Skip to content

[Snyk] Security upgrade eslint from 8.42.0 to 9.1.0#214

Open
mnk-blr wants to merge 1 commit into
mainfrom
snyk-fix-4c83f7c7649a05aa3a6ee3e978ca16db
Open

[Snyk] Security upgrade eslint from 8.42.0 to 9.1.0#214
mnk-blr wants to merge 1 commit into
mainfrom
snyk-fix-4c83f7c7649a05aa3a6ee3e978ca16db

Conversation

@mnk-blr

@mnk-blr mnk-blr commented Feb 28, 2026

Copy link
Copy Markdown

snyk-top-banner

Snyk has created this PR to fix 2 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • playground/app/package.json
⚠️ Warning 
Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Inefficient Algorithmic Complexity
SNYK-JS-MINIMATCH-15353389		   170  
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-AJV-15274295		   155  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

@github-actions

github-actions Bot commented Feb 28, 2026

Copy link
Copy Markdown

File Coverage
All files 88%
src/main/custom-chart-context.ts 86%
src/main/logger.ts 88%
src/main/post-message-event-bridge.ts 77%
src/react/use-custom-chart-context.tsx 86%
src/react/mocks/custom-chart-context-mock.ts 96%
src/utils/chart-config.ts 82%
src/utils/date-formatting.ts 82%
src/utils/formatting-util.ts 89%
src/utils/conditional-formatting/conditional-formatting.ts 92%
src/utils/globalize-Initializer/globalize-utils.ts 95%
src/utils/number-formatting/number-formatting-utils.ts 98%
src/utils/number-formatting/number-formatting.ts 90%

Minimum allowed coverage is 0%

Generated by 🐒 cobertura-action against 58553f7

claude[bot]
claude Bot reviewed Feb 28, 2026
View reviewed changes
Comment thread playground/app/package.json
"@vitejs/plugin-react": "^4.0.0",
"autoprefixer": "^10.4.14",
"eslint": "^8.38.0",
"eslint": "^9.1.0",

@claude claude Bot Feb 28, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 Critical: ESLint v9 upgrade requires additional changes to work properly:

  1. Configuration incompatibility: The existing .eslintrc.cjs uses legacy format that's incompatible with ESLint v9. ESLint v9 requires the new flat config format (eslint.config.js).

  2. Plugin version conflicts: The TypeScript ESLint plugins (@typescript-eslint/eslint-plugin: ^5.59.0 and @typescript-eslint/parser: ^5.59.0) are not compatible with ESLint v9. They need to be updated to v6.x or v7.x.

  3. Monorepo version conflict: The main project still uses ESLint v8.56.0, creating inconsistent linting behavior across the codebase.

  4. Missing lock file update: The warning about pnpm-lock.yaml failing to update will cause dependency resolution issues.

Suggested change
"eslint": "^9.1.0",
"eslint": "^8.42.0",

Recommendation: Hold this PR until the ESLint configuration is migrated to flat config format and plugin versions are updated.

@claude

claude Bot commented Feb 28, 2026

Copy link
Copy Markdown
Contributor

❌ PR Review Summary - NOT MERGEABLE

This Snyk security upgrade PR attempts to fix 2 high-severity vulnerabilities by updating ESLint from v8.42.0 to v9.1.0. However, several critical issues prevent this PR from being safely merged:

🚨 Critical Issues

  1. ESLint Configuration Incompatibility: ESLint v9 dropped support for legacy .eslintrc.* config files. The playground app's .eslintrc.cjs won't work with v9 and must be migrated to the new flat config format (eslint.config.js).

  2. Plugin Version Conflicts: TypeScript ESLint plugins are pinned to v5.59.0 but require v6+ for ESLint v9 compatibility. This will cause linting to fail entirely.

  3. Monorepo Version Mismatch: Main project uses ESLint v8.56.0 while playground would use v9.1.0, creating inconsistent linting behavior.

  4. Lock File Update Failure: The warning about pnpm-lock.yaml failing to update creates dependency resolution inconsistencies.

⚠️ Additional Issues

  • No testing coverage for playground app means these breaking changes won't be caught in CI
  • The --ext flag in lint scripts is deprecated in ESLint v9
  • Missing validation that the playground app can still build and run

🔧 Required Actions Before Merge

  1. Update ESLint configuration to flat config format
  2. Upgrade TypeScript ESLint plugins to v6+ or v7+
  3. Fix the lock file update issue
  4. Align ESLint versions across the monorepo
  5. Add playground app testing to CI pipeline
  6. Test the playground app builds and runs successfully

🎯 Recommendation

DO NOT MERGE until the configuration migration and plugin updates are completed. Consider creating a separate PR to handle the ESLint v9 migration properly, then rebase this security fix on top of those changes.

The security vulnerabilities are important to fix, but this upgrade will break the playground app's development workflow if merged as-is.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mnk-blr @snyk-bot