Bump eslint from 9.39.4 to 10.1.0

[dependabot]

Bumps eslint from 9.39.4 to 10.1.0.

Release notes

Sourced from eslint's releases.

v10.1.0

Features

• ff4382b feat: apply fix for no-var in TSModuleBlock (#20638) (Tanuj Kanti)
• 0916995 feat: Implement api support for bulk-suppressions (#20565) (Blake Sager)

Bug Fixes

• 2b8824e fix: Prevent no-var autofix when a variable is used before declaration (#20464) (Amaresh S M)
• e58b4bf fix: update eslint (#20597) (renovate[bot])

Documentation

• b7b57fe docs: use correct JSDoc link in require-jsdoc.md (#20641) (mkemna-clb)
• 58e4cfc docs: add deprecation notice partial (#20639) (Milos Djermanovic)
• 7143dbf docs: update v9 migration guide for @eslint/js usage (#20540) (fnx)
• 035fc4f docs: note that globalReturn applies only with sourceType: "script" (#20630) (Milos Djermanovic)
• e972c88 docs: merge ESLint option descriptions into type definitions (#20608) (Francesco Trotta)
• 7f10d84 docs: Update README (GitHub Actions Bot)
• aeed007 docs: open playground link in new tab (#20602) (Tanuj Kanti)
• a0d1a37 docs: Add AI Usage Policy (#20510) (Nicholas C. Zakas)

Chores

• a9f9cce chore: update dependency eslint-plugin-unicorn to ^63.0.0 (#20584) (Milos Djermanovic)
• 1f42bd7 chore: update prettier to 3.8.1 (#20651) (루밀LuMir)
• c0a6f4a chore: update dependency @​eslint/json to ^1.2.0 (#20652) (renovate[bot])
• cc43f79 chore: update dependency c8 to v11 (#20650) (renovate[bot])
• 2ce4635 chore: update dependency @​eslint/json to v1 (#20649) (renovate[bot])
• f0406ee chore: update dependency markdownlint-cli2 to ^0.21.0 (#20646) (renovate[bot])
• dbb4c95 chore: remove trunk (#20478) (sethamus)
• c672a2a test: fix CLI test for empty output file (#20640) (kuldeep kumar)
• c7ada24 ci: bump pnpm/action-setup from 4.3.0 to 4.4.0 (#20636) (dependabot[bot])
• 07c4b8b test: fix RuleTester test without test runners (#20631) (Francesco Trotta)
• 079bba7 test: Add tests for isValidWithUnicodeFlag (#20601) (Manish chaudhary)
• 5885ae6 ci: unpin Node.js 25.x in CI (#20615) (Copilot)
• f65e5d3 chore: update pnpm/action-setup digest to b906aff (#20610) (renovate[bot])

v10.0.3

Bug Fixes

• e511b58 fix: update eslint (#20595) (renovate[bot])
• f4c9cf9 fix: include variable name in no-useless-assignment message (#20581) (sethamus)
• ee9ff31 fix: update dependency minimatch to ^10.2.4 (#20562) (Milos Djermanovic)

Documentation

• 9fc31b0 docs: Update README (GitHub Actions Bot)
• 4efaa36 docs: add info box for eslint-plugin-eslint-comments (#20570) (DesselBane)
• 23b2759 docs: add v10 migration guide link to Use docs index (#20577) (Pixel998)
• 80259a9 docs: Remove deprecated eslintrc documentation files (#20472) (Copilot)
• 9b9b4ba docs: fix typo in no-await-in-loop documentation (#20575) (Pixel998)
• e7d72a7 docs: document TypeScript 5.3 minimum supported version (#20547) (sethamus)

Chores

• ef8fb92 chore: package.json update for eslint-config-eslint release (Jenkins)

... (truncated)

Commits

• 8351ec7 10.1.0
• 3270bc1 Build: changelog update for 10.1.0
• a9f9cce chore: update dependency eslint-plugin-unicorn to ^63.0.0 (#20584)
• 1f42bd7 chore: update prettier to 3.8.1 (#20651)
• c0a6f4a chore: update dependency @​eslint/json to ^1.2.0 (#20652)
• cc43f79 chore: update dependency c8 to v11 (#20650)
• 2ce4635 chore: update dependency @​eslint/json to v1 (#20649)
• f0406ee chore: update dependency markdownlint-cli2 to ^0.21.0 (#20646)
• dbb4c95 chore: remove trunk (#20478)
• ff4382b feat: apply fix for no-var in TSModuleBlock (#20638)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[fossabot]

[fossabot]

Needs Review

I recommend reviewing this upgrade before merging because two CI jobs are failing in GitHub Actions due to the fossa-action step being unable to download FOSSA CLI 3.15.0 from its download URL — after which the version-check step (./fossa/fossa --version | grep '3.15.0') also fails. These failures are unrelated to the ESLint upgrade itself, but they are blocking pipeline jobs that must be resolved before merge. On the ESLint side, the upgrade carries substantial positive signals: the project already uses flat config (eslint.config.mjs) with defineConfig/globalIgnores, no legacy .eslintrc.* files exist, no /* eslint-env */ comments are present, and the project runs Node.js 24 which fully satisfies the updated engine requirement. All 18 security findings are vulnerabilities fixed by this upgrade (patching ajv, minimatch, js-yaml, and lodash sub-dependencies), not introduced by it. One version alignment concern exists: @​eslint/js is pinned at ^9.39.1 while eslint is at ^10.1.0 — this potential major-version mismatch for the recommended config baseline should be verified. Additionally, three new rules (no-unassigned-vars, no-useless-assignment, preserve-caught-error) are now enabled in eslint:recommended which could surface new lint errors in the TypeScript source.

Tip: Comment @​fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 3 fixable issues in this upgrade.

• Update the pinned FOSSA CLI version from '3.15.0' to '3.16.6' in the test workflow, and update the corresponding grep pattern. In '.github/workflows/test.yml', find 'pinned-cli-version: 3.15.0' and replace with 'pinned-cli-version: 3.16.6', then find "grep '3.15.0'" and replace with "grep '3.16.6'".
  Run: sed -i "s/pinned-cli-version: 3.15.0/pinned-cli-version: 3.16.6/g" .github/workflows/test.yml && sed -i "s/grep '3.15.0'/grep '3.16.6'/g" .github/workflows/test.yml
  Files: .github/workflows/test.yml
• Upgrade @​eslint/js from ^9.39.1 to ^10.1.0 to align with eslint v10. In 'package.json', find '"@​eslint/js": "^9.39.1"' and replace with '"@​eslint/js": "^10.1.0"'. Then run 'yarn install' to update the lockfile.
  Run: sed -i 's/"@​eslint\/js": "\^9.39.1"/"@​eslint\/js": "^10.1.0"/' package.json && yarn install
  Files: package.json
• Run ESLint on the codebase to check for new lint errors from the three rules added to eslint:recommended in v10 (no-unassigned-vars, no-useless-assignment, preserve-caught-error). Run 'npx eslint src/' and fix any errors. If errors are found that cannot be auto-fixed, search for: (1) variables assigned but never read (no-unassigned-vars), (2) variables assigned then immediately reassigned or overwritten before being read (no-useless-assignment), (3) catch clauses that discard or ignore the caught error (preserve-caught-error). Either fix the code or add targeted eslint-disable comments.
  Run: npx eslint src/ --fix
  Files: src/index.ts

AI Assistant Prompt

Copy prompt for AI assistant

# Fix ESLint v10 Upgrade & CI Failures in fossa-action (PR #286)

This PR upgrades `eslint` to v10. The upgrade itself is sound (flat config already in use, Node.js 24 compatible, 18 security vulns fixed), but three issues need resolving before merge.

---

## Fix 1: Update pinned FOSSA CLI version in CI workflow

**Problem:** The `fossa-scan` CI job fails because FOSSA CLI `3.15.0` is no longer available for download. The runner has `3.16.6` cached, but the pinned version and grep check still reference `3.15.0`.

**File:** `.github/workflows/test.yml`

**Changes:**
1. Find `pinned-cli-version: 3.15.0` and replace with `pinned-cli-version: 3.16.6`
2. Find `grep '3.15.0'` and replace with `grep '3.16.6'`

This is a straightforward text replacement — two occurrences to update.

---

## Fix 2: Align @​eslint/js major version with eslint v10

**Problem:** `@​eslint/js` is pinned at `^9.39.1` while `eslint` is now at `^10.1.0`. These should share the same major version for compatible recommended config and APIs.

**File:** `package.json`

**Changes:**
1. Find `"@​eslint/js": "^9.39.1"` and replace with `"@​eslint/js": "^10.1.0"`
2. Run `yarn install` to update the lockfile

---

## Fix 3: Check and fix new eslint:recommended rule violations

**Problem:** ESLint v10 adds three new rules to `eslint:recommended` that may flag existing code:
- `no-unassigned-vars` — variables assigned but never read
- `no-useless-assignment` — variables assigned then immediately overwritten before being read
- `preserve-caught-error` — catch clauses that discard the caught error

**Steps:**
1. Run `npx eslint src/` to identify any new errors
2. Run `npx eslint src/ --fix` to auto-fix what's possible
3. For remaining errors, either:
   - Fix the code directly (preferred), OR
   - Add targeted `// eslint-disable-next-line <rule-name>` comments with a brief justification

**Primary file to check:** `src/index.ts` (has existing eslint-disable comments for naming conventions)

---

## Important Context
- The project uses flat config (`eslint.config.mjs`) with `defineConfig`/`globalIgnores` — no migration needed
- No legacy `.eslintrc.*` files or `/* eslint-env */` comments exist
- Plugin ecosystem: `@​typescript-eslint`, `eslint-config-airbnb-base`, `eslint-plugin-import`, `eslint-plugin-standard`
- The CI failures (Fix 1) are unrelated to the ESLint upgrade but block the pipeline

Please apply these three fixes in order. After each fix, briefly confirm what was changed.

What we checked

• The failing CI step uses pinned-cli-version: 3.15.0. FOSSA CLI 3.15.0 fails to download, causing a fallback to 3.16.6 from cache, and the subsequent grep '3.15.0' version check at line 123 exits with code 1. This failure is entirely unrelated to the ESLint upgrade. ^[1]
• Post-download version check ./fossa/fossa --version | grep '3.15.0' fails because the 3.15.0 binary was never placed at ./fossa/fossa — only the cached 3.16.6 fallback is available. Fixing the root download failure or updating the pinned version to 3.16.6 will resolve both CI failures. ^[2]
• eslint is declared as "eslint": "^10.1.0" in devDependencies, confirming this is a developer-only tooling dependency with no impact on runtime behavior or end-user functionality. ^[3]
• @​eslint/js is pinned at "^9.39.1" while eslint is at "^10.1.0". This is a major-version mismatch — @​eslint/js is typically expected to align with the major version of eslint. The eslint.config.mjs uses js.configs.recommended from this package via FlatCompat, so a version mismatch could produce unexpected behavior or stale rule definitions. ^[4]
• The engines field specifies "node": ">= 24.0.0", and .nvmrc confirms v24.14.1 is used. ESLint v10 requires ^20.19.0, ^22.13.0, or >=24 — Node.js 24 is fully compatible, so no runtime version incompatibility exists. ^[5]
• The config file already uses the flat config format (defineConfig, globalIgnores imported from eslint/config). ESLint v10's mandatory removal of legacy .eslintrc config format does not affect this project — no .eslintrc.* files were found anywhere in the repository. ^[6]
• The config extends "eslint:recommended" via FlatCompat. ESLint v10 adds three new rules to this ruleset: no-unassigned-vars, no-useless-assignment, and preserve-caught-error. These new rules may flag existing code in src/index.ts and related files, causing the yarn lint CI step to fail. ^[7]
• Existing // eslint-disable-next-line @​typescript-eslint/naming-convention suppression is valid and will continue to work normally — it is not affected by any v10 breaking changes. No eslint-env comments are present in the codebase. ^[8]
• Official ESLint v10 migration guide confirms: flat config is mandatory (already satisfied), eslint-env comments now error (none found), three new rules added to eslint:recommended, and deprecated context methods removed. None of the removed APIs are used in this project's source code. ^[9]
• ESLint v10 release post confirms Node.js >=24 is a supported version and that FlatESLint/LegacyESLint exports from /use-at-your-own-risk are removed. Neither of these exports is referenced in this project's eslint.config.mjs or source files. ^[10]

Dependency Usage

eslint serves exclusively as a developer tooling dependency, centralized in eslint.config.mjs and invoked via the lint script in package.json. It enforces code quality across the TypeScript codebase using a rich plugin ecosystem — including @​typescript-eslint, eslint-config-airbnb-base, eslint-plugin-import, and eslint-plugin-standard — with inline // eslint-disable-next-line suppressions applied selectively in src/index.ts for naming convention exceptions. This dependency has no impact on runtime application behavior or end-user functionality; its sole business value is maintaining consistent, standards-compliant code quality during development and CI workflows.

• The failing CI step uses pinned-cli-version: 3.15.0. FOSSA CLI 3.15.0 fails to download, causing a fallback to 3.16.6 from cache, and the subsequent grep '3.15.0' version check at line 123 exits with code 1. This failure is entirely unrelated to the ESLint upgrade.
  .github/workflows/test.yml:119
• Post-download version check ./fossa/fossa --version | grep '3.15.0' fails because the 3.15.0 binary was never placed at ./fossa/fossa — only the cached 3.16.6 fallback is available. Fixing the root download failure or updating the pinned version to 3.16.6 will resolve both CI failures.
  .github/workflows/test.yml:123

View 3 more usages

• The config file already uses the flat config format (defineConfig, globalIgnores imported from eslint/config). ESLint v10's mandatory removal of legacy .eslintrc config format does not affect this project — no .eslintrc.* files were found anywhere in the repository.
  eslint.config.mjs:1
• The config extends "eslint:recommended" via FlatCompat. ESLint v10 adds three new rules to this ruleset: no-unassigned-vars, no-useless-assignment, and preserve-caught-error. These new rules may flag existing code in src/index.ts and related files, causing the yarn lint CI step to fail.
  eslint.config.mjs:22
• Existing // eslint-disable-next-line @​typescript-eslint/naming-convention suppression is valid and will continue to work normally — it is not affected by any v10 breaking changes. No eslint-env comments are present in the codebase.
  src/index.ts:74

Changes

eslint was updated, bundling security fixes for its transitive dependencies ajv, minimatch, js-yaml, lodash, and @​eslint/plugin-kit, along with a fix removing a catastrophic backtracking regex vulnerability. This update also carries a large volume of accumulated breaking changes, including removal of deprecated context methods, dropped support for legacy config formats (including package.json config and ~/.eslintrc), removed formatters (codeframe, table), stricter RuleTester validation, removal of meta.docs.category from core rules, and multiple eslint:recommended ruleset updates that may trigger new lint errors.

• 53e9522 fix: strict removed formatters check (#20241) (ntnyq) (v10.0.1-10.0.2, changelog)
• 7ab77a2 fix: correct breaking deprecation of FlatConfig type (#19826) (Logicer) (v10.0.1-10.0.2, changelog)
• 5687ce7 fix: correct mismatched removed rules (#19734) (루밀LuMir) (v10.0.1-10.0.2, changelog)

View 22242 more changes

• 2b72361 fix: update ajv to 6.14.0 to address security vulnerabilities (#20537) (루밀LuMir) (v10.0.1-10.0.2, changelog)
• d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir) (v10.0.1-10.0.2, changelog)
• a463e7b chore: update dependency js-yaml to v4 [security] (#20319) (renovate[bot]) (v10.0.1-10.0.2, changelog)
• d498887 fix: bump @​eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v10.0.1-10.0.2, changelog)
• 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v10.0.1-10.0.2, changelog)
• 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v10.0.1-10.0.2, changelog)
• 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v10.0.1-10.0.2, changelog)
• 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v10.0.1-10.0.2, changelog)
• afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v10.0.1-10.0.2, changelog)
• d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v10.0.1-10.0.2, changelog)
• f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v10.0.1-10.0.2, changelog)
• Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v10.0.1-10.0.2, changelog)
• 234d005 fix: minimatch security vulnerability patch for v9.x (#20549) (Andrej Beles) (v10.0.2-10.0.3, changelog)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538) (루밀LuMir) (v10.0.2-10.0.3, changelog)
• d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir) (v10.0.2-10.0.3, changelog)
• a463e7b chore: update dependency js-yaml to v4 [security] (#20319) (renovate[bot]) (v10.0.2-10.0.3, changelog)
• d498887 fix: bump @​eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v10.0.2-10.0.3, changelog)
• 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v10.0.2-10.0.3, changelog)
• 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v10.0.2-10.0.3, changelog)
• 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v10.0.2-10.0.3, changelog)
• 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v10.0.2-10.0.3, changelog)
• 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v10.0.2-10.0.3, changelog)
• afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v10.0.2-10.0.3, changelog)
• d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v10.0.2-10.0.3, changelog)
• f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v10.0.2-10.0.3, changelog)
• Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v10.0.2-10.0.3, changelog)
• 234d005 fix: minimatch security vulnerability patch for v9.x (#20549) (Andrej Beles) (v10.0.3-10.1.0, changelog)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538) (루밀LuMir) (v10.0.3-10.1.0, changelog)
• d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir) (v10.0.3-10.1.0, changelog)
• a463e7b chore: update dependency js-yaml to v4 [security] (#20319) (renovate[bot]) (v10.0.3-10.1.0, changelog)
• d498887 fix: bump @​eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic) (v10.0.3-10.1.0, changelog)
• 50a8efd docs: report a sec vulnerability page (#16808) (Ben Perlmutter) (v10.0.3-10.1.0, changelog)
• 8167aa7 chore: bump version of minimatch due to security issue PRISMA-2022-0039 (#15774) (Jan Opravil) (v10.0.3-10.1.0, changelog)
• 9250d16 Upgrade: Bump lodash to fix security issue (#13993) (Frederik Prijck) (v10.0.3-10.1.0, changelog)
• 0f1f5ed Docs: Add security policy link to README (#13403) (Nicholas C. Zakas) (v10.0.3-10.1.0, changelog)
• 3396c3e Upgrade: karma@^4.0.1, drops Node 6 support, fixes vulnerability (#11570) (Kevin Partington) (v10.0.3-10.1.0, changelog)
• afe3d25 Upgrade: Bump js-yaml dependency to fix Denial of Service vulnerability (#11550) (Vernon de Goede) (v10.0.3-10.1.0, changelog)
• d3f3994 Docs: add information about reporting security issues (#10889) (Teddy Katz) (v10.0.3-10.1.0, changelog)
• f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis) (v10.0.3-10.1.0, changelog)
• Upgrade: Handlebars to >= 4.0.5 for security reasons (fixes #4642) (Jacques Favreau) (v10.0.3-10.1.0, changelog)
• 959d360 build: Support updates to previous major versions (#18871) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• 113f51e docs: Mention package.json config support dropped (#18305) (Nicholas C. Zakas) (v10.0.1-10.0.2, changelog)
• 7c78576 docs: Add more removed context methods to migrate to v9 guide (#17951) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• 3a877d6 docs: Update removed CLI flags migration (#17939) (Nicholas C. Zakas) (v10.0.1-10.0.2, changelog)
• 74794f5 chore: removed unused eslintrc modules (#17938) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• fffca5c docs: remove "Open in Playground" buttons for removed rules (#17791) (Francesco Trotta) (v10.0.1-10.0.2, changelog)
• becfdd3 docs: Make clear when rules are removed (#17728) (Nicholas C. Zakas) (v10.0.1-10.0.2, changelog)
• ce4f5ff docs: Replace removed related rules with a valid rule (#16800) (Ville Saalo) (v10.0.1-10.0.2, changelog)
• c9efb5f Fix: preserve formatting when rules are removed from disable directives (#15081) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• 7cf96cf Breaking: Disallow reserved words in ES3 (fixes #15017) (#15046) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• 305e14a Breaking: remove meta.docs.category in core rules (fixes #13398) (#14594) (薛定谔的猫) (v10.0.1-10.0.2, changelog)
• 24c9f2a Breaking: Strict package exports (refs #13654) (#14706) (Nicholas C. Zakas) (v10.0.1-10.0.2, changelog)
• 86d31a4 Breaking: disallow SourceCode#getComments() in RuleTester (refs #14744) (#14769) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• 1d2213d Breaking: Fixable disable directives (fixes #11815) (#14617) (Josh Goldberg) (v10.0.1-10.0.2, changelog)
• 4a7aab7 Breaking: require meta for fixable rules (fixes #13349) (#14634) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• d6a761f Breaking: Require meta.hasSuggestions for rules with suggestions (#14573) (Bryan Mishkin) (v10.0.1-10.0.2, changelog)
• 6bd747b Breaking: support new regex d flag (fixes #14640) (#14653) (Yosuke Ota) (v10.0.1-10.0.2, changelog)
• 8b4f3ab Breaking: fix comma-dangle schema (fixes #13739) (#14030) (Joakim Nilsson) (v10.0.1-10.0.2, changelog)
• b953a4e Breaking: upgrade espree and support new class features (refs #14343) (#14591) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
• 8cce06c Breaking: add some rules to eslint:recommended (refs #14673) (#14691) (薛定谔的猫) (v10.0.1-10.0.2, changelog)
• 86bb63b Breaking: Drop codeframe and table formatters (#14316) (Federico Brigante) (v10.0.1-10.0.2, changelog)
• f3cb320 Breaking: drop node v10/v13/v15 (fixes #14023) (#14592) (薛定谔的猫) (v10.0.1-10.0.2, changelog)
• 4c841b8 Breaking: allow all directives in line comments (fixes #14575) (#14656) (薛定谔的猫) (v10.0.1-10.0.2, changelog)
• c29bd9f Chore: Add breaking/core change link to issue templates (#13344) (Kai Cataldo) (v10.0.1-10.0.2, changelog)
• 4ef6158 Breaking: espree@​7.0.0 (#13270) (Kai Cataldo) (v10.0.1-10.0.2, changelog)
• 78c8cda Breaking: RuleTester Improvements (refs Update: RuleTester Improvements eslint/rfcs#25) (#12955) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• 185982d Breaking: improve plugin resolving (refs New: Plugin Loading Improvement eslint/rfcs#47) (#12922) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
• 48b122f Breaking: change relative paths with --config (refs New: Changing Base Path of overrides and ignorePatterns eslint/rfcs#37) (#12887) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
• 0de91f3 Docs: removed correct code from incorrect eg (#13060) (Anix) (v10.0.1-10.0.2, changelog)
• 4af06fc Breaking: Test with an unknown error property should fail in RuleTester (#12096) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• afa9aac Breaking: class default true computed-property-spacing (fixes #12812) (#12915) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• 7d52151 Breaking: classes default true in accessor-pairs (fixes #12811) (#12919) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• 78182e4 Breaking: Add new rules to eslint:recommended (fixes #12911) (#12920) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• 6423e11 Breaking: check unnamed default export in func-names (fixes #12194) (#12195) (Chiawen Chen) (v10.0.1-10.0.2, changelog)
• 4293229 Breaking: use-isnan enforceForSwitchCase default true (fixes #12810) (#12913) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• cf38d0d Breaking: change default ignore pattern (refs New: Update Default Ignore Patterns eslint/rfcs#51) (#12888) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
• bfe1dc4 Breaking: no-dupe-class-members checks some computed keys (fixes #12808) (#12837) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• 95e0586 Fix: id-blacklist false positives on renamed imports (#12831) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• c2217c0 Breaking: make radix rule stricter (#12608) (fisker Cheung) (v10.0.1-10.0.2, changelog)
• 1aa021d Breaking: lint overrides files (fixes #10828, refs New: Configuring Additional Lint Targets with .eslintrc eslint/rfcs#20) (#12677) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
• b50179d Breaking: Check assignment targets in no-extra-parens (#12490) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• d86a5bb Breaking: Check flatMap in array-callback-return (fixes #12235) (#12765) (Milos Djermanovic) (v10.0.1-10.0.2, changelog)
• cf46df7 Breaking: description in directive comments (refs New: Description in directive comments eslint/rfcs#33) (#12699) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
• 7350589 Breaking: some rules recognize bigint literals (fixes #11803) (#12701) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
• 1118fce Breaking: runtime-deprecation on '~/.eslintrc' (refs Update: Deprecating Personal Config eslint/rfcs#32) (#12678) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
• 2c28fbb Breaking: drop Node.js 8 support (refs New: Drop supports for Node.js 8.x and 11.x eslint/rfcs#44) (#12700) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
• 20908a3 Docs: removed '>' prefix from docs/working-with-rules (#11818) (Alok Takshak) (v10.0.1-10.0.2, changelog)
• 2d32a9e Breaking: stricter rule config validating (fixes #9505) (#11742) (薛定谔的猫) (v10.0.1-10.0.2, changelog)
• 6ae21a4 Breaking: fix config loading (fixes #11510, fixes #11559, fixes #11586) (#11546) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
• adc6585 Docs: update status of breaking changes in migration guide (#11652) (Teddy Katz) (v10.0.1-10.0.2, changelog)
• 0fc8e62 Breaking: eslint:recommended changes (fixes #10768) (#11518) (薛定谔的猫) (v10.0.1-10.0.2, changelog)
• 20364cc Breaking: make no-redeclare stricter (fixes #11370, fixes #11405) (#11509) (Toru Nagashima) (v10.0.1-10.0.2, changelog)
• 9e49b56 Breaking: upgrade espree to 6.0.0-alpha.0 (fixes #9687) (#11610) (Teddy Katz) (v10.0.1-10.0.2, changelog)
• ef7801e Breaking: disallow invalid rule defaults in RuleTester (fixes #11473) (#11599) (Teddy Katz) (v10.0.1-10.0.2, changelog)
• 4e7cdca Breaking: comma-dangle enable functions: "never" (fixes #11502) (#11519) (薛定谔的猫) (v10.0.1-10.0.2, changelog)
• 12f256f Breaking: no-confusing-arrow enable allowParens: true (fixes #11503) (#11520) (薛定谔的猫) (v10.0.1-10.0.2, changelog)

View 22145 more changes in the full analysis

References (10)

[1]: The failing CI step uses pinned-cli-version: 3.15.0. FOSSA CLI 3.15.0 fails to download, causing a fallback to 3.16.6 from cache, and the subsequent grep '3.15.0' version check at line 123 exits with code 1. This failure is entirely unrelated to the ESLint upgrade.

fossa-action/.github/workflows/test.yml

Line 119 in 54ecc80

pinned-cli-version: 3.15.0

[2]: Post-download version check ./fossa/fossa --version | grep '3.15.0' fails because the 3.15.0 binary was never placed at ./fossa/fossa — only the cached 3.16.6 fallback is available. Fixing the root download failure or updating the pinned version to 3.16.6 will resolve both CI failures.

fossa-action/.github/workflows/test.yml

Line 123 in 54ecc80

./fossa/fossa --version | grep '3.15.0'

[3]: eslint is declared as "eslint": "^10.1.0" in devDependencies, confirming this is a developer-only tooling dependency with no impact on runtime behavior or end-user functionality.

fossa-action/package.json

Line 27 in 54ecc80

"eslint": "^10.1.0",

[4]: @​eslint/js is pinned at "^9.39.1" while eslint is at "^10.1.0". This is a major-version mismatch — @​eslint/js is typically expected to align with the major version of eslint. The eslint.config.mjs uses js.configs.recommended from this package via FlatCompat, so a version mismatch could produce unexpected behavior or stale rule definitions.

fossa-action/package.json

Line 22 in 54ecc80

"@eslint/js": "^9.39.1",

[5]: The engines field specifies "node": ">= 24.0.0", and .nvmrc confirms v24.14.1 is used. ESLint v10 requires ^20.19.0, ^22.13.0, or >=24 — Node.js 24 is fully compatible, so no runtime version incompatibility exists.

fossa-action/package.json

Line 12 in 54ecc80

"node": ">= 24.0.0"

[6]: The config file already uses the flat config format (defineConfig, globalIgnores imported from eslint/config). ESLint v10's mandatory removal of legacy .eslintrc config format does not affect this project — no .eslintrc.* files were found anywhere in the repository.

fossa-action/eslint.config.mjs

Line 1 in 54ecc80

import { defineConfig, globalIgnores } from "eslint/config";

[7]: The config extends "eslint:recommended" via FlatCompat. ESLint v10 adds three new rules to this ruleset: no-unassigned-vars, no-useless-assignment, and preserve-caught-error. These new rules may flag existing code in src/index.ts and related files, causing the yarn lint CI step to fail.

fossa-action/eslint.config.mjs

Line 22 in 54ecc80

extends: fixupConfigRules(compat.extends(

[8]: Existing // eslint-disable-next-line @​typescript-eslint/naming-convention suppression is valid and will continue to work normally — it is not affected by any v10 breaking changes. No eslint-env comments are present in the codebase.

fossa-action/src/index.ts

Line 74 in 54ecc80

// eslint-disable-next-line @typescript-eslint/naming-convention

[9]: Official ESLint v10 migration guide confirms: flat config is mandatory (already satisfied), eslint-env comments now error (none found), three new rules added to eslint:recommended, and deprecated context methods removed. None of the removed APIs are used in this project's source code. (source link)

[10]: ESLint v10 release post confirms Node.js >=24 is a supported version and that FlatESLint/LegacyESLint exports from /use-at-your-own-risk are removed. Neither of these exports is referenced in this project's eslint.config.mjs or source files. (source link)

---

fossabot analyzed this PR using static analysis and dependency research. View this analysis on the web

[spatten]

Closing in favor of #284

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.