Skip to content

⬆️ Bump eslint from 8.57.0 to 10.0.2#86

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/eslint-10.0.2
Closed

⬆️ Bump eslint from 8.57.0 to 10.0.2#86
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/eslint-10.0.2

:arrow_up: Bump eslint from 8.57.0 to 10.0.2

e1ee162
Select commit
Loading
Failed to load commit list.
Socket Security / Socket Security: Pull Request Alerts failed Feb 23, 2026 in 5s

Pull Request #86 Alerts: Complete with warnings

Report Status Message
PR #86 Alerts ⚠️ Found 23 project alerts

Pull request alerts notify when new issues are detected between the diff of the pull request and it's target branch.

Details

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
Dynamic code execution: npm eslint-scope

Eval Type: eval

Location: Package overview

From: package-lock.jsonnpm/eslint@10.0.2npm/eslint-scope@9.1.1

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint-scope@9.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm eslint in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.jsonnpm/eslint@10.0.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint@10.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm @eslint/config-array

URLs: https://facelessuser.github.io/wcmatch/glob/#posix-character-classes, https://www.linuxjournal.com/content/bash-extended-globbing., https://www.linuxjournal.com/content/globstar-new-bash-globbing-option., https://deno.land/std/path/mod.ts, https://deno.land/std/path/mod.ts?a=b, https://deno.land/std/path/mod.ts#header, https://deno.land/std/path, https://deno.land, https://deno.land/std/assert/mod.ts, https://deno.land/std/async/retry.ts

Location: Package overview

From: package-lock.jsonnpm/eslint@10.0.2npm/@eslint/config-array@0.23.2

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@eslint/config-array@0.23.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Dynamic module loading: npm @eslint/config-array

Location: Package overview

From: package-lock.jsonnpm/eslint@10.0.2npm/@eslint/config-array@0.23.2

ℹ Read more on: This package | This alert | What is dynamic require?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@eslint/config-array@0.23.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm @eslint/core

URLs: https://eslint.org/docs/latest/use/configure/language-options#specifying-parser-options, meta.name, https://eslint.org/docs/latest/use/configure/language-options-deprecated#specifying-parser-options, https://eslint.org/docs/latest/use/configure/, https://eslint.org/docs/latest/use/configure/language-options-deprecated#specifying-environments, https://eslint.org/docs/latest/use/configure/configuration-files-deprecated#extending-configuration-files, https://eslint.org/docs/latest/use/configure/language-options-deprecated#specifying-globals, https://eslint.org/docs/latest/use/configure/rules-deprecated#disabling-inline-comments, https://eslint.org/docs/latest/use/configure/configuration-files-deprecated#how-do-overrides-work, https://eslint.org/docs/latest/extend/custom-parsers, https://eslint.org/docs/latest/use/configure/parser-deprecated, https://eslint.org/docs/latest/use/configure/plugins-deprecated#configure-plugins, https://eslint.org/docs/latest/use/configure/plugins-deprecated#specify-a-processor, https://eslint.org/docs/latest/use/configure/rules-deprecated#report-unused-eslint-disable-comments, https://eslint.org/docs/latest/use/configure/configuration-files-deprecated#adding-shared-settings, https://eslint.org/docs/latest/use/configure/ignore-deprecated#ignorepatterns-in-config-files, https://eslint.org/docs/latest/use/configure/configuration-files-deprecated#using-configuration-files

Location: Package overview

From: package-lock.jsonnpm/eslint@10.0.2npm/@eslint/core@1.1.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@eslint/core@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm @types/json-schema

URLs: http://json-schema.org/schema#, http://json-schema.org/hyper-schema#, http://json-schema.org/draft-04/schema#, http://json-schema.org/draft-04/hyper-schema#, http://json-schema.org/draft-03/schema#, http://json-schema.org/draft-03/hyper-schema#, https://tools.ietf.org/html/draft-zyp-json-schema-03#section-5.3, https://tools.ietf.org/html/draft-zyp-json-schema-03#section-5.19, https://tools.ietf.org/html/draft-zyp-json-schema-03#section-5.26, https://tools.ietf.org/html/draft-zyp-json-schema-04#section-5.6, https://github.com/microsoft/TypeScript/issues/3496#issuecomment-128553540, https://tools.ietf.org/html/draft-handrews-json-schema-validation-01#section-5, https://tools.ietf.org/html/draft-wright-json-schema-validation-01, https://tools.ietf.org/html/draft-wright-json-schema-validation-01#section-6.18, http://json-schema.org/draft-07/schema#, http://json-schema.org/draft-07/hyper-schema#

Location: Package overview

From: package-lock.jsonnpm/eslint@10.0.2npm/@types/json-schema@7.0.15

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@types/json-schema@7.0.15. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm ajv

URLs: https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#, schema.id, https://github.com/ajv-validator/ajv/blob/master/lib/definition_schema.js, http://json-schema.org/draft-07/schema#, http://json-schema.org/draft-07/schema, http://json-schema.org/schema, https://gist.github.com/dperini/729294, https://mathiasbynens.be/demo/url-regex, https://github.com/eslint/eslint/issues/7983., http://tools.ietf.org/html/rfc3339#section-5.6, https://github.com/mafintosh/is-my-json-valid/blob/master/formats.js, http://stackoverflow.com/questions/201323/using-a-regular-expression-to-validate-an-email-address#answer-8829363, http://www.w3.org/TR/html5/forms.html#valid-e-mail-address, https://www.safaribooksonline.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html, http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses, http://tools.ietf.org/html/rfc4122, https://tools.ietf.org/html/rfc6901, https://tools.ietf.org/html/rfc3986#appendix-A, http://tools.ietf.org/html/draft-luff-relative-json-pointer-00, https://tools.ietf.org/html/rfc3339#appendix-C, http://jmrware.com/articles/2009/uri_regexp/URI_regex.html, https://mathiasbynens.be/notes/javascript-encoding, https://github.com/bestiejs/punycode.js, https://tools.ietf.org/html/rfc3492#section-3.4, gary.court@gmail.com, https://github.com/epoberezkin/fast-json-stable-stringify, min.js.map

Location: Package overview

From: package-lock.jsonnpm/eslint@10.0.2npm/ajv@6.14.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code augments a meta-schema to permit remote dereferencing of keyword schemas via a hardcoded data.json resource. This introduces network dependency and potential changes to validation semantics at runtime. While not inherently malicious, the remote reference constitutes a notable security and reliability risk that should be mitigated with local fallbacks, input validation, and explicit remote-resource governance.

Confidence: 1.00

Severity: 0.60

From: package-lock.jsonnpm/eslint@10.0.2npm/ajv@6.14.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code is a straightforward build script to bundle and minify a specified package using Browserify and UglifyJS. The primary security concern is potential path manipulation: json.main is used to form a require path without validating that it stays within the target package directory. If a malicious or misconfigured package.json includes an absolute path or traversal outside the package, the script could bundle unintended files. Otherwise, the script does not perform network access, data exfiltration, or backdoor actions, and there is no hard-coded secrets or dynamic code execution beyond standard bundling/minification.

Confidence: 1.00

Severity: 0.60

From: package-lock.jsonnpm/eslint@10.0.2npm/ajv@6.14.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm eslint-scope

URLs: node.id, https://github.com/estools/escope/pull/69, https://github.com/estree/estree/pull/20#issuecomment-74584758, http://people.mozilla.org/~jorendorff/es6-draft.html#sec-moduledeclarationinstantiation, https://github.com/estree/estree/blob/master/es6.md#importdeclaration, https://github.com/estools/esrecurse, https://github.com/estools/escope, http://www.ecma-international.org/publications/standards/Ecma-262.htm, https://github.com/estools/esmangle, https://developer.mozilla.org/en-US/docs/SpiderMonkey/Parser_API, https://github.com/eslint/espree

Location: Package overview

From: package-lock.jsonnpm/eslint@10.0.2npm/eslint-scope@9.1.1

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint-scope@9.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm eslint-visitor-keys

URLs: https://github.com/jsdoc-type-pratt-parser/jsdoc-type-pratt-parser/issues/164

Location: Package overview

From: package-lock.jsonnpm/eslint@10.0.2npm/eslint-visitor-keys@5.0.1

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint-visitor-keys@5.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm eslint

URLs: https://github.com/nodejs/node/blob/master/doc/api/process.md#processstdin, https://github.com/nodejs/node/blob/master/doc/api/process.md#a-note-on-process-io, https://lists.gnu.org/archive/html/bug-gnu-emacs/2016-01/msg00419.html, https://github.com/nodejs/node/issues/7439, https://eslint.org/blog/2023/10/deprecating-formatting-rules/, https://eslint.style/guide/migration, https://eslint.style, https://eslint.style/rules/function-call-argument-newline, https://eslint.org/docs/latest/rules/function-call-argument-newline, http://www.graphviz.org, http://www.webgraphviz.com, https://eslint.style/rules/array-element-newline, https://eslint.org/docs/latest/rules/array-element-newline, https://eslint.org/docs/latest/rules/accessor-pairs, https://eslint.org/docs/latest/rules/default-case, https://eslint.style/rules/arrow-parens, https://eslint.org/docs/latest/rules/arrow-parens, https://eslint.org/docs/latest/rules/capitalized-comments, https://eslint.org/docs/latest/rules/id-denylist, https://eslint.style/rules/comma-dangle, https://eslint.org/docs/latest/rules/comma-dangle, https://eslint.style/rules/brace-style, https://eslint.org/docs/latest/rules/brace-style, https://eslint.org/docs/latest/rules/curly, https://eslint.style/rules/array-bracket-spacing, https://eslint.org/docs/latest/rules/array-bracket-spacing, https://eslint.org/docs/latest/rules/camelcase, Identifier.property, https://eslint.org/docs/latest/rules/array-callback-return, https://eslint.org/blog/2020/07/eslint-v7.5.0-released/#deprecating-id-blacklist, https://eslint.org/docs/rules/id-denylist, https://eslint.org/docs/latest/rules/id-blacklist, https://eslint.style/rules/function-call-spacing, https://eslint.org/docs/latest/rules/func-call-spacing, https://eslint.style/rules/block-spacing, https://eslint.org/docs/latest/rules/block-spacing, https://eslint.style/rules/dot-location, https://eslint.org/docs/latest/rules/dot-location, https://eslint.style/rules/computed-property-spacing, https://eslint.org/docs/latest/rules/computed-property-spacing, https://eslint.style/rules/arrow-spacing, https://eslint.org/docs/latest/rules/arrow-spacing, https://eslint.org/docs/latest/rules/arrow-body-style, https://eslint.org/docs/latest/rules/id-match, https://eslint.style/rules/array-bracket-newline, https://eslint.org/docs/latest/rules/array-bracket-newline, https://eslint.org/docs/latest/rules/consistent-return, https://eslint.org/docs/latest/rules/constructor-super, https://eslint.org/docs/latest/extend/custom-rules#options-schemas, https://eslint.org/docs/latest/integrate/nodejs-api#customizing-ruletester, https://eslint.style/rules/comma-style, https://eslint.org/docs/latest/rules/comma-style, https://eslint.org/docs/latest/rules/default-param-last, https://eslint.org/docs/latest/rules/func-name-matching, https://eslint.org/docs/latest/rules/logical-assignment-operators, context.report, https://eslint.org/docs/latest/use/migrating-to-7.0.0#deprecate-node-rules, https://github.com/eslint-community/eslint-plugin-n, https://github.com/eslint-community/eslint-plugin-n/tree/master/docs/rules/callback-return.md, https://eslint.org/docs/latest/rules/callback-return, https://eslint.org/docs/latest/rules/grouped-accessor-pairs, https://eslint.org/docs/latest/rules/for-direction, https://eslint.org/docs/latest/rules/eqeqeq, https://eslint.org/docs/latest/rules/func-style, https://eslint.org/docs/latest/rules/default-case-last, https://eslint.org/docs/latest/rules/consistent-this, https://eslint.org/docs/latest/rules/id-length, https://eslint.org/docs/latest/rules/class-methods-use-this, https://eslint.style/rules/generator-star-spacing, https://eslint.org/docs/latest/rules/generator-star-spacing, https://eslint.org/docs/latest/rules/no-async-promise-executor, https://eslint.style/rules/function-paren-newline, https://eslint.org/docs/latest/rules/function-paren-newline, https://eslint.org/docs/latest/rules/complexity, https://eslint.org/docs/latest/rules/getter-return, https://eslint.org/docs/latest/rules/dot-notation, https://eslint.org/docs/latest/rules/init-declarations, https://eslint.style/rules/comma-spacing, https://eslint.org/docs/latest/rules/comma-spacing, https://github.com/eslint-community/eslint-plugin-n/tree/master/docs/rules/handle-callback-err.md, https://eslint.org/docs/latest/rules/handle-callback-err, https://eslint.org/docs/latest/rules/lines-around-directive, https://eslint.org/blog/2017/06/eslint-v4.0.0-released/, https://eslint.org/docs/latest/rules/padding-line-between-statements#examples, https://eslint.style/rules/padding-line-between-statements, https://eslint.style/rules/implicit-arrow-linebreak, https://eslint.org/docs/latest/rules/implicit-arrow-linebreak, https://eslint.style/rules/lines-between-class-members, https://eslint.org/docs/latest/rules/lines-between-class-members, https://eslint.org/docs/latest/rules/indent-legacy, https://eslint.style/rules/indent, https://eslint.style/rules/multiline-comment-style, https://eslint.org/docs/latest/rules/multiline-comment-style, https://eslint.style/rules/linebreak-style, https://eslint.org/docs/latest/rules/linebreak-style, https://eslint.style/rules/eol-last, https://eslint.org/docs/latest/rules/eol-last, https://eslint.style/rules/new-parens, https://eslint.org/docs/latest/rules/new-parens, https://eslint.org/docs/latest/rules/indent, https://eslint.style/rules/keyword-spacing, https://eslint.org/docs/latest/rules/keyword-spacing, https://eslint.org/docs/latest/rules/max-nested-callbacks, https://eslint.org/docs/latest/rules/max-params, https://eslint.org/docs/latest/rules/guard-for-in, https://eslint.org/docs/latest/rules/max-classes-per-file, https://eslint.style/rules/max-statements-per-line, https://eslint.org/docs/latest/rules/max-statements-per-line, https://eslint.style/rules/max-len, https://eslint.org/docs/latest/rules/max-len, https://eslint.org/docs/latest/rules/max-statements, https://eslint.org/docs/latest/rules/new-cap, https://eslint.org/docs/latest/rules/no-const-assign, https://eslint.org/docs/latest/rules/max-depth, https://eslint.org/docs/latest/rules/newline-after-var, https://eslint.org/docs/latest/rules/no-catch-shadow, https://eslint.org/blog/2018/07/eslint-v5.1.0-released/, https://eslint.org/docs/rules/no-shadow, https://eslint.org/docs/latest/rules/max-lines, https://eslint.org/docs/latest/rules/no-bitwise, https://eslint.style/rules/lines-around-comment, https://eslint.org/docs/latest/rules/lines-around-comment, https://eslint.org/docs/latest/rules/no-await-in-loop, https://eslint.style/rules/key-spacing, https://eslint.org/docs/latest/rules/key-spacing, https://eslint.style/rules/no-confusing-arrow, https://eslint.org/docs/latest/rules/no-confusing-arrow, https://eslint.org/docs/latest/rules/no-alert, https://eslint.org/docs/latest/rules/newline-before-return, https://eslint.org/docs/latest/rules/max-lines-per-function, https://eslint.org/docs/latest/rules/no-compare-neg-zero, https://eslint.org/docs/latest/rules/no-class-assign, https://eslint.org/docs/latest/rules/no-constant-condition, https://eslint.org/docs/latest/rules/no-div-regex, https://eslint.org/docs/latest/rules/no-case-declarations, https://eslint.style/rules/multiline-ternary, https://eslint.org/docs/latest/rules/multiline-ternary, https://eslint.style/rules/newline-per-chained-call, https://eslint.org/docs/latest/rules/newline-per-chained-call, https://eslint.style/rules/line-comment-position, https://eslint.org/docs/latest/rules/line-comment-position, https://eslint.org/docs/latest/rules/no-dupe-class-members, https://eslint.org/docs/latest/rules/no-cond-assign, https://eslint.org/docs/latest/rules/no-array-constructor, https://eslint.org/docs/latest/rules/no-continue, https://eslint.org/docs/latest/rules/no-control-regex, https://eslint.org/docs/latest/rules/no-extra-boolean-cast, https://eslint.org/docs/latest/rules/no-duplicate-case, https://eslint.org/docs/latest/rules/no-constructor-return, https://eslint.org/docs/latest/rules/no-delete-var, https://eslint.org/docs/latest/rules/no-caller, https://eslint.org/docs/latest/rules/no-extend-native, https://eslint.org/docs/latest/rules/no-eq-null, https://eslint.org/docs/latest/rules/no-empty-pattern, https://eslint.org/docs/latest/rules/no-extra-label, https://eslint.org/docs/latest/rules/no-empty-static-block, https://eslint.org/docs/latest/rules/no-dupe-keys, https://eslint.org/docs/latest/rules/no-debugger, https://eslint.org/docs/latest/rules/no-implied-eval, https://eslint.org/docs/latest/rules/no-ex-assign, https://eslint.org/docs/latest/rules/no-empty-character-class, https://eslint.org/docs/latest/rules/no-param-reassign, https://262.ecma-international.org/5.1/#sec-11.9.3, https://eslint.org/docs/latest/rules/no-constant-binary-expression, https://eslint.style/rules/no-floating-decimal, https://eslint.org/docs/latest/rules/no-floating-decimal, https://eslint.org/docs/latest/rules/no-implicit-globals, https://eslint.org/docs/latest/rules/no-implicit-coercion, https://eslint.org/docs/latest/rules/no-irregular-whitespace, https://eslint.org/docs/latest/rules/no-dupe-else-if, https://eslint.org/docs/latest/rules/no-func-assign, https://eslint.org/docs/latest/rules/no-empty, https://eslint.org/docs/latest/rules/no-extra-bind, https://eslint.org/docs/latest/rules/no-empty-function, https://eslint.org/docs/latest/rules/no-iterator, https://eslint.org/docs/latest/rules/no-nested-ternary, https://eslint.org/docs/latest/rules/no-global-assign, https://eslint.org/docs/latest/rules/no-labels, https://eslint.org/docs/latest/rules/no-inline-comments, https://eslint.style/rules/no-extra-parens, https://eslint.org/docs/latest/rules/no-extra-parens, foo.name, https://eslint.style/rules/no-extra-semi, https://eslint.org/docs/latest/rules/no-extra-semi, https://github.com/eslint-community/eslint-plugin-n/tree/master/docs/rules/no-mixed-requires.md, https://eslint.org/docs/latest/rules/no-mixed-requires, https://eslint.org/docs/latest/rules/no-lone-blocks, https://eslint.org/docs/latest/rules/no-inner-declarations, https://eslint.org/docs/latest/rules/no-label-var, https://eslint.style/rules/no-multiple-empty-lines, https://eslint.org/docs/latest/rules/no-multiple-empty-lines, https://eslint.style/rules/no-mixed-spaces-and-tabs, https://eslint.org/docs/latest/rules/no-mixed-spaces-and-tabs, https://eslint.org/docs/latest/rules/no-obj-calls, https://eslint.org/docs/latest/rules/no-duplicate-imports, https://eslint.org/docs/latest/rules/no-invalid-regexp, https://eslint.org/docs/latest/rules/no-multi-str, https://eslint.org/docs/latest/rules/no-fallthrough, https://eslint.org/docs/latest/rules/no-negated-in-lhs, https://eslint.org/blog/2016/08/eslint-v3.3.0-released/#deprecated-rules, https://eslint.org/docs/rules/no-unsafe-negation, https://eslint.org/docs/latest/rules/no-invalid-this, https://eslint.org/docs/latest/rules/no-native-reassign, https://eslint.org/docs/rules/no-global-assign, https://eslint.style/rules/no-mixed-operators, https://eslint.org/docs/latest/rules/no-mixed-operators, https://eslint.style/rules/no-multi-spaces, https://eslint.org/docs/latest/rules/no-multi-spaces, https://eslint.org/docs/latest/rules/no-lonely-if, https://eslint.org/docs/latest/rules/no-new, https://eslint.org/docs/latest/rules/no-negated-condition, https://eslint.org/docs/latest/rules/no-misleading-character-class, https://github.com/eslint/eslint/pull/17515, https://eslint.org/docs/latest/rules/no-import-assign, https://github.com/eslint-community/eslint-plugin-n/tree/master/docs/rules/no-new-require.md, https://eslint.org/docs/latest/rules/no-new-require, https://eslint.org/docs/latest/rules/no-octal, https://eslint.org/docs/latest/rules/no-proto, https://eslint.org/docs/latest/rules/no-multi-assign, https://eslint.org/docs/latest/rules/no-new-native-nonconstructor, https://eslint.org/docs/latest/rules/no-octal-escape, https://eslint.org/docs/latest/rules/no-script-url, https://eslint.org/docs/latest/rules/no-new-wrappers, https://eslint.org/docs/latest/rules/no-return-await, https://eslint.org/docs/latest/rules/no-new-func, https://eslint.org/docs/latest/rules/no-nonoctal-decimal-escape, https://eslint.org/docs/latest/rules/no-regex-spaces, https://eslint.org/docs/latest/rules/no-plusplus, https://eslint.org/docs/latest/rules/no-restricted-exports, https://eslint.org/docs/latest/rules/no-restricted-imports, https://eslint.org/docs/latest/rules/no-prototype-builtins, https://github.com/eslint-community/eslint-plugin-n/tree/master/docs/rules/no-process-env.md, https://eslint.org/docs/latest/rules/no-process-env, https://eslint.org/docs/latest/rules/no-new-object, https://eslint.org/blog/2023/09/eslint-v8.50.0-released/, https://eslint.org/docs/rules/no-object-constructor, https://eslint.org/docs/latest/rules/no-object-constructor, https://eslint.org/docs/latest/rules/no-shadow-restricted-names, https://eslint.org/docs/latest/rules/no-redeclare, https://eslint.org/docs/latest/rules/no-return-assign, https://eslint.org/docs/latest/rules/no-setter-return, https://github.com/eslint/eslint/pull/17282#issuecomment-1592795923, https://eslint.org/docs/latest/rules/no-promise-executor-return, https://github.com/eslint-community/eslint-plugin-n/tree/master/docs/rules/no-process-exit.md, https://eslint.org/docs/latest/rules/no-process-exit, https://eslint.org/docs/latest/rules/no-sequences, https://eslint.org/docs/latest/rules/no-restricted-properties, https://eslint.style/rules/no-tabs, https://eslint.org/docs/latest/rules/no-tabs, https://github.com/eslint-community/eslint-plugin-n/tree/master/docs/rules/no-sync.md, https://eslint.org/docs/latest/rules/no-sync, https://eslint.org/docs/latest/rules/no-spaced-func, https://eslint.org/docs/latest/rules/no-restricted-syntax, https://eslint.org/docs/latest/rules/no-ternary, https://eslint.org/docs/latest/rules/no-self-assign, https://eslint.org/docs/latest/rules/no-template-curly-in-string, https://eslint.org/docs/latest/rules/prefer-named-capture-group, https://eslint.org/docs/latest/rules/no-throw-literal, https://eslint.org/docs/latest/rules/no-undef-init, https://eslint.org/docs/latest/rules/no-this-before-super, https://eslint.org/docs/latest/rules/no-unused-labels, https://eslint.org/docs/latest/rules/no-unsafe-optional-chaining, https://eslint.org/docs/latest/rules/no-unreachable, https://eslint.org/docs/latest/rules/no-useless-backreference, https://eslint.style/rules/no-trailing-spaces, https://eslint.org/docs/latest/rules/no-trailing-spaces, https://eslint.org/docs/latest/rules/no-useless-computed-key, https://eslint.org/docs/latest/rules/no-unused-private-class-members, https://eslint.org/docs/latest/rules/no-sparse-arrays, https://eslint.org/docs/latest/rules/no-useless-catch, https://eslint.org/docs/latest/rules/no-useless-rename, https://eslint.org/docs/latest/rules/no-unassigned-vars, https://eslint.org/docs/latest/rules/no-unneeded-ternary, https://eslint.org/docs/latest/rules/no-underscore-dangle, https://eslint.org/docs/latest/rules/no-undef, https://eslint.org/docs/latest/rules/no-useless-escape, https://eslint.org/docs/latest/rules/no-self-compare, https://eslint.org/docs/latest/rules/no-useless-concat, https://eslint.org/docs/latest/rules/no-void, https://eslint.org/docs/latest/rules/no-warning-comments, https://eslint.style/rules/nonblock-statement-body-position, https://eslint.org/docs/latest/rules/nonblock-statement-body-position, https://eslint.org/docs/latest/rules/no-with, https://eslint.org/docs/latest/rules/no-useless-call, https://eslint.org/docs/latest/rules/no-unsafe-negation, https://eslint.style/rules/no-whitespace-before-property, https://eslint.org/docs/latest/rules/no-whitespace-before-property, https://eslint.style/rules/object-curly-newline, https://eslint.org/docs/latest/rules/object-curly-newline, https://eslint.org/docs/latest/rules/no-unused-expressions, https://eslint.org/docs/latest/rules/no-useless-constructor, https://eslint.org/docs/latest/rules/object-shorthand, https://eslint.org/docs/latest/rules/no-unreachable-loop, https://eslint.org/docs/latest/rules/no-unexpected-multiline, https://eslint.style/rules/object-property-newline, https://eslint.org/docs/latest/rules/object-property-newline, https://eslint.org/docs/latest/rules/no-useless-assignment, https://eslint.org/docs/latest/rules/preserve-caught-error, https://typescript-eslint.io/packages/type-utils/type-or-value-specifier/, https://github.com/eslint/eslint/pull/19913#discussion_r2192608593, https://github.com/eslint/eslint/discussions/16540, https://github.com/microsoft/TypeScript/blob/main/src/lib/es2022.error.d.ts, https://eslint.org/docs/latest/rules/operator-assignment, https://eslint.org/docs/latest/rules/prefer-object-has-own, https://eslint.org/docs/latest/rules/no-useless-return, https://eslint.style/rules/one-var-declaration-per-line, https://eslint.org/docs/latest/rules/one-var-declaration-per-line, https://eslint.style/rules/padded-blocks, https://eslint.org/docs/latest/rules/padded-blocks, https://eslint.style/rules/object-curly-spacing, https://eslint.org/docs/latest/rules/object-curly-spacing, https://eslint.org/docs/latest/rules/prefer-exponentiation-operator, https://eslint.org/docs/latest/rules/prefer-destructuring, https://eslint.org/docs/latest/rules/prefer-promise-reject-errors, https://eslint.org/docs/latest/rules/prefer-numeric-literals, https://eslint.style/rules/operator-linebreak, https://eslint.org/docs/latest/rules/operator-linebreak, https://eslint.org/docs/latest/rules/prefer-template, https://eslint.org/docs/latest/rules/block-scoped-var, https://eslint.org/docs/latest/rules/no-unsafe-finally, https://eslint.org/docs/latest/rules/prefer-reflect, Function.prototype.call, https://eslint.org/docs/latest/rules/require-await, https://eslint.style/rules/semi, https://eslint.org/docs/latest/rules/semi, https://eslint.org/docs/latest/rules/prefer-regex-literals, https://eslint.style/rules/semi-spacing, https://eslint.org/docs/latest/rules/semi-spacing, https://eslint.org/docs/latest/rules/one-var, https://eslint.org/docs/latest/rules/sort-imports, https://eslint.org/docs/latest/rules/sort-keys, https://eslint.org/docs/latest/rules/strict, https://eslint.style/rules/rest-spread-spacing, https://eslint.org/docs/latest/rules/rest-spread-spacing, https://jex.im/regulex/#, https://eslint.style/rules/spaced-comment, https://eslint.org/docs/latest/rules/spaced-comment, https://eslint.style/rules/quote-props, https://eslint.org/docs/latest/rules/quote-props, https://eslint.org/docs/latest/rules/require-atomic-updates, https://eslint.org/docs/latest/rules/sort-vars, https://eslint.org/docs/latest/rules/prefer-spread, https://eslint.org/docs/latest/rules/prefer-object-spread, https://eslint.style/rules/template-curly-spacing, https://eslint.org/docs/latest/rules/template-curly-spacing, https://eslint.org/docs/latest/rules/padding-line-between-statements, https://eslint.org/docs/latest/rules/use-isnan, https://eslint.org/docs/latest/rules/unicode-bom, http://www.ecma-international.org/ecma-262/6.0/#sec-directive-prologues-and-the-use-strict-directive, https://eslint.style/rules/space-before-blocks, https://eslint.org/docs/latest/rules/space-before-blocks, https://eslint.style/rules/switch-colon-spacing, https://eslint.org/docs/latest/rules/switch-colon-spacing, https://eslint.style/rules/semi-style, https://eslint.org/docs/latest/rules/semi-style, https://eslint.style/rules/space-in-parens, https://eslint.org/docs/latest/rules/space-in-parens, https://eslint.style/rules/space-before-function-paren, https://eslint.org/docs/latest/rules/space-before-function-paren, https://eslint.org/docs/latest/rules/symbol-description, https://eslint.style/rules/wrap-regex, https://eslint.org/docs/latest/rules/wrap-regex, https://eslint.org/docs/latest/rules/require-unicode-regexp, https://eslint.style/rules/space-infix-ops, https://eslint.org/docs/latest/rules/space-infix-ops, https://eslint.style/rules/space-unary-ops, https://eslint.org/docs/latest/rules/space-unary-ops, https://eslint.style/rules/template-tag-spacing, https://eslint.org/docs/latest/rules/template-tag-spacing, https://github.com/eslint-community/eslint-plugin-n/tree/master/docs/rules/global-require.md, https://eslint.org/docs/latest/rules/global-require, https://eslint.org/docs/latest/rules/no-loop-func, https://github.com/eslint-community/eslint-plugin-n/tree/master/docs/rules/no-path-concat.md, https://eslint.org/docs/latest/rules/no-path-concat, https://eslint.org/docs/latest/rules/no-dupe-args, https://eslint.org/docs/latest/rules/no-shadow, https://eslint.org/docs/latest/rules/vars-on-top, https://eslint.org/docs/latest/rules/no-magic-numbers, https://github.com/eslint-community/eslint-plugin-n/tree/master/docs/rules/no-deprecated-api.md, https://eslint.org/docs/latest/rules/no-buffer-constructor, https://eslint.org/docs/latest/rules/no-eval, https://eslint.org/docs/latest/rules/no-else-return, https://eslint.style/rules/wrap-iife, https://eslint.org/docs/latest/rules/wrap-iife, https://eslint.org/docs/latest/rules/yoda, https://eslint.org/docs/latest/rules/no-console, https://eslint.org/docs/latest/rules/prefer-const, https://eslint.org/docs/latest/rules/require-yield, https://eslint.org/docs/latest/rules/no-var, https://eslint.org/docs/latest/rules/no-undefined, https://eslint.org/docs/latest/rules/no-restricted-globals, https://eslint.org/docs/latest/rules/no-loss-of-precision, https://eslint.org/docs/latest/rules/no-unmodified-loop-condition, https://eslint.org/docs/latest/rules/no-unused-vars, https://github.com/eslint-community/eslint-plugin-n/tree/master/docs/rules/no-restricted-require.md, https://eslint.org/docs/latest/rules/no-restricted-modules, https://eslint.org/docs/latest/rules/no-use-before-define, https://eslint.org/docs/latest/rules/no-new-symbol, https://eslint.org/docs/latest/use/migrate-to-9.0.0#eslint-recommended, https://eslint.org/docs/latest/rules/func-names, https://eslint.org/docs/latest/use/configure/migration-guide#ignore-files, MetaProperty.property, https://eslint.org/docs/latest/rules/prefer-arrow-callback, https://eslint.org/docs/latest/rules/prefer-rest-params, https://eslint.org/docs/latest/rules/radix, https://eslint.org/docs/latest/rules/valid-typeof, https://eslint.org/docs/latest/use/configure/rules#rule-severities, https://eslint.org/docs/latest/use/configure/rules, https://eslint.org/docs/latest/use/configure/, https://github.com/eslint/eslint/blob/v8.57.0/conf/config-schema.js, https://eslint.org/docs/latest/use/configure/language-options#specifying-parser-options, https://eslint.style/rules/yield-star-spacing, https://eslint.org/docs/latest/rules/yield-star-spacing, https://github.com/eslint/eslint/issues/8020, https://github.com/estree/estree/blob/14df8a024956ea289bd55b9c2226a1d5b8a473ee/es5.md#regexpliteral, https://github.com/estree/estree/blob/14df8a024956ea289bd55b9c2226a1d5b8a473ee/es2020.md#bigintliteral, https://github.com/tc39/proposal-static-class-features, https://eslint.org/docs/latest/use/configure/migration-guide, https://eslint.org/chat/help, https://eslint.org/docs/latest/use/troubleshooting., https://eslint.org/docs/latest/use/configure/rules#use-configuration-files, https://eslint.org/docs/latest/extend/custom-parsers#meta-data-in-custom-parsers, https://eslint.org/chat, https://eslint.org/docs/latest/use/configure/migration-guide#configure-language-options, https://eslint.org/docs/latest/use/configure/migration-guide#use-eslintrc-configs-in-flat-config, https://eslint.org/docs/latest/use/configure/migration-guide#predefined-and-shareable-configs, https://eslint.org/docs/latest/use/configure/migration-guide#linter-options, https://eslint.org/docs/latest/use/configure/migration-guide#glob-based-configs, https://eslint.org/docs/latest/use/configure/migration-guide#custom-parsers, https://eslint.org/docs/latest/use/configure/migration-guide#import-plugins-and-custom-parsers, https://eslint.org/docs/latest/use/configure/ignore, https://eslint.org/docs/latest/use/configure/configuration-files#specify-files-with-arbitrary-extensions, https://eslint.style/rules/quotes, https://eslint.org/docs/latest/rules/quotes

Location: Package overview

From: package-lock.jsonnpm/eslint@10.0.2

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint@10.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm flat-cache is 100.0% likely to have a medium risk anomaly

Notes: The code implements a filesystem-backed cache with potential path traversal vulnerabilities due to unvalidated docId/cacheDir inputs that influence file paths. While not inherently malicious, the lack of input sanitization creates risk of reading/writing/deleting arbitrary files, especially in a public package context where inputs could be user-controlled. No evidence of deliberate malware or obfuscated logic is present, but the security risk due to path handling is non-trivial and should be mitigated by validating and constraining input paths, using safe defaults, and isolating cache storage.

Confidence: 1.00

Severity: 0.60

From: package-lock.jsonnpm/eslint@10.0.2npm/flat-cache@4.0.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/flat-cache@4.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 4 more rows in the dashboard

View full report