chore(deps): update devdependency eslint to v10

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
eslint (source)	8.53.0 → 10.3.0

---

Release Notes

eslint/eslint (eslint)

v10.3.0

Compare Source

v10.2.1

Compare Source

v10.2.0

Compare Source

Features

• 586ec2f feat: Add meta.languages support to rules (#​20571) (Copilot)
• 14207de feat: add Temporal to no-obj-calls (#​20675) (Pixel998)
• bbb2c93 feat: add Temporal to ES2026 globals (#​20672) (Pixel998)

Bug Fixes

• 542cb3e fix: update first-party dependencies (#​20714) (Francesco Trotta)

Documentation

• a2af743 docs: add language to configuration objects (#​20712) (Francesco Trotta)
• 845f23f docs: Update README (GitHub Actions Bot)
• 5fbcf59 docs: remove sourceType from ts playground link (#​20477) (Tanuj Kanti)
• 8702a47 docs: Update README (GitHub Actions Bot)
• ddeaded docs: Update README (GitHub Actions Bot)
• 2b44966 docs: add Major Releases section to Manage Releases (#​20269) (Milos Djermanovic)
• eab65c7 docs: update eslint versions in examples (#​20664) (루밀LuMir)
• 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#​20660) (Milos Djermanovic)

Chores

• 8120e30 refactor: extract no unmodified loop condition (#​20679) (kuldeep kumar)
• 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#​20697) (renovate[bot])
• 01ed3aa test: add unit tests for unicode utilities (#​20622) (Manish chaudhary)
• 811f493 ci: remove --legacy-peer-deps from types integration tests (#​20667) (Milos Djermanovic)
• 6b86fcf chore: update dependency npm-run-all2 to v8 (#​20663) (renovate[bot])
• 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#​20662) (루밀LuMir)
• b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#​20659) (Milos Djermanovic)
• 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#​20661) (Milos Djermanovic)
• 3ab4d7e test: Add tests for eslintrc-style keys (#​20645) (kuldeep kumar)

v10.1.0

Compare Source

Features

• ff4382b feat: apply fix for no-var in TSModuleBlock (#​20638) (Tanuj Kanti)
• 0916995 feat: Implement api support for bulk-suppressions (#​20565) (Blake Sager)

Bug Fixes

• 2b8824e fix: Prevent no-var autofix when a variable is used before declaration (#​20464) (Amaresh S M)
• e58b4bf fix: update eslint (#​20597) (renovate[bot])

Documentation

• b7b57fe docs: use correct JSDoc link in require-jsdoc.md (#​20641) (mkemna-clb)
• 58e4cfc docs: add deprecation notice partial (#​20639) (Milos Djermanovic)
• 7143dbf docs: update v9 migration guide for @eslint/js usage (#​20540) (fnx)
• 035fc4f docs: note that globalReturn applies only with sourceType: "script" (#​20630) (Milos Djermanovic)
• e972c88 docs: merge ESLint option descriptions into type definitions (#​20608) (Francesco Trotta)
• 7f10d84 docs: Update README (GitHub Actions Bot)
• aeed007 docs: open playground link in new tab (#​20602) (Tanuj Kanti)
• a0d1a37 docs: Add AI Usage Policy (#​20510) (Nicholas C. Zakas)

Chores

• a9f9cce chore: update dependency eslint-plugin-unicorn to ^63.0.0 (#​20584) (Milos Djermanovic)
• 1f42bd7 chore: update prettier to 3.8.1 (#​20651) (루밀LuMir)
• c0a6f4a chore: update dependency @​eslint/json to ^1.2.0 (#​20652) (renovate[bot])
• cc43f79 chore: update dependency c8 to v11 (#​20650) (renovate[bot])
• 2ce4635 chore: update dependency @​eslint/json to v1 (#​20649) (renovate[bot])
• f0406ee chore: update dependency markdownlint-cli2 to ^0.21.0 (#​20646) (renovate[bot])
• dbb4c95 chore: remove trunk (#​20478) (sethamus)
• c672a2a test: fix CLI test for empty output file (#​20640) (kuldeep kumar)
• c7ada24 ci: bump pnpm/action-setup from 4.3.0 to 4.4.0 (#​20636) (dependabot[bot])
• 07c4b8b test: fix RuleTester test without test runners (#​20631) (Francesco Trotta)
• 079bba7 test: Add tests for isValidWithUnicodeFlag (#​20601) (Manish chaudhary)
• 5885ae6 ci: unpin Node.js 25.x in CI (#​20615) (Copilot)
• f65e5d3 chore: update pnpm/action-setup digest to b906aff (#​20610) (renovate[bot])

v10.0.3

Compare Source

v10.0.2

Compare Source

v10.0.1

Compare Source

Bug Fixes

• c87d5bd fix: update eslint (#​20531) (renovate[bot])
• d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#​20519) (루밀LuMir)
• 04c2147 fix: update error message for unused suppressions (#​20496) (fnx)
• 38b089c fix: update dependency @​eslint/config-array to ^0.23.1 (#​20484) (renovate[bot])

Documentation

• 5b3dbce docs: add AI acknowledgement section to templates (#​20431) (루밀LuMir)
• 6f23076 docs: toggle nav in no-JS mode (#​20476) (Tanuj Kanti)
• b69cfb3 docs: Update README (GitHub Actions Bot)

Chores

• e5c281f chore: updates for v9.39.3 release (Jenkins)
• 8c3832a chore: update @​typescript-eslint/parser to ^8.56.0 (#​20514) (Milos Djermanovic)
• 8330d23 test: add tests for config-api (#​20493) (Milos Djermanovic)
• 37d6e91 chore: remove eslint v10 prereleases from eslint-config-eslint deps (#​20494) (Milos Djermanovic)
• da7cd0e refactor: cleanup error message templates (#​20479) (Francesco Trotta)
• 84fb885 chore: package.json update for @​eslint/js release (Jenkins)
• 1f66734 chore: add eslint to peerDependencies of @eslint/js (#​20467) (Milos Djermanovic)

v10.0.0

Compare Source

v9.39.4

Compare Source

Bug Fixes

• f18f6c8 fix: update dependency minimatch to ^3.1.5 (#​20564) (Milos Djermanovic)
• a3c868f fix: update dependency @​eslint/eslintrc to ^3.3.4 (#​20554) (Milos Djermanovic)
• 234d005 fix: minimatch security vulnerability patch for v9.x (#​20549) (Andrej Beles)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#​20538) (루밀LuMir)

Documentation

• 4675152 docs: add deprecation notice partial (#​20520) (Milos Djermanovic)

Chores

• b8b4eb1 chore: update dependencies for ESLint v9.39.4 (#​20596) (Francesco Trotta)
• 71b2f6b chore: package.json update for @​eslint/js release (Jenkins)
• 1d16c2f ci: pin Node.js 25.6.1 (#​20563) (Milos Djermanovic)

v9.39.3

Compare Source

Bug Fixes

• 791bf8d fix: restore TypeScript 4.0 compatibility in types (#​20504) (sethamus)

Chores

• 8594a43 chore: upgrade @​eslint/js@​9.39.3 (#​20529) (Milos Djermanovic)
• 9ceef92 chore: package.json update for @​eslint/js release (Jenkins)
• af498c6 chore: ignore /docs/v9.x in link checker (#​20453) (Milos Djermanovic)

v9.39.2

Compare Source

v9.39.1

Compare Source

v9.39.0

Compare Source

v9.38.0

Compare Source

Features

• ce40f74 feat: update complexity rule to only highlight function header (#​20048) (Atul Nair)
• e37e590 feat: correct no-loss-of-precision false positives with e notation (#​20187) (Francesco Trotta)

Bug Fixes

• 50c3dfd fix: improve type support for isolated dependencies in pnpm (#​20201) (Francesco Trotta)
• a1f06a3 fix: correct SourceCode typings (#​20114) (Pixel998)

Documentation

• 462675a docs: improve web accessibility by hiding non-semantic character (#​20205) (루밀LuMir)
• c070e65 docs: correct formatting in no-irregular-whitespace rule documentation (#​20203) (루밀LuMir)
• b39e71a docs: Update README (GitHub Actions Bot)
• cd39983 docs: move custom-formatters type descriptions to nodejs-api (#​20190) (Percy Ma)

Chores

• d17c795 chore: upgrade @​eslint/js@​9.38.0 (#​20221) (Milos Djermanovic)
• 25d0e33 chore: package.json update for @​eslint/js release (Jenkins)
• c82b5ef refactor: Use types from @​eslint/core (#​20168) (Nicholas C. Zakas)
• ff31609 ci: add Node.js 25 to ci.yml (#​20220) (루밀LuMir)
• 004577e ci: bump github/codeql-action from 3 to 4 (#​20211) (dependabot[bot])
• eac71fb test: remove use of nodejsScope option of eslint-scope from tests (#​20206) (Milos Djermanovic)
• 4168a18 chore: fix typo in legacy-eslint.js (#​20202) (Sweta Tanwar)
• 205dbd2 chore: fix typos (#​20200) (ntnyq)
• dbb200e chore: use team member's username when name is not available in data (#​20194) (Milos Djermanovic)
• 8962089 chore: mark deprecated rules as available until v11.0.0 (#​20184) (Pixel998)

v9.37.0

Compare Source

Features

• 39f7fb4 feat: preserve-caught-error should recognize all static "cause" keys (#​20163) (Pixel998)
• f81eabc feat: support TS syntax in no-restricted-imports (#​19562) (Nitin Kumar)

Bug Fixes

• a129cce fix: correct no-loss-of-precision false positives for leading zeros (#​20164) (Francesco Trotta)
• 09e04fc fix: add missing AST token types (#​20172) (Pixel998)
• 861c6da fix: correct ESLint typings (#​20122) (Pixel998)

Documentation

• b950359 docs: fix typos across the docs (#​20182) (루밀LuMir)
• 42498a2 docs: improve ToC accessibility by hiding non-semantic character (#​20181) (Percy Ma)
• 29ea092 docs: Update README (GitHub Actions Bot)
• 5c97a04 docs: show availableUntil in deprecated rule banner (#​20170) (Pixel998)
• 90a71bf docs: update README files to add badge and instructions (#​20115) (루밀LuMir)
• 1603ae1 docs: update references from master to main (#​20153) (루밀LuMir)

Chores

• afe8a13 chore: update @eslint/js dependency to version 9.37.0 (#​20183) (Francesco Trotta)
• abee4ca chore: package.json update for @​eslint/js release (Jenkins)
• fc9381f chore: fix typos in comments (#​20175) (overlookmotel)
• e1574a2 chore: unpin jiti (#​20173) (renovate[bot])
• e1ac05e refactor: mark ESLint.findConfigFile() as async, add missing docs (#​20157) (Pixel998)
• 347906d chore: update eslint (#​20149) (renovate[bot])
• 0cb5897 test: remove tmp dir created for circular fixes in multithread mode test (#​20146) (Milos Djermanovic)
• bb99566 ci: pin jiti to version 2.5.1 (#​20151) (Pixel998)
• 177f669 perf: improve worker count calculation for "auto" concurrency (#​20067) (Francesco Trotta)
• 448b57b chore: Mark deprecated formatting rules as available until v11.0.0 (#​20144) (Milos Djermanovic)

v9.36.0

Compare Source

Features

• 47afcf6 feat: correct preserve-caught-error edge cases (#​20109) (Francesco Trotta)

Bug Fixes

• 75b74d8 fix: add missing rule option types (#​20127) (ntnyq)
• 1c0d850 fix: update eslint-all.js to use Object.freeze for rules object (#​20116) (루밀LuMir)
• 7d61b7f fix: add missing scope types to Scope.type (#​20110) (Pixel998)
• 7a670c3 fix: correct rule option typings in rules.d.ts (#​20084) (Pixel998)

Documentation

• b73ab12 docs: update examples to use defineConfig (#​20131) (sethamus)
• 31d9392 docs: fix typos (#​20118) (Pixel998)
• c7f861b docs: Update README (GitHub Actions Bot)
• 6b0c08b docs: Update README (GitHub Actions Bot)
• 91f97c5 docs: Update README (GitHub Actions Bot)

Chores

• 12411e8 chore: upgrade @​eslint/js@​9.36.0 (#​20139) (Milos Djermanovic)
• 488cba6 chore: package.json update for @​eslint/js release (Jenkins)
• bac82a2 ci: simplify renovate configuration (#​19907) (唯然)
• c00bb37 ci: bump actions/labeler from 5 to 6 (#​20090) (dependabot[bot])
• fee751d refactor: use defaultOptions in rules (#​20121) (Pixel998)
• 1ace67d chore: update example to use defineConfig (#​20111) (루밀LuMir)
• 4821963 test: add missing loc information to error objects in rule tests (#​20112) (루밀LuMir)
• b42c42e chore: disallow use of deprecated type property in core rule tests (#​20094) (Milos Djermanovic)
• 7bb498d test: remove deprecated type property from core rule tests (#​20093) (Pixel998)
• e10cf2a ci: bump actions/setup-node from 4 to 5 (#​20089) (dependabot[bot])
• 5cb0ce4 refactor: use meta.defaultOptions in preserve-caught-error (#​20080) (Pixel998)
• f9f7cb5 chore: package.json update for eslint-config-eslint release (Jenkins)
• 81764b2 chore: update eslint peer dependency in eslint-config-eslint (#​20079) (Milos Djermanovic)

v9.35.0

Compare Source

Features

• 42761fa feat: implement suggestions for no-empty-function (#​20057) (jaymarvelz)
• 102f444 feat: implement suggestions for no-empty-static-block (#​20056) (jaymarvelz)
• e51ffff feat: add preserve-caught-error rule (#​19913) (Amnish Singh Arora)

Bug Fixes

• 10e7ae2 fix: update uncloneable options error message (#​20059) (soda-sorcery)
• bfa4601 fix: ignore empty switch statements with comments in no-empty rule (#​20045) (jaymarvelz)
• dfd11de fix: add before and after to test case types (#​20049) (Francesco Trotta)
• dabbe95 fix: correct types for no-restricted-imports rule (#​20034) (Milos Djermanovic)
• ea789c7 fix: no-loss-of-precision false positive with uppercase exponent (#​20032) (sethamus)

Documentation

• d265515 docs: improve phrasing - "if" → "even if" from getting-started section (#​20074) (jjangga0214)
• a355a0e docs: invert comparison logic for example in no-var doc page (#​20064) (OTonGitHub)
• 5082fc2 docs: Update README (GitHub Actions Bot)
• 99cfd7e docs: add missing "the" in rule deprecation docs (#​20050) (Josh Goldberg ✨)
• 6ad8973 docs: update --no-ignore and --ignore-pattern documentation (#​20036) (Francesco Trotta)
• 8033b19 docs: add documentation for --no-config-lookup (#​20033) (Francesco Trotta)

Chores

• da87f2f chore: upgrade @​eslint/js@​9.35.0 (#​20077) (Milos Djermanovic)
• af2a087 chore: package.json update for @​eslint/js release (Jenkins)
• 7055764 test: remove tests/lib/eslint/eslint.config.js (#​20065) (Milos Djermanovic)
• 84ffb96 chore: update @eslint-community/eslint-utils (#​20069) (Francesco Trotta)
• d5ef939 refactor: remove deprecated context.parserOptions usage across rules (#​20060) (sethamus)
• 1b3881d chore: remove redundant word (#​20058) (pxwanglu)

v9.34.0

Compare Source

Features

• 0bb777a feat: multithread linting (#​19794) (Francesco Trotta)
• 43a5f9e feat: add eslint-plugin-regexp to eslint-config-eslint base config (#​19951) (Pixel998)

Bug Fixes

• 9b89903 fix: default value of accessor-pairs option in rule.d.ts file (#​20024) (Tanuj Kanti)
• 6c07420 fix: fix spurious failure in neostandard integration test (#​20023) (Kirk Waiblinger)
• 676f4ac fix: allow scientific notation with trailing zeros matching exponent (#​20002) (Sweta Tanwar)

Documentation

• 0b4a590 docs: make rulesdir deprecation clearer (#​20018) (Domenico Gemoli)
• 327c672 docs: Update README (GitHub Actions Bot)
• bf26229 docs: Fix typo in core-concepts/index.md (#​20009) (Tobias Hernstig)
• 2309327 docs: fix typo in the "Configuring Rules" section (#​20001) (ghazi-git)
• 2b87e21 docs: [no-else-return] clarify sample code. (#​19991) (Yuki Takada (Yukinosuke Takada))
• c36570c docs: Update README (GitHub Actions Bot)

Chores

• f19ad94 chore: upgrade to @eslint/js@9.34.0 (#​20030) (Francesco Trotta)
• b48fa20 chore: package.json update for @​eslint/js release (Jenkins)
• 4bce8a2 chore: package.json update for eslint-config-eslint release (Jenkins)
• 0c9999c refactor: prefer default options in grouped-accessor-pairs (#​20028) (루밀LuMir)
• d503f19 ci: fix stale.yml (#​20010) (루밀LuMir)
• e2dc67d ci: centralize stale.yml (#​19994) (루밀LuMir)
• 7093cb8 ci: bump actions/checkout from 4 to 5 (#​20005) (dependabot[bot])

v9.33.0

Compare Source

Features

• e07820e feat: add global object access detection to no-restricted-globals (#​19939) (sethamus)
• 90b050e feat: support explicit resource management in one-var (#​19941) (Sweta Tanwar)

Bug Fixes

• 732433c fix: allow any type for meta.docs.recommended in custom rules (#​19995) (Francesco Trotta)
• e8a6914 fix: Fixed potential bug in check-emfile-handling.js (#​19975) (諏訪原慶斗)

Documentation

• 34f0723 docs: playground button for TypeScript code example (#​19671) (Tanuj Kanti)
• dc942a4 docs: Update README (GitHub Actions Bot)
• 5a4b6f7 docs: Update no-multi-assign.md (#​19979) (Yuki Takada (Yukinosuke Takada))
• 247e156 docs: add missing let declarations in no-plusplus (#​19980) (Yuki Takada (Yukinosuke Takada))
• 0d17242 docs: Update README (GitHub Actions Bot)
• fa20b9d docs: Clarify when to open an issue for a PR (#​19974) (Nicholas C. Zakas)

Build Related

• 27fa865 build: use ESLint class to generate formatter examples (#​19972) (Milos Djermanovic)

Chores

• 4258046 chore: update dependency @​eslint/js to v9.33.0 (#​19998) (renovate[bot])
• ad28371 chore: package.json update for @​eslint/js release (Jenkins)
• 06a22f1 test: resolve flakiness in --mcp flag test (#​19993) (Pixel998)
• 54920ed test: switch to Linter.Config in ESLintRules type tests (#​19977) (Francesco Trotta)

v9.32.0

Compare Source

Features

• 1245000 feat: support explicit resource management in core rules (#​19828) (fnx)
• 0e957a7 feat: support typescript types in accessor rules (#​19882) (fnx)

Bug Fixes

• 960fd40 fix: Upgrade @​eslint/js (#​19971) (Nicholas C. Zakas)
• bbf23fa fix: Refactor reporting into FileReport (#​19877) (Nicholas C. Zakas)
• d498887 fix: bump @​eslint/plugin-kit to 0.3.4 to resolve vulnerability (#​19965) (Milos Djermanovic)
• f46fc6c fix: report only global references in no-implied-eval (#​19932) (Nitin Kumar)
• 7863d26 fix: remove outdated types in ParserOptions.ecmaFeatures (#​19944) (ntnyq)
• 3173305 fix: update execScript message in no-implied-eval rule (#​19937) (TKDev7)

Documentation

• 86e7426 docs: Update README (GitHub Actions Bot)

Chores

• 50de1ce chore: package.json update for @​eslint/js release (Jenkins)
• 74f01a3 ci: unpin jiti to version ^2.5.1 (#​19970) (루밀LuMir)
• 2ab1381 ci: pin jiti to version 2.4.2 (#​19964) (Francesco Trotta)
• b7f7545 test: switch to flat config mode in SourceCode tests (#​19953) (Milos Djermanovic)
• f5a35e3 test: switch to flat config mode in eslint-fuzzer (#​19960) (Milos Djermanovic)
• e22af8c refactor: use CustomRuleDefinitionType in JSRuleDefinition (#​19949) (Francesco Trotta)
• e855717 chore: switch performance tests to hyperfine (#​19919) (Francesco Trotta)
• 2f73a23 test: switch to flat config mode in ast-utils tests (#​19948) (Milos Djermanovic)
• c565a53 chore: exclude further_reading_links.json from Prettier formatting (#​19943) (Milos Djermanovic)

v9.31.0

Compare Source

Features

• 35cf44c feat: output full actual location in rule tester if different (#​19904) (ST-DDT)
• a6a6325 feat: support explicit resource management in no-loop-func (#​19895) (Milos Djermanovic)
• 4682cdc feat: support explicit resource management in no-undef-init (#​19894) (Milos Djermanovic)
• 5848216 feat: support explicit resource management in init-declarations (#​19893) (Milos Djermanovic)
• bb370b8 feat: support explicit resource management in no-const-assign (#​19892) (Milos Djermanovic)

Bug Fixes

• 07fac6c fix: retry on EMFILE when writing autofix results (#​19926) (TKDev7)
• 28cc7ab fix: Remove incorrect RuleContext types (#​19910) (Nicholas C. Zakas)

Documentation

• 664cb44 docs: Update README (GitHub Actions Bot)
• 40dbe2a docs: fix mismatch between globalIgnores() code and text (#​19914) (MaoShizhong)
• 5a0069d docs: Update README (GitHub Actions Bot)
• fef04b5 docs: Update working on issues info (#​19902) (Nicholas C. Zakas)

Chores

• 3ddd454 chore: upgrade to @eslint/js@9.31.0 (#​19935) (Francesco Trotta)
• d5054e5 chore: package.json update for @​eslint/js release (Jenkins)
• 0f4a378 chore: update eslint ([#​19933](https://redirect.github.com/eslint/e

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	nuxt@​2.17.2 ⏵ 2.15.8	+1		+1
	@​nuxt/​content-theme-docs@​0.11.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code in npm @babel/traverse CVE: GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (CRITICAL) Affected versions: < 7.23.2; >= 8.0.0-alpha.0 < 8.0.0-alpha.4 Patched version: 7.23.2 From: ? → npm/nuxt@2.15.8 → npm/@nuxt/content-theme-docs@0.11.1 → npm/@babel/traverse@7.22.8 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/traverse@7.22.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm cipher-base is missing type checks, leading to hash rewind and passing on crafted data CVE: GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data (CRITICAL) Affected versions: < 1.0.5 Patched version: 1.0.5 From: ? → npm/cipher-base@1.0.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cipher-base@1.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) CVE: GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) (CRITICAL) Affected versions: < 6.6.1 Patched version: 6.6.1 From: ? → npm/elliptic@6.5.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Inefficient Regular Expression Complexity in npm koa CVE: GHSA-593f-38f6-jp5m Inefficient Regular Expression Complexity in koa (CRITICAL) Affected versions: >= 2.0.0 < 2.15.4; >= 3.0.0-alpha.0 < 3.0.0-alpha.3; >= 1.0.0 < 1.7.1; < 0.21.2 Patched version: 2.15.4 From: ? → npm/koa@2.14.2 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/koa@2.14.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos CVE: GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos (CRITICAL) Affected versions: >= 3.0.10 < 3.1.3 Patched version: 3.1.3 From: ? → npm/pbkdf2@3.1.2 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pbkdf2@3.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm pbkdf2 silently disregards Uint8Array input, returning static keys CVE: GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys (CRITICAL) Affected versions: >= 1.0.0 < 3.1.3 Patched version: 3.1.3 From: ? → npm/pbkdf2@3.1.2 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pbkdf2@3.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm buffer is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: ? → npm/buffer@4.9.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/buffer@4.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report