[Snyk] Security upgrade eslint from 8.57.1 to 10.0.0 (#14038)

posit-snyk-bot · snyk-bot · claude · web-flow · commit aaaba63c24e8 · 2026-02-16T14:41:54.000+01:00
* fix: tools/bundle-bug-finder/package.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AJV-15274295 * Migrate bundle-bug-finder to ESLint 10 flat config ESLint 10 dropped support for `.eslintrc` files. Replace with `eslint.config.js` flat config. Remove Babel parser dependencies since the default espree parser handles the `no-undef` use case. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Fix error masking in validate-bundle cleanup Wrap cleanup `Deno.removeSync` calls in try-catch so that failures to remove files that don't yet exist (e.g. when validation fails before creating them) don't mask the real error. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Use ecmaVersion "latest" for bundled JS parsing The bundled quarto.js contains import attributes (`with { type: "json" }`) which require ES2025+. Use "latest" so espree tracks the spec automatically. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Update package/src/common/validate-bundle.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: snyk-bot <snyk-bot@snyk.io> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Christophe Dervieux <cderv@posit.co> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
diff --git a/package/src/common/validate-bundle.ts b/package/src/common/validate-bundle.ts
@@ -66,8 +66,15 @@ export async function validateBundle(
   } finally {
     const cleanupFiles = [moveScriptDest, outFile, "package-lock.json", "node_modules"];
     cleanupFiles.forEach((file) => {
-      Deno.removeSync(file, {recursive: true});
+      try {
+        Deno.removeSync(file, {recursive: true});
+      } catch (e) {
+        if (e instanceof Deno.errors.NotFound) {
+          // File may not exist if validation failed early
+        } else {
+          info(`Failed to remove cleanup file '${file}': ${e instanceof Error ? e.message : String(e)}`);
+        }
+      }
     })
-
   }
 }
diff --git a/tools/bundle-bug-finder/.eslintrc b/tools/bundle-bug-finder/.eslintrc
diff --git a/tools/bundle-bug-finder/eslint.config.js b/tools/bundle-bug-finder/eslint.config.js
@@ -0,0 +1,12 @@
+export default [
+  {
+    files: ["**/*.js"],
+    languageOptions: {
+      ecmaVersion: "latest",
+      sourceType: "module",
+    },
+    rules: {
+      "no-undef": "error"
+    }
+  }
+];
diff --git a/tools/bundle-bug-finder/package.json b/tools/bundle-bug-finder/package.json
@@ -1,9 +1,8 @@
 {
   "name": "dummy",
   "version": "1.0.0",
+  "type": "module",
   "dependencies": {
-    "@babel/eslint-parser": "^7.23.3",
-    "@babel/plugin-syntax-import-assertions": "^7.23.3",
-    "eslint": "^8.53.0"
+    "eslint": "^10.0.0"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,8 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "dummy",`
`3`	`3`	`"version": "1.0.0",`
	`4`	`+ "type": "module",`
`4`	`5`	`"dependencies": {`
`5`		`- "@babel/eslint-parser": "^7.23.3",`
`6`		`- "@babel/plugin-syntax-import-assertions": "^7.23.3",`
`7`		`- "eslint": "^8.53.0"`
	`6`	`+ "eslint": "^10.0.0"`
`8`	`7`	`}`
`9`	`8`	`}`