Bump eslint from 8.1.0 to 9.39.1

[dependabot]

Bumps eslint from 8.1.0 to 9.39.1.

Release notes

Sourced from eslint's releases.

v9.39.1

Bug Fixes

• 650753e fix: Only pass node to JS lang visitor methods (#20283) (Nicholas C. Zakas)

Documentation

• 51b51f4 docs: add a section on when to use extends vs cascading (#20268) (Tanuj Kanti)
• b44d426 docs: Update README (GitHub Actions Bot)

Chores

• 92db329 chore: update @eslint/js version to 9.39.1 (#20284) (Francesco Trotta)
• c7ebefc chore: package.json update for @​eslint/js release (Jenkins)
• 61778f6 chore: update eslint-config-eslint dependency @​eslint/js to ^9.39.0 (#20275) (renovate[bot])
• d9ca2fc ci: Add rangeStrategy to eslint group in renovate config (#20266) (唯然)
• 009e507 test: fix version tests for ESLint v10 (#20274) (Milos Djermanovic)

v9.39.0

Features

• cc57d87 feat: update error loc to key in no-dupe-class-members (#20259) (Tanuj Kanti)
• 126552f feat: update error location in for-direction and no-dupe-args (#20258) (Tanuj Kanti)
• 167d097 feat: update complexity rule to highlight only static block header (#20245) (jaymarvelz)

Bug Fixes

• 15f5c7c fix: forward traversal step.args to visitors (#20253) (jaymarvelz)
• 5a1a534 fix: allow JSDoc comments in object-shorthand rule (#20167) (Nitin Kumar)
• e86b813 fix: Use more types from @​eslint/core (#20257) (Nicholas C. Zakas)
• 927272d fix: correct Scope typings (#20198) (jaymarvelz)
• 37f76d9 fix: use AST.Program type for Program node (#20244) (Francesco Trotta)
• ae07f0b fix: unify timing report for concurrent linting (#20188) (jaymarvelz)
• b165d47 fix: correct Rule typings (#20199) (jaymarvelz)
• fb97cda fix: improve error message for missing fix function in suggestions (#20218) (jaymarvelz)

Documentation

• d3e81e3 docs: Always recommend to include a files property (#20158) (Percy Ma)
• 0f0385f docs: use consistent naming recommendation (#20250) (Alex M. Spieslechner)
• a3b1456 docs: Update README (GitHub Actions Bot)
• cf5f2dd docs: fix correct tag of no-useless-constructor (#20255) (Tanuj Kanti)
• 10b995c docs: add TS options and examples for nofunc in no-use-before-define (#20249) (Tanuj Kanti)
• 2584187 docs: remove repetitive word in comment (#20242) (reddaisyy)
• 637216b docs: update CLI flags migration instructions (#20238) (jaymarvelz)
• e7cda3b docs: Update README (GitHub Actions Bot)
• 7b9446f docs: handle empty flags sections on the feature flags page (#20222) (sethamus)

Chores

• dfe3c1b chore: update @eslint/js version to 9.39.0 (#20270) (Francesco Trotta)
• 2375a6d chore: package.json update for @​eslint/js release (Jenkins)
• a1f4e52 chore: update @eslint dependencies (#20265) (Francesco Trotta)
• c7d3229 chore: update dependency @​eslint/core to ^0.17.0 (#20256) (renovate[bot])
• 27549bc chore: update fuzz testing to not error if code sample minimizer fails (#20252) (Milos Djermanovic)
• a1370ee ci: bump actions/setup-node from 5 to 6 (#20230) (dependabot[bot])
• 9e7fad4 chore: add script to auto-generate eslint:recommended configuration (#20208) (唯然)

... (truncated)

Commits

• e277281 9.39.1
• 4cdf397 Build: changelog update for 9.39.1
• 92db329 chore: update @eslint/js version to 9.39.1 (#20284)
• c7ebefc chore: package.json update for @​eslint/js release
• 650753e fix: Only pass node to JS lang visitor methods (#20283)
• 51b51f4 docs: add a section on when to use extends vs cascading (#20268)
• 61778f6 chore: update eslint-config-eslint dependency @​eslint/js to ^9.39.0 (#20275)
• d9ca2fc ci: Add rangeStrategy to eslint group in renovate config (#20266)
• 009e507 test: fix version tests for ESLint v10 (#20274)
• b44d426 docs: Update README
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by eslintbot, a new releaser for eslint since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[cx-ben-alvo]

Checkmarx One – Scan Summary & Details – beb46d77-f336-4715-8e2b-141d06a5a1b2

New Issues (35)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	Cx6057d4e5-4760	Npm-coa-3.1.3	details Description: This package was manually inspected by a security researcher and flagged as malicious ### About Classifying malicious packages is an internal proc... ID: FhOQ1gke59pXUhbAItbJsproInYo5v1XX1OXfRj1NVg%3D Vulnerable Package
	Cx657a3ff1-7b92	Npm-coa-3.1.3	details Description: This package downloads a harmful file. File hash: ```7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5``` ### About Using a dynamic... ID: dyxAiVqWKpYhgsiZVjBHuz2Yu%2BD12thWLWT3BuNQvaA%3D Vulnerable Package
	Cxa079aba6-fc3c	Npm-coa-3.1.3	details Description: This package exfiltrates stored credentials and sensitive information ### About Data exfiltration may be done in numerous ways such as through HTT... ID: SHMN5qMDUYz3buadyJTTdBMQx3GKqCP8QSBApVKO3z0%3D Vulnerable Package
	Cxb34b508c-969f	Npm-coa-3.1.3	details Description: This package exfiltrates computer and operating system information ### About Data exfiltration may be done in numerous ways such as through HTTP r... ID: oE2Rg2S6HtRqWq7o3mqXmRSGOT26Jlv1XEjwqec%2BOdg%3D Vulnerable Package
	Cxb5dfb167-23a8	Npm-coa-3.1.3	details Description: The npm package coa had versions published with malicious code. Users of affected versions (2.0.3 and above) should downgrade to 2.0.2 as soon as p... Attack Vector: NETWORK Attack Complexity: LOW ID: FciguKgUe8H0ABplynJH0nGQr2dUkkCJsf3bX22cwvE%3D Vulnerable Package
	Cxbd621f75-d5df	Npm-coa-3.1.3	details Description: This package downloads a harmful file. File hash: ```ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e``` ### About Using a dynamic... ID: bzt09Fkts6ej%2By7nZMKhNVMDDN%2FqAvpFl7yoveQdM2U%3D Vulnerable Package
	Cxc2338b3a-b052	Npm-coa-3.1.3	details Description: This package downloads a harmful file. File hash: ```2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd``` ### About Using a dynamic... ID: llYe49ToI2l%2Bn0NfQh2KSopX9LNCwfA%2FeDI2B1ahrgg%3D Vulnerable Package
	Cxc56b90ed-4804	Npm-coa-3.1.3	details Description: This package executes a crypto mining software ### About Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem ... ID: JIFhCJNNsIWn0RCrqvzZtgWD39BkAqrJe%2BfIlmJ41ig%3D Vulnerable Package
	CVE-2024-12905	Npm-tar-fs-1.16.3	details Recommended version: 1.16.6 Description: An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"... Attack Vector: NETWORK Attack Complexity: LOW ID: kewMxEbWh0WZXRSSXfC2Tdpw7hxKKSD77iC0EPHL%2FVs%3D Vulnerable Package
	CVE-2024-12905	Npm-tar-fs-2.1.1	details Recommended version: 2.1.4 Description: An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"... Attack Vector: NETWORK Attack Complexity: LOW ID: YmUt4pZ45J%2FNBrJuD2yFQl%2BUDTS%2BN%2Fb5rXNxIfZWRb8%3D Vulnerable Package
	CVE-2024-21538	Npm-cross-spawn-6.0.5	details Recommended version: 6.0.6 Description: Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to im... Attack Vector: NETWORK Attack Complexity: LOW ID: A5vJNmpxo%2Ff7YKqZr15VzH6aTjQH9DMK3n2fh4%2FpQIc%3D Vulnerable Package
	CVE-2024-21538	Npm-cross-spawn-7.0.3	details Recommended version: 7.0.5 Description: Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to im... Attack Vector: NETWORK Attack Complexity: LOW ID: KFztkrKvs%2BmVPM0lejtBrEQ2DADhkPbMcWMIxapB%2BjY%3D Vulnerable Package
	CVE-2025-48387	Npm-tar-fs-2.1.1	details Recommended version: 2.1.4 Description: The package tar-fs provides filesystem bindings for tar-stream. In versions prior to 1.16.5, 2.0.x prior to 2.1.3, and 3.0.x prior to 3.0.9, there ... Attack Vector: NETWORK Attack Complexity: LOW ID: odKh1SKhF5dr3Ud13QPGWpFO0Df5t3iRZI69xU4noSA%3D Vulnerable Package
	CVE-2025-48387	Npm-tar-fs-1.16.3	details Recommended version: 1.16.6 Description: The package tar-fs provides filesystem bindings for tar-stream. In versions prior to 1.16.5, 2.0.x prior to 2.1.3, and 3.0.x prior to 3.0.9, there ... Attack Vector: NETWORK Attack Complexity: LOW ID: wpqImX3ZKAXC8yJ%2BWVn%2FSyJbvEXaIX0qMzOZXNmMvt0%3D Vulnerable Package
	CVE-2025-59343	Npm-tar-fs-2.1.1	details Recommended version: 2.1.4 Description: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.4, and 1.16.6 are vulnerable to symlink validation bypass if the d... Attack Vector: NETWORK Attack Complexity: LOW ID: 9dWEQ6itamlFby6lRacbD6rTDUjXfiQKEiSR6vOdiP0%3D Vulnerable Package
	CVE-2025-59343	Npm-tar-fs-1.16.3	details Recommended version: 1.16.6 Description: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.4, and 1.16.6 are vulnerable to symlink validation bypass if the d... Attack Vector: NETWORK Attack Complexity: LOW ID: KZPc6QrzIjz5zEZcEKUt2bcYaJvpnfbVH%2BUFK6iDulk%3D Vulnerable Package
	Cx687dda59-2e3a	Npm-unzip-stream-0.3.1	details Recommended version: 0.3.2 Description: The unzip-stream allows Arbitrary File Write via artifact extraction. When using the "Extract()" method of unzip-stream, malicious zip files were a... Attack Vector: NETWORK Attack Complexity: LOW ID: fV9HWuotoj6uepnL9n9W9oON5tO45x4jSC7pqX0tLMg%3D Vulnerable Package
	Cxc7705965-e0f0	Npm-@babel/core-7.15.0	details Recommended version: 7.18.6 Description: The @babel/core package versions prior to 7.18.6 were discovered to contain a memory leak vulnerability. Attack Vector: NETWORK Attack Complexity: LOW ID: 0MlYWa45vwm0jY00wwasMwyGOq1GDxu8AqYalnSY5ZY%3D Vulnerable Package
	Cxdca8e59f-8bfe	Npm-inflight-1.0.6	details Description: In NPM `inflight` there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the... Attack Vector: NETWORK Attack Complexity: LOW ID: dVRRx%2Bb5H04LUCfyoyyVBv1qFmvSq6Asf4LyZp%2Fm4xc%3D Vulnerable Package
	ALB Listening on HTTP	/positive1.tf: 9	details AWS Application Load Balancer (alb) should not listen on HTTP ID: yZXbrnwNo%2FZnfgvlzkJfobryAGE%3D
	CVE-2023-0842	Npm-xml2js-0.4.23	details Recommended version: 0.5.0 Description: The xml2js in versions prior to 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the applicat... Attack Vector: NETWORK Attack Complexity: LOW ID: KnbuV2loSRnFjQsOzFGlrkCcg5SoVjA04k6dJ%2B%2FJucc%3D Vulnerable Package
	CVE-2024-11831	Npm-serialize-javascript-6.0.0	details Recommended version: 6.0.2 Description: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain i... Attack Vector: NETWORK Attack Complexity: LOW ID: fBNI64mLeOY%2B%2B%2BxO3KHZEEOjGItSid2OzvHfH%2BdfJRQ%3D Vulnerable Package
	CVE-2024-4067	Npm-micromatch-4.0.5	details Recommended version: 4.0.8 Description: The NPM package "micromatch" prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in "micromatch.... Attack Vector: NETWORK Attack Complexity: LOW ID: c2G0%2FXWI4p1MXtx59DCYg%2FvgDo9%2Br%2BIAiNGNkqHD6mk%3D Vulnerable Package
	CVE-2024-43788	Npm-webpack-5.90.1	details Recommended version: 5.94.0 Description: Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundlin... Attack Vector: NETWORK Attack Complexity: LOW ID: aV6B0nX%2BfzAD0eC4p92rSUazQTHebWoerdEPS0XNz3Y%3D Vulnerable Package
	CVE-2024-55565	Npm-nanoid-3.3.3	details Recommended version: 3.3.8 Description: The package nanoid versions through 3.3.7 and 4.0.0 through 5.0.8 mishandle non-integer values. Attack Vector: NETWORK Attack Complexity: LOW ID: SiHE7hbAzjQ8vbBac%2Bje4CXqQgR8QNukvSm7XPvIEW8%3D Vulnerable Package
	CVE-2025-54798	Npm-tmp-0.2.1	details Recommended version: 0.2.4 Description: tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo... Attack Vector: NETWORK Attack Complexity: LOW ID: LbPdfQrn9aw8kAqL88COPpGiCduPtmG0m0OoXYOwlDE%3D Vulnerable Package
	CVE-2025-54798	Npm-tmp-0.0.30	details Recommended version: 0.2.4 Description: tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo... Attack Vector: NETWORK Attack Complexity: LOW ID: vtrV9vV3xBfM2bXSzSTyU22yLXq%2B0OfDGkZhaTikDQM%3D Vulnerable Package
	ELBv2 LB Access Log Disabled	/positive1.tf: 15	details ELBv2 LBs should have access log enabled to capture detailed information about requests sent to your load balancer. ID: T6F6kPHYKPFyDpB87WgOa6ulhic%3D
	APT-GET Missing Flags To Avoid Manual Input	/Dockerfile: 5	details Check if apt-get calls use flags to avoid user manual input. ID: PP9WHiBQsCBajZJkTBnbeQ%2FWmoo%3D
	CVE-2025-5889	Npm-brace-expansion-1.1.11	details Recommended version: 1.1.12 Description: A vulnerability was found in juliangruber brace-expansion. It has been rated as problematic. Affected by this issue is the function "expand" of the... Attack Vector: NETWORK Attack Complexity: HIGH ID: GFXIwa%2BGRRU%2FVHIA%2B9GeHVcA6%2F6j46VDPvz3KFp9Koo%3D Vulnerable Package
	CVE-2025-5889	Npm-brace-expansion-2.0.1	details Recommended version: 2.0.2 Description: A vulnerability was found in juliangruber brace-expansion. It has been rated as problematic. Affected by this issue is the function "expand" of the... Attack Vector: NETWORK Attack Complexity: HIGH ID: xfjS0LEKSe4IeklUQjNx0fPgRiTYGWXUDsC0Gg1rdxE%3D Vulnerable Package
	Cx8bc4df28-fcf5	Npm-debug-4.3.4	details Recommended version: 4.4.0 Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e... Attack Vector: NETWORK Attack Complexity: HIGH ID: 7kbGQsqzqGMFAx5vOgJSvgiXa46j1p05R6rvz%2FxoWtA%3D Vulnerable Package
	Healthcheck Instruction Missing	/Dockerfile: 1	details Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working ID: GFv7YpwPyFMEfyTpNssycczyYxE%3D
	IAM Access Analyzer Not Enabled	/positive1.tf: 1	details IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions ID: lBtOCwOL2iHuQvGMcYE7rViwtdM%3D
	Shield Advanced Not In Use	/positive1.tf: 15	details AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing,... ID: uksw0A3tt%2BuOK%2Bie011Hp%2FcD5Dk%3D

---

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR