Skip to content

[Snyk] Security upgrade eslint from 8.57.1 to 10.0.0#14038

Merged
cderv merged 5 commits intomainfrom
snyk-fix-b11f1fda589c1f9dc9a1f643ff1daa1a
Feb 16, 2026
Merged

[Snyk] Security upgrade eslint from 8.57.1 to 10.0.0#14038
cderv merged 5 commits intomainfrom
snyk-fix-b11f1fda589c1f9dc9a1f643ff1daa1a

Conversation

@posit-snyk-bot
Copy link
Copy Markdown
Collaborator

@posit-snyk-bot posit-snyk-bot commented Feb 14, 2026

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • tools/bundle-bug-finder/package.json

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-AJV-15274295		   157  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

@posit-snyk-bot
Copy link
Copy Markdown
Collaborator Author

posit-snyk-bot commented Feb 14, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@cderv cderv requested a review from Copilot February 16, 2026 08:51
Copilot AI reviewed Feb 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR is an automated security upgrade generated by Snyk to fix a high-severity Regular Expression Denial of Service (ReDoS) vulnerability (SNYK-JS-AJV-15274295) in the ajv dependency. The upgrade changes the ESLint version from 8.57.1 to 10.0.0 in the bundle-bug-finder tool, which is a development utility used to detect bugs in bundled JavaScript code.

Changes:

  • Upgrades ESLint from version ^8.53.0 to ^10.0.0 in tools/bundle-bug-finder/package.json

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread tools/bundle-bug-finder/package.json Outdated
Comment thread tools/bundle-bug-finder/package.json
cderv and others added 2 commits February 16, 2026 11:08
@cderv @claude
Migrate bundle-bug-finder to ESLint 10 flat config
b18d485 
ESLint 10 dropped support for `.eslintrc` files. Replace with
`eslint.config.js` flat config. Remove Babel parser dependencies
since the default espree parser handles the `no-undef` use case.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@cderv @claude
Fix error masking in validate-bundle cleanup
4f991ca 
Wrap cleanup `Deno.removeSync` calls in try-catch so that failures
to remove files that don't yet exist (e.g. when validation fails
before creating them) don't mask the real error.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@cderv
Copy link
Copy Markdown
Member

cderv commented Feb 16, 2026

ESLint 10 dropped support for .eslintrc files entirely, so the test-bundle CI check was failing. These two commits fix it:

  • Migrate to flat config — replaced .eslintrc with eslint.config.js. Removed @babel/eslint-parser and @babel/plugin-syntax-import-assertions since the default parser (espree) handles our use case (just the no-undef rule on bundled JS). Added "type": "module" to package.json for the ES module export.

  • Fix cleanup bug in validate-bundle.ts — the finally block called Deno.removeSync() on files that may not exist when validation fails early, which masked the real ESLint error. Wrapped in try-catch.

Verified locally that flat config + default parser + /*global*/ comments work correctly for the no-undef check.

@cderv cderv requested a review from Copilot February 16, 2026 11:01
Copilot AI reviewed Feb 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread package/src/common/validate-bundle.ts Outdated
cderv and others added 2 commits February 16, 2026 12:20
@cderv @claude
Use ecmaVersion "latest" for bundled JS parsing
e705202 
The bundled quarto.js contains import attributes (`with { type: "json" }`)
which require ES2025+. Use "latest" so espree tracks the spec automatically.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@cderv
Update package/src/common/validate-bundle.ts
ec15bab 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@cderv cderv merged commit aaaba63 into main Feb 16, 2026
92 of 93 checks passed
@cderv cderv deleted the snyk-fix-b11f1fda589c1f9dc9a1f643ff1daa1a branch February 16, 2026 13:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@posit-snyk-bot @cderv @snyk-bot