🚨 [security] [js] Update eslint 10.1.0 → 10.2.0 (minor)#702

Merged
digitaltom merged 1 commit into main from depfu/update/npm/eslint-10.2.0
Apr 5, 2026

Conversation

@depfu depfu bot commented Apr 4, 2026


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ eslint (10.1.0 → 10.2.0) · Repo · Changelog

Release Notes

10.2.0

Features

  • 586ec2f feat: Add meta.languages support to rules (#20571) (Copilot)
  • 14207de feat: add Temporal to no-obj-calls (#20675) (Pixel998)
  • bbb2c93 feat: add Temporal to ES2026 globals (#20672) (Pixel998)

Bug Fixes

  • 542cb3e fix: update first-party dependencies (#20714) (Francesco Trotta)

Documentation

  • a2af743 docs: add language to configuration objects (#20712) (Francesco Trotta)
  • 845f23f docs: Update README (GitHub Actions Bot)
  • 5fbcf59 docs: remove sourceType from ts playground link (#20477) (Tanuj Kanti)
  • 8702a47 docs: Update README (GitHub Actions Bot)
  • ddeaded docs: Update README (GitHub Actions Bot)
  • 2b44966 docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic)
  • eab65c7 docs: update eslint versions in examples (#20664) (루밀LuMir)
  • 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#20660) (Milos Djermanovic)

Chores

  • 8120e30 refactor: extract no unmodified loop condition (#20679) (kuldeep kumar)
  • 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#20697) (renovate[bot])
  • 01ed3aa test: add unit tests for unicode utilities (#20622) (Manish chaudhary)
  • 811f493 ci: remove --legacy-peer-deps from types integration tests (#20667) (Milos Djermanovic)
  • 6b86fcf chore: update dependency npm-run-all2 to v8 (#20663) (renovate[bot])
  • 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#20662) (루밀LuMir)
  • b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#20659) (Milos Djermanovic)
  • 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#20661) (Milos Djermanovic)
  • 3ab4d7e test: Add tests for eslintrc-style keys (#20645) (kuldeep kumar)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

↗️ @eslint/plugin-kit (indirect, 0.6.1 → 0.7.0) · Repo · Changelog

Release Notes

0.7.0 (from changelog)

Features

  • add languages and docs.dialects to rule meta types (#421) (7680f69)

Bug Fixes

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @eslint/core bumped from ^1.1.1 to ^1.2.0

Does any of this look wrong? Please let us know.

↗️ brace-expansion (indirect, 5.0.4 → 5.0.5) · Repo

Security Advisories 🚨

🚨 brace-expansion: Zero-step sequence causes process hang and memory exhaustion

Impact

A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.

The loop in question:

    for (let i = x; test(i, y); i += incr) {

test() is one of

    function lte(i: number, y: number) {
      return i <= y
    }

    function gte(i: number, y: number) {
      return i >= y
    }

The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a RangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.

This affects any application that passes untrusted strings to expand(), or that sets a step value of 0 by mistake. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.

Patches

Upgrade to versions

  • 5.0.5+

A step increment of 0 is now sanitized to 1, which matches bash behavior.

Workarounds

Sanitize strings passed to expand() to ensure a step value of 0 is not used.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ minimatch (indirect, 10.2.4 → 10.2.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 5 commits:


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Apr 4, 2026
@digitaltom digitaltom merged commit 6cde8cd into main Apr 5, 2026
8 checks passed
@depfu depfu bot deleted the depfu/update/npm/eslint-10.2.0 branch April 5, 2026 22:03