
Update dependency eslint to v10.4.0#20

Open
renovate[bot] wants to merge 1 commit into master from renovate/eslint-monorepo


@renovate renovate Bot commented Apr 17, 2026

This PR contains the following updates:

Package Change Age Confidence
eslint (source) 10.2.0 → 10.4.0 age confidence

Release Notes

eslint/eslint (eslint)

v10.4.0

Compare Source

v10.3.0

Compare Source

v10.2.1

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/eslint-monorepo branch from ced5087 to 8d1b64b May 1, 2026 17:39
@renovate renovate Bot changed the title from "Update dependency eslint to v10.2.1" to "Update dependency eslint to v10.3.0" May 1, 2026

fossabot Bot commented May 7, 2026

Needs Review

I recommend reviewing this upgrade before merging because the project's ESLint configuration uses the legacy .eslintrc.js format, which is incompatible with ESLint v10 — the flat config system (eslint.config.js) is now mandatory in this major version. While ESLint is a developer-only dependency and is not invoked in CI (so tests continue to pass), running eslint manually in this project would fail entirely due to the missing flat config file, rendering the linting toolchain non-functional. Additionally, there is a blocking CI failure caused by an expired or misconfigured SONAR_TOKEN that must be resolved independently. On the positive side, the upgrade bundles multiple high-severity security fixes for transitive dependencies (minimatch, ajv, js-yaml, lodash), making the upgrade desirable once the configuration incompatibility is addressed by migrating to eslint.config.js.

Tip: Comment @​fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 4 fixable issues in this upgrade.

  • Migrate from legacy .eslintrc.js to flat config eslint.config.js. Create a new eslint.config.js file with the following content:
```js
const js = require('@eslint/js');

module.exports = [
  js.configs.recommended,
  {
    rules: {
      // Copy any custom rules from .eslintrc.js here
    }
  }
];
```

Then delete .eslintrc.js. To do this:
1) Read .eslintrc.js to capture any custom rules, env settings, or parser options.
2) Create eslint.config.js using the flat config format.
3) For env: { node: true, es2021: true }, add languageOptions: { ecmaVersion: 2021, sourceType: 'commonjs', globals: { ...require('globals').node } } (install globals as a devDependency if needed via npm install --save-dev globals).
4) For extends: 'eslint:recommended', use js.configs.recommended from @eslint/js (install via npm install --save-dev @eslint/js).
5) Delete .eslintrc.js.
Files: .eslintrc.js, eslint.config.js

  • Install required flat config dependencies. Run: npm install --save-dev @eslint/js globals OR manually add "@eslint/js": "^10.0.0" and "globals": "^16.0.0" to devDependencies in package.json and run npm install.
    Run: npm install --save-dev @eslint/js globals
    Files: package.json, package-lock.json
  • Regenerate the SONAR_TOKEN in SonarCloud (Account → Security → Generate Token) and update the GitHub repository secret at Settings → Secrets and Variables → Actions → SONAR_TOKEN with the new value. The current token is expired, revoked, or misconfigured, causing the SonarCloud scan step to fail with 'Failed to query JRE metadata'.
    Files: .github/workflows/node.js.yml
  • Consider migrating from the deprecated SonarSource/sonarcloud-github-action@master to SonarSource/sonarqube-scan-action@v5 (or latest) in .github/workflows/node.js.yml at line 33. Change uses: SonarSource/sonarcloud-github-action@master to uses: SonarSource/sonarqube-scan-action@v5. This depends on the SONAR_TOKEN being fixed first, so it should be done after the token is regenerated and verified.
    Files: .github/workflows/node.js.yml

AI Assistant Prompt

# Fix ESLint v10 Upgrade Issues in anyroute.js

## Context
ESLint has been upgraded to v10, which **completely removed support for the legacy `.eslintrc.js` config format**. The project must migrate to the new flat config system (`eslint.config.js`). All 58 unit tests pass — the only CI failure is an unrelated expired `SONAR_TOKEN`.

## Task 1: Migrate `.eslintrc.js` → `eslint.config.js` (flat config)

Please do the following:

### 1a. Read `.eslintrc.js`
Read the current `.eslintrc.js` file and note all:
- `extends` (likely `eslint:recommended`)
- `env` settings (likely `node: true`, `es2021: true`)
- `parserOptions` (likely `ecmaVersion: 2021` or similar)
- Custom `rules`

### 1b. Create `eslint.config.js`
Create a new `eslint.config.js` in the project root using the ESLint v10 flat config format. Map the legacy config as follows:

| Legacy `.eslintrc.js` | Flat config `eslint.config.js` |
|---|---|
| `extends: 'eslint:recommended'` | `js.configs.recommended` from `@eslint/js` |
| `env: { node: true }` | `languageOptions: { globals: { ...require('globals').node } }` |
| `env: { es2021: true }` | `languageOptions: { ecmaVersion: 2021 }` |
| `parserOptions: { sourceType: 'module' }` | `languageOptions: { sourceType: 'module' }` (or `'commonjs'` if that's what's used) |
| `rules: { ... }` | `rules: { ... }` (copy as-is) |

Example structure:
```js
const js = require('@eslint/js');
const globals = require('globals');

module.exports = [
  js.configs.recommended,
  {
    languageOptions: {
      ecmaVersion: 2021,
      sourceType: 'commonjs', // adjust based on what .eslintrc.js uses
      globals: {
        ...globals.node,
        // add ...globals.browser if env.browser was true
      },
    },
    rules: {
      // Copy ALL custom rules from .eslintrc.js here exactly
    },
  },
];
```

### 1c. Delete `.eslintrc.js`
Remove the old `.eslintrc.js` file after the new config is created.

## Task 2: Install required dependencies

Add these devDependencies to `package.json` and install them:

```bash
npm install --save-dev @eslint/js globals
```

These are required for the flat config:
- `@eslint/js` — provides `js.configs.recommended` (replaces `extends: 'eslint:recommended'`)
- `globals` — provides environment global variable definitions (replaces `env: { node: true }`)

## Task 3: Verify the migration

After making the changes, run:
```bash
npx eslint .
```
to confirm the new config works. Fix any errors that come up. Common issues:
- Rules that were removed in ESLint v9/v10 (check error messages and remove or replace them)
- `eslint:recommended` rule changes may surface new warnings — these are fine to address later

## Important Notes
- Do NOT modify any source code or test files — only config and package files
- The CI also has a failing SonarCloud step due to an expired `SONAR_TOKEN` — ignore that, it requires manual secret rotation in GitHub/SonarCloud and cannot be fixed in code
- The `.github/workflows/node.js.yml` references `SonarSource/sonarcloud-github-action@master` which is deprecated in favor of `SonarSource/sonarqube-scan-action@v5`, but do NOT change this until the token issue is resolved manually

## Files to modify
1. **`.eslintrc.js`** — DELETE after migration
2. **`eslint.config.js`** — CREATE (new flat config)
3. **`package.json`** — ADD `@eslint/js` and `globals` to devDependencies

What we checked

  • The project uses the legacy .eslintrc.js configuration format (module.exports = { ... }). ESLint v10 completely removed support for the eslintrc system — this file will be silently ignored or cause a fatal config-not-found error when eslint is invoked. A migration to eslint.config.js (flat config) is required. [1]
  • The config uses "extends": "eslint:recommended", a legacy eslintrc-style directive. In flat config, this must be replaced with import js from '@eslint/js'; export default [js.configs.recommended, ...];. [2]
  • eslint is declared as "^10.0.0" in devDependencies. The lockfile resolves this to 10.3.0. ESLint v10 is the first release to fully remove eslintrc compatibility, making the upgrade a breaking change for the project's lint workflow. [3]
  • The lockfile resolves eslint to version 10.3.0, confirming the upgrade target. This version requires flat config — no compatibility wrapper for .eslintrc.js is available without explicitly opting in via @​eslint/eslintrc compatibility utilities. [4]
  • The test script is nyc tape ./t/*.test.js — ESLint is not invoked in CI. This means the .eslintrc.js incompatibility does not break CI (all 58 tests pass), but it does break the local developer linting workflow entirely. [5]
  • The CI workflow uses SonarSource/sonarcloud-github-action@​master, which is failing due to an expired or revoked SONAR_TOKEN. This is a pre-existing infrastructure issue unrelated to the ESLint upgrade, but it represents a blocking CI failure. The token should be regenerated in SonarCloud (Account → Security → Generate Token) and updated at Settings → Secrets and Variables → Actions → SONAR_TOKEN. [6]
  • ESLint's official migration guide documents that the eslintrc configuration system (.eslintrc.js, .eslintrc.json, etc.) was completely removed in v10. Projects must migrate to eslint.config.js (flat config). For a smooth transition, @​eslint/eslintrc can provide a FlatCompat utility to adapt old eslintrc configs incrementally. [7]
  • Security fix: ajv updated to 6.14.0 to address known vulnerabilities — this is a positive signal bundled in the upgrade target, fixing a high-severity transitive dependency vulnerability. [8]
  • Security fix: minimatch updated to 10.2.1 to address security vulnerabilities — another high-severity transitive fix making this upgrade desirable once the config migration is complete. [9]

Dependency Usage

eslint serves as a developer tooling dependency in this project, with no runtime application code importing it directly — its usage is entirely confined to the development workflow. The project has a dedicated .eslintrc.js configuration file that enforces a comprehensive set of code style and quality rules (indentation, semicolons, quote style, arrow function conventions, unused variable detection, and more) targeting Node.js and browser environments, with eslint:recommended as its baseline ruleset. This dependency supports code consistency and early bug detection across the codebase during development and CI, but carries zero footprint in production bundles or runtime execution.

  • The project uses the legacy .eslintrc.js configuration format (module.exports = { ... }). ESLint v10 completely removed support for the eslintrc system — this file will be silently ignored or cause a fatal config-not-found error when eslint is invoked. A migration to eslint.config.js (flat config) is required.
    .eslintrc.js:1
  • The config uses "extends": "eslint:recommended", a legacy eslintrc-style directive. In flat config, this must be replaced with import js from '@eslint/js'; export default [js.configs.recommended, ...];.
    .eslintrc.js:10
  • The CI workflow uses SonarSource/sonarcloud-github-action@​master, which is failing due to an expired or revoked SONAR_TOKEN. This is a pre-existing infrastructure issue unrelated to the ESLint upgrade, but it represents a blocking CI failure. The token should be regenerated in SonarCloud (Account → Security → Generate Token) and updated at Settings → Secrets and Variables → Actions → SONAR_TOKEN.
    .github/workflows/node.js.yml:33

Changes

eslint was updated with 28 security fixes, including patches to transitive dependencies minimatch, ajv, js-yaml, lodash, and @​eslint/plugin-kit to address known vulnerabilities. This update also carries a large number of accumulated breaking changes spanning multiple major versions, including removed rules, dropped legacy config file formats (.eslintrc), stricter rule validation, removed deprecated context methods, and changes to eslint:recommended rule sets that may affect existing lint configurations.

  • 2b44966 docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 53e9522 fix: strict removed formatters check (#20241) (ntnyq) (v10.2.0-10.2.1, changelog)
  • 7ab77a2 fix: correct breaking deprecation of FlatConfig type (#19826) (Logicer) (v10.2.0-10.2.1, changelog)
  • 234d005 fix: minimatch security vulnerability patch for v9.x (#20549) (Andrej Beles) (v10.2.0-10.2.1, changelog)
  • b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538) (루밀LuMir) (v10.2.0-10.2.1, changelog)
  • d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir) (v10.2.0-10.2.1, changelog)
  • a463e7b chore: update dependency js-yaml to v4 [security] (#20319) (renovate[bot]) (v10.2.0-10.2.1, changelog)
  • d498887 fix: bump @​eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v10.2.0-10.2.1, changelog)
  • 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v10.2.0-10.2.1, changelog)
  • 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v10.2.0-10.2.1, changelog)
  • 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v10.2.0-10.2.1, changelog)
  • 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v10.2.0-10.2.1, changelog)
  • afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v10.2.0-10.2.1, changelog)
  • d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v10.2.0-10.2.1, changelog)
  • Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v10.2.0-10.2.1, changelog)
  • 234d005 fix: minimatch security vulnerability patch for v9.x (#20549) (Andrej Beles) (v10.2.1-10.3.0, changelog)
  • b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538) (루밀LuMir) (v10.2.1-10.3.0, changelog)
  • d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir) (v10.2.1-10.3.0, changelog)
  • a463e7b chore: update dependency js-yaml to v4 [security] (#20319) (renovate[bot]) (v10.2.1-10.3.0, changelog)
  • d498887 fix: bump @​eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
  • 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v10.2.1-10.3.0, changelog)
  • 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v10.2.1-10.3.0, changelog)
  • 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v10.2.1-10.3.0, changelog)
  • 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v10.2.1-10.3.0, changelog)
  • 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v10.2.1-10.3.0, changelog)
  • afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v10.2.1-10.3.0, changelog)
  • d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v10.2.1-10.3.0, changelog)
  • f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v10.2.1-10.3.0, changelog)
  • Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v10.2.1-10.3.0, changelog)
  • 5687ce7 fix: correct mismatched removed rules (#19734) (루밀LuMir) (v10.2.0-10.2.1, changelog)
  • 959d360 build: Support updates to previous major versions (#18871) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 113f51e docs: Mention package.json config support dropped (#18305) (Nicholas C. Zakas) (v10.2.0-10.2.1, changelog)
  • 7c78576 docs: Add more removed context methods to migrate to v9 guide (#17951) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 3a877d6 docs: Update removed CLI flags migration (#17939) (Nicholas C. Zakas) (v10.2.0-10.2.1, changelog)
  • 74794f5 chore: removed unused eslintrc modules (#17938) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • fffca5c docs: remove "Open in Playground" buttons for removed rules (#17791) (Francesco Trotta) (v10.2.0-10.2.1, changelog)
  • becfdd3 docs: Make clear when rules are removed (#17728) (Nicholas C. Zakas) (v10.2.0-10.2.1, changelog)
  • ce4f5ff docs: Replace removed related rules with a valid rule (#16800) (Ville Saalo) (v10.2.0-10.2.1, changelog)
  • c9efb5f Fix: preserve formatting when rules are removed from disable directives (#15081) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 7cf96cf Breaking: Disallow reserved words in ES3 (fixes #15017) (#15046) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 305e14a Breaking: remove meta.docs.category in core rules (fixes #13398) (#14594) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 24c9f2a Breaking: Strict package exports (refs #13654) (#14706) (Nicholas C. Zakas) (v10.2.0-10.2.1, changelog)
  • 86d31a4 Breaking: disallow SourceCode#getComments() in RuleTester (refs #14744) (#14769) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 1d2213d Breaking: Fixable disable directives (fixes #11815) (#14617) (Josh Goldberg) (v10.2.0-10.2.1, changelog)
  • 4a7aab7 Breaking: require meta for fixable rules (fixes #13349) (#14634) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • d6a761f Breaking: Require meta.hasSuggestions for rules with suggestions (#14573) (Bryan Mishkin) (v10.2.0-10.2.1, changelog)
  • 6bd747b Breaking: support new regex d flag (fixes #14640) (#14653) (Yosuke Ota) (v10.2.0-10.2.1, changelog)
  • 8b4f3ab Breaking: fix comma-dangle schema (fixes #13739) (#14030) (Joakim Nilsson) (v10.2.0-10.2.1, changelog)
  • b953a4e Breaking: upgrade espree and support new class features (refs #14343) (#14591) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 8cce06c Breaking: add some rules to eslint:recommended (refs #14673) (#14691) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 86bb63b Breaking: Drop codeframe and table formatters (#14316) (Federico Brigante) (v10.2.0-10.2.1, changelog)
  • f3cb320 Breaking: drop node v10/v13/v15 (fixes #14023) (#14592) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 4c841b8 Breaking: allow all directives in line comments (fixes #14575) (#14656) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • c29bd9f Chore: Add breaking/core change link to issue templates (#13344) (Kai Cataldo) (v10.2.0-10.2.1, changelog)
  • 4ef6158 Breaking: espree@​7.0.0 (#13270) (Kai Cataldo) (v10.2.0-10.2.1, changelog)
  • 78c8cda Breaking: RuleTester Improvements (refs Update: RuleTester Improvements eslint/rfcs#25) (#12955) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 185982d Breaking: improve plugin resolving (refs New: Plugin Loading Improvement eslint/rfcs#47) (#12922) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 48b122f Breaking: change relative paths with --config (refs New: Changing Base Path of overrides and ignorePatterns eslint/rfcs#37) (#12887) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 0de91f3 Docs: removed correct code from incorrect eg (#13060) (Anix) (v10.2.0-10.2.1, changelog)
  • 4af06fc Breaking: Test with an unknown error property should fail in RuleTester (#12096) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • afa9aac Breaking: class default true computed-property-spacing (fixes #12812) (#12915) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 7d52151 Breaking: classes default true in accessor-pairs (fixes #12811) (#12919) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 78182e4 Breaking: Add new rules to eslint:recommended (fixes #12911) (#12920) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 6423e11 Breaking: check unnamed default export in func-names (fixes #12194) (#12195) (Chiawen Chen) (v10.2.0-10.2.1, changelog)
  • 4293229 Breaking: use-isnan enforceForSwitchCase default true (fixes #12810) (#12913) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • cf38d0d Breaking: change default ignore pattern (refs New: Update Default Ignore Patterns eslint/rfcs#51) (#12888) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • bfe1dc4 Breaking: no-dupe-class-members checks some computed keys (fixes #12808) (#12837) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 95e0586 Fix: id-blacklist false positives on renamed imports (#12831) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • c2217c0 Breaking: make radix rule stricter (#12608) (fisker Cheung) (v10.2.0-10.2.1, changelog)
  • 1aa021d Breaking: lint overrides files (fixes #10828, refs New: Configuring Additional Lint Targets with .eslintrc eslint/rfcs#20) (#12677) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • b50179d Breaking: Check assignment targets in no-extra-parens (#12490) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • d86a5bb Breaking: Check flatMap in array-callback-return (fixes #12235) (#12765) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • cf46df7 Breaking: description in directive comments (refs New: Description in directive comments eslint/rfcs#33) (#12699) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 7350589 Breaking: some rules recognize bigint literals (fixes #11803) (#12701) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 1118fce Breaking: runtime-deprecation on '~/.eslintrc' (refs Update: Deprecating Personal Config eslint/rfcs#32) (#12678) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 2c28fbb Breaking: drop Node.js 8 support (refs New: Drop supports for Node.js 8.x and 11.x eslint/rfcs#44) (#12700) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 20908a3 Docs: removed '>' prefix from docs/working-with-rules (#11818) (Alok Takshak) (v10.2.0-10.2.1, changelog)
  • 2d32a9e Breaking: stricter rule config validating (fixes #9505) (#11742) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 6ae21a4 Breaking: fix config loading (fixes #11510, fixes #11559, fixes #11586) (#11546) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • adc6585 Docs: update status of breaking changes in migration guide (#11652) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • 0fc8e62 Breaking: eslint:recommended changes (fixes #10768) (#11518) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 20364cc Breaking: make no-redeclare stricter (fixes #11370, fixes #11405) (#11509) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 9e49b56 Breaking: upgrade espree to 6.0.0-alpha.0 (fixes #9687) (#11610) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • ef7801e Breaking: disallow invalid rule defaults in RuleTester (fixes #11473) (#11599) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • 4e7cdca Breaking: comma-dangle enable functions: "never" (fixes #11502) (#11519) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 12f256f Breaking: no-confusing-arrow enable allowParens: true (fixes #11503) (#11520) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 25cc63d Breaking: simplify config/plugin/parser resolution (fixes #10125) (#11388) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • fd1c91b Breaking: throw an error for invalid global configs (refs #11338) (#11517) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • be83322 Breaking: Remove extra rules from eslint:recommended (fixes #10873) (#11357) (Kevin Partington) (v10.2.0-10.2.1, changelog)
  • 2543f11 Breaking: remove deprecated experimentalObjectRestSpread option (#11420) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • 0fb5fd4 Breaking: interpret rule options as unicode regexes (fixes #11423) (#11516) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • 6e7da57 Breaking: drop Node.js 6 support (fixes #11456) (#11557) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 258b654 Upgrade: require-uncached renamed to import-fresh (#11066) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • d56c39d Fix: ESLint cache no longer stops autofix (fixes #10679) (#10694) (Kevin Partington) (v10.2.0-10.2.1, changelog)
  • 41f0f6e Breaking: report multiline eslint-disable-line directives (fixes #10334) (#10335) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • 09dde26 Breaking: new object-curly-newline/no-self-assign default (fixes #10215) (#10337) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • 02e44a5 Breaking: remove TDZ scopes (fixes #10245) (#10270) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • c74933b Breaking: remove extra check in getScope (fixes #10246, fixes #10247) (#10252) (Toru Nagashima) (v10.2.0-10.2.1, changelog)

View 14664 more changes in the full analysis

References (9)

[1]: The project uses the legacy .eslintrc.js configuration format (module.exports = { ... }). ESLint v10 completely removed support for the eslintrc system — this file will be silently ignored or cause a fatal config-not-found error when eslint is invoked. A migration to eslint.config.js (flat config) is required.

module.exports = {

[2]: The config uses "extends": "eslint:recommended", a legacy eslintrc-style directive. In flat config, this must be replaced with import js from '@​eslint/js'; export default [js.configs.recommended, ...];.

"extends": "eslint:recommended",

[3]: eslint is declared as "^10.0.0" in devDependencies. The lockfile resolves this to 10.3.0. ESLint v10 is the first release to fully remove eslintrc compatibility, making the upgrade a breaking change for the project's lint workflow.

"eslint": "^10.0.0",

[4]: The lockfile resolves eslint to version 10.3.0, confirming the upgrade target. This version requires flat config — no compatibility wrapper for .eslintrc.js is available without explicitly opting in via @​eslint/eslintrc compatibility utilities.

"version": "10.3.0",

[5]: The test script is nyc tape ./t/*.test.js — ESLint is not invoked in CI. This means the .eslintrc.js incompatibility does not break CI (all 58 tests pass), but it does break the local developer linting workflow entirely.

"test": "nyc tape ./t/*.test.js"

[6]: The CI workflow uses SonarSource/sonarcloud-github-action@​master, which is failing due to an expired or revoked SONAR_TOKEN. This is a pre-existing infrastructure issue unrelated to the ESLint upgrade, but it represents a blocking CI failure. The token should be regenerated in SonarCloud (Account → Security → Generate Token) and updated at Settings → Secrets and Variables → Actions → SONAR_TOKEN.

uses: SonarSource/sonarcloud-github-action@master

[7]: ESLint's official migration guide documents that the eslintrc configuration system (.eslintrc.js, .eslintrc.json, etc.) was completely removed in v10. Projects must migrate to eslint.config.js (flat config). For a smooth transition, @​eslint/eslintrc can provide a FlatCompat utility to adapt old eslintrc configs incrementally. (source link)

[8]: Security fix: ajv updated to 6.14.0 to address known vulnerabilities — this is a positive signal bundled in the upgrade target, fixing a high-severity transitive dependency vulnerability. (source link)

[9]: Security fix: minimatch updated to 10.2.1 to address security vulnerabilities — another high-severity transitive fix making this upgrade desirable once the config migration is complete. (source link)


fossabot analyzed this PR using dependency research. View this analysis on the web
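
A check a reviewer could run alongside the workflow suggestions in the comment above, added here as an example and not code from the PR, Renovate or fossabot: it classifies each `uses:` reference by how it is pinned (only a full commit SHA is immutable) and records which steps are handed secrets such as `SONAR_TOKEN`. The sample workflow, the placeholder SHA and all function names are constructed for illustration; the action names and `SONAR_TOKEN` are the ones named on this page.

```javascript
// Added example, not part of the PR: audit `uses:` references in a workflow.
// Deprecated action -> replacement, as named in the fossabot comment.
const DEPRECATED = new Map([
  ['sonarsource/sonarcloud-github-action', 'SonarSource/sonarqube-scan-action'],
]);

const FULL_SHA = /^[0-9a-f]{40}$/i;
const VERSION_TAG = /^v?\d+(\.\d+){0,2}$/;
const USES_LINE = /^\s*(?:-\s+)?uses:\s*(['"]?)([^'"#\s]+)\1\s*(?:#.*)?$/;
const SECRET_REF = /\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}/g;
const indentOf = (s) => s.length - s.trimStart().length;

// Only a full commit SHA is immutable; tags and branches can be moved upstream.
function classifyRef(ref) {
  if (FULL_SHA.test(ref)) return 'sha';
  if (VERSION_TAG.test(ref)) return 'tag';
  return 'branch';
}

// Return [start, end) line indexes of the step that contains line `idx`.
function stepRange(lines, idx) {
  let start = idx;
  if (!/^\s*-\s/.test(lines[idx])) {
    const keyIndent = indentOf(lines[idx]);
    while (start > 0 &&
           !(/^\s*-\s/.test(lines[start]) && indentOf(lines[start]) < keyIndent)) {
      start--;
    }
  }
  const dash = indentOf(lines[start]);
  let end = idx + 1;
  while (end < lines.length &&
         (lines[end].trim() === '' || indentOf(lines[end]) > dash)) {
    end++;
  }
  return [start, end];
}

// One report entry per external action reference in the workflow text.
function auditWorkflow(text) {
  const lines = text.split(/\r?\n/);
  const report = [];
  lines.forEach((line, idx) => {
    const m = USES_LINE.exec(line);
    if (!m) return;
    const spec = m[2];
    // Local actions and container images are not owner/repo@ref references.
    if (spec.startsWith('./') || spec.startsWith('docker://')) return;
    const at = spec.lastIndexOf('@');
    const action = at === -1 ? spec : spec.slice(0, at);
    const ref = at === -1 ? '' : spec.slice(at + 1);
    const pin = classifyRef(ref);
    const [start, end] = stepRange(lines, idx);
    const stepText = lines.slice(start, end).join('\n');
    const secrets = [...new Set([...stepText.matchAll(SECRET_REF)].map((s) => s[1]))];
    const issues = [];
    if (pin === 'branch') {
      issues.push(secrets.length ? 'branch-ref-with-secrets' : 'branch-ref');
    }
    const repo = action.split('/').slice(0, 2).join('/').toLowerCase();
    if (DEPRECATED.has(repo)) issues.push(`deprecated: use ${DEPRECATED.get(repo)}`);
    report.push({ line: idx + 1, action, ref, pin, secrets, issues });
  });
  return report;
}

// Constructed sample workflow (not the project's real node.js.yml).
const SAMPLE_WORKFLOW = `name: Node.js CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: npm
      - run: npm test
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          SONAR_TOKEN: \${{ secrets.SONAR_TOKEN }}
      - name: Pinned scan (constructed placeholder SHA)
        uses: SonarSource/sonarqube-scan-action@0123456789abcdef0123456789abcdef01234567 # constructed
        env:
          SONAR_TOKEN: \${{ secrets.SONAR_TOKEN }}
`;

console.log(JSON.stringify(auditWorkflow(SAMPLE_WORKFLOW), null, 2));
```

The `@master` step is the one reported as `branch-ref-with-secrets`: whatever commit that branch points to at run time executes with the token in its environment.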


fossabot Bot commented May 7, 2026

fossabot Analysis Paused

App impact analysis skipped — out of credits

Breaking change detection completed but more credits are needed to enable usage detection, impact analysis, fix suggestions, and get your final upgrade determination.

eslint 10.2.0 → 10.3.0

We found 394 breaking changes, 28 security fixes, and 136 deprecations.

  • 2b44966 docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 53e9522 fix: strict removed formatters check (#20241) (ntnyq) (v10.2.0-10.2.1, changelog)
  • 7ab77a2 fix: correct breaking deprecation of FlatConfig type (#19826) (Logicer) (v10.2.0-10.2.1, changelog)
  • c1621b9 docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla) (v10.2.0-10.2.1, changelog)
  • 14be92b fix: model generator yield resumption paths in code path analysis (#20665) (sethamus) (v10.2.0-10.2.1, changelog)
  • 84a19d2 fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx) (v10.2.0-10.2.1, changelog)
  • af764af fix: clarify language and processor validation errors (#20729) (Pixel998) (v10.2.0-10.2.1, changelog)
  • e251b89 fix: update eslint (#20715) (renovate[bot]) (v10.2.0-10.2.1, changelog)
  • e7e1889 chore: remove stale babel-eslint10 fixture and test (#20727) (kuldeep kumar) (v10.2.0-10.2.1, changelog)
  • 71e0469 docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar) (v10.2.0-10.2.1, changelog)
  • 542cb3e fix: update first-party dependencies (#20714) (Francesco Trotta) (v10.2.0-10.2.1, changelog)
  • ff4382b feat: apply fix for no-var in TSModuleBlock (#20638) (Tanuj Kanti) (v10.2.0-10.2.1, changelog)
  • c672a2a test: fix CLI test for empty output file (#20640) (kuldeep kumar) (v10.2.0-10.2.1, changelog)

...and 14332 more in the full analysis


You have no credits left. Reach out to autoupdates@fossa.com and we'll top you up.

Credits are consumed when dependency updates are reviewed or proposed.

Re-run with @fossabot analyze.

Mute out-of-credit notifications until next month (expires 2026-06-01T00:00:00.000Z)


fossabot Bot commented May 7, 2026

Needs Review

I recommend reviewing this upgrade before merging because it introduces a fundamental incompatibility with the project's existing ESLint configuration. ESLint v10 completely removed support for the legacy .eslintrc.* configuration format — which this project relies on exclusively via .eslintrc.js. Without migrating to the new flat config format (eslint.config.js), ESLint will fail to run entirely after this upgrade, breaking the linting step for all developers. Additionally, several rules currently configured in .eslintrc.js (e.g., no-confusing-arrow, no-throw-literal) were deprecated or removed in the v9/v10 cycle. The upgrade does carry significant positive signals — 14 high-severity security vulnerabilities are fixed, including patches for minimatch, ajv, js-yaml, and @​eslint/plugin-kit — but the mandatory migration from eslintrc to flat config must be completed before this upgrade can safely land. CI failures are present but are unrelated to the upgrade itself (invalid SONAR_TOKEN secret and a deprecated CI action), and the full test suite of 58 tests passes successfully.

Tip: Comment @​fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 7 fixable issues in this upgrade.

  • Create a new eslint.config.js flat config file to replace the legacy .eslintrc.js. The new file should: (1) import @eslint/js and use its recommended config instead of extends: 'eslint:recommended', (2) define languageOptions.globals for node, mocha, and es6 environments (using the globals npm package) instead of env blocks, (3) remove the no-confusing-arrow rule (removed in ESLint v10), (4) replace no-throw-literal with no-useless-throw if available or simply remove it, (5) remove the requireConfigFile: false parserOption (Babel-specific, not needed with espree), (6) drop the mongo env reference (not a built-in ESLint environment). Then delete .eslintrc.js. The equivalent flat config structure is:
```js
const js = require('@eslint/js');
const globals = require('globals');

module.exports = [
  js.configs.recommended,
  {
    languageOptions: {
      ecmaVersion: 2018,
      globals: { ...globals.node, ...globals.mocha }
    },
    rules: { /* copy rules from .eslintrc.js minus no-confusing-arrow and no-throw-literal */ }
  }
];
```
    Files: .eslintrc.js, eslint.config.js
  • Install the globals npm package as a devDependency (needed for flat config to define environment globals). Run: npm install --save-dev globals @eslint/js OR manually add "globals": "^16.0.0" and "@eslint/js": "^10.0.0" to devDependencies in package.json and run npm install.
    Run: cd . && npm install --save-dev globals @eslint/js
    Files: package.json
  • In .eslintrc.js (or the new eslint.config.js), remove the no-confusing-arrow rule at line 43. This rule was removed in ESLint v10 and will cause an 'unknown rule' error. Search for no-confusing-arrow in all files and remove or comment out the rule configuration. The inline directive in example.js (/* eslint-disable no-console */) is unaffected and can stay.
    Files: .eslintrc.js
  • In .eslintrc.js (or the new eslint.config.js), remove the no-throw-literal rule at line 48. This rule was deprecated in ESLint v9 and removed in v10. If desired, replace it with the built-in no-useless-throw rule (if available in ESLint v10) or simply remove it. Search for no-throw-literal in all config files.
    Files: .eslintrc.js
  • Add or update the SONAR_TOKEN secret in the GitHub repository settings. Go to Settings → Secrets and variables → Actions, and either create or update the SONAR_TOKEN secret with a valid token generated from SonarCloud (Account → Security → Generate Token). The current secret is missing, empty, or invalid, causing the SonarCloud scan step to fail with 'EXECUTION FAILURE'.
  • In the CI workflow YAML file, replace SonarSource/sonarcloud-github-action@master with SonarSource/sonarqube-scan-action@v5.0.0 (or @v5). Search all .github/workflows/*.yml and .github/workflows/*.yaml files for SonarSource/sonarcloud-github-action and replace with SonarSource/sonarqube-scan-action@v5.0.0. This is a documented drop-in replacement.
    Run: grep -rl 'SonarSource/sonarcloud-github-action' ./.github/workflows/
    Files: .github/workflows/
  • Monitor actions/cache@v4 for a Node.js 24-compatible release (likely v5). GitHub Actions will force Node.js 24 starting June 2, 2026, and remove Node.js 20 on September 16, 2026. When a compatible version is available, update the workflow to use it. Alternatively, set FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true as a workflow environment variable to test compatibility early.
    Files: .github/workflows/

AI Assistant Prompt

# Fix ESLint v10 Upgrade Issues in anyroute.js

I'm upgrading ESLint to v10 in this project. ESLint v10 completely removed support for the legacy `.eslintrc.*` config format, so the project's `.eslintrc.js` must be migrated to the new flat config format (`eslint.config.js`). Several rules were also removed. The test suite (58 tests) passes fine — the issues are all in linting config and CI.

## Task 1: Install required new dependencies

Run:
```bash
npm install --save-dev globals @eslint/js
```

These packages are required for ESLint v10 flat config:
- `globals` — provides environment global variable definitions (replaces `env` blocks)
- `@eslint/js` — provides the `recommended` ruleset (replaces `extends: 'eslint:recommended'`)

## Task 2: Migrate `.eslintrc.js` → `eslint.config.js`

Read the existing `.eslintrc.js` and create a new `eslint.config.js` flat config file. Then delete `.eslintrc.js`.

Key migration rules:

| Old (eslintrc) | New (flat config) |
|---|---|
| `extends: 'eslint:recommended'` | Import `@eslint/js` and spread `js.configs.recommended` in the config array |
| `env: { node: true, mocha: true, es6: true }` | `languageOptions.globals: { ...globals.node, ...globals.mocha }` using the `globals` package. ES6 is handled by `ecmaVersion`. |
| `env: { mongo: true }` | Remove entirely — `mongo` is not a built-in ESLint environment |
| `parserOptions.ecmaVersion` | `languageOptions.ecmaVersion` |
| `parserOptions.requireConfigFile` | Remove — this was Babel-specific and not needed with espree |
| `rules: { 'no-confusing-arrow': ... }` | **Remove entirely** — this rule was removed in ESLint v10 |
| `rules: { 'no-throw-literal': ... }` | **Remove entirely** — this rule was deprecated/removed in v9/v10 |
| All other rules | Copy as-is into the `rules` object |

The new file should look approximately like this:

```js
const js = require('@eslint/js');
const globals = require('globals');

module.exports = [
  js.configs.recommended,
  {
    languageOptions: {
      ecmaVersion: 2018,
      globals: {
        ...globals.node,
        ...globals.mocha,
      },
    },
    rules: {
      // Copy ALL rules from .eslintrc.js EXCEPT:
      //   - no-confusing-arrow (removed in v10)
      //   - no-throw-literal (removed in v10)
      // Keep everything else exactly as-is.
    },
  },
];
```

IMPORTANT: Read `.eslintrc.js` carefully and copy every rule that isn't `no-confusing-arrow` or `no-throw-literal` into the new config, preserving the exact values.

## Task 3: Update CI workflow — replace deprecated SonarCloud action

Search all files in `.github/workflows/` for `SonarSource/sonarcloud-github-action@master` and replace it with:
```
SonarSource/sonarqube-scan-action@v5.0.0
```

This is a documented drop-in replacement. The old action is deprecated.

## Task 4: Verify

After making all changes:
1. Run `npx eslint .` (or whatever the project's lint command is) to verify the new config works
2. Run `npm test` to confirm all 58 tests still pass
3. Check that `.eslintrc.js` has been deleted
4. Check that `eslint.config.js` exists and is valid

## Notes
- The `SONAR_TOKEN` secret is missing/invalid in GitHub repo settings — that's a manual fix I'll handle separately (not a code change)
- The `actions/cache@v4` Node.js 24 deprecation warning is future-dated (Sept 2026) — no action needed now
- The inline `/* eslint-disable no-console */` directive in `example.js` is fine and should NOT be changed
- Do NOT modify any source code files or test files — only config files and CI workflows

What we checked

  • ESLint is declared as "eslint": "^10.0.0" in devDependencies. ESLint v10 fully removed the legacy eslintrc configuration system, making the project's existing .eslintrc.js unreadable by the upgraded binary. [1]
  • The project uses the legacy .eslintrc.js configuration format (module.exports = { ... }). ESLint v10 dropped all eslintrc support — this file will be silently ignored or cause a hard failure. Migration to eslint.config.js (flat config) is required. [2]
  • "extends": "eslint:recommended" uses the legacy eslintrc extends syntax, which is not valid in flat config. The equivalent in flat config is import { defineConfig } from 'eslint' with recommended from @eslint/js. [3]
  • The "mongo" environment is referenced in the env block. This is not a built-in ESLint environment and likely came from a third-party plugin not listed in devDependencies. In flat config this would require explicit plugin registration. [4]
  • no-confusing-arrow rule is configured. This rule was deprecated in ESLint v9 and removed in v10, meaning it will cause an unknown rule error when ESLint runs. [5]
  • no-throw-literal rule is configured. This rule was deprecated in ESLint v9 (replaced by @typescript-eslint/no-throw-literal or the new no-useless-throw) and may generate a deprecation warning or error in v10. [6]
  • requireConfigFile: false is set under parserOptions. This is a Babel-specific parser option that is not recognized by ESLint's default espree parser and will emit an unknown option warning in newer ESLint versions. [7]
  • /* eslint-disable no-console */ inline directive is present and functional. This will continue to work in flat config as inline directives are unchanged across ESLint versions. [8]
  • ESLint's official migration guide for moving from .eslintrc.* to flat config (eslint.config.js). Covers equivalents for env, extends, parserOptions, and all legacy options used in this project's .eslintrc.js. [9]
  • Commit 74794f5 (chore: removed unused eslintrc modules) — confirms that internal eslintrc support code was physically removed from the ESLint package, making the legacy config format permanently unavailable in v10+. [10]
  • Security fix: minimatch updated to 10.2.1 to address high-severity ReDoS vulnerabilities. This is a positive signal — the upgrade resolves, not introduces, these CVEs. [11]
  • Security fix: ajv updated to 6.14.0 to address high-severity security vulnerabilities. Positive signal for the upgrade. [12]

Dependency Usage

eslint is used exclusively as a developer tooling dependency within this project's code quality infrastructure. It is configured via a dedicated .eslintrc.js file that enforces a comprehensive set of style and correctness rules — covering indentation, quoting, semicolons, arrow function usage, and async/await patterns — applied across Node.js, browser, and Jest environments. The example.js file also references an inline eslint-disable directive, confirming active developer engagement with linting during day-to-day development, while package.json lists it as a devDependency with no runtime impact on application functionality.

  • The project uses the legacy .eslintrc.js configuration format (module.exports = { ... }). ESLint v10 dropped all eslintrc support — this file will be silently ignored or cause a hard failure. Migration to eslint.config.js (flat config) is required.
    .eslintrc.js:1
  • "extends": "eslint:recommended" uses the legacy eslintrc extends syntax, which is not valid in flat config. The equivalent in flat config is import { defineConfig } from 'eslint' with recommended from @eslint/js.
    .eslintrc.js:10
  • The "mongo" environment is referenced in the env block. This is not a built-in ESLint environment and likely came from a third-party plugin not listed in devDependencies. In flat config this would require explicit plugin registration.
    .eslintrc.js:8
  • no-confusing-arrow rule is configured. This rule was deprecated in ESLint v9 and removed in v10, meaning it will cause an unknown rule error when ESLint runs.
    .eslintrc.js:43
  • no-throw-literal rule is configured. This rule was deprecated in ESLint v9 (replaced by @typescript-eslint/no-throw-literal or the new no-useless-throw) and may generate a deprecation warning or error in v10.
    .eslintrc.js:48
  • requireConfigFile: false is set under parserOptions. This is a Babel-specific parser option that is not recognized by ESLint's default espree parser and will emit an unknown option warning in newer ESLint versions.
    .eslintrc.js:14
  • /* eslint-disable no-console */ inline directive is present and functional. This will continue to work in flat config as inline directives are unchanged across ESLint versions.
    example.js:1

Changes

eslint was updated with 28 security fixes, including patching vulnerabilities in its bundled minimatch, ajv, js-yaml, and @eslint/plugin-kit dependencies, plus a fix removing a catastrophic backtracking regex vulnerability. This update also carries 394 breaking changes accumulated across multiple major versions, including removal of legacy context methods, dropped support for old Node.js versions, stricter rule validation, removal of the codeframe and table formatters, and significant eslint:recommended ruleset changes — a full review of the migration guides is strongly recommended before merging.

  • 2b44966 docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 53e9522 fix: strict removed formatters check (#20241) (ntnyq) (v10.2.0-10.2.1, changelog)
  • 7ab77a2 fix: correct breaking deprecation of FlatConfig type (#19826) (Logicer) (v10.2.0-10.2.1, changelog)
  • 234d005 fix: minimatch security vulnerability patch for v9.x (#20549) (Andrej Beles) (v10.2.0-10.2.1, changelog)
  • b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538) (루밀LuMir) (v10.2.0-10.2.1, changelog)
  • d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir) (v10.2.0-10.2.1, changelog)
  • a463e7b chore: update dependency js-yaml to v4 [security] (#20319) (renovate[bot]) (v10.2.0-10.2.1, changelog)
  • d498887 fix: bump @eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v10.2.0-10.2.1, changelog)
  • 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v10.2.0-10.2.1, changelog)
  • 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v10.2.0-10.2.1, changelog)
  • 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v10.2.0-10.2.1, changelog)
  • 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v10.2.0-10.2.1, changelog)
  • afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v10.2.0-10.2.1, changelog)
  • d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v10.2.0-10.2.1, changelog)
  • Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v10.2.0-10.2.1, changelog)
  • 234d005 fix: minimatch security vulnerability patch for v9.x (#20549) (Andrej Beles) (v10.2.1-10.3.0, changelog)
  • b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538) (루밀LuMir) (v10.2.1-10.3.0, changelog)
  • d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir) (v10.2.1-10.3.0, changelog)
  • a463e7b chore: update dependency js-yaml to v4 [security] (#20319) (renovate[bot]) (v10.2.1-10.3.0, changelog)
  • d498887 fix: bump @eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v10.2.1-10.3.0, changelog)
  • 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v10.2.1-10.3.0, changelog)
  • 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v10.2.1-10.3.0, changelog)
  • 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v10.2.1-10.3.0, changelog)
  • 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v10.2.1-10.3.0, changelog)
  • 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v10.2.1-10.3.0, changelog)
  • afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v10.2.1-10.3.0, changelog)
  • d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v10.2.1-10.3.0, changelog)
  • f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v10.2.1-10.3.0, changelog)
  • Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v10.2.1-10.3.0, changelog)
  • 5687ce7 fix: correct mismatched removed rules (#19734) (루밀LuMir) (v10.2.0-10.2.1, changelog)
  • 959d360 build: Support updates to previous major versions (#18871) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 113f51e docs: Mention package.json config support dropped (#18305) (Nicholas C. Zakas) (v10.2.0-10.2.1, changelog)
  • 7c78576 docs: Add more removed context methods to migrate to v9 guide (#17951) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 3a877d6 docs: Update removed CLI flags migration (#17939) (Nicholas C. Zakas) (v10.2.0-10.2.1, changelog)
  • 74794f5 chore: removed unused eslintrc modules (#17938) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • fffca5c docs: remove "Open in Playground" buttons for removed rules (#17791) (Francesco Trotta) (v10.2.0-10.2.1, changelog)
  • becfdd3 docs: Make clear when rules are removed (#17728) (Nicholas C. Zakas) (v10.2.0-10.2.1, changelog)
  • ce4f5ff docs: Replace removed related rules with a valid rule (#16800) (Ville Saalo) (v10.2.0-10.2.1, changelog)
  • c9efb5f Fix: preserve formatting when rules are removed from disable directives (#15081) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 7cf96cf Breaking: Disallow reserved words in ES3 (fixes #15017) (#15046) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 305e14a Breaking: remove meta.docs.category in core rules (fixes #13398) (#14594) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 24c9f2a Breaking: Strict package exports (refs #13654) (#14706) (Nicholas C. Zakas) (v10.2.0-10.2.1, changelog)
  • 86d31a4 Breaking: disallow SourceCode#getComments() in RuleTester (refs #14744) (#14769) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 1d2213d Breaking: Fixable disable directives (fixes #11815) (#14617) (Josh Goldberg) (v10.2.0-10.2.1, changelog)
  • 4a7aab7 Breaking: require meta for fixable rules (fixes #13349) (#14634) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • d6a761f Breaking: Require meta.hasSuggestions for rules with suggestions (#14573) (Bryan Mishkin) (v10.2.0-10.2.1, changelog)
  • 6bd747b Breaking: support new regex d flag (fixes #14640) (#14653) (Yosuke Ota) (v10.2.0-10.2.1, changelog)
  • 8b4f3ab Breaking: fix comma-dangle schema (fixes #13739) (#14030) (Joakim Nilsson) (v10.2.0-10.2.1, changelog)
  • b953a4e Breaking: upgrade espree and support new class features (refs #14343) (#14591) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 8cce06c Breaking: add some rules to eslint:recommended (refs #14673) (#14691) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 86bb63b Breaking: Drop codeframe and table formatters (#14316) (Federico Brigante) (v10.2.0-10.2.1, changelog)
  • f3cb320 Breaking: drop node v10/v13/v15 (fixes #14023) (#14592) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 4c841b8 Breaking: allow all directives in line comments (fixes #14575) (#14656) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • c29bd9f Chore: Add breaking/core change link to issue templates (#13344) (Kai Cataldo) (v10.2.0-10.2.1, changelog)
  • 4ef6158 Breaking: espree@7.0.0 (#13270) (Kai Cataldo) (v10.2.0-10.2.1, changelog)
  • 78c8cda Breaking: RuleTester Improvements (refs Update: RuleTester Improvements eslint/rfcs#25) (#12955) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 185982d Breaking: improve plugin resolving (refs New: Plugin Loading Improvement eslint/rfcs#47) (#12922) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 48b122f Breaking: change relative paths with --config (refs New: Changing Base Path of overrides and ignorePatterns eslint/rfcs#37) (#12887) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 0de91f3 Docs: removed correct code from incorrect eg (#13060) (Anix) (v10.2.0-10.2.1, changelog)
  • 4af06fc Breaking: Test with an unknown error property should fail in RuleTester (#12096) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • afa9aac Breaking: class default true computed-property-spacing (fixes #12812) (#12915) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 7d52151 Breaking: classes default true in accessor-pairs (fixes #12811) (#12919) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 78182e4 Breaking: Add new rules to eslint:recommended (fixes #12911) (#12920) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 6423e11 Breaking: check unnamed default export in func-names (fixes #12194) (#12195) (Chiawen Chen) (v10.2.0-10.2.1, changelog)
  • 4293229 Breaking: use-isnan enforceForSwitchCase default true (fixes #12810) (#12913) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • cf38d0d Breaking: change default ignore pattern (refs New: Update Default Ignore Patterns eslint/rfcs#51) (#12888) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • bfe1dc4 Breaking: no-dupe-class-members checks some computed keys (fixes #12808) (#12837) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • 95e0586 Fix: id-blacklist false positives on renamed imports (#12831) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • c2217c0 Breaking: make radix rule stricter (#12608) (fisker Cheung) (v10.2.0-10.2.1, changelog)
  • 1aa021d Breaking: lint overrides files (fixes #10828, refs New: Configuring Additional Lint Targets with .eslintrc eslint/rfcs#20) (#12677) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • b50179d Breaking: Check assignment targets in no-extra-parens (#12490) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • d86a5bb Breaking: Check flatMap in array-callback-return (fixes #12235) (#12765) (Milos Djermanovic) (v10.2.0-10.2.1, changelog)
  • cf46df7 Breaking: description in directive comments (refs New: Description in directive comments eslint/rfcs#33) (#12699) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 7350589 Breaking: some rules recognize bigint literals (fixes #11803) (#12701) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 1118fce Breaking: runtime-deprecation on '~/.eslintrc' (refs Update: Deprecating Personal Config eslint/rfcs#32) (#12678) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 2c28fbb Breaking: drop Node.js 8 support (refs New: Drop supports for Node.js 8.x and 11.x eslint/rfcs#44) (#12700) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 20908a3 Docs: removed '>' prefix from docs/working-with-rules (#11818) (Alok Takshak) (v10.2.0-10.2.1, changelog)
  • 2d32a9e Breaking: stricter rule config validating (fixes #9505) (#11742) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 6ae21a4 Breaking: fix config loading (fixes #11510, fixes #11559, fixes #11586) (#11546) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • adc6585 Docs: update status of breaking changes in migration guide (#11652) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • 0fc8e62 Breaking: eslint:recommended changes (fixes #10768) (#11518) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 20364cc Breaking: make no-redeclare stricter (fixes #11370, fixes #11405) (#11509) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 9e49b56 Breaking: upgrade espree to 6.0.0-alpha.0 (fixes #9687) (#11610) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • ef7801e Breaking: disallow invalid rule defaults in RuleTester (fixes #11473) (#11599) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • 4e7cdca Breaking: comma-dangle enable functions: "never" (fixes #11502) (#11519) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 12f256f Breaking: no-confusing-arrow enable allowParens: true (fixes #11503) (#11520) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • 25cc63d Breaking: simplify config/plugin/parser resolution (fixes #10125) (#11388) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • fd1c91b Breaking: throw an error for invalid global configs (refs #11338) (#11517) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • be83322 Breaking: Remove extra rules from eslint:recommended (fixes #10873) (#11357) (Kevin Partington) (v10.2.0-10.2.1, changelog)
  • 2543f11 Breaking: remove deprecated experimentalObjectRestSpread option (#11420) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • 0fb5fd4 Breaking: interpret rule options as unicode regexes (fixes #11423) (#11516) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • 6e7da57 Breaking: drop Node.js 6 support (fixes #11456) (#11557) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • 258b654 Upgrade: require-uncached renamed to import-fresh (#11066) (薛定谔的猫) (v10.2.0-10.2.1, changelog)
  • d56c39d Fix: ESLint cache no longer stops autofix (fixes #10679) (#10694) (Kevin Partington) (v10.2.0-10.2.1, changelog)
  • 41f0f6e Breaking: report multiline eslint-disable-line directives (fixes #10334) (#10335) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • 09dde26 Breaking: new object-curly-newline/no-self-assign default (fixes #10215) (#10337) (Teddy Katz) (v10.2.0-10.2.1, changelog)
  • 02e44a5 Breaking: remove TDZ scopes (fixes #10245) (#10270) (Toru Nagashima) (v10.2.0-10.2.1, changelog)
  • c74933b Breaking: remove extra check in getScope (fixes #10246, fixes #10247) (#10252) (Toru Nagashima) (v10.2.0-10.2.1, changelog)


References (12)

[1]: ESLint is declared as "eslint": "^10.0.0" in devDependencies. ESLint v10 fully removed the legacy eslintrc configuration system, making the project's existing .eslintrc.js unreadable by the upgraded binary.

"eslint": "^10.0.0",

[2]: The project uses the legacy .eslintrc.js configuration format (module.exports = { ... }). ESLint v10 dropped all eslintrc support — this file will be silently ignored or cause a hard failure. Migration to eslint.config.js (flat config) is required.

module.exports = {

[3]: "extends": "eslint:recommended" uses the legacy eslintrc extends syntax, which is not valid in flat config. The equivalent in flat config is import { defineConfig } from 'eslint' with recommended from @eslint/js.

"extends": "eslint:recommended",

[4]: The "mongo" environment is referenced in the env block. This is not a built-in ESLint environment and likely came from a third-party plugin not listed in devDependencies. In flat config this would require explicit plugin registration.

"mongo": true,

[5]: no-confusing-arrow rule is configured. This rule was deprecated in ESLint v9 and removed in v10, meaning it will cause an unknown rule error when ESLint runs.

"no-confusing-arrow": ["error", { "allowParens": false }],

[6]: no-throw-literal rule is configured. This rule was deprecated in ESLint v9 (replaced by @typescript-eslint/no-throw-literal or the new no-useless-throw) and may generate a deprecation warning or error in v10.

"no-throw-literal": "warn",

[7]: requireConfigFile: false is set under parserOptions. This is a Babel-specific parser option that is not recognized by ESLint's default espree parser and will emit an unknown option warning in newer ESLint versions.

"requireConfigFile": false,

[8]: /* eslint-disable no-console */ inline directive is present and functional. This will continue to work in flat config as inline directives are unchanged across ESLint versions.

/* eslint-disable no-console */

[9]: ESLint's official migration guide for moving from .eslintrc.* to flat config (eslint.config.js). Covers equivalents for env, extends, parserOptions, and all legacy options used in this project's .eslintrc.js. (source link)

[10]: Commit 74794f5 (chore: removed unused eslintrc modules) — confirms that internal eslintrc support code was physically removed from the ESLint package, making the legacy config format permanently unavailable in v10+. (source link)

[11]: Security fix: minimatch updated to 10.2.1 to address high-severity ReDoS vulnerabilities. This is a positive signal — the upgrade resolves, not introduces, these CVEs. (source link)

[12]: Security fix: ajv updated to 6.14.0 to address high-severity security vulnerabilities. Positive signal for the upgrade. (source link)


fossabot analyzed this PR using dependency research. View this analysis on the web

@renovate renovate Bot force-pushed the renovate/eslint-monorepo branch from 8d1b64b to 9c4ae12 Compare May 12, 2026 10:01
@renovate renovate Bot changed the title Update dependency eslint to v10.3.0 Update dependency eslint to v10.4.0 May 15, 2026
@renovate renovate Bot force-pushed the renovate/eslint-monorepo branch from 9c4ae12 to f2f4802 Compare May 15, 2026 16:59