Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BREAKING: Bump all ESLint dependencies #351

Merged
merged 8 commits into from
Jun 4, 2024
Merged

BREAKING: Bump all ESLint dependencies #351

merged 8 commits into from
Jun 4, 2024

Conversation

Mrtenz
Copy link
Member

@Mrtenz Mrtenz commented Mar 27, 2024
edited

This bumps all ESLint and related dependencies to the latest version which has support for Node 16. When we drop support for Node 16, some dependencies can be bumped again.

The exceptions are:

  • eslint-plugin-import, which has a regression since >=27.0.0. I'm planning to swap it out with eslint-plugin-import-x (a fork of eslint-plugin-import) since it has significantly better performance regardless.
  • Prettier and related dependencies, which has breaking changes which are incompatible with @metamask/auto-changelog.

Closes #349.
Closes #338.

Breaking changes

  • @typescript-eslint/eslint-plugin now requires a boolean for parserOptions.project, instead of a path to tsconfig.json.
  • @typescript-eslint/eslint-plugin now requires strictNullChecks to be enabled.

@socket-security Socket Security
Copy link

socket-security bot commented Mar 27, 2024
edited

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@es-joy/jsdoccomment@0.41.0 None 0 113 kB brettz9
npm/@eslint/eslintrc@3.1.0 filesystem, unsafe +1 785 kB eslintbot
npm/@isaacs/cliui@8.0.2 None 0 27.8 kB isaacs
npm/@lavamoat/aa@4.2.0 None 0 19.8 kB boneskull
npm/@lavamoat/allow-scripts@3.0.4 environment 0 45.8 kB boneskull
npm/@npmcli/agent@2.2.1 environment, network 0 17.7 kB npm-cli-ops
npm/@npmcli/fs@3.1.1 filesystem 0 26.5 kB lukekarrys
npm/@npmcli/git@5.0.4 filesystem 0 21.8 kB npm-cli-ops
npm/@npmcli/package-json@5.0.0 filesystem 0 37 kB npm-cli-ops
npm/@npmcli/promise-spawn@7.0.2 environment, shell 0 12.2 kB npm-cli-ops
npm/@npmcli/run-script@7.0.4 environment 0 18.4 kB npm-cli-ops
npm/@pkgjs/parseargs@0.11.0 None 0 74.2 kB oss-bot
npm/@pkgr/core@0.1.1 None 0 8.54 kB jounqin
npm/@typescript-eslint/eslint-plugin@6.21.0 Transitive: environment +5 4.54 MB jameshenry
npm/@typescript-eslint/parser@6.21.0 None +1 173 kB jameshenry
npm/@typescript-eslint/type-utils@6.21.0 None 0 109 kB jameshenry
npm/@ungap/structured-clone@1.2.0 None 0 26.2 kB webreflection
npm/abbrev@2.0.0 None 0 4.83 kB lukekarrys
npm/agentkeepalive@4.2.1 network 0 38.8 kB fengmk2
npm/bin-links@4.0.3 filesystem 0 20.6 kB npm-cli-ops
npm/builtin-modules@3.3.0 unsafe 0 4.51 kB sindresorhus
npm/cacache@18.0.3 filesystem +2 756 kB npm-cli-ops
npm/comment-parser@1.4.1 None 0 366 kB yavorskiys
npm/create-jest@29.7.0 None 0 15.9 kB simenb
npm/eastasianwidth@0.2.0 None 0 13.6 kB komagata
npm/eslint-compat-utils@0.5.0 filesystem 0 48.6 kB ota-meshi
npm/eslint-plugin-es-x@7.6.0 None 0 396 kB eslint-community-bot
npm/eslint-plugin-jsdoc@43.2.0 None +3 2.26 MB gajus
npm/eslint-plugin-jsdoc@47.0.2 filesystem 0 1.38 MB gajus
npm/eslint-plugin-mocha@10.4.1 None 0 94 kB lo1tuma
npm/eslint-plugin-n@16.6.2 filesystem +1 400 kB weiran.zsd
npm/espree@10.0.1 None +1 106 kB eslintbot
npm/exponential-backoff@3.1.1 None 0 37.3 kB sssayegh
npm/foreground-child@3.1.1 shell 0 60.4 kB isaacs
npm/fs-minipass@3.0.3 filesystem 0 14.4 kB npm-cli-ops
npm/get-stdin@9.0.0 None 0 4.54 kB sindresorhus
npm/get-tsconfig@4.7.3 filesystem, unsafe 0 101 kB hirokiosame
npm/globals@15.3.0 None 0 152 kB sindresorhus
npm/hasown@2.0.2 None 0 8.77 kB ljharb
npm/hosted-git-info@7.0.1 None 0 26.7 kB npm-cli-ops
npm/ip-address@9.0.5 None 0 177 kB beaugunderson
npm/is-builtin-module@3.2.1 None 0 3.88 kB sindresorhus
npm/jackspeak@2.3.6 environment 0 253 kB isaacs
npm/jsbn@1.1.0 None 0 46.9 kB andyperlitch
npm/make-fetch-happen@13.0.1 network 0 52.8 kB npm-cli-ops
npm/minipass-collect@2.0.1 None 0 4.96 kB isaacs
npm/minipass-fetch@3.0.5 environment, network 0 46.8 kB npm-cli-ops
npm/minipass@7.1.2 None 0 286 kB isaacs
npm/node-gyp@10.1.0 environment, shell +2 2.64 MB lukekarrys
npm/nopt@7.2.1 None 0 26.2 kB npm-cli-ops
npm/normalize-package-data@6.0.0 None 0 28.3 kB npm-cli-ops
npm/npm-install-checks@6.3.0 None 0 6.21 kB npm-cli-ops
npm/npm-package-arg@11.0.1 None 0 19.1 kB npm-cli-ops
npm/npm-pick-manifest@9.0.0 None 0 16.4 kB npm-cli-ops
npm/path-scurry@1.10.1 filesystem 0 529 kB isaacs
npm/proc-log@3.0.0 None 0 5.21 kB lukekarrys
npm/resolve-pkg-maps@1.0.0 None 0 15 kB hirokiosame
npm/spdx-correct@3.2.0 None 0 23.4 kB kemitchell
npm/spdx-expression-parse@4.0.0 None 0 12.3 kB kemitchell
npm/ssri@10.0.6 None 0 38.7 kB npm-cli-ops
npm/string-width-cjs@4.2.3 None 0 0 B
npm/strip-ansi-cjs@6.0.1 None 0 0 B
npm/ts-api-utils@1.3.0 None 0 828 kB joshuakgoldberg
npm/unique-filename@3.0.0 None 0 3.41 kB lukekarrys
npm/unique-slug@4.0.0 None 0 2.58 kB lukekarrys
npm/uuid@9.0.1 None 0 123 kB ctavan
npm/validate-npm-package-license@3.0.4 None 0 16.6 kB kemitchell
npm/validate-npm-package-name@5.0.0 None 0 7.88 kB lukekarrys
npm/which@4.0.0 environment Transitive: filesystem +1 50.5 kB npm-cli-ops
npm/wrap-ansi-cjs@7.0.0 None 0 0 B

🚮 Removed packages: npm/@es-joy/jsdoccomment@0.37.1, npm/@eslint/eslintrc@1.4.1, npm/@lavamoat/aa@3.1.5, npm/@lavamoat/allow-scripts@2.5.1, npm/@nicolo-ribaudo/semver-v6@6.3.3, npm/@npmcli/fs@2.1.2, npm/@npmcli/promise-spawn@6.0.2, npm/@npmcli/run-script@6.0.2, npm/@types/glob@7.2.0, npm/@types/minimatch@5.1.2, npm/@types/prettier@2.7.1, npm/@typescript-eslint/eslint-plugin@5.42.1, npm/@typescript-eslint/parser@5.62.0, npm/@typescript-eslint/type-utils@5.42.1, npm/abbrev@1.1.1, npm/agentkeepalive@4.5.0, npm/bin-links@4.0.1, npm/cacache@16.1.3, npm/eslint-plugin-es@4.1.0, npm/eslint-plugin-jsdoc@41.1.2, npm/eslint-plugin-mocha@10.1.0, npm/eslint-plugin-n@15.7.0, npm/ip@2.0.1, npm/make-fetch-happen@10.2.1, npm/minipass-collect@1.0.2, npm/minipass-fetch@2.1.2, npm/natural-compare-lite@1.4.0, npm/node-gyp@9.4.1, npm/nopt@6.0.0, npm/read-package-json-fast@3.0.2, npm/regexpp@3.2.0, npm/ssri@9.0.1, npm/typescript@5.1.6, npm/unique-filename@2.0.1, npm/unique-slug@3.0.0, npm/which@3.0.1, npm/yargs@16.2.0

View full report↗︎

@socket-security Socket Security
Copy link

socket-security bot commented Mar 27, 2024
edited

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package Note
New author npm/validate-npm-package-name@5.0.0
Shell access npm/foreground-child@3.1.1
Shell access npm/foreground-child@3.1.1
New author npm/abbrev@2.0.0
New author npm/exponential-backoff@3.1.1
New author npm/normalize-package-data@6.0.0
New author npm/create-jest@29.7.0
Network access npm/@npmcli/agent@2.2.1
Network access npm/@npmcli/agent@2.2.1
Network access npm/@npmcli/agent@2.2.1
Network access npm/@npmcli/agent@2.2.1
Network access npm/@npmcli/agent@2.2.1

View full report↗︎

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/validate-npm-package-name@5.0.0
  • @SocketSecurity ignore npm/foreground-child@3.1.1
  • @SocketSecurity ignore npm/abbrev@2.0.0
  • @SocketSecurity ignore npm/exponential-backoff@3.1.1
  • @SocketSecurity ignore npm/normalize-package-data@6.0.0
  • @SocketSecurity ignore npm/create-jest@29.7.0
  • @SocketSecurity ignore npm/@npmcli/agent@2.2.1

Mrtenz
Mrtenz commented Mar 27, 2024
View reviewed changes
packages/base/package.json
"eslint-plugin-import": "~2.26.0",
"eslint-plugin-jsdoc": "^39.6.2 || ^41 || ^43.0.7",
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure why we used this range before, but I replaced it with the latest (Node.js 16-compatible) version. I can revert if there's a good reason to have this range.

cc @legobeat

Copy link
Contributor

@legobeat legobeat Apr 15, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Context and previous discussion:

Mrtenz
Mrtenz commented Mar 27, 2024
View reviewed changes
packages/base/src/index.js
Comment on lines -101 to -106
'max-statements-per-line': [
'error',
{
max: 1,
},
],
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our validation script was complaining about this being handled by Prettier.

Mrtenz
Mrtenz commented Mar 27, 2024
View reviewed changes
packages/base/src/index.js
Comment on lines +389 to +395
'jsdoc/tag-lines': [
'error',
'any',
{
startLines: 1,
},
],
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIK this matches the previous behaviour, where one line between the description and the first tag is required.

Mrtenz
Mrtenz commented Mar 27, 2024
View reviewed changes
packages/typescript/src/index.js
Comment on lines -35 to -36
// Should be disabled per Prettier
'@typescript-eslint/no-extra-semi': 'off',
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our validation script was complaining about this being handled by Prettier.

Mrtenz
Mrtenz commented Mar 27, 2024
View reviewed changes
packages/typescript/tsconfig.json
@@ -1,3 +1,6 @@
{
"compilerOptions": {
"strictNullChecks": true
Copy link
Member Author

@Mrtenz Mrtenz Mar 27, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now required by @typescript-eslint/eslint-plugin when type checking is enabled. I think most of our repos use strict which also enables this anyway.

@Mrtenz Mrtenz changed the title Bump all ESLint dependencies BREAKING: Bump all ESLint dependencies Mar 27, 2024
@Mrtenz Mrtenz marked this pull request as ready for review March 27, 2024 13:03
@Mrtenz Mrtenz requested a review from a team as a code owner March 27, 2024 13:03
@Mrtenz Mrtenz requested review from mcmire and legobeat March 27, 2024 13:03
@mcmire
Copy link
Contributor

mcmire commented Mar 27, 2024

Thanks so much for doing this work, this is super helpful. I'll try to take a look soon.

@Mrtenz Mrtenz requested review from a team as code owners March 28, 2024 11:35
@Mrtenz Mrtenz removed the request for review from a team March 28, 2024 11:36
@Mrtenz
Copy link
Member Author

Mrtenz commented Apr 13, 2024

Bumping to Prettier v3 will require some more changes, so we may want to do that separately.

  • Jest currently does not support Prettier v3 for snapshots.
  • auto-changelog and create-release-branch break because the API is now async.
  • Potentially more issues that I haven't found yet.

kanthesha
kanthesha reviewed Apr 15, 2024
View reviewed changes
Copy link

@kanthesha kanthesha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

mcmire
mcmire reviewed Apr 18, 2024
View reviewed changes
Copy link
Contributor

@mcmire mcmire left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question about upgrading Prettier, but everything else looks pretty good to me.

packages/base/package.json Outdated Show resolved Hide resolved
packages/base/package.json Outdated Show resolved Hide resolved
packages/base/package.json Outdated Show resolved Hide resolved
@desi desi requested a review from a team May 23, 2024 19:18
@mcmire
Copy link
Contributor

mcmire commented May 28, 2024

@Mrtenz Ping on this PR when you get a chance.

@Mrtenz
Copy link
Member Author

Mrtenz commented May 29, 2024

@mcmire @legobeat I reverted the Prettier changes. Unsure what the other decisions are regarding the changes, though.

legobeat
legobeat approved these changes May 29, 2024
View reviewed changes
Copy link
Contributor

@legobeat legobeat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

mcmire
mcmire approved these changes May 30, 2024
View reviewed changes
Copy link
Contributor

@mcmire mcmire left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great!

@mcmire mcmire merged commit 7fe37fe into main Jun 4, 2024
15 checks passed
@mcmire mcmire deleted the mrtenz/bump-dependencies branch June 4, 2024 16:59
@legobeat legobeat mentioned this pull request Jun 4, 2024
Draft
@Mrtenz Mrtenz mentioned this pull request Jun 6, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kanthesha kanthesha kanthesha left review comments

@mcmire mcmire mcmire approved these changes

@legobeat legobeat legobeat approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Bump to eslint-plugin-jsdoc >= 44.0.0 Bump typescript-eslint to v6
4 participants
@Mrtenz @mcmire @kanthesha @legobeat