chore(deps-dev): bump eslint from 8.57.1 to 9.26.0#5680
chore(deps-dev): bump eslint from 8.57.1 to 9.26.0#5680dependabot[bot] wants to merge 1 commit intounstablefrom
Conversation
dependabot
bot
added
dependencies
rtibblesbot
left a comment
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency Update Review
Package: eslint 8.57.1 → 9.26.0
Semver risk: Major (8.x → 9.x)
Dependency type: devDependency
CI status: Passing (build, frontend tests, linting all green)
Changelog Analysis
Sources consulted:
- ESLint v9.0.0 release notes
- ESLint v9 migration guide
- PR body release notes (truncated, covering v9.0.0 through v9.26.0)
Breaking changes (v9.0.0):
- Flat config (
eslint.config.js) is now the default; legacy.eslintrc.*format requiresESLINT_USE_FLAT_CONFIG=falseor ESLint's backward-compatibility shim - Minimum Node.js version raised to
^18.18.0 || ^20.9.0 || >=21.1.0 FlatESLintrenamed toESLint; legacyESLintclass removed- Multiple formatters removed (only
html,json,json-with-metadata,stylishretained) - Rules removed:
valid-jsdoc,require-jsdoc; defaults changed forno-unused-vars,no-useless-computed-key - Function-style rules no longer supported; rules default to
schema: []
Security fixes: None noted in this version range.
Compatibility Assessment
- Project uses legacy
.eslintrc.jsconfig: Yes —.eslintrc.jsextendskolibri-format/.eslintrc - No
eslint.config.jsexists: Confirmed — no flat config migration was performed - No
ESLINT_USE_FLAT_CONFIGenv var set: Confirmed - Code changes required: No code migration was performed despite major breaking changes
- Why CI passes:
kolibri-format@1.0.1bundles its owneslint@8.57.1as a direct dependency. Thelint-frontendscript (the only way eslint is invoked) runs throughkolibri-format, which uses its bundled ESLint 8. The top-leveleslint@9.26.0is effectively unused for linting. - Split dependency result: After this PR, the lockfile contains both
eslint@8.57.1(insidekolibri-format) andeslint@9.26.0(top-level). The eslint plugins at the top level (eslint-plugin-vue,eslint-plugin-import, etc.) are resolved against ESLint 9, but the actual linting runs with ESLint 8 fromkolibri-format.
Recommendation
REQUEST_CHANGES — This major version bump includes breaking changes but no config migration was performed. While CI passes because kolibri-format bundles its own ESLint 8, the upgrade creates a misleading split-dependency state (top-level ESLint 9 is never actually used for linting). See inline comment for details.
| "circular-dependency-plugin": "^5.2.0", | ||
| "css-loader": "7.1.2", | ||
| "eslint": "^8.57.0", | ||
| "eslint": "^9.26.0", |
There was a problem hiding this comment.
blocking: This bumps eslint from 8.x to 9.x — a major version with significant breaking changes (flat config default, removed APIs, dropped formatters, changed rule defaults). No config migration was performed:
- The project uses legacy
.eslintrc.js(not the neweslint.config.jsflat config) - No
ESLINT_USE_FLAT_CONFIG=falseenvironment variable is set - No code changes accompany this version bump
CI passes only because kolibri-format@1.0.1 bundles its own eslint@8.57.1 — the top-level eslint@9.26.0 is never actually invoked. This creates a confusing split-dependency state where the declared version doesn't match what's used.
Recommend closing this PR. When the project is ready to migrate to ESLint 9, it should be done as a coordinated effort that includes:
- Updating
kolibri-formatto support ESLint 9 - Migrating
.eslintrc.jstoeslint.config.js(or settingESLINT_USE_FLAT_CONFIG=false) - Addressing any rule changes or removed APIs
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/eslint-9.26.0
branch
from
9a8c3bc to
d6823e1
Compare
rtibblesbot
left a comment
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency Update Review
Package: eslint 8.57.1 → 9.26.0
Semver risk: Major
Dependency type: devDependency
CI status: Linting, tests, and build passing (Python tests pending but unrelated)
Changelog Analysis
Sources consulted:
Breaking changes (ESLint 9):
- Flat config (
eslint.config.js) is now the default; legacy.eslintrcformat removed from the defaultESLintclass - Node.js minimum bumped to ^18.18.0 || ^20.9.0 || >=21.1.0
- Removed rules:
require-jsdoc,valid-jsdoc - Removed built-in formatters (all except
html,json,stylish) no-unused-varsdefaultcaughtErrorschanged to"all"- Function-style rules no longer supported
- Multiple other rule default changes
Security fixes: None noted.
Compatibility Assessment
- Project uses legacy
.eslintrc.jsconfig: Yes —.eslintrc.jsimports fromkolibri-format/.eslintrc - kolibri-format bundles its own eslint: Yes —
kolibri-format@1.0.1declareseslint@^8.57.0as a direct dependency, so pnpm installs eslint@8.57.1 separately for it - Project's eslint@9 is effectively unused: The linting pipeline runs through
kolibri-format(viapnpm run lint-frontend), which uses its own bundled eslint@8. The eslint@9 installed at the project root is not invoked by any script or CI check - CI passes because linting still runs eslint@8: The "All file linting" CI job runs
pre-commit→kolibri-format→ eslint@8.57.1 (kolibri-format's own copy). The version bump in this PR does not change the actual linting behavior - Peer dependency changes: eslint@9 introduces
jitias an optional peer dep; new transitive dependencies include@eslint/config-array,@eslint/core,@modelcontextprotocol/sdk,hono,express@5(from eslint's MCP server feature) - Code changes required: Yes — the project's
.eslintrc.jsis incompatible with eslint@9's flat config system. No migration was performed
Recommendation
REQUEST_CHANGES — This major bump installs eslint@9 but it goes unused since kolibri-format bundles its own eslint@8. The project's .eslintrc.js config is incompatible with eslint@9's flat config requirement, and no migration was performed. Merging would add ~15+ new transitive dependencies (including express@5, hono, MCP SDK) with no benefit. Recommend closing this PR and coordinating the eslint@9 upgrade together with a kolibri-format update and flat config migration.
| "circular-dependency-plugin": "^5.2.0", | ||
| "css-loader": "7.1.2", | ||
| "eslint": "^8.57.0", | ||
| "eslint": "^9.26.0", |
There was a problem hiding this comment.
blocking: This bumps eslint to v9 (major), but the project's linting pipeline runs through kolibri-format@1.0.1, which declares eslint@^8.57.0 as a direct dependency. pnpm installs a separate eslint@8.57.1 for kolibri-format, so this eslint@9 is never actually invoked by any lint script or CI check.
Meanwhile, the project's .eslintrc.js uses legacy eslintrc format (importing from kolibri-format/.eslintrc), which is incompatible with eslint@9's flat config default. No config migration was included.
This upgrade adds ~15+ new transitive dependencies (including @modelcontextprotocol/sdk, hono, express@5 from eslint 9's MCP server feature) with no practical benefit.
Recommend closing this PR. The eslint@9 migration should be coordinated with a kolibri-format update that also moves to flat config.
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/eslint-9.26.0
branch
from
d6823e1 to
f4fd24f
Compare
rtibblesbot
left a comment
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency Update Review
Package: eslint 8.57.1 → 9.26.0
Semver risk: Major (v8 → v9)
Dependency type: devDependency
CI status: Passing (linting, frontend tests, build all green)
Changelog Analysis
Sources consulted:
- ESLint v9.0.0 migration guide
- ESLint v9.0.0 release notes
- PR body (release notes for v9.0.0 through v9.26.0)
Breaking changes in v9 (key items):
- Flat config (
eslint.config.js) becomes the default; eslintrc (.eslintrc.js) is deprecated - Node.js <18.18.0 dropped
- Removed rules:
require-jsdoc,valid-jsdoc - Removed formatters: checkstyle, compact, jslint-xml, junit, tap, unix, visualstudio
FlatESLintrenamed toESLint; oldESLintrenamed toLegacyESLint- Multiple context methods moved to
SourceCode(affects plugin authors) - Rules added/removed from
eslint:recommended;no-unused-varsdefaults changed
Security fixes: None noted in the v8→v9 range.
Compatibility Assessment
- Project uses affected APIs: No — and here's why: this project's linting is entirely delegated to the
kolibri-formatCLI (v1.0.1), which bundles its own ESLint 8.57.1 internally. The project-leveleslint@9.26.0is not invoked for linting; it serves only as a peer dependency for plugins (eslint-plugin-import,eslint-plugin-vue,eslint-plugin-jest, etc.). - Plugin compatibility: All plugins declare
eslint >=8.0.0in their peerDependencies and resolve cleanly against v9. - Peer dependency changes: No new peer deps required.
- Code changes required: No — only
package.jsonandpnpm-lock.yamlare modified. - Prior failed attempts: None found.
- eslintrc format: The project still uses
.eslintrc.js. ESLint 9 still supports it (deprecated, not removed), butkolibri-formatreads it via its bundled ESLint 8, so this is a non-issue today.
Recommendation
COMMENT — CI passes and the upgrade is safe because the project-level eslint is not used for actual linting. However, this creates a version mismatch (project has ESLint 9, kolibri-format bundles ESLint 8) that could cause confusion. See inline comment.
| "circular-dependency-plugin": "^5.2.0", | ||
| "css-loader": "7.1.2", | ||
| "eslint": "^8.57.0", | ||
| "eslint": "^9.26.0", |
There was a problem hiding this comment.
suggestion: This major version bump (v8 → v9) is safe today because kolibri-format bundles its own ESLint 8.57.1 and all actual linting runs through that copy. The project-level eslint@9.26.0 effectively serves only as a peer dependency for the ESLint plugins.
However, this creates a latent version mismatch worth being aware of:
- If a developer runs
npx eslint .directly, ESLint 9 will look foreslint.config.js(flat config) by default and won't pick up.eslintrc.jswithoutESLINT_USE_FLAT_CONFIG=false. - When
kolibri-formateventually upgrades its bundled ESLint to v9+, the project will need to migrate.eslintrc.jsto flat config.
This is fine to merge as-is, but consider tracking the eslintrc → flat config migration as future work.
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/eslint-9.26.0
branch
2 times, most recently
from
6e9c02b to
e0ba8bb
Compare
rtibblesbot
left a comment
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency Update Review
Package: eslint 8.57.1 → 9.26.0
Semver risk: Major (crossing 8.x → 9.x boundary)
Dependency type: devDependency
CI status: Linting, frontend tests, and build all passing. Python tests still running (unrelated to this change).
Changelog Analysis
Sources consulted:
- ESLint v9 migration guide
- Compare v8.57.1...v9.26.0
- PR body release notes (truncated)
Breaking changes in ESLint 9 (selected highlights):
- Default config format changed from
.eslintrc.*to flat config (eslint.config.js). Legacy eslintrc format is deprecated and requiresESLINT_USE_FLAT_CONFIG=false. ESLintAPI class now expects flat config; legacy usage moved toLegacyESLint.- Dropped Node.js < 18.18.0 support.
- Removed
require-jsdocandvalid-jsdocrules. - Removed 7 built-in formatters.
- Various rule default changes (
no-unused-vars,no-useless-computed-key, etc.).
Deprecations: The entire eslintrc configuration system.
Security fixes: None noted.
Compatibility Assessment
- kolibri-format peer dependency violated:
kolibri-format@1.0.1declareseslint@^8.57.0as a peer dependency. This PR installs eslint 9.x, which falls outside that range. - pnpm isolation masks the problem: Because pnpm strictly isolates dependencies,
kolibri-formatresolves its owneslint@8.57.1internally. The lockfile confirms three separate eslint versions coexist (7.32.0, 8.57.1, 9.26.0). This is why CI passes — the actual linting tool never sees eslint 9. - Project uses legacy
.eslintrc.js: The project config at.eslintrc.jsusesrequire('kolibri-format/.eslintrc')— this is the legacy eslintrc format, incompatible with ESLint 9's default flat config mode. - No code migration performed: The PR only updates
package.jsonandpnpm-lock.yaml. No migration to flat config, noESLINT_USE_FLAT_CONFIG=falseflag set anywhere. - eslint 9.26.0 is effectively unused: All linting goes through
kolibri-format(viapnpm run lint-frontend), which bundles its own eslint 8.57.1. No CI step or npm script invokes the project-leveleslintbinary directly.
Recommendation
REQUEST_CHANGES — This major version bump creates a misleading state: package.json declares eslint 9.x, but the project actually uses eslint 8.x (bundled in kolibri-format). A proper ESLint 9 migration would require updating kolibri-format, migrating .eslintrc.js to flat config, and verifying all plugins support ESLint 9. Without that work, this PR just adds a redundant eslint 9 installation that nothing uses. Recommend closing in favor of a coordinated migration effort, or keeping eslint pinned to 8.x until kolibri-format is updated.
| "circular-dependency-plugin": "^5.2.0", | ||
| "css-loader": "7.1.2", | ||
| "eslint": "^8.57.0", | ||
| "eslint": "^9.26.0", |
There was a problem hiding this comment.
blocking: This bumps eslint from 8.x to 9.x (major version), but the project's linting infrastructure is not ready for it:
-
kolibri-format@1.0.1peer dependency violation — it requireseslint@^8.57.0. pnpm's strict isolation meanskolibri-formatbundles its own eslint 8.57.1 internally, so linting happens to still work, but this eslint 9.26.0 installation is effectively unused by any project tooling. -
No flat config migration — ESLint 9 defaults to flat config (
eslint.config.js), but the project still uses.eslintrc.jswith the legacy eslintrc format. Runningnpx eslintdirectly would fail to find the config. -
Misleading version declaration — Having
eslint@^9.26.0inpackage.jsonwhile actually linting with eslint 8.57.1 (viakolibri-format) creates confusion for contributors.
A proper ESLint 9 migration requires updating kolibri-format, migrating to flat config, and verifying all plugin compatibility. Recommend closing this PR and keeping eslint at 8.x until that coordinated effort is done.
rtibblesbot
left a comment
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency Update Review
Package: eslint 8.57.1 → 9.26.0
Semver risk: Major
Dependency type: devDependency
CI status: Passing (linting, frontend tests, build). Python tests pending but unrelated.
Changelog Analysis
Sources consulted:
Breaking changes:
.eslintrc.*config format deprecated — ESLint 9 defaults to flat config (eslint.config.js). Legacy format requiresESLINT_USE_FLAT_CONFIG=falseas a temporary escape hatch.- Several built-in formatters removed from core.
- All JSDoc rules removed from core.
- Node.js minimum raised to 18.18.0.
- Plugin/rule API changes (context methods restructured).
Security fixes: None noted.
Compatibility Assessment
- Project uses affected APIs: Yes —
.eslintrc.jsis the active config format, usingrequire('kolibri-format/.eslintrc')withmodule.exports. - No
eslint.config.js(flat config) exists — no migration was performed. - Code changes required: Yes — either migrate to flat config or set
ESLINT_USE_FLAT_CONFIG=falsein all eslint invocations. - CI passes because
kolibri-format@1.0.1bundles its own internaleslint@8.57.1— so the pre-commit linting hook is unaffected by the root-level eslint bump. This masks the incompatibility. - Root eslint 9 +
.eslintrc.jsconflict: Any directnpx eslintinvocation will fail or use flat config mode, ignoring.eslintrc.js.
Recommendation
REQUEST_CHANGES — This major version bump includes breaking changes (flat config migration) but no code migration was performed. The .eslintrc.js config is incompatible with eslint 9's default behavior. CI passes only because kolibri-format bundles its own eslint 8 internally, masking the issue. Merging this would leave the project with a non-functional root eslint 9 installation alongside a working-but-separate eslint 8 inside kolibri-format.
| "circular-dependency-plugin": "^5.2.0", | ||
| "css-loader": "7.1.2", | ||
| "eslint": "^8.57.0", | ||
| "eslint": "^9.26.0", |
There was a problem hiding this comment.
blocking: This is a major version bump (8.x → 9.x) that requires a config migration. ESLint 9 defaults to the new flat config format (eslint.config.js) and deprecates .eslintrc.*. This project uses .eslintrc.js (which extends kolibri-format/.eslintrc), and no migration to flat config was performed.
CI passes because kolibri-format@1.0.1 bundles its own internal eslint@8.57.1 — the pre-commit linting workflow (pnpm run lint-frontend:format) invokes kolibri-format, which uses its bundled eslint 8, not the root-level eslint. This masks the breaking change.
Merging this would result in:
- A root
eslint@9.26.0that cannot use the project's.eslintrc.jswithoutESLINT_USE_FLAT_CONFIG=false kolibri-formatcontinuing to use its own bundled eslint 8 regardless- Developer confusion when running
npx eslintdirectly
This update should be coordinated with a flat config migration (eslint.config.js) or deferred until kolibri-format supports eslint 9.
Bumps [eslint](https://github.com/eslint/eslint) from 8.57.1 to 9.26.0. - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/v9.26.0/CHANGELOG.md) - [Commits](eslint/eslint@v8.57.1...v9.26.0) --- updated-dependencies: - dependency-name: eslint dependency-version: 9.26.0 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/eslint-9.26.0
branch
from
e0ba8bb to
25f499f
Compare
rtibblesbot
left a comment
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency Update Review
Package: eslint 8.57.1 → 9.26.0
Semver risk: Major
Dependency type: devDependency
CI status: Passing (All file linting, Frontend tests, Build frontend assets all green)
Changelog Analysis
Sources consulted:
Breaking changes (ESLint 9.0.0):
- Flat config (
eslint.config.js) is now the default; legacy.eslintrc.*is deprecated (still supported via backward compatibility) - Node.js minimum bumped to v18.18.0
- Removed rules:
require-jsdoc,valid-jsdoc - Removed built-in formatters:
checkstyle,compact,jslint-xml,junit,tap,unix,visualstudio no-unused-varscaughtErrorsdefault changed from"none"to"all"no-useless-computed-keyenforceForClassMembersdefault changed totrue- Context API removed (methods moved to
sourceCode) FlatRuleTesterrenamed toRuleTester; oldESLintclass renamed toLegacyESLint
Deprecations:
.eslintrc.*configuration format (superseded by flat config)
Security fixes: None noted.
Compatibility Assessment
- Project still uses legacy
.eslintrc.jsformat (importing config fromkolibri-format/.eslintrc) - Linting is not invoked via the top-level
eslintbinary — all linting goes throughkolibri-formatCLI (pnpm run lint-frontend→kolibri-format) kolibri-format@1.0.1bundles its owneslint@^8.57.0as a hard dependency (visible in the lockfile at thekolibri-format@1.0.1entry, which resolveseslint: 8.57.1independently)- The top-level
eslint@^9.26.0indevDependenciesis effectively unused for actual linting — it exists alongsidekolibri-format's bundled ESLint 8 - Peer dependency changes: none required
- Code changes required: none (no flat config migration performed)
- Prior failed attempts: none found
Recommendation
COMMENT — CI passes because the actual linting tool (kolibri-format) bundles its own ESLint 8 and is unaffected by this version change. The top-level eslint dependency appears unused for direct linting. This makes the upgrade low practical risk but also low practical value — the project isn't actually using ESLint 9 for anything.
suggestion: Consider whether this upgrade serves a purpose. If eslint is in devDependencies only because kolibri-format needs it (it doesn't — it bundles its own), it could be removed entirely. If it's kept for direct CLI usage or editor integration, the project should also migrate .eslintrc.js to flat config (eslint.config.js) since the legacy format is deprecated in ESLint 9.
| "circular-dependency-plugin": "^5.2.0", | ||
| "css-loader": "7.1.2", | ||
| "eslint": "^8.57.0", | ||
| "eslint": "^9.26.0", |
There was a problem hiding this comment.
suggestion: This bumps ESLint from 8.x to 9.x (major), but the project's linting is actually handled by kolibri-format (which bundles its own ESLint 8.57.1 internally). The top-level eslint dependency appears unused for actual linting — lint-frontend runs kolibri-format, not eslint directly.
Two options to consider:
- Remove the top-level
eslintdependency if it's truly unused (editor integrations may rely on it, though). - Accept this upgrade, but be aware the project's
.eslintrc.jsuses the legacy config format, which is deprecated in ESLint 9. A flat config migration would eventually be needed if you want to use ESLint 9 directly.
1 participant
Bumps eslint from 8.57.1 to 9.26.0.
Release notes
Sourced from eslint's releases.
... (truncated)
Changelog
Sourced from eslint's changelog.
... (truncated)
Commits
8bbabc49.26.016f5ff7Build: changelog update for 9.26.05b247c8chore: upgrade to@eslint/js@9.26.0(#19681)d6fa4acchore: package.json update for@eslint/jsreleasee9754e7feat: add reportGlobalThis to no-shadow-restricted-names (#19670)0fa2b7afeat: add suggestions foreqeqeqrule (#19640)dd98d63docs: Update README96e84defix: check cache file existence before deletion (#19648)c25e858docs: Update README0958690chore: disambiguate internal typesLanguageOptionsandRule(#19669)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.