Bump @eslint/js from 9.39.4 to 10.0.1

[dependabot]

Bumps @eslint/js from 9.39.4 to 10.0.1.

Release notes

Sourced from @​eslint/js's releases.

v10.0.1

Bug Fixes

• c87d5bd fix: update eslint (#20531) (renovate[bot])
• d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir)
• 04c2147 fix: update error message for unused suppressions (#20496) (fnx)
• 38b089c fix: update dependency @​eslint/config-array to ^0.23.1 (#20484) (renovate[bot])

Documentation

• 5b3dbce docs: add AI acknowledgement section to templates (#20431) (루밀LuMir)
• 6f23076 docs: toggle nav in no-JS mode (#20476) (Tanuj Kanti)
• b69cfb3 docs: Update README (GitHub Actions Bot)

Chores

• e5c281f chore: updates for v9.39.3 release (Jenkins)
• 8c3832a chore: update @​typescript-eslint/parser to ^8.56.0 (#20514) (Milos Djermanovic)
• 8330d23 test: add tests for config-api (#20493) (Milos Djermanovic)
• 37d6e91 chore: remove eslint v10 prereleases from eslint-config-eslint deps (#20494) (Milos Djermanovic)
• da7cd0e refactor: cleanup error message templates (#20479) (Francesco Trotta)
• 84fb885 chore: package.json update for @​eslint/js release (Jenkins)
• 1f66734 chore: add eslint to peerDependencies of @eslint/js (#20467) (Milos Djermanovic)

v10.0.0

Breaking Changes

• f9e54f4 feat!: estimate rule-tester failure location (#20420) (ST-DDT)
• a176319 feat!: replace chalk with styleText and add color to ResultsMeta (#20227) (루밀LuMir)
• c7046e6 feat!: enable JSX reference tracking (#20152) (Pixel998)
• fa31a60 feat!: add name to configs (#20015) (Kirk Waiblinger)
• 3383e7e fix!: remove deprecated SourceCode methods (#20137) (Pixel998)
• 501abd0 feat!: update dependency minimatch to v10 (#20246) (renovate[bot])
• ca4d3b4 fix!: stricter rule tester assertions for valid test cases (#20125) (唯然)
• 96512a6 fix!: Remove deprecated rule context methods (#20086) (Nicholas C. Zakas)
• c69fdac feat!: remove eslintrc support (#20037) (Francesco Trotta)
• 208b5cc feat!: Use ScopeManager#addGlobals() (#20132) (Milos Djermanovic)
• a2ee188 fix!: add uniqueItems: true in no-invalid-regexp option (#20155) (Tanuj Kanti)
• a89059d feat!: Program range span entire source text (#20133) (Pixel998)
• 39a6424 fix!: assert 'text' is a string across all RuleFixer methods (#20082) (Pixel998)
• f28fbf8 fix!: Deprecate "always" and "as-needed" options of the radix rule (#20223) (Milos Djermanovic)
• aa3fb2b fix!: tighten func-names schema (#20119) (Pixel998)
• f6c0ed0 feat!: report eslint-env comments as errors (#20128) (Francesco Trotta)
• 4bf739f fix!: remove deprecated LintMessage#nodeType and TestCaseError#type (#20096) (Pixel998)
• 523c076 feat!: drop support for jiti < 2.2.0 (#20016) (michael faith)
• 454a292 feat!: update eslint:recommended configuration (#20210) (Pixel998)
• 4f880ee feat!: remove v10_* and inactive unstable_* flags (#20225) (sethamus)
• f18115c feat!: no-shadow-restricted-names report globalThis by default (#20027) (sethamus)
• c6358c3 feat!: Require Node.js ^20.19.0 || ^22.13.0 || >=24 (#20160) (Milos Djermanovic)

Features

• bff9091 feat: handle Array.fromAsync in array-callback-return (#20457) (Francesco Trotta)
• 290c594 feat: add self to no-implied-eval rule (#20468) (sethamus)
• 43677de feat: fix handling of function and class expression names in no-shadow (#20432) (Milos Djermanovic)

... (truncated)

Commits

• 84fb885 chore: package.json update for @​eslint/js release
• 1f66734 chore: add eslint to peerDependencies of @eslint/js (#20467)
• f3fbc2f chore: set @eslint/js version to 10.0.0 to skip releasing it (#20466)
• b4b3127 chore: package.json update for @​eslint/js release
• 0b14059 chore: package.json update for @​eslint/js release
• fa31a60 feat!: add name to configs (#20015)
• 1e2cad5 chore: package.json update for @​eslint/js release
• 454a292 feat!: update eslint:recommended configuration (#20210)
• c6358c3 feat!: Require Node.js ^20.19.0 || ^22.13.0 || >=24 (#20160)
• See full diff in compare view

[fossabot]

[fossabot]

Needs Review

I recommend reviewing this upgrade before merging because it introduces several high-impact breaking changes that directly affect this project's ESLint configuration. Most critically, @​eslint/js v10 has a peer dependency on eslint ^10.0.0, but the project currently pins eslint at ^9.38.0 — this is an officially unsupported pairing that could cause unpredictable linting behavior or runtime errors. Three new rules (no-unassigned-vars, no-useless-assignment, preserve-caught-error) have been added to eslint:recommended, which is loaded via FlatCompat in eslint.config.mjs using js.configs.recommended — meaning these rules will immediately activate and may surface new lint failures across the codebase. Additionally, @​eslint/js v10 requires Node.js ^20.19.0 || ^22.13.0 || >=24, while the project's engines field allows >= 20.16.0, creating a gap where older patch versions of Node 20 would be silently unsupported. The project's .nvmrc is pinned to v20.19.0 (which is compatible), but the engines constraint should be tightened. The upgrade also changes ESLint's config file lookup strategy, which could alter behavior in certain directory layouts. On the positive side, this upgrade bundles multiple high-severity security patches (fixing minimatch, ajv, @​eslint/plugin-kit, and js-yaml vulnerabilities), so upgrading is desirable once the ESLint v9/v10 mismatch is resolved by also upgrading eslint to v10.

Tip: Comment @​fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 5 fixable issues in this upgrade.

• Upgrade eslint from ^9.38.0 to ^10.0.0 in package.json to match the @​eslint/js v10 peer dependency requirement. In package.json, find the line with '"eslint": "^9.38.0"' and change it to '"eslint": "^10.0.0"'. Then run 'npm install' to update the lockfile.
  Run: cd . && sed -i 's/"eslint": "\^9.38.0"/"eslint": "^10.0.0"/' package.json && npm install
  Files: package.json
• Upgrade @​eslint/eslintrc to the latest version compatible with ESLint v10. In package.json, find '"@​eslint/eslintrc": "^3.3.3"' and update it to '"@​eslint/eslintrc": "^4.0.0"' (the ESLint v10 migration guide requires upgrading @​eslint/eslintrc for FlatCompat compatibility). Then run 'npm install'. If ^4.0.0 does not exist, check npm for the latest version with 'npm view @​eslint/eslintrc versions' and use the appropriate major.
  Run: cd . && npm view @​eslint/eslintrc versions --json | tail -5
  Files: package.json
• Update the Node.js engines field in package.json from '>= 20.16.0' to '>= 20.19.0' to match @​eslint/js v10's minimum Node.js requirement of ^20.19.0 || ^22.13.0 || >=24. Search for '"node": ">= 20.16.0"' in package.json and replace with '"node": ">= 20.19.0"'.
  Run: cd . && sed -i 's/"node": ">= 20.16.0"/"node": ">= 20.19.0"/' package.json
  Files: package.json
• Search all source files for variables that are assigned but never read (will be flagged by new no-unassigned-vars rule), useless assignments where the value is overwritten before being read (flagged by no-useless-assignment), and catch clauses that discard the error object (flagged by preserve-caught-error). Run eslint after upgrading to identify all new violations: 'npx eslint . 2>&1 | grep -E "no-unassigned-vars|no-useless-assignment|preserve-caught-error"'. Fix each violation, OR if the rules are too noisy, explicitly disable them in eslint.config.mjs by adding rule overrides: { rules: { 'no-unassigned-vars': 'off', 'no-useless-assignment': 'off', 'preserve-caught-error': 'off' } }.
  Run: cd . && npx eslint . 2>&1 | grep -E 'no-unassigned-vars|no-useless-assignment|preserve-caught-error' || echo 'No violations found for new rules'
  Files: eslint.config.mjs
• After upgrading eslint to v10, check if any eslint plugins used in the project need corresponding major version bumps for eslint v10 compatibility. Run 'npm ls eslint-plugin-* @​typescript-eslint/*' to list all eslint plugins and their versions, then check each for v10 compatibility. Common ones that need upgrading: @​typescript-eslint/eslint-plugin and @​typescript-eslint/parser may need updates.
  Run: cd . && cat package.json | grep -E '(eslint-plugin|@​typescript-eslint|eslint-config)' && npm ls --depth=0 2>&1 | grep -i eslint
  Files: package.json

AI Assistant Prompt

Copy prompt for AI assistant

Help me fix breaking changes from upgrading `@​eslint/js` to v10 in the `fossa-action` repository (PR #280). All CI checks currently pass, but the dependency graph is inconsistent and will cause issues. Here's what needs to be done, in priority order:

## Context
`@​eslint/js` was upgraded to v10 (primarily for 16 security fixes), but `eslint` itself is still on v9. `@​eslint/js` v10 has a peer dependency on `eslint ^10.0.0`, so these must be upgraded together. The project uses `FlatCompat` from `@​eslint/eslintrc` in `eslint.config.mjs` to load `js.configs.recommended`.

---

## Fix 1: Upgrade `eslint` to v10 (CRITICAL)
In `package.json`, change:
```
"eslint": "^9.38.0"
```
to:
```
"eslint": "^10.0.0"
```
**Why:** `@​eslint/js` v10 requires `eslint ^10.0.0` as a peer dependency. Mixing v10 config with v9 runtime is unsupported.

## Fix 2: Upgrade `@​eslint/eslintrc` for FlatCompat compatibility
In `package.json`, change:
```
"@​eslint/eslintrc": "^3.3.3"
```
to:
```
"@​eslint/eslintrc": "^4.0.0"
```
If `^4.0.0` doesn't exist yet, run `npm view @​eslint/eslintrc versions` and use the latest compatible version. **Why:** ESLint v10 migration guide requires upgrading `@​eslint/eslintrc` for `FlatCompat` to work correctly.

## Fix 3: Tighten Node.js `engines` field
In `package.json`, change:
```
"node": ">= 20.16.0"
```
to:
```
"node": ">= 20.19.0"
```
**Why:** `@​eslint/js` v10 requires `^20.19.0 || ^22.13.0 || >=24`. The current range allows Node 20.16.0–20.18.x which is unsupported. The `.nvmrc` already pins `v20.19.0`, so this just aligns the constraint.

## Fix 4: Check ESLint plugin compatibility
After the above changes, run:
```bash
npm ls eslint-plugin-* @​typescript-eslint/*
```
Check if any listed plugins need major version bumps for ESLint v10 compatibility. Common ones that may need updating:
- `@​typescript-eslint/eslint-plugin`
- `@​typescript-eslint/parser`
- Any other `eslint-plugin-*` packages

Update their versions in `package.json` as needed.

## Fix 5: Run `npm install` and regenerate lockfile
```bash
npm install
```

## Fix 6: Handle new `eslint:recommended` rules
`@​eslint/js` v10 adds three new rules to `eslint:recommended` that will activate automatically via `FlatCompat`:
- `no-unassigned-vars` — flags variables assigned but never read
- `no-useless-assignment` — flags assignments overwritten before being read  
- `preserve-caught-error` — flags catch clauses that discard the error

Run ESLint to check for new violations:
```bash
npx eslint . 2>&1 | grep -E "no-unassigned-vars|no-useless-assignment|preserve-caught-error"
```

If there are violations, either:

**Option A (preferred):** Fix each violation in the source code.

**Option B:** Disable the rules in `eslint.config.mjs` by adding a rule override object to the config array:
```js
{
  rules: {
    'no-unassigned-vars': 'off',
    'no-useless-assignment': 'off',
    'preserve-caught-error': 'off',
  }
}
```

## Fix 7: Verify everything works
```bash
npx eslint .
npm test
```

---

**Files to modify:**
- `package.json` (fixes 1–4)
- `package-lock.json` (regenerated by `npm install`)
- `eslint.config.mjs` (only if disabling new rules in fix 6)
- Various source files (only if fixing lint violations from fix 6)

Please apply these changes in order and stop to report if any step fails.

What we checked

• @​eslint/js is declared as ^10.0.1 (v10) while eslint on line 26 is ^9.38.0 (v9). @​eslint/js v10 carries a peer dependency on eslint ^10.0.0. Mixing @​eslint/js v10 with ESLint v9 is an unsupported pairing per the official migration guide and may cause runtime linting failures. ^[1]
• eslint is pinned to ^9.38.0, but @​eslint/js v10's peer dependency requires eslint ^10.0.0. Both packages must be upgraded together to ensure a supported configuration. ^[2]
• FlatCompat is constructed with recommendedConfig: js.configs.recommended. In @​eslint/js v10, this recommended config now includes three new error-level rules: no-unassigned-vars, no-useless-assignment, and preserve-caught-error. These rules will become active for all files linted via compat.extends('eslint:recommended') on line 22, potentially triggering new lint errors across the codebase. ^[3]
• FlatCompat is imported from @​eslint/eslintrc (declared as ^3.3.3 in package.json). The ESLint v10 migration guide requires upgrading @​eslint/eslintrc to the latest version when using FlatCompat with v10, to ensure compatibility with the name property re-added to core configs. Verify ^3.3.3 satisfies this requirement. ^[4]
• The engines field specifies >= 20.16.0, which permits Node.js versions 20.16.0–20.18.x that do not satisfy @​eslint/js v10's minimum requirement of ^20.19.0 || ^22.13.0 || >=24. While .nvmrc and CI are pinned to v20.19.0 (compatible), the engines constraint should be tightened to prevent accidental use on unsupported Node.js versions. ^[5]
• .nvmrc pins the runtime to v20.19.0, which satisfies @​eslint/js v10's Node.js requirement of ^20.19.0. The local development environment is compatible, but the broader engines constraint in package.json does not reflect this lower bound. ^[6]
• Official ESLint v10 migration guide confirms: (1) eslint:recommended now includes no-unassigned-vars, no-useless-assignment, and preserve-caught-error at error level; (2) config file lookup now starts from the linted file's directory rather than cwd, which could affect projects with non-root config files; (3) multiple deprecated context/SourceCode methods were removed; (4) FlatCompat users must upgrade @​eslint/eslintrc to the latest version. ^[7]
• ESLint v10.0.0 release announcement confirms complete removal of the legacy .eslintrc config system (not directly impactful since the project uses flat config), new built-in type definitions from Espree v11.1.0 and ESLint Scope v9.1.0 that may affect TypeScript consumers, and that ESLINT_USE_FLAT_CONFIG is no longer honored. ^[8]
• Multiple high-severity security vulnerabilities are fixed by this upgrade, including patches for minimatch (PRISMA-2022-0039 and a later patch via #20549), ajv updated to 6.14.0, @​eslint/plugin-kit bumped to 0.3.4, and js-yaml upgraded to v4. These security fixes are a strong positive signal supporting the upgrade, once the ESLint v9/v10 mismatch is resolved. ^[9]

Dependency Usage

@​eslint/js is used exclusively within the project's developer tooling layer, with its sole runtime reference in eslint.config.mjs where it provides the recommended JavaScript linting ruleset for the entire codebase. It is declared as a direct development dependency in package.json and pulled transitively via eslint as well, confirming it underpins the project's static code analysis pipeline. This dependency does not touch any application business logic; instead, it enforces code quality standards across the team, reducing bugs and maintaining consistent coding conventions during development.

• FlatCompat is constructed with recommendedConfig: js.configs.recommended. In @​eslint/js v10, this recommended config now includes three new error-level rules: no-unassigned-vars, no-useless-assignment, and preserve-caught-error. These rules will become active for all files linted via compat.extends('eslint:recommended') on line 22, potentially triggering new lint errors across the codebase.
  eslint.config.mjs:17
• FlatCompat is imported from @​eslint/eslintrc (declared as ^3.3.3 in package.json). The ESLint v10 migration guide requires upgrading @​eslint/eslintrc to the latest version when using FlatCompat with v10, to ensure compatibility with the name property re-added to core configs. Verify ^3.3.3 satisfies this requirement.
  eslint.config.mjs:11

View 1 more usage

• .nvmrc pins the runtime to v20.19.0, which satisfies @​eslint/js v10's Node.js requirement of ^20.19.0. The local development environment is compatible, but the broader engines constraint in package.json does not reflect this lower bound.
  .nvmrc:1

Less Important Usages (1)

These usages were analyzed but no breaking changes were detected:

@​eslint/js

• eslint.config.mjs:10

Changes

@​eslint/js was updated with 16 security fixes, patching vulnerabilities in minimatch, ajv, lodash, js-yaml, and @​eslint/plugin-kit. This patch-level update also carries a large backlog of historical breaking changes in the changelog (including eslint:recommended rule set changes, removed context methods, dropped legacy config formats, and stricter RuleTester validation) that accumulated across many prior major versions — these do not represent new breaking changes introduced by this update.

• 7ab77a2 fix: correct breaking deprecation of FlatConfig type (#19826) (Logicer) (v9.39.3-9.39.4, changelog)
• 5687ce7 fix: correct mismatched removed rules (#19734) (루밀LuMir) (v9.39.3-9.39.4, changelog)
• 959d360 build: Support updates to previous major versions (#18871) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)

View 7404 more changes

• 234d005 fix: minimatch security vulnerability patch for v9.x (#20549) (Andrej Beles) (v9.39.3-9.39.4, changelog)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538) (루밀LuMir) (v9.39.3-9.39.4, changelog)
• d498887 fix: bump @​eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v9.39.3-9.39.4, changelog)
• 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v9.39.3-9.39.4, changelog)
• 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v9.39.3-9.39.4, changelog)
• 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v9.39.3-9.39.4, changelog)
• 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v9.39.3-9.39.4, changelog)
• afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v9.39.3-9.39.4, changelog)
• d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v9.39.3-9.39.4, changelog)
• Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v9.39.3-9.39.4, changelog)
• 113f51e docs: Mention package.json config support dropped (#18305) (Nicholas C. Zakas) (v9.39.3-9.39.4, changelog)
• 7c78576 docs: Add more removed context methods to migrate to v9 guide (#17951) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• 3a877d6 docs: Update removed CLI flags migration (#17939) (Nicholas C. Zakas) (v9.39.3-9.39.4, changelog)
• 74794f5 chore: removed unused eslintrc modules (#17938) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• fffca5c docs: remove "Open in Playground" buttons for removed rules (#17791) (Francesco Trotta) (v9.39.3-9.39.4, changelog)
• becfdd3 docs: Make clear when rules are removed (#17728) (Nicholas C. Zakas) (v9.39.3-9.39.4, changelog)
• ce4f5ff docs: Replace removed related rules with a valid rule (#16800) (Ville Saalo) (v9.39.3-9.39.4, changelog)
• c9efb5f Fix: preserve formatting when rules are removed from disable directives (#15081) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• 7cf96cf Breaking: Disallow reserved words in ES3 (fixes #15017) (#15046) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• 305e14a Breaking: remove meta.docs.category in core rules (fixes #13398) (#14594) (薛定谔的猫) (v9.39.3-9.39.4, changelog)
• 24c9f2a Breaking: Strict package exports (refs #13654) (#14706) (Nicholas C. Zakas) (v9.39.3-9.39.4, changelog)
• 86d31a4 Breaking: disallow SourceCode#getComments() in RuleTester (refs #14744) (#14769) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• 1d2213d Breaking: Fixable disable directives (fixes #11815) (#14617) (Josh Goldberg) (v9.39.3-9.39.4, changelog)
• 4a7aab7 Breaking: require meta for fixable rules (fixes #13349) (#14634) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• d6a761f Breaking: Require meta.hasSuggestions for rules with suggestions (#14573) (Bryan Mishkin) (v9.39.3-9.39.4, changelog)
• 6bd747b Breaking: support new regex d flag (fixes #14640) (#14653) (Yosuke Ota) (v9.39.3-9.39.4, changelog)
• 8b4f3ab Breaking: fix comma-dangle schema (fixes #13739) (#14030) (Joakim Nilsson) (v9.39.3-9.39.4, changelog)
• b953a4e Breaking: upgrade espree and support new class features (refs #14343) (#14591) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• 8cce06c Breaking: add some rules to eslint:recommended (refs #14673) (#14691) (薛定谔的猫) (v9.39.3-9.39.4, changelog)
• 86bb63b Breaking: Drop codeframe and table formatters (#14316) (Federico Brigante) (v9.39.3-9.39.4, changelog)
• f3cb320 Breaking: drop node v10/v13/v15 (fixes #14023) (#14592) (薛定谔的猫) (v9.39.3-9.39.4, changelog)
• 4c841b8 Breaking: allow all directives in line comments (fixes #14575) (#14656) (薛定谔的猫) (v9.39.3-9.39.4, changelog)
• c29bd9f Chore: Add breaking/core change link to issue templates (#13344) (Kai Cataldo) (v9.39.3-9.39.4, changelog)
• 4ef6158 Breaking: espree@​7.0.0 (#13270) (Kai Cataldo) (v9.39.3-9.39.4, changelog)
• 78c8cda Breaking: RuleTester Improvements (refs Update: RuleTester Improvements eslint/rfcs#25) (#12955) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• 185982d Breaking: improve plugin resolving (refs New: Plugin Loading Improvement eslint/rfcs#47) (#12922) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• 48b122f Breaking: change relative paths with --config (refs New: Changing Base Path of overrides and ignorePatterns eslint/rfcs#37) (#12887) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• 0de91f3 Docs: removed correct code from incorrect eg (#13060) (Anix) (v9.39.3-9.39.4, changelog)
• 4af06fc Breaking: Test with an unknown error property should fail in RuleTester (#12096) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• afa9aac Breaking: class default true computed-property-spacing (fixes #12812) (#12915) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• 7d52151 Breaking: classes default true in accessor-pairs (fixes #12811) (#12919) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• 78182e4 Breaking: Add new rules to eslint:recommended (fixes #12911) (#12920) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• 6423e11 Breaking: check unnamed default export in func-names (fixes #12194) (#12195) (Chiawen Chen) (v9.39.3-9.39.4, changelog)
• 4293229 Breaking: use-isnan enforceForSwitchCase default true (fixes #12810) (#12913) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• cf38d0d Breaking: change default ignore pattern (refs New: Update Default Ignore Patterns eslint/rfcs#51) (#12888) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• bfe1dc4 Breaking: no-dupe-class-members checks some computed keys (fixes #12808) (#12837) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• 95e0586 Fix: id-blacklist false positives on renamed imports (#12831) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• c2217c0 Breaking: make radix rule stricter (#12608) (fisker Cheung) (v9.39.3-9.39.4, changelog)
• 1aa021d Breaking: lint overrides files (fixes #10828, refs New: Configuring Additional Lint Targets with .eslintrc eslint/rfcs#20) (#12677) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• b50179d Breaking: Check assignment targets in no-extra-parens (#12490) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• d86a5bb Breaking: Check flatMap in array-callback-return (fixes #12235) (#12765) (Milos Djermanovic) (v9.39.3-9.39.4, changelog)
• cf46df7 Breaking: description in directive comments (refs New: Description in directive comments eslint/rfcs#33) (#12699) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• 7350589 Breaking: some rules recognize bigint literals (fixes #11803) (#12701) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• 1118fce Breaking: runtime-deprecation on '~/.eslintrc' (refs Update: Deprecating Personal Config eslint/rfcs#32) (#12678) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• 2c28fbb Breaking: drop Node.js 8 support (refs New: Drop supports for Node.js 8.x and 11.x eslint/rfcs#44) (#12700) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• 20908a3 Docs: removed '>' prefix from docs/working-with-rules (#11818) (Alok Takshak) (v9.39.3-9.39.4, changelog)
• 2d32a9e Breaking: stricter rule config validating (fixes #9505) (#11742) (薛定谔的猫) (v9.39.3-9.39.4, changelog)
• 6ae21a4 Breaking: fix config loading (fixes #11510, fixes #11559, fixes #11586) (#11546) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• adc6585 Docs: update status of breaking changes in migration guide (#11652) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• 0fc8e62 Breaking: eslint:recommended changes (fixes #10768) (#11518) (薛定谔的猫) (v9.39.3-9.39.4, changelog)
• 20364cc Breaking: make no-redeclare stricter (fixes #11370, fixes #11405) (#11509) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• 9e49b56 Breaking: upgrade espree to 6.0.0-alpha.0 (fixes #9687) (#11610) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• ef7801e Breaking: disallow invalid rule defaults in RuleTester (fixes #11473) (#11599) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• 4e7cdca Breaking: comma-dangle enable functions: "never" (fixes #11502) (#11519) (薛定谔的猫) (v9.39.3-9.39.4, changelog)
• 12f256f Breaking: no-confusing-arrow enable allowParens: true (fixes #11503) (#11520) (薛定谔的猫) (v9.39.3-9.39.4, changelog)
• 25cc63d Breaking: simplify config/plugin/parser resolution (fixes #10125) (#11388) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• fd1c91b Breaking: throw an error for invalid global configs (refs #11338) (#11517) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• be83322 Breaking: Remove extra rules from eslint:recommended (fixes #10873) (#11357) (Kevin Partington) (v9.39.3-9.39.4, changelog)
• 2543f11 Breaking: remove deprecated experimentalObjectRestSpread option (#11420) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• 0fb5fd4 Breaking: interpret rule options as unicode regexes (fixes #11423) (#11516) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• 6e7da57 Breaking: drop Node.js 6 support (fixes #11456) (#11557) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• 258b654 Upgrade: require-uncached renamed to import-fresh (#11066) (薛定谔的猫) (v9.39.3-9.39.4, changelog)
• d56c39d Fix: ESLint cache no longer stops autofix (fixes #10679) (#10694) (Kevin Partington) (v9.39.3-9.39.4, changelog)
• 41f0f6e Breaking: report multiline eslint-disable-line directives (fixes #10334) (#10335) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• 09dde26 Breaking: new object-curly-newline/no-self-assign default (fixes #10215) (#10337) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• 02e44a5 Breaking: remove TDZ scopes (fixes #10245) (#10270) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• c74933b Breaking: remove extra check in getScope (fixes #10246, fixes #10247) (#10252) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• 8b7c6ea Breaking: report fatal error for linting nonexistent files (fixes #7390) (#10143) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• 9100819 Breaking: fix plugin resolver in extends (fixes #9904) (#10236) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• c45f1d0 Breaking: add rules to recommended (fixes #8865) (#10158) (薛定谔的猫) (v9.39.3-9.39.4, changelog)
• b2a48a9 Breaking: stop using fake context._linter property (fixes #10140) (#10209) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• a039956 Breaking: remove deprecated browser/jest/node globals (fixes #10141) (#10210) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• 2324570 Breaking: no-unused-vars reports all after-used params (fixes #9909) (#10119) (Kevin Partington) (v9.39.3-9.39.4, changelog)
• b77846d Breaking: drop supporting Node.js 4 (fixes #10052) (#10074) (薛定谔的猫) (v9.39.3-9.39.4, changelog)
• f4b3af5 Breaking: Upgrade to Espree v4 alpha (refs #9990) (#10152) (Brandon Mills) (v9.39.3-9.39.4, changelog)
• d440e84 Breaking: support @​scope shorthand in plugins (fixes #9903) (#9905) (Toru Nagashima) (v9.39.3-9.39.4, changelog)
• a9ee9ae Breaking: require rules to provide report messages (fixes #10011) (#10057) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• c383bc5 Breaking: Make require('eslint').linter non-enumerable (fixes #9270) (#9692) (Jed Fox) (v9.39.3-9.39.4, changelog)
• 4eaebe5 Breaking: set parent of AST nodes before rules run (fixes #9122) (#10014) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• 91ece32 Breaking: remove special exception for linting empty files (fixes #9534) (#10013) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• 27e3f24 Breaking: remove source property from linting messages (fixes #7358) (#10012) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• e4c3b3c Breaking: use an exit code of 2 for fatal config problems (fixes #9384) (#10009) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• 2a7ecaa Breaking: Use strict equality in RuleTester comparisons (fixes #9417) (#10008) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• 1bbac51 Fix: avoid breaking eslint-plugin-eslint-comments (fixes #9193) (#9196) (Teddy Katz) (v9.39.3-9.39.4, changelog)
• f00854e Fix: --quiet no longer fixes warnings (fixes #8675) (#8858) (Kevin Partington) (v9.39.3-9.39.4, changelog)

View 7307 more changes in the full analysis

References (9)

[1]: @​eslint/js is declared as ^10.0.1 (v10) while eslint on line 26 is ^9.38.0 (v9). @​eslint/js v10 carries a peer dependency on eslint ^10.0.0. Mixing @​eslint/js v10 with ESLint v9 is an unsupported pairing per the official migration guide and may cause runtime linting failures.

fossa-action/package.json

Line 21 in 5631eae

"@eslint/js": "^10.0.1",

[2]: eslint is pinned to ^9.38.0, but @​eslint/js v10's peer dependency requires eslint ^10.0.0. Both packages must be upgraded together to ensure a supported configuration.

fossa-action/package.json

Line 26 in 5631eae

"eslint": "^9.38.0",

[3]: FlatCompat is constructed with recommendedConfig: js.configs.recommended. In @​eslint/js v10, this recommended config now includes three new error-level rules: no-unassigned-vars, no-useless-assignment, and preserve-caught-error. These rules will become active for all files linted via compat.extends('eslint:recommended') on line 22, potentially triggering new lint errors across the codebase.

fossa-action/eslint.config.mjs

Line 17 in 5631eae

recommendedConfig: js.configs.recommended,

[4]: FlatCompat is imported from @​eslint/eslintrc (declared as ^3.3.3 in package.json). The ESLint v10 migration guide requires upgrading @​eslint/eslintrc to the latest version when using FlatCompat with v10, to ensure compatibility with the name property re-added to core configs. Verify ^3.3.3 satisfies this requirement.

fossa-action/eslint.config.mjs

Line 11 in 5631eae

import { FlatCompat } from "@eslint/eslintrc";

[5]: The engines field specifies >= 20.16.0, which permits Node.js versions 20.16.0–20.18.x that do not satisfy @​eslint/js v10's minimum requirement of ^20.19.0 || ^22.13.0 || >=24. While .nvmrc and CI are pinned to v20.19.0 (compatible), the engines constraint should be tightened to prevent accidental use on unsupported Node.js versions.

fossa-action/package.json

Line 11 in 5631eae

"node": ">= 20.16.0"

[6]: .nvmrc pins the runtime to v20.19.0, which satisfies @​eslint/js v10's Node.js requirement of ^20.19.0. The local development environment is compatible, but the broader engines constraint in package.json does not reflect this lower bound.

fossa-action/.nvmrc

Line 1 in 5631eae

v20.19.0

[7]: Official ESLint v10 migration guide confirms: (1) eslint:recommended now includes no-unassigned-vars, no-useless-assignment, and preserve-caught-error at error level; (2) config file lookup now starts from the linted file's directory rather than cwd, which could affect projects with non-root config files; (3) multiple deprecated context/SourceCode methods were removed; (4) FlatCompat users must upgrade @​eslint/eslintrc to the latest version. (source link)

[8]: ESLint v10.0.0 release announcement confirms complete removal of the legacy .eslintrc config system (not directly impactful since the project uses flat config), new built-in type definitions from Espree v11.1.0 and ESLint Scope v9.1.0 that may affect TypeScript consumers, and that ESLINT_USE_FLAT_CONFIG is no longer honored. (source link)

[9]: Multiple high-severity security vulnerabilities are fixed by this upgrade, including patches for minimatch (PRISMA-2022-0039 and a later patch via #20549), ajv updated to 6.14.0, @​eslint/plugin-kit bumped to 0.3.4, and js-yaml upgraded to v4. These security fixes are a strong positive signal supporting the upgrade, once the ESLint v9/v10 mismatch is resolved. (source link)

---

fossabot analyzed this PR using static analysis and dependency research. View this analysis on the web

[spatten]

Closing this — @eslint/js v10 has a peer dependency on eslint ^10.0.0, so
bumping it alone creates an unsupported split (v10 configs with a v9 runtime).
CI passes only because the peer dep is marked optional, but the lockfile ends
up with two copies of @eslint/js (v9 for eslint internals, v10 for our
config).

The security fixes mentioned by fossabot (minimatch, ajv, plugin-kit, js-yaml)
were backported to v9.39.x and are already in our dependency tree — this PR
doesn't add any incremental security value.

We'll do the eslint 9→10 upgrade as a coordinated effort that includes eslint,
@eslint/js, @eslint/eslintrc, and plugin compatibility checks.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.