🚨 [security] Update eslint 8.57.0 → 9.24.0 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ @​ungap/structured-clone (indirect, 1.2.0 → 1.3.0) · Repo

Commits

See the full diff on Github. The new version differs by 47 commits:

• 1.3.0
• Fixed unrecognized ArrayBuffer + DataView
• 1.2.1
• Updated dev/dependencies
• Merge pull request #20 from denisx/patch-1
• Update package.json
• 1.2.0
• Rolled back all types shenanigans
• Merge pull request #14 from andrew-pyle/main
• Update README.md to indicate explicitly that the polyfill doesn't require monkey patching the glocal
• Add example for global polyfill to README.md
• 1.0.2
• Added badge about downloads
• 1.0.1
• Added JSDoc for json export
• 1.0.0
• Fix #4 - Breaking change: undefined values are stored as -1 type now, and without value
• 0.3.4
• Merge pull request #2 from ungap/deserializer
• using similar serializer pattern
• 0.3.3
• minified structured-json
• 0.3.2
• Added StructuredJSON file
• 0.3.1
• Added json export too
• Improved README
• Added json option too.
• 0.3.0
• Added `lossy` JSON-like ability to avoid throwing
• 0.2.3
• use real structuredClone when available
• Added better explainer for supported types and current limitations
• 0.2.2
• Fixed BigInt as Object
• 0.2.1
• added test with coverage link
• Changed badges name
• 0.2.0
• Merge pull request #1 from ungap/packed-release
• Packed all the strings
• improved README
• 0.1.0
• 0.0.2
• 0.0.1
• using an array instead of an object
• First commit

↗️ acorn (indirect, 8.12.1 → 8.14.1) · Repo

Commits

See the full diff on Github. The new version differs by 21 commits:

• Mark version 8.14.1
• Make sure `ExportNamedDeclaration` nodes always have an `attributes` property
• Consistent field order in `Property` in tests
• Consistent field order in `Property`
• Include file name in `SyntaxError` message if present
• Remove empty @param declarations from acorn-walk type declarations
• Allow null in types of optional params to findNodeAt and findNodeAround
• Change approach to field init scope tracking
• Further refine handling of await in class fields
• Make sure await in class field initializers is checked properly
• Mark version 8.14.0
• Add missing unicode properties
• Add support for ES2025 RegExp Modifiers
• Add support for ES2025 Import Attributes
• Mark version 8.13.0
• Remove unused eslint-plugin-promise package
• Add Unicode v16 support
• Fix whitelist, unsupported features
• Bump test262
• Mark acorn-walk version 8.3.4
• Walk SwitchCase nodes as separate nodes in the base walker for SwitchStatement

↗️ cross-spawn (indirect, 7.0.3 → 7.0.6) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service (ReDoS) in cross-spawn

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Release Notes

7.0.6 (from changelog)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (from changelog)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (from changelog)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

• chore(release): 7.0.6
• chore: upgrade standard-version
• fix: update cross-spawn version to 7.0.5 in package-lock.json
• chore: fix build status badge
• chore(release): 7.0.5
• fix: fix escaping bug introduced by backtracking
• chore: remove codecov
• chore: replace travis with github workflows
• chore(release): 7.0.4
• fix: disable regexp backtracking (#160)
• chore: fix tests in recent node js versions
• chore: convert package lock
• chore: remove unused argument (#156)
• chore: add travis jobs on ppc64le (#142)
• chore: fix audit warning

↗️ eslint-visitor-keys (indirect, 4.0.0 → 4.2.0) · Repo · Changelog

↗️ espree (indirect, 10.1.0 → 10.3.0) · Repo · Changelog

Release Notes

10.3.0 (from changelog)

Features

• add support for Import Attributes and RegExp Modifiers (#639) (2fd4222)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • eslint-visitor-keys bumped from ^4.1.0 to ^4.2.0

10.2.0 (from changelog)

Features

• add the eslint-scope package (#615) (2ecfb8b)

Bug Fixes

• Update dependencies to avoid build failure (#631) (e8cd107)
• update links to eslint/js repo (#619) (956389a)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • eslint-visitor-keys bumped from ^4.0.0 to ^4.1.0

Does any of this look wrong? Please let us know.

🆕 @​eslint/config-array (added, 0.20.0)

🆕 @​eslint/config-helpers (added, 0.2.1)

🆕 @​eslint/core (added, 0.12.0)

🆕 @​eslint/core (added, 0.13.0)

🆕 @​eslint/object-schema (added, 2.1.6)

🆕 @​eslint/plugin-kit (added, 0.2.8)

🆕 @​humanfs/core (added, 0.19.1)

🆕 @​humanfs/node (added, 0.16.6)

🆕 @​humanwhocodes/retry (added, 0.3.1)

🆕 @​humanwhocodes/retry (added, 0.4.2)

🆕 @​eslint/eslintrc (added, 3.3.1)

🆕 globals (added, 14.0.0)

🆕 @​eslint/js (added, 9.24.0)

🆕 @​eslint/js (added, 8.57.1)

🆕 @​types/estree (added, 1.0.7)

🆕 eslint (added, 9.24.0)

🆕 eslint (added, 8.57.1)

🆕 eslint-scope (added, 8.3.0)

🆕 file-entry-cache (added, 8.0.0)

🆕 flat-cache (added, 4.0.1)

🗑️ archiver (removed)

🗑️ archiver-utils (removed)

🗑️ archiver-utils (removed)

🗑️ compress-commons (removed)

🗑️ crc-32 (removed)

🗑️ crc32-stream (removed)

🗑️ electron-builder-squirrel-windows (removed)

🗑️ lazystream (removed)

🗑️ lodash.defaults (removed)

🗑️ lodash.difference (removed)

🗑️ lodash.flatten (removed)

🗑️ lodash.union (removed)

🗑️ react-native-url-polyfill (removed)

🗑️ readdir-glob (removed)

🗑️ whatwg-url-without-unicode (removed)

🗑️ zip-stream (removed)

🗑️ @​eslint/js (removed)

🗑️ eslint (removed)

🗑️ webidl-conversions (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #6998.