@dependabot dependabot bot commented on behalf of github Nov 4, 2025

Bumps @eslint/js from 9.39.0 to 9.39.1.

Release notes

Sourced from @​eslint/js's releases.

v9.39.1

Bug Fixes

  • 650753e fix: Only pass node to JS lang visitor methods (#20283) (Nicholas C. Zakas)

Documentation

  • 51b51f4 docs: add a section on when to use extends vs cascading (#20268) (Tanuj Kanti)
  • b44d426 docs: Update README (GitHub Actions Bot)

Chores

  • 92db329 chore: update @eslint/js version to 9.39.1 (#20284) (Francesco Trotta)
  • c7ebefc chore: package.json update for @​eslint/js release (Jenkins)
  • 61778f6 chore: update eslint-config-eslint dependency @​eslint/js to ^9.39.0 (#20275) (renovate[bot])
  • d9ca2fc ci: Add rangeStrategy to eslint group in renovate config (#20266) (唯然)
  • 009e507 test: fix version tests for ESLint v10 (#20274) (Milos Djermanovic)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) from 9.39.0 to 9.39.1.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/commits/v9.39.1/packages/js)

---
updated-dependencies:
- dependency-name: "@eslint/js"
  dependency-version: 9.39.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Nov 4, 2025
@dependabot dependabot bot requested a review from a team as a code owner November 4, 2025 04:16
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 4, 2025
@dependabot dependabot bot requested a review from tjugdev November 4, 2025 04:16
@dependabot dependabot bot added the javascript Pull requests that update javascript code label Nov 4, 2025

fossabot bot commented Nov 4, 2025

fossabot is Thinking

fossabot bot commented Nov 4, 2025

✓ Safe to upgrade

I recommend merging this upgrade because it's a patch release that fixes critical bugs including crashes with TypeScript ESLint rules. The upgrade is from a development-only linting dependency with no breaking changes, and the reported malicious packages are unrelated typosquatting attacks on different package names that are not present in this project. The project does not use the affected unified-signatures rule, so this upgrade provides stability improvements without introducing any risks.

What we checked

  • Dependency upgraded from ^9.39.0 to ^9.39.1 - patch version bump indicating bug fixes only [1]
  • Package is imported and used only for ESLint configuration (js.configs.recommended and js.configs.all), confirming development-time only usage [2]
  • Official ESLint release notes confirm this is a bug fix release addressing crashes with TypeScript ESLint unified-signatures rule [3]
  • Project does not use the unified-signatures rule that was causing crashes in 9.39.0, so the bug did not affect this codebase [4]

Dependency Usage

The @​eslint/js package is used exclusively in the project's linting infrastructure, specifically within the ESLint configuration file where it provides the base recommended and all-rules configurations that serve as the foundation for the project's code quality standards. This development-time dependency enables the FOSSA Action GitHub project to enforce consistent TypeScript and JavaScript coding standards across the codebase, supporting code quality and maintainability for this license compliance and security scanning tool. The package follows a standard architectural pattern where build-time tooling is isolated to configuration files and npm scripts, ensuring zero runtime dependencies for the production application.

Changes

This update to @​eslint/js fixes a bug where incorrect data was being passed to JavaScript language visitor methods, correcting the visitor API contract. The package also adds CI improvements for dependency management and documentation updates for configuration best practices.

  • docs: add a section on when to use extends vs cascading (#20268) (51b51f4) (v9.39.1, changelog)
  • Only pass node to JS lang visitor methods (#20283) (650753e) (v9.39.1, changelog)
  • chore: package.json update for @​eslint/js release (c7ebefc) (v9.39.1, changelog)
  • chore: update @​eslint/js version to 9.39.1 (#20284) (92db329) (v9.39.1, changelog)
  • Build: changelog update for 9.39.1 (4cdf397) (v9.39.1, changelog)
  • 9.39.1 (e277281) (v9.39.1, changelog)
  • 650753e fix: Only pass node to JS lang visitor methods (#20283) (Nicholas C. Zakas) (v9.39.1, release notes)
  • 51b51f4 docs: add a section on when to use extends vs cascading (#20268) (Tanuj Kanti) (v9.39.1, release notes)
  • b44d426 docs: Update README (GitHub Actions Bot) (v9.39.1, release notes)
  • 92db329 chore: update @eslint/js version to 9.39.1 (#20284) (Francesco Trotta) (v9.39.1, release notes)
  • c7ebefc chore: package.json update for @eslint/js release (Jenkins) (v9.39.1, release notes)
  • 61778f6 chore: update eslint-config-eslint dependency @eslint/js to ^9.39.0 (#20275) (renovate[bot]) (v9.39.1, release notes)
  • d9ca2fc ci: Add rangeStrategy to eslint group in renovate config (#20266) (唯然) (v9.39.1, release notes)
  • 009e507 test: fix version tests for ESLint v10 (#20274) (Milos Djermanovic) (v9.39.1, release notes)
References (4)

[1]: Dependency upgraded from ^9.39.0 to ^9.39.1 - patch version bump indicating bug fixes only

"@eslint/js": "^9.39.1",

[2]: Package is imported and used only for ESLint configuration (js.configs.recommended and js.configs.all), confirming development-time only usage

import js from "@eslint/js";

[3]: Official ESLint release notes confirm this is a bug fix release addressing crashes with TypeScript ESLint unified-signatures rule (source link)

[4]: Project does not use the unified-signatures rule that was causing crashes in 9.39.0, so the bug did not affect this codebase
https://github.com/fossas/fossa-action/blob/833c481d519b8f6f1cc0d5bd8014cc85de9eca98/eslint.config.mjs


fossabot analyzed this PR using dependency research.

@tjugdev tjugdev merged commit c2c5bca into main Nov 4, 2025
2 checks passed
@tjugdev tjugdev deleted the dependabot/npm_and_yarn/eslint/js-9.39.1 branch November 4, 2025 15:40