🚨 [security] Update eslint 9.0.0 → 9.15.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ eslint (9.0.0 → 9.15.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​eslint/eslintrc (indirect, 3.0.2 → 3.2.0) · Repo · Changelog

Release Notes

3.2.0

3.2.0 (2024-11-14)

Features

• merge rule.meta.defaultOptions before validation (#166) (d02f914)

3.1.0

3.1.0 (2024-05-17)

Features

• Expose loadConfigFile() function (#160) (59e890f)

Chores

• run tests in Node.js 22 (#154) (5e526f2)
• update dependency shelljs to ^0.8.5 (#156) (903b887)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

• chore: release 3.2.0 (#174)
• feat: merge rule.meta.defaultOptions before validation (#166)
• docs: add `compat.extends` example with plugin config (#173)
• ci: run tests in Node.js 23 (#170)
• ci: reduce list of releasable tags to `feat`, `fix` and `perf` (#161)
• chore: release 3.1.0 (#155)
• feat: Expose loadConfigFile() function (#160)
• chore: update dependency shelljs to ^0.8.5 (#156)
• ci: run tests in Node.js 22 (#154)

↗️ @​types/estree (indirect, 1.0.1 → 1.0.6) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ acorn (indirect, 8.11.3 → 8.14.0) · Repo

Commits

See the full diff on Github. The new version differs by 36 commits:

• Mark version 8.14.0
• Add missing unicode properties
• Add support for ES2025 RegExp Modifiers
• Add support for ES2025 Import Attributes
• Mark version 8.13.0
• Remove unused eslint-plugin-promise package
• Add Unicode v16 support
• Fix whitelist, unsupported features
• Bump test262
• Mark acorn-walk version 8.3.4
• Walk SwitchCase nodes as separate nodes in the base walker for SwitchStatement
• Mark version 8.12.1
• Don't use an /s regexp
• Simplify imports
• Bump actions/setup-node v4
• Bump test262
• Mark acorn-walk version 8.3.3
• Mark version 8.12.0
• Specify a direct dependency on acorn in acorn-walk
• Add VariableDeclarator to AnyNode type
• Actually initialize branchID in RegExpValidationState constuctor
• refactor to remove unnecessary code
• Add 2025 to ecmaVersion type
• Allow duplicate regexp capture group names in different branches
• Fix parsing of an "async of" edge case in for loop (#1286)
• Properly handle line breaks when looking for directives (#1283)
• Mark Parser constructor as protected so plugins can extend it
• Fix minor ParenthesizedExpression-related issues (#1277)
• Fix minor line terminator/line number tracking issues
• Properly account for crlf line breaks in readInvalidTemplateToken
• Properly tack line numbers in readInvalidTemplateToken
• Add missing changelog entry
• Mark acorn-walk 8.3.2
• Delete trailing whitespace
• Export type for findNodeBefore
• Adjust package.json

↗️ cross-spawn (indirect, 7.0.3 → 7.0.6) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service (ReDoS) in cross-spawn

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Release Notes

7.0.6 (from changelog)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (from changelog)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (from changelog)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

• chore(release): 7.0.6
• chore: upgrade standard-version
• fix: update cross-spawn version to 7.0.5 in package-lock.json
• chore: fix build status badge
• chore(release): 7.0.5
• fix: fix escaping bug introduced by backtracking
• chore: remove codecov
• chore: replace travis with github workflows
• chore(release): 7.0.4
• fix: disable regexp backtracking (#160)
• chore: fix tests in recent node js versions
• chore: convert package lock
• chore: remove unused argument (#156)
• chore: add travis jobs on ppc64le (#142)
• chore: fix audit warning

↗️ debug (indirect, 4.3.4 → 4.3.7) · Repo · Changelog

Release Notes

4.3.7

What's Changed

• Upgrade ms to version 2.1.3 by @realityking in #819

Full Changelog: 4.3.6...4.3.7

4.3.6

What's Changed

• Avoid using deprecated RegExp.$1 by @bluwy in #969

New Contributors

• @bluwy made their first contribution in #969

Full Changelog: 4.3.5...4.3.6

4.3.5

Patch

• cac39b1 Fix/debug depth (#926)

Thank you @calvintwr for the fix.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• 4.3.7
• Upgrade ms to version 2.1.3 (#819)
• remove archaic badges from readme
• 4.3.6
• Avoid using deprecated RegExp.$1
• 4.3.5
• update authorship contact info
• Fix/debug depth (#926)
• remove .github folder (and the outdated issue templates)
• Update ISSUE_TEMPLATE.md
• Update ISSUE_TEMPLATE.md

↗️ eslint-scope (indirect, 8.0.1 → 8.2.0) · Repo · Changelog

Release Notes

8.0.2

8.0.2 (2024-07-08)

Bug Fixes

• Definition#name in catch patterns should be Identifier node (#127) (8082caa)

Does any of this look wrong? Please let us know.

↗️ eslint-visitor-keys (indirect, 4.0.0 → 4.2.0) · Repo · Changelog

↗️ espree (indirect, 10.0.1 → 10.3.0) · Repo · Changelog

Release Notes

10.3.0 (from changelog)

Features

• add support for Import Attributes and RegExp Modifiers (#639) (2fd4222)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • eslint-visitor-keys bumped from ^4.1.0 to ^4.2.0

10.2.0 (from changelog)

Features

• add the eslint-scope package (#615) (2ecfb8b)

Bug Fixes

• Update dependencies to avoid build failure (#631) (e8cd107)
• update links to eslint/js repo (#619) (956389a)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • eslint-visitor-keys bumped from ^4.0.0 to ^4.1.0

10.1.0

10.1.0 (2024-06-17)

Features

• Support ES2025 and RegExp duplicate named capturing groups (#608) (3059713)

Does any of this look wrong? Please let us know.

↗️ ignore (indirect, 5.3.1 → 5.3.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 7 commits:

• 5.3.2: fixes #130, fixes consequent escaped backslashes
• Merge pull request #128 from kaelzhang/dependabot/npm_and_yarn/rimraf-6.0.1
• dependabot.yml: ignore eslint
• Bump rimraf from 5.0.9 to 6.0.1
• dependabot: ignore tap
• Merge pull request #110 from kaelzhang/dependabot/npm_and_yarn/tmp-0.2.3
• Bump tmp from 0.2.1 to 0.2.3

↗️ ms (indirect, 2.1.2 → 2.1.3) · Repo

Release Notes

2.1.3

Patches

• Rename zeit to vercel: #151
• Bump eslint from 4.12.1 to 4.18.2: #122
• Add prettier as a dev dependency: #135 #153
• Use GitHub Actions CI: #154

Credits

Huge thanks to @getsnoopy for helping!

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

• 2.1.3
• Use GitHub Actions CI (#154)
• Run prettier 2.x (#153)
• Add prettier as a dev dependency (#135)
• Rename zeit to vercel (#151)
• Bump eslint from 4.12.1 to 4.18.2 (#122)

🆕 @​eslint/config-array (added, 0.19.0)

🆕 @​eslint/core (added, 0.9.0)

🆕 @​eslint/object-schema (added, 2.1.4)

🆕 @​eslint/plugin-kit (added, 0.2.3)

🆕 @​humanfs/core (added, 0.19.1)

🆕 @​humanfs/node (added, 0.16.6)

🆕 @​humanwhocodes/retry (added, 0.3.1)

🆕 @​humanwhocodes/retry (added, 0.4.1)

🆕 @​types/json-schema (added, 7.0.15)

🆕 @​eslint/js (added, 9.15.0)

🗑️ @​humanwhocodes/config-array (removed)

🗑️ @​humanwhocodes/object-schema (removed)

🗑️ ansi-regex (removed)

🗑️ graphemer (removed)

🗑️ is-path-inside (removed)

🗑️ strip-ansi (removed)

🗑️ text-table (removed)

🗑️ @​eslint/js (removed)

🗑️ @​eslint/js (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #435.