[Snyk] Security upgrade eslint from 8.57.1 to 10.0.0

[mnk-blr]

Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

• package.json

⚠️ Warning

Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AJV-15274295	157

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[mnk-blr]

⛔ Snyk checks have failed. 18 issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (18)
⛔	Open Source Security	2	16	0	0	18 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[claude]

Critical compatibility issue: ESLint 10.0.0 requires @typescript-eslint v8.x or later, but this project uses v5.59.5. This combination will cause runtime errors and break the linting pipeline.

You'll need to also upgrade:

• @typescript-eslint/eslint-plugin from ^5.59.5 to ^8.0.0
• @typescript-eslint/parser from ^5.59.5 to ^8.0.0

This is a breaking change that requires testing of the entire ESLint configuration.

[claude]

Lock file inconsistency: The PR mentions "Failed to update pnpm-lock.yaml" but this project uses package-lock.json (npm), not pnpm. After merging, you must run npm install to update the lock file, otherwise the dependency resolution will be incomplete.

[claude]

Code Review Summary

Status: ⚠️ NOT READY TO MERGE

This Snyk security upgrade to ESLint 10.0.0 addresses vulnerability SNYK-JS-AJV-15274295 (ReDoS with severity score 157), but introduces critical compatibility issues that will break the build.

🚨 Blocking Issues

1. @typescript-eslint Incompatibility: ESLint 10.x requires @typescript-eslint v8+, but this project uses v5.59.5. This will cause runtime errors.

2. Lock File Mismatch: The PR mentions failing to update "pnpm-lock.yaml" but this project uses npm with package-lock.json.

🛠️ Required Actions Before Merge

1. Upgrade TypeScript ESLint packages:

   "@typescript-eslint/eslint-plugin": "^8.0.0",
   "@typescript-eslint/parser": "^8.0.0"

2. Test ESLint configuration - The upgrade to @typescript-eslint v8 may introduce breaking changes to rule configurations.

3. Update lock file - Run npm install after the dependency changes to properly update package-lock.json.

4. Verify CI pipeline - Test that npm run lint and npm run ci still work after the upgrades.

✅ Positive Aspects

• Important security fix for a high-severity ReDoS vulnerability
• Test suite is isolated and won't be affected by ESLint changes
• Documentation is accurate and doesn't need updates for this change
• Core functionality unaffected - this is purely a dev dependency upgrade

💡 Recommendation

Consider upgrading this as a coordinated change that includes all necessary dependency updates, or investigate if the AJV vulnerability can be mitigated through other means that don't require breaking the ESLint setup.