[Snyk] Security upgrade eslint-config-next from 14.2.6 to 15.0.0 #56
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230 - https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
This PR proposes a security upgrade of eslint-config-next from version 14.2.6 to 15.0.0 to address two ReDoS (Regular Expression Denial of Service) vulnerabilities in transitive dependencies: cross-spawn (high severity, score 756) and brace-expansion (low severity, score 436).
Changes:
- Upgrades eslint-config-next from 14.2.6 to 15.0.0
- Updates numerous transitive dependencies including eslint plugins, TypeScript ESLint packages, and various utility libraries
- Adds new dependencies (e.g., @rtsao/scc, async-function, generator-function) and removes others (e.g., deep-equal, es-get-iterator)
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates eslint-config-next to version 15.0.0 |
| package-lock.json | Comprehensive dependency tree updates including major version bumps for eslint-plugin-react-hooks (4.6.2 → 5.2.0), eslint-plugin-jsx-a11y (6.9.0 → 6.10.2), eslint-plugin-import (2.29.1 → 2.32.0), and hundreds of other transitive dependency updates |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "autoprefixer": "10.4.20", | ||
| "eslint": "^8.0.1", | ||
| "eslint-config-next": "14.2.6", | ||
| "eslint-config-next": "15.0.0", |
There was a problem hiding this comment.
Version mismatch detected: The project is upgrading to eslint-config-next 15.0.0 while still using Next.js 14.2.6. This is a major version mismatch that could lead to compatibility issues. The eslint-config-next package version should typically match the major version of Next.js being used. Consider either:
- Upgrading Next.js to version 15.x to match eslint-config-next 15.0.0, or
- Keeping eslint-config-next at version 14.x and finding an alternative way to address the security vulnerabilities
| "eslint-config-next": "15.0.0", | |
| "eslint-config-next": "^14.2.6", |
2 participants
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.jsonpackage-lock.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-CROSSSPAWN-8303230
SNYK-JS-BRACEEXPANSION-9789073
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)