Update linters (major) #1001

Open
renovate[bot] wants to merge 1 commit into master from renovate/major-linters

@renovate renovate bot commented Apr 3, 2024

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change |
|---|---|
| @typescript-eslint/eslint-plugin (source) | ^7.0.0 → ^8.0.0 |
| @typescript-eslint/parser (source) | ^7.0.0 → ^8.0.0 |
| eslint (source) | ^8.0.0 → ^10.0.0 |
| eslint-config-prettier | ^9.0.0 → ^10.0.0 |
| eslint-plugin-unicorn | ^51.0.0 → ^64.0.0 |

Release Notes

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.58.1

Compare Source

🩹 Fixes
  • eslint-plugin: [no-unused-vars] fix false negative for type predicate parameter (#​12004)
❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.0

🚀 Features
🩹 Fixes
  • eslint-plugin: [prefer-regexp-exec] avoid fixing unknown RegExp flags (#​12161)
  • eslint-plugin: [no-extraneous-class] handle index signatures (#​12142)
  • eslint-plugin: crash in no-unnecessary-type-arguments (#​12163)
❤️ Thank You

v8.57.2

🩹 Fixes
  • eslint-plugin: [prefer-readonly-parameter-types] preserve type alias information (#11954)
  • eslint-plugin: [no-useless-default-assignment] skip reporting false positives for unresolved type parameters (#​12127)
  • eslint-plugin: [no-unsafe-return] false positive on unwrapping generic (#​12125)
  • eslint-plugin: [no-restricted-types] flag banned generics in extends or implements (#​12120)
  • eslint-plugin: [array-type] ignore Array and ReadonlyArray without type arguments (#​11971)
  • eslint-plugin: [prefer-optional-chain] remove dangling closing parenthesis (#​11865)
❤️ Thank You

v8.57.1

🩹 Fixes
  • eslint-plugin: [prefer-optional-chain] no report for property on intersection type (#​12126)
❤️ Thank You

v8.57.0

🚀 Features
  • eslint-plugin: [no-unnecessary-condition] allow literal loop conditions in for/do loops (#​12080)
🩹 Fixes
  • eslint-plugin: [no-base-to-string] fix false positive for toString with overloads (#​12089)
  • eslint-plugin: [prefer-promise-reject-errors] add allow TypeOrValueSpecifier to prefer-promise-reject-errors (#​12094)
  • typescript-estree: if the template literal is tagged and the text has an invalid escape, cooked will be null (#​11355)
  • eslint-plugin: guard against negative paramIndex in no-useless-default-assignment (#​12077)
  • eslint-plugin: handle statically analyzable computed keys in prefer-readonly (#​12079)
  • eslint-plugin: [strict-void-return] false positives with overloads (#​12055)
❤️ Thank You

v8.56.1

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

v8.56.0

🚀 Features
🩹 Fixes
  • use parser options from context.languageOptions (#​12043)
❤️ Thank You

v8.55.0

🚀 Features
  • utils: deprecate defaultOptions in favor of meta.defaultOptions (#​11992)
🩹 Fixes
  • eslint-plugin: [no-useless-default-assignment] reduce param index to ts this handling (#​11949)
  • eslint-plugin: [no-useless-default-assignment] report unnecessary defaults in ternary expressions (#​11984)
  • eslint-plugin: [no-useless-default-assignment] require strictNullChecks (#​11966, #​12000)
  • eslint-plugin: [no-unused-vars] remove trailing newline when removing entire import (#​11990)
❤️ Thank You

v8.54.0

🚀 Features
  • eslint-plugin-internal: add prefer-tsutils-methods rule (#​11974, #​11625)
  • typescript-estree: add shortcut methods to ParserServicesWithTypeInformation (#​11965, #​11955)
🩹 Fixes
  • eslint-plugin: [no-unnecessary-type-assertion] check both base constraint and actual type for non-null assertions (#​11967, #​11559)
  • deps: update dependency prettier to v3.8.0 (#​11991)
  • scope-manager: fix catch clause scopes def.name (#​11982)
  • eslint-plugin: [no-unused-private-class-members] private destructured class member is defined but used (#​11785)
❤️ Thank You

v8.53.1

🩹 Fixes
  • utils: make RuleCreator root defaultOptions optional (#​11956)
  • eslint-plugin: [consistent-indexed-object-style] skip fixer if interface is a default export (#​11951)
❤️ Thank You

v8.53.0

🚀 Features
  • eslint-plugin: add rule [strict-void-return] (#​9707)
  • eslint-plugin: [no-unused-vars] add a fixer to remove unused imports (#​11922)
🩹 Fixes
  • eslint-plugin: [no-useless-default-assignment] fix false positive for parameters corresponding to a rest parameter (#​11916)
  • eslint-plugin: replace unclear "error typed" with more helpful description (#​11704)
  • typescript-estree: forbid invalid extends and implements in interface declaration (#​11935)
  • typescript-estree: forbid invalid class implements (#​11934)
  • typescript-estree: forbid type-only import with both default and named specifiers (#​11930)
❤️ Thank You

v8.52.0

🚀 Features
  • eslint-plugin-internal: [no-multiple-lines-of-errors] add rule (#​11899)
🩹 Fixes
  • eslint-plugin: [no-base-to-string] detect @​@​toPrimitive and valueOf (#​11901)
  • eslint-plugin: [no-useless-default-assignment] handle conditional initializer (#​11908)
❤️ Thank You
  • Josh Goldberg ✨
  • Ulrich Stark

v8.51.0

🚀 Features
  • eslint-plugin: add namespace to plugin meta (#​11885)
  • eslint-plugin: [no-useless-default-assignment] fix some cases to optional syntax (#​11871)
🩹 Fixes
  • eslint-plugin: [prefer-optional-chain] handle MemberExpression in final chain position (#​11835)
  • eslint-plugin: bump ts-api-utils to 2.2.0 (#​11881)
  • eslint-plugin: remove fixable from no-dynamic-delete rule (#​11876)
  • eslint-plugin: fix crash and false positives in no-useless-default-assignment (#​11845)
❤️ Thank You

v8.50.1

🩹 Fixes
  • eslint-plugin: [no-unnecessary-type-assertion] correct handling of undefined vs. void (#​11826)
  • eslint-plugin: [method-signature-style] ignore methods that return this (#​11813)
❤️ Thank You

v8.50.0

🚀 Features
  • eslint-plugin: [no-useless-default-assignment] add rule (#​11720)
❤️ Thank You
  • Josh Goldberg ✨
  • Ulrich Stark

v8.49.0

🚀 Features
  • eslint-plugin: use Intl.Segmenter instead of graphemer (#​11804)
🩹 Fixes
  • deps: update dependency prettier to v3.7.2 (#​11820)
❤️ Thank You

v8.48.1

🩹 Fixes
  • eslint-plugin: [restrict-template-expressions] check base types in allow list (#​11764, #​11759)
  • eslint-plugin: honor ignored base types on generic classes (#​11767)
  • eslint-plugin: [consistent-type-exports] check value flag before resolving alias (#​11769)
❤️ Thank You

v8.48.0

🚀 Features
  • eslint-plugin: [no-redundant-type-constituents] use assignability checking for redundancy checks (#​10744)
🩹 Fixes
  • typescript-estree: disallow binding patterns in parameter properties (#​11760)
  • eslint-plugin: [consistent-generic-constructors] ignore when constructor is typed array (#​10477)
❤️ Thank You

v8.47.0

🚀 Features
  • eslint-plugin: [no-unused-private-class-members] new extension rule (#​10913)
❤️ Thank You

v8.46.4

🩹 Fixes
  • parser: error when both projectService and project are set (#​11333)
  • eslint-plugin: handle override modifier in promise-function-async fixer (#​11730)
  • eslint-plugin: [no-deprecated] fix double-report on computed literal identifiers (#​11006, #​10958)
❤️ Thank You

v8.46.3

🩹 Fixes
  • eslint-plugin: [no-duplicate-enum-values] support signed numbers (#​11722, #​11723)
  • eslint-plugin: [no-misused-promises] expand union type to retrieve target property (#​11706)
❤️ Thank You

v8.46.2

🩹 Fixes
  • eslint-plugin: [prefer-optional-chain] skip optional chaining when it could change the result (#​11702)
❤️ Thank You
  • mdm317

v8.46.1

🩹 Fixes
  • eslint-plugin: [no-misused-promises] special-case .finally not to report when a promise returning function is provided as an argument (#​11667)
  • eslint-plugin: [prefer-optional-chain] include mixed "nullish comparison style" chains in checks (#​11533)
❤️ Thank You
  • mdm317
  • Ronen Amiel

v8.46.0

🚀 Features
  • eslint-plugin: [no-unsafe-member-access] add allowOptionalChaining option (#​11659)
  • rule-schema-to-typescript-types: clean up and make public (#​11633)
🩹 Fixes
  • eslint-plugin: [prefer-readonly-parameter-types] ignore tagged primitives (#​11660)
  • typescript-estree: forbid abstract method and accessor to have implementation (#​11657)
  • eslint-plugin: removed error type previously deprecated (#​11674)
  • eslint-plugin: [no-deprecated] ignore deprecated export imports (#​11603)
  • eslint-plugin: [unbound-method] improve wording around this: void and binding (#​11634)
  • rule-tester: deprecate TestCaseError#type and LintMessage#nodeType (#​11628)
  • eslint-plugin: [no-floating-promises] remove excess parentheses in suggestions (#​11487)
❤️ Thank You

v8.45.0

🚀 Features
  • eslint-plugin: expose rule name via RuleModule interface (#​11616)
🩹 Fixes
  • eslint-plugin: [prefer-nullish-coalescing] ignoreBooleanCoercion should not apply to top-level ternary expressions (#​11614)
  • eslint-plugin: [no-base-to-string] check if superclass is ignored (#​11617)
❤️ Thank You

v8.44.1

🩹 Fixes
  • eslint-plugin: [await-thenable] should not report passing values to promise aggregators which may be a promise in an array literal (#​11611)
  • eslint-plugin: [no-unsafe-enum-comparison] support unions of literals (#​11599)
  • eslint-plugin: [no-base-to-string] make ignoredTypeNames match type names without generics (#​11597)
❤️ Thank You

v8.44.0

🚀 Features
  • eslint-plugin: [await-thenable] report invalid (non-promise) values passed to promise aggregator methods (#​11267)
🩹 Fixes
  • eslint-plugin: [no-unnecessary-type-conversion] ignore enum members (#​11490)
❤️ Thank You

v8.43.0

🚀 Features
  • typescript-estree: disallow empty type parameter/argument lists (#​11563)
🩹 Fixes
  • eslint-plugin: [prefer-return-this-type] don't report an error when returning a union type that includes a classType (#​11432)
  • eslint-plugin: [no-deprecated] should report deprecated exports and reexports (#​11359)
  • eslint-plugin: [no-floating-promises] allowForKnownSafeCalls now supports function names (#​11423, #​11430)
  • eslint-plugin: [consistent-type-exports] fix declaration shadowing (#​11457)
  • eslint-plugin: [no-unnecessary-type-conversion] only report ~~ on integer literal types (#​11517)
  • scope-manager: exclude Program from DefinitionBase node types (#​11469)
  • eslint-plugin: [no-non-null-assertion] do not suggest optional chain on LHS of assignment (#​11489)
  • type-utils: add union type support to TypeOrValueSpecifier (#​11526)
❤️ Thank You

v8.42.0

🩹 Fixes
  • deps: update eslint monorepo to v9.33.0 (#​11482)

v8.41.0

🩹 Fixes
  • deps: update dependency prettier to v3.6.2 (#​11496)

v8.40.0

🚀 Features
  • typescript-estree: forbid invalid keys in EnumMember (#​11232)
❤️ Thank You

v8.39.1

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

v8.39.0

🚀 Features
  • eslint-plugin: [only-throw-error] support yield/await expressions (#​11417)
  • eslint-plugin: add no-unnecessary-type-conversion to strict-type-checked ruleset (#​11427)
  • update to TypeScript 5.9.2 (#​11445)
  • eslint-plugin: [naming-convention] add enumMember PascalCase default option (#​11127)
🩹 Fixes
  • eslint-plugin: [no-unsafe-assignment] add an unsafeObjectPattern message (#​11403)
  • eslint-plugin: [prefer-optional-chain] ignore check option for most RHS of a chain (#​11272)
❤️ Thank You

v8.38.0

🩹 Fixes
  • disallow extra properties in rule options (#​11397)
  • eslint-plugin: [consistent-generic-constructors] resolve conflict with isolatedDeclarations if enabled in constructor option (#​11351)
❤️ Thank You

v8.37.0

🩹 Fixes
  • eslint-plugin: [unified-signatures] fix false positives for ignoreOverloadsWithDifferentJSDoc option (#​11381)
❤️ Thank You

v8.36.0

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

v8.35.1

🩹 Fixes
  • remove prettier from eslint-plugin (#​11339)
❤️ Thank You

v8.35.0

🚀 Features
  • eslint-plugin: [no-base-to-string] add checkUnknown Option (#​11128)
❤️ Thank You

v8.34.1

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

v8.34.0

🩹 Fixes
  • typescript-estree: add validation to interface extends (#​11271)
❤️ Thank You
  • Tao

v8.33.1

🩹 Fixes
  • exclude docs/ directory from eslint-plugin package (#​11251)
❤️ Thank You
  • roottool

v8.33.0

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

v8.32.1

🩹 Fixes
  • eslint-plugin: [consistent-indexed-object-style] check for indirect circular types in aliased mapped types (#​11177)
  • eslint-plugin: [consistent-indexed-object-style] adjust auto-fixer to generate valid syntax for TSMappedType with no type annotation (#​11180)
  • eslint-plugin: [no-deprecated] support computed member access (#​10867)
  • eslint-plugin: [no-unnecessary-type-conversion] shouldn't have fixable property (#​11194)
❤️ Thank You

v8.32.0

🚀 Features
  • eslint-plugin: [only-throw-error] add option allowRethrowing (#​11075)
  • eslint-plugin: [no-unnecessary-type-conversion] add rule (#​10182)
🩹 Fixes
  • eslint-plugin: [prefer-nullish-coalescing] fix parenthesization bug in suggestion (#​11098)
  • eslint-plugin: [unified-signatures] exempt this from optional parameter overload check (#​11005)
  • eslint-plugin: [no-unnecessary-type-parameters] should parenthesize type in suggestion fixer if necessary (#​10907)
❤️ Thank You

v8.31.1

🩹 Fixes
  • eslint-plugin: [no-unnecessary-condition] downgrade fix to suggestion (#​11081)
❤️ Thank You

v8.31.0

🚀 Features
  • eslint-plugin: [no-unnecessary-type-assertion] add option to ignore string const assertions (#​10979)
❤️ Thank You
  • Nicolas Le Cam

v8.30.1

🩹 Fixes
  • eslint-plugin: fix mistake with eslintrc config generation (#​11072)
❤️ Thank You

[v8.30.0](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/eslint-plugin/CHANGELOG.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

socket-security bot commented Apr 3, 2024

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | @typescript-eslint/parser@7.18.0 ⏵ 8.58.1 | 99 | 100 | 71 +1 | 98 +1 | 100 |
| Updated | eslint-config-prettier@9.1.0 ⏵ 10.1.8 | 100 +1 | 100 | 100 +29 | 88 | 100 |
| Updated | eslint@8.57.0 ⏵ 10.2.0 | 89 +1 | 100 | 100 +1 | 97 +47 | 100 |
| Updated | eslint-plugin-unicorn@51.0.1 ⏵ 64.0.0 | 97 -1 | 100 | 100 +1 | 91 | 100 |
| Updated | @typescript-eslint/eslint-plugin@7.18.0 ⏵ 8.58.1 | 100 +2 | 100 | 100 +21 | 100 +3 | 100 |

View full report

@renovate renovate bot force-pushed the renovate/major-linters branch from 543944b to 59d8b10 Compare April 5, 2024 21:25
@renovate renovate bot changed the title Update dependency eslint-plugin-unicorn to v52 Update linters (major) Apr 5, 2024
@renovate renovate bot force-pushed the renovate/major-linters branch from 59d8b10 to 907947f Compare April 11, 2024 20:16
@renovate renovate bot force-pushed the renovate/major-linters branch 2 times, most recently from 8e0ba93 to c1fcb49 Compare May 14, 2024 14:12
@renovate renovate bot force-pushed the renovate/major-linters branch 2 times, most recently from 128fc40 to 57adc35 Compare June 19, 2024 19:40
@renovate renovate bot force-pushed the renovate/major-linters branch 2 times, most recently from 7c50070 to ba39fc2 Compare July 31, 2024 18:37
@renovate renovate bot force-pushed the renovate/major-linters branch from ba39fc2 to dd91187 Compare August 23, 2024 18:06
@renovate renovate bot force-pushed the renovate/major-linters branch from dd91187 to 5ff0bbf Compare October 3, 2024 21:45
@renovate renovate bot force-pushed the renovate/major-linters branch 2 times, most recently from d6ac3d5 to 43b07d9 Compare January 17, 2025 14:25
@renovate renovate bot force-pushed the renovate/major-linters branch from 43b07d9 to f9739aa Compare February 17, 2025 19:33
@renovate renovate bot force-pushed the renovate/major-linters branch from f9739aa to 4cb6f14 Compare March 24, 2025 10:31
@renovate renovate bot force-pushed the renovate/major-linters branch from 4cb6f14 to c5adf76 Compare April 14, 2025 14:42
@renovate renovate bot force-pushed the renovate/major-linters branch from c5adf76 to 6e29aa7 Compare April 27, 2025 14:00
@renovate renovate bot force-pushed the renovate/major-linters branch from 6e29aa7 to d7c0815 Compare May 12, 2025 21:12
@renovate renovate bot force-pushed the renovate/major-linters branch 3 times, most recently from f9bfdef to 71612f9 Compare July 25, 2025 17:12
@renovate renovate bot force-pushed the renovate/major-linters branch 4 times, most recently from d7ec87c to 3a070da Compare August 11, 2025 18:33
@renovate renovate bot force-pushed the renovate/major-linters branch 4 times, most recently from 3707fe9 to 5a330af Compare August 22, 2025 23:41
@renovate renovate bot force-pushed the renovate/major-linters branch from 728ef4e to 4f8205c Compare October 21, 2025 14:47

socket-security bot commented Oct 21, 2025

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert
Block Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code is a straightforward build script to bundle and minify a specified package using Browserify and UglifyJS. The primary security concern is potential path manipulation: json.main is used to form a require path without validating that it stays within the target package directory. If a malicious or misconfigured package.json includes an absolute path or traversal outside the package, the script could bundle unintended files. Otherwise, the script does not perform network access, data exfiltration, or backdoor actions, and there is no hard-coded secrets or dynamic code execution beyond standard bundling/minification.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint@10.2.0 → npm/ajv@6.14.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code augments a meta-schema to permit remote dereferencing of keyword schemas via a hardcoded data.json resource. This introduces network dependency and potential changes to validation semantics at runtime. While not inherently malicious, the remote reference constitutes a notable security and reliability risk that should be mitigated with local fallbacks, input validation, and explicit remote-resource governance.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint@10.2.0 → npm/ajv@6.14.0

Block Low
Potential code anomaly (AI signal): npm chownr is 100.0% likely to have a medium risk anomaly

Notes: The code represents a standard, well-scoped recursive ownership utility with deliberate cross-version compatibility. No evidence of malicious activity, data leakage, or external communications. The main risk is the potential for broad permission changes if invoked with untrusted uid/gid values; usage should be restricted to trusted contexts.

Confidence: 1.00

Severity: 0.60

From: ? → npm/ava@6.1.3 → npm/chownr@2.0.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chownr@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm delayed-stream is 100.0% likely to have a medium risk anomaly

Notes: The DelayedStream module intercepts and buffers events from a source stream. While the core functionality appears to be for stream delay and management, two aspects raise concern: the overriding of the source's emit method and the attachment of a silent error handler (source.on('error', function() {})). The silent error handler is particularly suspicious as it can mask underlying problems or potential malicious activity originating from the source stream. Without further context on why errors are being suppressed, this behavior warrants caution. The code itself does not exhibit direct malware patterns like network exfiltration or reverse shells, but the error suppression could be a component of a larger, more covert operation.

Confidence: 1.00

Severity: 0.60

From: ? → npm/@openzeppelin/defender-sdk-deploy-client@2.1.0 → npm/@openzeppelin/defender-sdk-network-client@2.1.0 → npm/delayed-stream@1.0.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/delayed-stream@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Low CVE: Elliptic allows BER-encoded signatures

CVE: GHSA-49q7-c7j4-3p7m Elliptic allows BER-encoded signatures (LOW)

Affected versions: >= 5.2.1 < 6.5.7

Patched version: 6.5.7

From: ? → npm/hardhat@2.22.9 → npm/@nomicfoundation/hardhat-verify@2.0.14 → npm/elliptic@6.5.4

ℹ Read more on: This package | This alert | What is a mild CVE?

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Low CVE: Elliptic's ECDSA missing check for whether leading bit of r and s is zero

CVE: GHSA-977x-g7h5-7qgw Elliptic's ECDSA missing check for whether leading bit of r and s is zero (LOW)

Affected versions: >= 2.0.0 < 6.5.7

Patched version: 6.5.7

From: ? → npm/hardhat@2.22.9 → npm/@nomicfoundation/hardhat-verify@2.0.14 → npm/elliptic@6.5.4

Block Low
Low CVE: Elliptic's EDDSA missing signature length check

CVE: GHSA-f7q4-pwc6-w24p Elliptic's EDDSA missing signature length check (LOW)

Affected versions: >= 4.0.0 < 6.5.7

Patched version: 6.5.7

From: ? → npm/hardhat@2.22.9 → npm/@nomicfoundation/hardhat-verify@2.0.14 → npm/elliptic@6.5.4

Block Low
Low CVE: Elliptic's verify function omits uniqueness validation

CVE: GHSA-434g-2637-qmqr Elliptic's verify function omits uniqueness validation (LOW)

Affected versions: < 6.5.6

Patched version: 6.5.6

From: ? → npm/hardhat@2.22.9 → npm/@nomicfoundation/hardhat-verify@2.0.14 → npm/elliptic@6.5.4

Block Low
Potential code anomaly (AI signal): npm flat-cache is 100.0% likely to have a medium risk anomaly

Notes: The code implements a filesystem-backed cache with potential path traversal vulnerabilities due to unvalidated docId/cacheDir inputs that influence file paths. While not inherently malicious, the lack of input sanitization creates risk of reading/writing/deleting arbitrary files, especially in a public package context where inputs could be user-controlled. No evidence of deliberate malware or obfuscated logic is present, but the security risk due to path handling is non-trivial and should be mitigated by validating and constraining input paths, using safe defaults, and isolating cache storage.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint@10.2.0 → npm/flat-cache@4.0.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/flat-cache@4.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly

Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored.

Confidence: 1.00

Severity: 0.60

From: ? → npm/@typescript-eslint/eslint-plugin@8.58.1 → npm/ignore@7.0.5

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@renovate renovate bot force-pushed the renovate/major-linters branch 2 times, most recently from b4fda1d to 973e0fc Compare October 31, 2025 22:47
@renovate renovate bot force-pushed the renovate/major-linters branch 2 times, most recently from 8808dc7 to 8e6808c Compare November 4, 2025 02:42
@renovate renovate bot force-pushed the renovate/major-linters branch 2 times, most recently from 746c6fe to 1d9fab8 Compare November 17, 2025 23:56
@renovate renovate bot force-pushed the renovate/major-linters branch 2 times, most recently from a7a7411 to cdaeded Compare November 24, 2025 18:14
@renovate renovate bot force-pushed the renovate/major-linters branch 3 times, most recently from 85eb918 to 6b9c571 Compare December 8, 2025 21:06
@renovate renovate bot force-pushed the renovate/major-linters branch 2 times, most recently from 1797b93 to cfa30e8 Compare December 15, 2025 17:13
@renovate renovate bot force-pushed the renovate/major-linters branch from cfa30e8 to 03f6035 Compare December 22, 2025 17:41
@renovate renovate bot force-pushed the renovate/major-linters branch 2 times, most recently from f5d4062 to 87a8c72 Compare December 31, 2025 13:52
@renovate renovate bot force-pushed the renovate/major-linters branch 3 times, most recently from 19e06b2 to c064426 Compare January 12, 2026 18:01
@renovate renovate bot force-pushed the renovate/major-linters branch 3 times, most recently from 5364b5c to 02f5815 Compare January 23, 2026 18:35
coderabbitai bot commented Jan 23, 2026

Walkthrough

The pull request upgrades ESLint and related TypeScript linting devDependencies to newer major versions: @typescript-eslint/eslint-plugin and parser to v8, ESLint to v9, eslint-config-prettier to v10, and eslint-plugin-unicorn to v62.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| ESLint and TypeScript linting toolchain / package.json | Upgraded major versions: @typescript-eslint/eslint-plugin and @typescript-eslint/parser (^7 → ^8), ESLint (^8 → ^9), eslint-config-prettier (^9 → ^10), eslint-plugin-unicorn (^51 → ^62) |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hop along with cleaner code!
ESLint's upgraded down the road,
Version nine and eight so fine,
Linting rules now more divine,
Unicorn prances, prettier shines bright!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'Update linters (major)' directly and clearly summarizes the main change: upgrading multiple linting-related devDependencies to major versions. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
package.json (1)

10-11: The --ignore-path CLI flag has been removed in ESLint 9.

The lint script on line 11 uses --ignore-path .gitignore, but "'ignorePath' has been removed. 'rulePaths' has been removed. Please define your rules using plugins."

In ESLint 9 with flat config, "you can use the ignores property in a config object with no other properties. The ignores property accepts an array of glob patterns."

🔧 Suggested fix: Update lint script and migrate ignore patterns to flat config

Remove the --ignore-path flag from the script:

-    "lint:path": "eslint --ignore-path .gitignore --max-warnings 0",
+    "lint:path": "eslint --max-warnings 0",
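
Review bot: the `+` line leaves `lint:path` as `eslint --max-warnings 0` with no ignore source at all, so this script change is only safe once the flat config already carries the patterns that `--ignore-path .gitignore` used to supply. Land the script edit and the `ignores` entries in the same commit; otherwise previously ignored paths get linted, and any warning found there fails the run under `--max-warnings 0`.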

Then in your new eslint.config.js, add the ignore patterns:

export default [
  {
    ignores: [
      'node_modules/**',
      'dist/**',
      // ... other patterns from .gitignore that should be ignored by ESLint
    ]
  },
  // ... rest of config
];
🤖 Fix all issues with AI agents
In `@package.json`:
- Around line 19-24: The current ESLint 9 upgrade will break the existing
.eslintrc.js + lint:path script that uses --ignore-path; either migrate to flat
config by running the migration tool to produce eslint.config.js (npx
`@eslint/migrate-config` .eslintrc.js), update the new eslint.config.js to call
includeIgnoreFile() from `@eslint/compat` to load .gitignore patterns, and remove
--ignore-path from the lint:path npm script, or temporarily toggle legacy
behavior by setting ESLINT_USE_FLAT_CONFIG=false in the lint:path script
environment so the existing .eslintrc.js continues to work; also ensure Node.js
engine in package.json meets ESLint 9 minimum (≥18.18.0).
🧹 Nitpick comments (1)
package.json (1)

17-31: Consider adding dependencies required for ESLint 9 flat config migration.

"The migrator will prompt you to install additional packages... @eslint/js: ESLint team start to make a core rewrite the ESLint, all the rules, documentations will move to the new package... @eslint/compat: This package allow you to wrap existing previous ESLint rules, plugins and configurations."

Depending on your configuration, you may need to add:

  • @eslint/js - for ESLint's built-in recommended rules
  • globals - for defining global variables in flat config
  • @eslint/compat or @eslint/eslintrc - if plugins don't fully support flat config yet
  "devDependencies": {
    "@openzeppelin/docs-utils": "^0.1.0",
+   "@eslint/js": "^9.0.0",
    "@typescript-eslint/eslint-plugin": "^8.0.0",
    "@typescript-eslint/parser": "^8.0.0",
    "eslint": "^9.0.0",
    "eslint-config-prettier": "^10.0.0",
    "eslint-plugin-prettier": "^5.0.0",
    "eslint-plugin-unicorn": "^62.0.0",
    "ethers": "^6.8.1",
+   "globals": "^16.0.0",
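
Review bot: the hunk adds `@eslint/js` and `globals` but not `@eslint/compat`, which the `includeIgnoreFile()` route for loading `.gitignore` depends on; add it here if that route is taken. `@eslint/js` is also inserted after `@openzeppelin/docs-utils`, which breaks the alphabetical order the rest of the `devDependencies` block follows.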

package.json Outdated
Comment on lines +19 to +24
"@typescript-eslint/eslint-plugin": "^8.0.0",
"@typescript-eslint/parser": "^8.0.0",
"eslint": "^9.0.0",
"eslint-config-prettier": "^10.0.0",
"eslint-plugin-prettier": "^5.0.0",
"eslint-plugin-unicorn": "^51.0.0",
"eslint-plugin-unicorn": "^62.0.0",
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find existing ESLint configuration files
echo "=== Existing ESLint config files ==="
find . -maxdepth 2 -name '.eslintrc*' -o -name 'eslint.config.*' 2>/dev/null | head -20

# Check for .eslintignore
echo -e "\n=== .eslintignore files ==="
find . -maxdepth 2 -name '.eslintignore' 2>/dev/null

# Check Node.js version requirements
echo -e "\n=== Node.js version constraints ==="
jq '.engines' package.json 2>/dev/null || echo "No engines field in package.json"

# Check the lint script in package.json
echo -e "\n=== Lint script in package.json ==="
jq '.scripts.lint' package.json

Repository: OpenZeppelin/openzeppelin-upgrades

Length of output: 256


🏁 Script executed:

#!/bin/bash
# Let's check the full scripts section and lines around 11 in package.json
echo "=== Full package.json scripts section ==="
jq '.scripts' package.json

echo -e "\n=== Lines 1-30 of package.json for context ==="
head -n 30 package.json | cat -n

Repository: OpenZeppelin/openzeppelin-upgrades

Length of output: 1949


🏁 Script executed:

#!/bin/bash
# Check the .eslintrc.js configuration
echo "=== Contents of .eslintrc.js ==="
cat .eslintrc.js

# Verify ESLint v9 breaking change documentation
echo -e "\n=== Checking for flat config usage ==="
if grep -q "eslint.config" package.json; then
  echo "Uses flat config"
else
  echo "Does not use flat config"
fi

Repository: OpenZeppelin/openzeppelin-upgrades

Length of output: 1302


🏁 Script executed:

#!/bin/bash
# Double-check for eslint.config.js file
echo "=== Searching for eslint.config files ==="
find . -maxdepth 2 -name 'eslint.config.*' 2>/dev/null | head -20

# Verify the --ignore-path flag issue by checking ESLint 9 documentation
echo -e "\n=== ESLint version and config format check ==="
echo "ESLint version in package.json:"
jq '.devDependencies.eslint' package.json

# Check if .gitignore exists (referenced in lint:path)
echo -e "\n=== Checking .gitignore ==="
ls -la .gitignore 2>/dev/null | head -1

Repository: OpenZeppelin/openzeppelin-upgrades

Length of output: 296


🌐 Web query:

ESLint 9.0.0 --ignore-path CLI flag removed breaking change

💡 Result:

In ESLint v9.0.0, when using the new flat config (eslint.config.js), the CLI no longer supports several legacy flags, including --ignore-path. This is because flat config does not read .eslintignore files, so there’s no “ignore file path” concept to point ESLint at via CLI. (eslint.org)

What to do instead

  • Move ignore patterns into eslint.config.js (preferred in v9 flat config), e.g. use flat-config ignores or import ignore files.
  • If you previously did --ignore-path .gitignore, ESLint recommends importing it via includeIgnoreFile() from @eslint/compat in eslint.config.js. (eslint.org)

(If you’re seeing advice that this flag is “removed from ESLint entirely,” note it’s specifically unsupported with flat config in v9; ESLint’s v9 migration docs and config migration guide call this out under flat-config CLI flag changes.) (eslint.org)


🌐 Web query:

ESLint 9 legacy .eslintrc.js support --ignore-path flag compatibility

💡 Result:

In ESLint 9, flat config (eslint.config.*) is the default, and --ignore-path is not supported in flat-config mode. ESLint also doesn’t read .eslintignore in flat-config mode. (eslint.org)

What works (and what doesn’t)

  • Default ESLint 9 (flat config):

    • --ignore-path does not work. (eslint.org)
    • Use instead:
      • ignores: [...] in eslint.config.*, or
      • includeIgnoreFile() from @eslint/compat to import .gitignore/ignore files. (eslint.org)
  • Legacy .eslintrc.* mode (ESLint 9):

    • Legacy config is still available if you set ESLINT_USE_FLAT_CONFIG=false. (eslint.org)
    • In that legacy mode, --ignore-path is part of the eslintrc-era CLI behavior (it’s specifically called out as removed only for flat config), so it’s the mode you must be in if you need --ignore-path. (eslint.org)

Common “gotcha” (integrations/tools)

If you’re using an integration that passes options like ignorePath programmatically (not via the CLI), ESLint 9’s newer API path may reject it; such tools typically need updating to ESLint 9 / flat config, or to explicitly use the legacy API (LegacyESLint). (github.com)


Migrate ESLint configuration to flat config format or explicitly enable legacy mode—the current setup will fail with ESLint 9.

ESLint 9 defaults to flat config mode, which no longer reads .eslintrc.js files or supports the --ignore-path CLI flag. The current lint:path script uses --ignore-path .gitignore, which will fail with ESLint 9's default flat config.

To resolve this, choose one of:

  1. Migrate to flat config (recommended): Create eslint.config.js using the ESLint migration tool:

    npx @eslint/migrate-config .eslintrc.js

    Then update the lint:path script to remove --ignore-path and instead use includeIgnoreFile() from @eslint/compat in the flat config to load .gitignore patterns.

  2. Enable legacy mode temporarily: Set the environment variable ESLINT_USE_FLAT_CONFIG=false to keep using the .eslintrc.js format, though this is not recommended long-term as ESLint is phasing out legacy config support.

Also consider specifying Node.js version constraints (ESLint 9 requires Node.js ≥ v18.18.0).

🤖 Prompt for AI Agents
In `@package.json` around lines 19 - 24, The current ESLint 9 upgrade will break
the existing .eslintrc.js + lint:path script that uses --ignore-path; either
migrate to flat config by running the migration tool to produce eslint.config.js
(npx `@eslint/migrate-config` .eslintrc.js), update the new eslint.config.js to
call includeIgnoreFile() from `@eslint/compat` to load .gitignore patterns, and
remove --ignore-path from the lint:path npm script, or temporarily toggle legacy
behavior by setting ESLINT_USE_FLAT_CONFIG=false in the lint:path script
environment so the existing .eslintrc.js continues to work; also ensure Node.js
engine in package.json meets ESLint 9 minimum (≥18.18.0).
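
A pre-merge check for the breakages the review above describes, as an added example that is not part of the original thread or the project's code: it inspects a parsed package.json and the repo-root file list for `--ignore-path` in ESLint scripts, a `.eslintrc.*` with no flat config, and a Node.js engine floor below the one the review quotes. The function name, the finding ids and the sample `lint` script are hypothetical; only `>=x.y.z` engine ranges are parsed.

```javascript
// Added example (not from the thread): audit a repo for the ESLint 9 breakages
// the review describes. Function and finding names are hypothetical.
const MIN_NODE = [18, 18, 0]; // minimum Node.js version quoted in the review

// "18", "18.18" or "18.18.0" -> [major, minor, patch]
function parseVersion(text) {
  const parts = text.split('.').map(Number);
  return [parts[0] || 0, parts[1] || 0, parts[2] || 0];
}

function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// pkg: parsed package.json. files: file names at the repository root.
function auditEslint9Upgrade(pkg, files) {
  const findings = [];
  const hasFlat = files.some((f) => /^eslint\.config\.[cm]?[jt]s$/.test(f));
  const hasLegacy = files.some((f) => /^\.eslintrc(\.|$)/.test(f));

  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (!/(^|\s)eslint(\s|$)/.test(cmd)) continue; // script does not invoke eslint directly
    // Assumption: the legacy toggle is set inline in the script, as the review suggests.
    const legacyMode = /(^|\s)ESLINT_USE_FLAT_CONFIG=false(\s|$)/.test(cmd);
    if (legacyMode) continue;
    if (/\s--ignore-path(\s|=)/.test(cmd)) {
      findings.push({ id: 'ignore-path-flag', script: name });
    }
    if (hasLegacy && !hasFlat) {
      findings.push({ id: 'eslintrc-not-read', script: name });
    }
  }

  // Only the simple ">=x.y.z" form is understood; other ranges are flagged for manual review.
  const range = pkg.engines && pkg.engines.node;
  const floor = range ? /^>=\s*v?(\d+(?:\.\d+){0,2})$/.exec(range.trim()) : null;
  if (!range) findings.push({ id: 'node-engine-unset' });
  else if (!floor) findings.push({ id: 'node-engine-unparsed', range });
  else if (isBelow(parseVersion(floor[1]), MIN_NODE)) {
    findings.push({ id: 'node-engine-too-low', range });
  }
  return findings;
}

// Constructed sample: the lint:path script is the one quoted in the review;
// the rest of the manifest and the file list are made up for the example.
const samplePkg = {
  scripts: {
    lint: 'yarn lint:path .',
    'lint:path': 'eslint --ignore-path .gitignore --max-warnings 0',
  },
  devDependencies: { eslint: '^9.0.0' },
};
const sampleFiles = ['.eslintrc.js', '.gitignore', 'package.json'];

console.log(auditEslint9Upgrade(samplePkg, sampleFiles).map((f) => f.id));
```

Run in CI against the real manifest, a non-empty result is a reason to hold the dependency bump until the config migration lands with it.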

@renovate renovate bot force-pushed the renovate/major-linters branch 2 times, most recently from 5fab8d9 to cff250e Compare February 2, 2026 17:52
@renovate renovate bot force-pushed the renovate/major-linters branch from cff250e to c40203b Compare February 7, 2026 01:58