chore(deps): update dependency eslint to v9.26.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
eslint (source)	9.22.0 → 9.26.0

GitHub Vulnerability Alerts

CVE-2025-50537

There is a Stack Overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a Stack Overflow.

---

Release Notes

eslint/eslint (eslint)

v9.26.0

Compare Source

Features

• e9754e7 feat: add reportGlobalThis to no-shadow-restricted-names (#​19670) (sethamus)
• 0fa2b7a feat: add suggestions for eqeqeq rule (#​19640) (Nitin Kumar)
• dcbdcc9 feat: Add MCP server (#​19592) (Nicholas C. Zakas)
• 2dfd83e feat: add ignoreDirectives option in no-unused-expressions (#​19645) (sethamus)

Bug Fixes

• 96e84de fix: check cache file existence before deletion (#​19648) (sethamus)
• d683aeb fix: don't crash on tests with circular references in RuleTester (#​19664) (Milos Djermanovic)
• 9736d5d fix: add namespace to Plugin.meta type (#​19661) (Milos Djermanovic)
• 17bae69 fix: update RuleTester.run() type (#​19634) (Nitin Kumar)

Documentation

• dd98d63 docs: Update README (GitHub Actions Bot)
• c25e858 docs: Update README (GitHub Actions Bot)
• b2397e9 docs: Update README (GitHub Actions Bot)
• addd0a6 docs: fix formatting of unordered lists in Markdown (#​19660) (Milos Djermanovic)
• a21b38d docs: Update README (GitHub Actions Bot)
• c0721a7 docs: fix double space in command (#​19657) (CamWass)

Chores

• 5b247c8 chore: upgrade to @eslint/js@9.26.0 (#​19681) (Francesco Trotta)
• d6fa4ac chore: package.json update for @​eslint/js release (Jenkins)
• 0958690 chore: disambiguate internal types LanguageOptions and Rule (#​19669) (Francesco Trotta)
• f1c858e chore: fix internal type references to Plugin and Rule (#​19665) (Francesco Trotta)
• 40dd299 refactor: One-shot ESQuery selector analysis (#​19652) (Nicholas C. Zakas)
• 1cfd702 chore: update dependency @​eslint/json to ^0.12.0 (#​19656) (renovate[bot])

v9.25.1

Compare Source

Bug Fixes

• cdc8e8c fix: revert directive detection in no-unused-expressions (#​19639) (sethamus)

Chores

• 1f2b057 chore: upgrade @​eslint/js@​9.25.1 (#​19642) (Milos Djermanovic)
• 771317f chore: package.json update for @​eslint/js release (Jenkins)

v9.25.0

Compare Source

Features

• dcd95aa feat: support TypeScript syntax in no-empty-function rule (#​19551) (sethamus)
• 77d6d5b feat: support TS syntax in no-unused-expressions (#​19564) (Sweta Tanwar)
• 90228e5 feat: support JSRuleDefinition type (#​19604) (루밀LuMir)
• 59ba6b7 feat: add allowObjects option to no-restricted-properties (#​19607) (sethamus)
• db650a0 feat: support TypeScript syntax in no-invalid-this rule (#​19532) (Tanuj Kanti)
• 9535cff feat: support TS syntax in no-loop-func (#​19559) (Nitin Kumar)

Bug Fixes

• 910bd13 fix: nodeTypeKey not being used in NodeEventGenerator (#​19631) (StyleShit)

Documentation

• ca7a735 docs: update no-undef-init when not to use section (#​19624) (Tanuj Kanti)
• 1b870c9 docs: use eslint-config-xo in the getting started guide (#​19629) (Nitin Kumar)
• 5d4af16 docs: add types for multiple rule options (#​19616) (Tanuj Kanti)
• e8f8d57 docs: Update README (GitHub Actions Bot)
• a40348f docs: no-use-before-define tweaks (#​19622) (Kirk Waiblinger)
• 0ba3ae3 docs: Update README (GitHub Actions Bot)
• 865dbfe docs: ensure "learn more" deprecation links point to useful resource (#​19590) (Kirk Waiblinger)
• f80b746 docs: add known limitations for no-self-compare (#​19612) (Nitin Kumar)
• 865aed6 docs: Update README (GitHub Actions Bot)

Chores

• 88dc196 chore: upgrade @​eslint/js@​9.25.0 (#​19636) (Milos Djermanovic)
• 345288d chore: package.json update for @​eslint/js release (Jenkins)
• affe6be chore: upgrade trunk (#​19628) (sethamus)
• dd20cf2 test: fix no-loop-func test with duplicate variable reports (#​19610) (Milos Djermanovic)
• bd05397 chore: upgrade @eslint/* dependencies (#​19606) (Milos Djermanovic)
• 22ea18b chore: replace invalid int type with number inside JSDocs. (#​19597) (Arya Emami)

v9.24.0

Compare Source

Features

• 556c25b feat: support loading TS config files using --experimental-strip-types (#​19401) (Arya Emami)
• 72650ac feat: support TS syntax in init-declarations (#​19540) (Nitin Kumar)
• 03fb0bc feat: normalize patterns to handle "./" prefix in files and ignores (#​19568) (Pixel998)
• 071dcd3 feat: support TS syntax in no-dupe-class-members (#​19558) (Nitin Kumar)
• cd72bcc feat: Introduce a way to suppress violations (#​19159) (Iacovos Constantinou)
• 2a81578 feat: support TS syntax in no-loss-of-precision (#​19560) (Nitin Kumar)
• 30ae4ed feat: add new options to class-methods-use-this (#​19527) (sethamus)
• b79ade6 feat: support TypeScript syntax in no-array-constructor (#​19493) (Tanuj Kanti)

Bug Fixes

• b23d1c5 fix: deduplicate variable names in no-loop-func error messages (#​19595) (Nitin Kumar)
• fb8cdb8 fix: use any[] type for context.options (#​19584) (Francesco Trotta)

Documentation

• f857820 docs: update documentation for --experimental-strip-types (#​19594) (Nikolas Schröter)
• 803e4af docs: simplify gitignore path handling in includeIgnoreFile section (#​19596) (Thomas Broyer)
• 6d979cc docs: Update README (GitHub Actions Bot)
• 82177e4 docs: Update README (GitHub Actions Bot)
• e849dc0 docs: replace existing var with const (#​19578) (Sweta Tanwar)
• 0c65c62 docs: don't pass filename when linting rule examples (#​19571) (Milos Djermanovic)
• 6be36c9 docs: Update custom-rules.md code example of fixer (#​19555) (Yifan Pan)

Build Related

• 366e369 build: re-enable Prettier formatting for package.json files (#​19569) (Francesco Trotta)

Chores

• ef67420 chore: upgrade @​eslint/js@​9.24.0 (#​19602) (Milos Djermanovic)
• 4946847 chore: package.json update for @​eslint/js release (Jenkins)
• a995acb chore: correct 'flter'/'filter' typo in package script (#​19587) (Josh Goldberg ✨)
• b9a5efa test: skip symlink test on Windows (#​19503) (fisker Cheung)
• 46eea6d chore: remove Rule & FormatterFunction from shared/types.js (#​19556) (Nitin Kumar)
• bdcc91d chore: modify .editorconfig to keep parity with prettier config (#​19577) (Sweta Tanwar)
• 7790d83 chore: fix some typos in comment (#​19576) (todaymoon)
• 76064a6 test: ignore package-lock.json for eslint-webpack-plugin (#​19572) (Francesco Trotta)

v9.23.0

Compare Source

Features

• 557a0d2 feat: support TypeScript syntax in no-useless-constructor (#​19535) (Josh Goldberg ✨)
• 8320241 feat: support TypeScript syntax in default-param-last (#​19431) (Josh Goldberg ✨)
• 833c4a3 feat: defineConfig() supports "flat/" config prefix (#​19533) (Nicholas C. Zakas)
• 4a0df16 feat: circular autofix/conflicting rules detection (#​19514) (Milos Djermanovic)
• be56a68 feat: support TypeScript syntax in class-methods-use-this (#​19498) (Josh Goldberg ✨)

Bug Fixes

• 0e20aa7 fix: move deprecated RuleContext methods to subtype (#​19531) (Francesco Trotta)
• cc3bd00 fix: reporting variable used in catch block in no-useless-assignment (#​19423) (Tanuj Kanti)
• d46ff83 fix: no-dupe-keys false positive with proto setter (#​19508) (Milos Djermanovic)
• e732773 fix: navigation of search results on pressing Enter (#​19502) (Tanuj Kanti)
• f4e9c5f fix: allow RuleTester to test files inside node_modules/ (#​19499) (fisker Cheung)

Documentation

• 5405939 docs: show red underlines in TypeScript examples in rules docs (#​19547) (Milos Djermanovic)
• 48b53d6 docs: replace var with const in examples (#​19539) (Nitin Kumar)
• c39d7db docs: Update README (GitHub Actions Bot)
• a4f8760 docs: revert accidental changes (#​19542) (Francesco Trotta)
• 280128f docs: add copy button (#​19512) (xbinaryx)
• cd83eaa docs: replace var with const in examples (#​19530) (Nitin Kumar)
• 7ff0cde docs: Update README (GitHub Actions Bot)
• 996cfb9 docs: migrate sass to module system (#​19518) (xbinaryx)
• 17cb958 docs: replace var with let and const in rule examples (#​19515) (Tanuj Kanti)
• 83e24f5 docs: Replace var with let or const (#​19511) (Jenna Toff)
• a59d0c0 docs: Update docs for defineConfig (#​19505) (Nicholas C. Zakas)
• fe92927 docs: require-unicode-regexp add note for i flag and \w (#​19510) (Chaemin-Lim)

Build Related

• 2357edd build: exclude autogenerated files from Prettier formatting (#​19548) (Francesco Trotta)

Chores

• 0ac8ea4 chore: update dependencies for v9.23.0 release (#​19554) (Francesco Trotta)
• 20591c4 chore: package.json update for @​eslint/js release (Jenkins)
• 901344f chore: update dependency @​eslint/json to ^0.11.0 (#​19552) (renovate[bot])
• 5228383 chore: fix update-readme formatting (#​19544) (Milos Djermanovic)
• 5439525 chore: format JSON files in Trunk (#​19541) (Francesco Trotta)
• 75adc99 chore: enabled Prettier in Trunk (#​19354) (Josh Goldberg ✨)
• 2395168 chore: added .git-blame-ignore-revs for Prettier via trunk fmt (#​19538) (Josh Goldberg ✨)
• 129882d chore: formatted files with Prettier via trunk fmt (#​19355) (Josh Goldberg ✨)
• 1738dbc chore: temporarily disable prettier in trunk (#​19537) (Josh Goldberg ✨)
• dc854fd chore: update dependency shelljs to ^0.9.0 (#​19524) (renovate[bot])
• 5d57496 chore: fix some comments (#​19525) (jimmycathy)
• 9c5c6ee test: fix an assertion failure (#​19500) (fisker Cheung)
• 7a699a6 chore: remove formatting-related lint rules internally (#​19473) (Josh Goldberg ✨)
• c99db89 test: replace WebdriverIO with Cypress (#​19465) (Pixel998)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/npm-eslint-vulnerability

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

_{To disable these notifications, a workspace admin can disable them in workspace settings.}

---

View your CI Pipeline Execution ↗ for commit d417e81

Command	Status	Duration	Result
nx affected --targets=test:eslint,test:unit,tes...	❌ Failed	4m 22s	View ↗
nx run-many --target=build --exclude=examples/*...	❌ Failed	1m 1s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-02-02 23:47:52 UTC