) (Pixel998)
  • 732cb3e feat: report max-nested-callbacks violations at function head (#20967) (Pixel998)
  • f9c138a feat: report max-depth violations on keywords (#20943) (Pixel998)
  • bdb496c feat: correct max-depth handling for else-if chains (#20944) (Pixel998)
  • c296873 feat: update error loc in max-statements to function header (#20907) (Taejin Kim)

Documentation

... (truncated)

Commits
  • 5d12a04 10.6.0
  • f7ca54b Build: changelog update for 10.6.0
  • 6a42034 ci: run ecosystem tests on main branch (#20891)
  • b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#20981)
  • 3dbacdb ci: bump actions/checkout from 6 to 7 (#21014)
  • c3abfca chore: correct JSDoc param types in html formatter (#21018)
  • a83683d docs: Update README
  • a832320 ci: split ecosystem tests into separate jobs (#21001)
  • 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#20997)
  • bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#21013)
  • Additional commits viewable in compare view

Updates @github/copilot from 1.0.63 to 1.0.65

Release notes

Sourced from @​github/copilot's releases.

1.0.65

2026-06-24

  • /cd now persists the working directory so resuming a session returns to it, and discovers custom agents in the new directory
  • Commands with slash-prefixed string arguments (e.g. --body "/azp run") no longer trigger spurious filesystem permission prompts
  • Fullscreen timeline stays anchored when older content is trimmed
  • Resume open canvases automatically after restarting the CLI
  • Add an opt-in status bar item showing CI check status (passing/running/failing) for the current branch
  • Add a copilot skill subcommand (and a /skill alias for /skills) to list, add, and remove skills from a file, URL, or directory
  • Prevent the GitHub background from flashing on startup with non-GitHub themes
  • Prevent brief console windows from flashing on Windows when the agent runs hook commands or resolves command paths
  • Include userPromptSubmitted hook additionalContext in the model-facing prompt
  • Keep Windows paths intact when adding stdio MCP servers
  • Stop MCP shutdown from waiting on in-flight server connects
  • Restart the CLI without shutdown timeouts
  • Remove syntax highlighting from shell commands in the timeline
  • Keep custom-agent subagent model selections when using BYOK providers
  • Parse /every schedules on the session's main model
  • Render inline images reliably in tmux
  • The ask_user freeform option wraps text and keeps the cursor aligned
  • Save custom status line commands in /settings
  • Show the streaming byte count separately from the cancel hint
  • Handle wakeup misfires with a graceful message when no self-paced schedule is active
  • Silent MCP OAuth refresh reuses the granted scope so reconnects stay signed in
  • Up/down history and Ctrl+R reverse search now include past shell commands while in normal mode, so you can recall and re-run a shell command without first typing ! to enter shell mode

1.0.64

2026-06-23

  • Path access prompt shows resolved symlink targets so you can see exactly what access is being granted
  • Show the pay-as-you-go additional usage budget at launch, refresh it after a request is rejected for hitting the additional spend limit, and show a friendly message when the additional usage limit is reached
  • Add websocket responses support for BYOK OpenAI-compatible providers
  • Resumed sessions reproduce the original attached-file references even if those files later change on disk, avoiding prompt-cache resets
  • Free-text search terms containing colons (e.g. CLI:) now return correct results in Issues and Pull requests search instead of being misread as invalid qualifiers by GitHub
  • Support static OAuth client overrides, including client secrets, for MCP server authentication
  • Preserve keystrokes typed while the CLI is still loading
  • Add an option to bypass the sandbox for shell commands
  • Add mouse click and double-click selection to paginated lists
  • Link PR and issue references in markdown tables
  • Use the GitHub theme by default and enable home tabs and prompt frame for all users
  • Keep terminal output aligned after terminal resizes
  • Content exclusion no longer blocks every file when the rules service is unreachable (offline or a transient network error). Access is allowed until rules can be fetched and retried in the background, matching the editor's behavior.
  • Configure the rubber-duck subagent in /subagents, including a complementary model strategy that picks an opposite-family model
  • /diff shows a session diff of Copilot's changes in non-git folders
  • Set an HTTP(S) proxy with a user setting
  • Resume sessions by name even when the name contains spaces
  • Hide unsupported slash commands in remote-hosted sessions
  • Add a setting to hide the conversation scrollbar
  • Add inline image rendering in the CLI
  • Add argument-hint frontmatter support for skills

... (truncated)

Changelog

Sourced from @​github/copilot's changelog.

1.0.65 - 2026-06-24

  • /cd now persists the working directory so resuming a session returns to it, and discovers custom agents in the new directory
  • Commands with slash-prefixed string arguments (e.g. --body "/azp run") no longer trigger spurious filesystem permission prompts
  • Fullscreen timeline stays anchored when older content is trimmed
  • Resume open canvases automatically after restarting the CLI
  • Add an opt-in status bar item showing CI check status (passing/running/failing) for the current branch
  • Add a copilot skill subcommand (and a /skill alias for /skills) to list, add, and remove skills from a file, URL, or directory
  • Prevent the GitHub background from flashing on startup with non-GitHub themes
  • Prevent brief console windows from flashing on Windows when the agent runs hook commands or resolves command paths
  • Include userPromptSubmitted hook additionalContext in the model-facing prompt
  • Keep Windows paths intact when adding stdio MCP servers
  • Stop MCP shutdown from waiting on in-flight server connects
  • Restart the CLI without shutdown timeouts
  • Remove syntax highlighting from shell commands in the timeline
  • Keep custom-agent subagent model selections when using BYOK providers
  • Parse /every schedules on the session's main model
  • Render inline images reliably in tmux
  • The ask_user freeform option wraps text and keeps the cursor aligned
  • Save custom status line commands in /settings
  • Show the streaming byte count separately from the cancel hint
  • Handle wakeup misfires with a graceful message when no self-paced schedule is active
  • Silent MCP OAuth refresh reuses the granted scope so reconnects stay signed in
  • Up/down history and Ctrl+R reverse search now include past shell commands while in normal mode, so you can recall and re-run a shell command without first typing ! to enter shell mode

1.0.64 - 2026-06-23

  • Path access prompt shows resolved symlink targets so you can see exactly what access is being granted
  • Show the pay-as-you-go additional usage budget at launch, refresh it after a request is rejected for hitting the additional spend limit, and show a friendly message when the additional usage limit is reached
  • Add websocket responses support for BYOK OpenAI-compatible providers
  • Resumed sessions reproduce the original attached-file references even if those files later change on disk, avoiding prompt-cache resets
  • Free-text search terms containing colons (e.g. CLI:) now return correct results in Issues and Pull requests search instead of being misread as invalid qualifiers by GitHub
  • Support static OAuth client overrides, including client secrets, for MCP server authentication
  • Preserve keystrokes typed while the CLI is still loading
  • Add an option to bypass the sandbox for shell commands
  • Add mouse click and double-click selection to paginated lists
  • Link PR and issue references in markdown tables
  • Use the GitHub theme by default and enable home tabs and prompt frame for all users
  • Keep terminal output aligned after terminal resizes
  • Content exclusion no longer blocks every file when the rules service is unreachable (offline or a transient network error). Access is allowed until rules can be fetched and retried in the background, matching the editor's behavior.
  • Configure the rubber-duck subagent in /subagents, including a complementary model strategy that picks an opposite-family model
  • /diff shows a session diff of Copilot's changes in non-git folders
  • Set an HTTP(S) proxy with a user setting
  • Resume sessions by name even when the name contains spaces
  • Hide unsupported slash commands in remote-hosted sessions
  • Add a setting to hide the conversation scrollbar
  • Add inline image rendering in the CLI
  • Add argument-hint frontmatter support for skills
  • OpenTelemetry: chat spans after a successful compaction carry gen_ai.conversation.compacted=true, and the summary is emitted as a CompactionPart in gen_ai.input.messages
  • PowerShell cmdlets (Select-String, Where-Object, ForEach-Object) no longer trigger spurious directory access prompts

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Dependency updates npm NPM package configuration labels Jun 27, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 27, 2026 04:58

github-actions Bot commented Jun 27, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details
Package | Version | Score | Details
npm/@eslint/config-array | 0.23.5 | Unknown | Unknown
npm/@eslint/config-helpers | 0.6.0 | Unknown | Unknown
npm/@eslint/core | 1.2.1 | Unknown | Unknown
npm/@eslint/object-schema | 3.0.5 | Unknown | Unknown
npm/@eslint/plugin-kit | 0.7.2 | Unknown | Unknown
npm/@types/esrecurse | 4.3.1 | 🟢 6.5
Details
  Check | Score | Reason
  Maintained | 🟢 10 | 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
  Code-Review | 🟢 8 | Found 25/28 approved changesets -- score normalized to 8
  Packaging | ⚠️ -1 | packaging workflow not detected
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Security-Policy | 🟢 10 | security policy file detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  License | 🟢 9 | license file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
  Pinned-Dependencies | 🟢 8 | dependency not pinned by hash detected -- score normalized to 8
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Fuzzing | ⚠️ 0 | project is not fuzzed
npm/eslint | 10.6.0 | 🟢 6.6
Details
  Check | Score | Reason
  Code-Review | 🟢 8 | Found 23/28 approved changesets -- score normalized to 8
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Maintained | 🟢 10 | 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Packaging | ⚠️ -1 | packaging workflow not detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  License | 🟢 10 | license file detected
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1
  Signed-Releases | ⚠️ -1 | no releases found
  Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches
  Security-Policy | 🟢 10 | security policy file detected
  Fuzzing | ⚠️ 0 | project is not fuzzed
  SAST | 🟢 10 | SAST tool is run on all commits
npm/eslint-scope | 9.1.2 | Unknown | Unknown
npm/@github/copilot | 1.0.65 | Unknown | Unknown
npm/@github/copilot | 1.0.65 | Unknown | Unknown
npm/@github/copilot-darwin-arm64 | 1.0.65 | Unknown | Unknown
npm/@github/copilot-darwin-x64 | 1.0.65 | Unknown | Unknown
npm/@github/copilot-linux-arm64 | 1.0.65 | Unknown | Unknown
npm/@github/copilot-linux-x64 | 1.0.65 | Unknown | Unknown
npm/@github/copilot-linuxmusl-arm64 | 1.0.65 | Unknown | Unknown
npm/@github/copilot-linuxmusl-x64 | 1.0.65 | Unknown | Unknown
npm/@github/copilot-win32-arm64 | 1.0.65 | Unknown | Unknown
npm/@github/copilot-win32-x64 | 1.0.65 | Unknown | Unknown

Scanned Files

  • docs/docusaurus/package-lock.json
  • evals/beval/package-lock.json
  • package-lock.json

@codecov-commenter

codecov-commenter commented Jun 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.39%. Comparing base (4640d87) to head (cffd5ce).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2204      +/-   ##
==========================================
+ Coverage   81.32%   81.39%   +0.07%     
==========================================
  Files         130      120      -10     
  Lines       19140    19064      -76     
  Branches       12        0      -12     
==========================================
- Hits        15565    15517      -48     
+ Misses       3572     3547      -25     
+ Partials        3        0       -3     
Flag | Coverage Δ
docusaurus | ?
pester | 86.02% <ø> (-0.02%) ⬇️

see 11 files with indirect coverage changes

@github-actions

Eval Execution

Status: Passed

  • Artifacts evaluated: 0
  • Specs run: 0
  • Assertions passed: 0
  • Assertions failed (blocking): 0
  • Assertions failed (advisory): 0
  • Failed specs (merge-blocking): 0

No changed AI artifacts required evaluation.

@github-actions github-actions Bot left a comment

Dependency Review — Automated Safety Check

Two npm dependencies updated across two directories. No GitHub Actions, devcontainer, or copilot-setup-steps.yml files were changed, so SHA pinning and environment sync checks are not applicable.


Dependencies Updated

Package | Directory | From | To | Classification
eslint | docs/docusaurus/ | 9.39.4 | 10.6.0 | ⚠️ Major
@github/copilot | evals/beval/ | 1.0.63 | 1.0.65 | ✅ Patch

@github/copilot 1.0.63 → 1.0.65 — ✅ PASS

Patch bump. Release notes (1.0.64–1.0.65) show only new features and bug fixes—no breaking changes, no deprecations. License unchanged (proprietary GitHub tooling, already a project dependency). All safety checks pass for this update.


eslint 9.39.4 → 10.6.0 — ⚠️ Human Review Required

This is a major version bump (v9 → v10). ESLint v10 introduced breaking changes from v9, including:

  • Removal of several deprecated rule options and APIs
  • Changes to the Linter class API
  • Stricter requirements for flat config (eslint.config.js) compliance
  • Dropped support for older Node.js versions

The Dependabot PR body includes release notes starting at v10.0.0 only; it does not link to the [ESLint v9 → v10 migration guide](eslint.org/redacted)

Recommended human review steps for docs/docusaurus/:

  1. Confirm the Docusaurus project uses flat config (eslint.config.js) — if it still uses .eslintrc.*, that format was removed in v10.
  2. Verify that eslint-plugin-jsx-a11y, eslint-plugin-mdx, and @typescript-eslint/parser (all present in the project) are compatible with eslint v10.
  3. Run the linter locally (npm run lint:md or the project's eslint command in docs/docusaurus/) to confirm no new errors.

License remains MIT — compatible with the project. No vulnerabilities reported by Dependabot.


Summary

Check | Result
License compatibility | ✅ Pass
SHA pinning (GitHub Actions) | ✅ N/A — no workflow files changed
Devcontainer / setup sync | ✅ N/A — no environment files changed
New dependencies introduced | ✅ None (existing deps bumped only)
Dependabot vulnerability report | ✅ None reported
Major version bump | ⚠️ eslint v9 → v10 — see above

The eslint major bump requires a human to verify config and plugin compatibility before merging. The @github/copilot patch is safe to merge independently.

Generated by Dependabot PR Review for issue #2204 · 247.6 AIC · ⌖ 12.7 AIC · ⊞ 46.4K

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-dependencies-a6830253b1 branch from 7b3355c to 3d7fc8f Compare June 29, 2026 05:46

@github-actions github-actions Bot left a comment

Dependency Review — Safety Check Results

Two dependency groups updated across three directories. All licensing and SHA-pinning checks passed; one item needs human attention before merge.


eslint · docs/docusaurus · 9.39.4 → 10.6.0 ⚠️ Major version bump

Check | Result
License | ✅ MIT — compatible
SHA pinning | N/A (npm)
Vulnerability | ✅ Dependabot reports none
Breaking changes | ⚠️ See below

ESLint 10 breaking changes to verify before merging:

  1. Node.js engine raised: v10 requires ^20.19.0 || ^22.13.0 || >=24. Node 18 and Node 21.x are no longer supported. Confirm the docs site CI runner and any local tooling meet this constraint.
  2. @eslint/eslintrc removed: Legacy .eslintrc.* configuration format is no longer bundled. ESLint 10 requires flat config (eslint.config.*). If the docs/docusaurus tree still uses an .eslintrc.* file, linting will break after this bump.
  3. Transitive package reshuffling: Several @eslint/* packages moved to new major versions (e.g. @eslint/config-array 0.21 → 0.23, @eslint/core 0.17 → 1.2). These are internal to eslint and should be transparent, but worth a quick npm run lint pass in the docusaurus directory post-merge.

Recommended action: Confirm that docs/docusaurus uses flat config and that CI builds on Node ≥ 20.19. Then merge.


@github/copilot · /evals/beval and root package-lock.json · 1.0.63 → 1.0.65 (evals), 1.0.62 → 1.0.65 (root) — ✅ Patch bump

Check | Result
License | ✅ Existing dependency, proprietary GitHub license — no change in kind
SHA pinning | N/A (npm)
Vulnerability | ✅ Dependabot reports none
Breaking changes | None — patch release, os-theme transitive dep removed (cleanup)

Changelog highlights (1.0.63 → 1.0.65): new copilot skill subcommand, /diff for non-git folders, inline image rendering, OTLP compaction span attributes. No breaking changes. Clean to merge.


Summary

Dependency | Directory | Bump | Verdict
eslint | docs/docusaurus | 9.39.4 → 10.6.0 (major) | ⚠️ Human review required
@github/copilot | evals/beval | 1.0.63 → 1.0.65 (patch) | ✅ Safe
@github/copilot | root package-lock.json | 1.0.62 → 1.0.65 (patch) | ✅ Safe

No GitHub Actions references were changed. No .devcontainer / copilot-setup-steps.yml synchronization issues. All license checks pass.

Generated by Dependabot PR Review for issue #2204 · 178.5 AIC · ⌖ 12.7 AIC · ⊞ 46.4K
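
The two pre-merge checks the review above asks for (flat config present, Node inside the quoted engine range), written out as an added example; it is not part of this PR or of any bot's output. The function names, the constructed file listings and the sample Node versions are assumptions; the engine range is the one quoted in the review comment.

```javascript
// Added example (not from the PR): gate for the eslint 9 -> 10 bump.
// Inputs are plain values so the check can run in CI before `npm ci`:
//   files       - base names found in the package directory (e.g. docs/docusaurus)
//   packageJson - parsed package.json (legacy config may live under "eslintConfig")
//   nodeVersion - e.g. process.version

const FLAT_CONFIG = /^eslint\.config\.(js|mjs|cjs|ts|mts|cts)$/;
const LEGACY_CONFIG = /^\.eslintrc(\.(js|cjs|json|yaml|yml))?$/;

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable Node version: ${v}`);
  return m.slice(1).map(Number);
}

// true when version tuple a >= b
function gte(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Range quoted in the review comment: ^20.19.0 || ^22.13.0 || >=24
function nodeSatisfiesEslint10(version) {
  const v = parseVersion(version);
  if (v[0] >= 24) return true;
  if (v[0] === 20) return gte(v, [20, 19, 0]);
  if (v[0] === 22) return gte(v, [22, 13, 0]);
  return false; // 18.x, 21.x, 23.x and older all fall outside the range
}

function checkEslint10Readiness({ files, packageJson = {}, nodeVersion }) {
  const flat = files.filter((f) => FLAT_CONFIG.test(f));
  const legacy = files.filter((f) => LEGACY_CONFIG.test(f));
  if (packageJson.eslintConfig) legacy.push('package.json#eslintConfig');

  const problems = [];
  const warnings = [];
  if (flat.length === 0) {
    const found = legacy.length ? ` (legacy only: ${legacy.join(', ')})` : '';
    problems.push(`no flat config (eslint.config.*) found${found}`);
  } else if (legacy.length > 0) {
    // Not fatal, but rules that exist only in the legacy file are no longer applied.
    warnings.push(`legacy config still present: ${legacy.join(', ')}`);
  }
  if (!nodeSatisfiesEslint10(nodeVersion)) {
    problems.push(`Node ${nodeVersion} is outside ^20.19.0 || ^22.13.0 || >=24`);
  }
  return { ok: problems.length === 0, flat, legacy, problems, warnings };
}

// Constructed sample: a directory that still relies on .eslintrc.js on Node 18.
const legacySample = checkEslint10Readiness({
  files: ['.eslintrc.js', 'package.json', 'docusaurus.config.js'],
  nodeVersion: 'v18.20.4',
});
console.log(legacySample.ok, legacySample.problems);
```

In CI, pass the real directory listing (for example from `fs.readdirSync`) and `process.version`, and fail the job when `ok` is false.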

…h 2 updates

Bumps the npm-dependencies group with 1 update in the /docs/docusaurus directory: [eslint](https://github.com/eslint/eslint).
Bumps the npm-dependencies group with 1 update in the /evals/beval directory: [@github/copilot](https://github.com/github/copilot-cli).


Updates `eslint` from 9.39.4 to 10.6.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.39.4...v10.6.0)

Updates `@github/copilot` from 1.0.63 to 1.0.65
- [Release notes](https://github.com/github/copilot-cli/releases)
- [Changelog](https://github.com/github/copilot-cli/blob/main/changelog.md)
- [Commits](github/copilot-cli@v1.0.63...v1.0.65)

---
updated-dependencies:
- dependency-name: "@github/copilot"
  dependency-version: 1.0.65
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: eslint
  dependency-version: 10.6.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-dependencies-a6830253b1 branch from 3d7fc8f to cffd5ce Compare June 29, 2026 16:55

@github-actions github-actions Bot left a comment

Dependency Review — Safety Check Results

Summary of Updates

Package | Directory | Old Version | New Version | Bump Type
eslint | docs/docusaurus/ | 9.39.4 | 10.6.0 | MAJOR ⚠️
@github/copilot | evals/beval/ + root | 1.0.62/1.0.63 | 1.0.65 | patch ✅

⚠️ eslint 9.39.4 → 10.6.0 — Major Version Bump (human review required)

This is a major version bump crossing the v9 → v10 boundary. ESLint v10 introduces breaking changes that require human verification before merging:

  • Legacy config system removed: ESLint v10 drops support for the legacy .eslintrc.* / .eslintrc.js / .eslintrc.json configuration format. Only flat config (eslint.config.js / eslint.config.mjs) is supported. If docs/docusaurus/ uses a legacy config file, linting will break.
  • Node.js compatibility: ESLint v10 requires Node.js ≥ 18.18.0. Verify the CI environment and Docusaurus build pipeline meet this requirement.
  • License: MIT — compatible ✅

Action required: Verify that docs/docusaurus/ uses flat config format and that the Node.js version constraint is satisfied before merging.


@github/copilot 1.0.62/1.0.63 → 1.0.65 — Patch Bump

Clean patch-level update with no breaking changes noted in the Dependabot changelog. The os-theme optional dependency was removed in this update (visible in the root lockfile diff), which is a reduction in the dependency surface — a positive change.

License note: The package declares "SEE LICENSE IN LICENSE.md" rather than an SPDX identifier. As a GitHub-owned package already present in the repository, this is expected and not a new licensing concern.


Remaining Safety Checks

Check | Result
New dependencies introduced | None — bumps only ✅
SHA pinning (GitHub Actions) | N/A — no workflow files changed ✅
Environment sync (devcontainer / setup-steps) | N/A — no devcontainer changes ✅
Known vulnerabilities (per Dependabot) | None reported ✅

Verdict: COMMENT — The @github/copilot patch bump is safe to merge. The eslint major version bump requires a human to confirm flat config compatibility in docs/docusaurus/ before merging.

Generated by Dependabot PR Review for issue #2204 · 170.3 AIC · ⌖ 12.6 AIC · ⊞ 46.4K

@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 29, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm-dependencies-a6830253b1 branch June 29, 2026 19:33