From f0c2c1b41b1a6a4cced7e393f4edcf159f13beb6 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Sat, 14 Feb 2026 19:01:10 +0000 Subject: [PATCH 1/5] fix: tools/bundle-bug-finder/package.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AJV-15274295 --- tools/bundle-bug-finder/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/bundle-bug-finder/package.json b/tools/bundle-bug-finder/package.json index 385c8e6cd9f..fc8180aee94 100644 --- a/tools/bundle-bug-finder/package.json +++ b/tools/bundle-bug-finder/package.json @@ -4,6 +4,6 @@ "dependencies": { "@babel/eslint-parser": "^7.23.3", "@babel/plugin-syntax-import-assertions": "^7.23.3", - "eslint": "^8.53.0" + "eslint": "^10.0.0" } } From b18d48539943d0e2a1faee6c19e94f85b280e755 Mon Sep 17 00:00:00 2001 From: Christophe Dervieux Date: Mon, 16 Feb 2026 11:08:46 +0100 Subject: [PATCH 2/5] Migrate bundle-bug-finder to ESLint 10 flat config ESLint 10 dropped support for `.eslintrc` files. Replace with `eslint.config.js` flat config. Remove Babel parser dependencies since the default espree parser handles the `no-undef` use case. Co-Authored-By: Claude Opus 4.6 --- tools/bundle-bug-finder/.eslintrc | 9 --------- tools/bundle-bug-finder/eslint.config.js | 12 ++++++++++++ tools/bundle-bug-finder/package.json | 3 +-- 3 files changed, 13 insertions(+), 11 deletions(-) delete mode 100644 tools/bundle-bug-finder/.eslintrc create mode 100644 tools/bundle-bug-finder/eslint.config.js diff --git a/tools/bundle-bug-finder/.eslintrc b/tools/bundle-bug-finder/.eslintrc deleted file mode 100644 index 1a229cbc87f..00000000000 --- a/tools/bundle-bug-finder/.eslintrc +++ /dev/null @@ -1,9 +0,0 @@ -{ - "parser": "@babel/eslint-parser", - "parserOptions": { - "requireConfigFile": false, - "babelOptions": { - "plugins": ["@babel/plugin-syntax-import-assertions"] - } - } -} diff --git a/tools/bundle-bug-finder/eslint.config.js b/tools/bundle-bug-finder/eslint.config.js new file mode 100644 index 00000000000..0b1d5b075d2 --- /dev/null +++ b/tools/bundle-bug-finder/eslint.config.js @@ -0,0 +1,12 @@ +export default [ + { + files: ["**/*.js"], + languageOptions: { + ecmaVersion: 2022, + sourceType: "module", + }, + rules: { + "no-undef": "error" + } + } +]; diff --git a/tools/bundle-bug-finder/package.json b/tools/bundle-bug-finder/package.json index fc8180aee94..3ffc0a6156e 100644 --- a/tools/bundle-bug-finder/package.json +++ b/tools/bundle-bug-finder/package.json @@ -1,9 +1,8 @@ { "name": "dummy", "version": "1.0.0", + "type": "module", "dependencies": { - "@babel/eslint-parser": "^7.23.3", - "@babel/plugin-syntax-import-assertions": "^7.23.3", "eslint": "^10.0.0" } } From 4f991ca9a6b723926fb001366165144874194076 Mon Sep 17 00:00:00 2001 From: Christophe Dervieux Date: Mon, 16 Feb 2026 11:12:18 +0100 Subject: [PATCH 3/5] Fix error masking in validate-bundle cleanup Wrap cleanup `Deno.removeSync` calls in try-catch so that failures to remove files that don't yet exist (e.g. when validation fails before creating them) don't mask the real error. Co-Authored-By: Claude Opus 4.6 --- package/src/common/validate-bundle.ts | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/package/src/common/validate-bundle.ts b/package/src/common/validate-bundle.ts index 1bfda0ebaf7..da87e1dddd7 100644 --- a/package/src/common/validate-bundle.ts +++ b/package/src/common/validate-bundle.ts @@ -66,8 +66,11 @@ export async function validateBundle( } finally { const cleanupFiles = [moveScriptDest, outFile, "package-lock.json", "node_modules"]; cleanupFiles.forEach((file) => { - Deno.removeSync(file, {recursive: true}); + try { + Deno.removeSync(file, {recursive: true}); + } catch (_e) { + // File may not exist if validation failed early + } }) - } } From e705202b313aac7880e30ce7c9aaa6774a761ea2 Mon Sep 17 00:00:00 2001 From: Christophe Dervieux Date: Mon, 16 Feb 2026 12:20:16 +0100 Subject: [PATCH 4/5] Use ecmaVersion "latest" for bundled JS parsing The bundled quarto.js contains import attributes (`with { type: "json" }`) which require ES2025+. Use "latest" so espree tracks the spec automatically. Co-Authored-By: Claude Opus 4.6 --- tools/bundle-bug-finder/eslint.config.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/bundle-bug-finder/eslint.config.js b/tools/bundle-bug-finder/eslint.config.js index 0b1d5b075d2..33d0bf88ae2 100644 --- a/tools/bundle-bug-finder/eslint.config.js +++ b/tools/bundle-bug-finder/eslint.config.js @@ -2,7 +2,7 @@ export default [ { files: ["**/*.js"], languageOptions: { - ecmaVersion: 2022, + ecmaVersion: "latest", sourceType: "module", }, rules: { From ec15bab5faf7372446ffe1330cdea97604be8419 Mon Sep 17 00:00:00 2001 From: Christophe Dervieux Date: Mon, 16 Feb 2026 12:27:47 +0100 Subject: [PATCH 5/5] Update package/src/common/validate-bundle.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- package/src/common/validate-bundle.ts | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/package/src/common/validate-bundle.ts b/package/src/common/validate-bundle.ts index da87e1dddd7..0d046a22090 100644 --- a/package/src/common/validate-bundle.ts +++ b/package/src/common/validate-bundle.ts @@ -68,8 +68,12 @@ export async function validateBundle( cleanupFiles.forEach((file) => { try { Deno.removeSync(file, {recursive: true}); - } catch (_e) { - // File may not exist if validation failed early + } catch (e) { + if (e instanceof Deno.errors.NotFound) { + // File may not exist if validation failed early + } else { + info(`Failed to remove cleanup file '${file}': ${e instanceof Error ? e.message : String(e)}`); + } } }) }