chore(deps): update typescript-eslint monorepo to v8 (major) #298

Open
renovate[bot] wants to merge 1 commit into main from renovate/major-typescript-eslint-monorepo

renovate bot commented Dec 4, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change | Age | Confidence |
| --- | --- | --- | --- |
| @typescript-eslint/eslint-plugin (source) | ^7.0.0 → ^8.0.0 | age | confidence |
| @typescript-eslint/parser (source) | ^7.0.0 → ^8.0.0 | age | confidence |

Release Notes

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.55.0

🚀 Features
  • utils: deprecate defaultOptions in favor of meta.defaultOptions (#​11992)
🩹 Fixes
  • eslint-plugin: [no-useless-default-assignment] reduce param index to ts this handling (#​11949)
  • eslint-plugin: [no-useless-default-assignment] report unnecessary defaults in ternary expressions (#​11984)
  • eslint-plugin: [no-useless-default-assignment] require strictNullChecks (#​11966, #​12000)
  • eslint-plugin: [no-unused-vars] remove trailing newline when removing entire import (#​11990)
❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.54.0

🚀 Features
  • eslint-plugin-internal: add prefer-tsutils-methods rule (#​11974, #​11625)
  • typescript-estree: add shortcut methods to ParserServicesWithTypeInformation (#​11965, #​11955)
🩹 Fixes
  • eslint-plugin: [no-unnecessary-type-assertion] check both base constraint and actual type for non-null assertions (#​11967, #​11559)
  • deps: update dependency prettier to v3.8.0 (#​11991)
  • scope-manager: fix catch clause scopes def.name (#​11982)
  • eslint-plugin: [no-unused-private-class-members] private destructured class member is defined but used (#​11785)
❤️ Thank You

v8.53.1

🩹 Fixes
  • utils: make RuleCreator root defaultOptions optional (#​11956)
  • eslint-plugin: [consistent-indexed-object-style] skip fixer if interface is a default export (#​11951)
❤️ Thank You

v8.53.0

🚀 Features
  • eslint-plugin: add rule [strict-void-return] (#​9707)
  • eslint-plugin: [no-unused-vars] add a fixer to remove unused imports (#​11922)
🩹 Fixes
  • eslint-plugin: [no-useless-default-assignment] fix false positive for parameters corresponding to a rest parameter (#​11916)
  • eslint-plugin: replace unclear "error typed" with more helpful description (#​11704)
  • typescript-estree: forbid invalid extends and implements in interface declaration (#​11935)
  • typescript-estree: forbid invalid class implements (#​11934)
  • typescript-estree: forbid type-only import with both default and named specifiers (#​11930)
❤️ Thank You

v8.52.0

🚀 Features
  • eslint-plugin-internal: [no-multiple-lines-of-errors] add rule (#​11899)
🩹 Fixes
  • eslint-plugin: [no-base-to-string] detect @​@​toPrimitive and valueOf (#​11901)
  • eslint-plugin: [no-useless-default-assignment] handle conditional initializer (#​11908)
❤️ Thank You
  • Josh Goldberg ✨
  • Ulrich Stark

v8.51.0

🚀 Features
  • eslint-plugin: add namespace to plugin meta (#​11885)
  • eslint-plugin: [no-useless-default-assignment] fix some cases to optional syntax (#​11871)
🩹 Fixes
  • eslint-plugin: [prefer-optional-chain] handle MemberExpression in final chain position (#​11835)
  • eslint-plugin: bump ts-api-utils to 2.2.0 (#​11881)
  • eslint-plugin: remove fixable from no-dynamic-delete rule (#​11876)
  • eslint-plugin: fix crash and false positives in no-useless-default-assignment (#​11845)
❤️ Thank You

v8.50.1

🩹 Fixes
  • eslint-plugin: [no-unnecessary-type-assertion] correct handling of undefined vs. void (#​11826)
  • eslint-plugin: [method-signature-style] ignore methods that return this (#​11813)
❤️ Thank You

v8.50.0

🚀 Features
  • eslint-plugin: [no-useless-default-assignment] add rule (#​11720)
❤️ Thank You
  • Josh Goldberg ✨
  • Ulrich Stark

v8.49.0

🚀 Features
  • eslint-plugin: use Intl.Segmenter instead of graphemer (#​11804)
🩹 Fixes
  • deps: update dependency prettier to v3.7.2 (#​11820)
❤️ Thank You

v8.48.1

🩹 Fixes
  • eslint-plugin: [restrict-template-expressions] check base types in allow list (#​11764, #​11759)
  • eslint-plugin: honor ignored base types on generic classes (#​11767)
  • eslint-plugin: [consistent-type-exports] check value flag before resolving alias (#​11769)
❤️ Thank You

v8.48.0

🚀 Features
  • eslint-plugin: [no-redundant-type-constituents] use assignability checking for redundancy checks (#​10744)
🩹 Fixes
  • typescript-estree: disallow binding patterns in parameter properties (#​11760)
  • eslint-plugin: [consistent-generic-constructors] ignore when constructor is typed array (#​10477)
❤️ Thank You

v8.47.0

🚀 Features
  • eslint-plugin: [no-unused-private-class-members] new extension rule (#​10913)
❤️ Thank You

v8.46.4

🩹 Fixes
  • parser: error when both projectService and project are set (#​11333)
  • eslint-plugin: handle override modifier in promise-function-async fixer (#​11730)
  • eslint-plugin: [no-deprecated] fix double-report on computed literal identifiers (#​11006, #​10958)
❤️ Thank You

v8.46.3

🩹 Fixes
  • eslint-plugin: [no-duplicate-enum-values] support signed numbers (#​11722, #​11723)
  • eslint-plugin: [no-misused-promises] expand union type to retrieve target property (#​11706)
❤️ Thank You

v8.46.2

🩹 Fixes
  • eslint-plugin: [prefer-optional-chain] skip optional chaining when it could change the result (#​11702)
❤️ Thank You
  • mdm317

v8.46.1

🩹 Fixes
  • eslint-plugin: [no-misused-promises] special-case .finally not to report when a promise returning function is provided as an argument (#​11667)
  • eslint-plugin: [prefer-optional-chain] include mixed "nullish comparison style" chains in checks (#​11533)
❤️ Thank You
  • mdm317
  • Ronen Amiel

v8.46.0

🚀 Features
  • eslint-plugin: [no-unsafe-member-access] add allowOptionalChaining option (#​11659)
  • rule-schema-to-typescript-types: clean up and make public (#​11633)
🩹 Fixes
  • eslint-plugin: [prefer-readonly-parameter-types] ignore tagged primitives (#​11660)
  • typescript-estree: forbid abstract method and accessor to have implementation (#​11657)
  • eslint-plugin: removed error type previously deprecated (#​11674)
  • eslint-plugin: [no-deprecated] ignore deprecated export imports (#​11603)
  • eslint-plugin: [unbound-method] improve wording around this: void and binding (#​11634)
  • rule-tester: deprecate TestCaseError#type and LintMessage#nodeType (#​11628)
  • eslint-plugin: [no-floating-promises] remove excess parentheses in suggestions (#​11487)
❤️ Thank You

v8.45.0

🚀 Features
  • eslint-plugin: expose rule name via RuleModule interface (#​11616)
🩹 Fixes
  • eslint-plugin: [prefer-nullish-coalescing] ignoreBooleanCoercion should not apply to top-level ternary expressions (#​11614)
  • eslint-plugin: [no-base-to-string] check if superclass is ignored (#​11617)
❤️ Thank You

v8.44.1

🩹 Fixes
  • eslint-plugin: [await-thenable] should not report passing values to promise aggregators which may be a promise in an array literal (#​11611)
  • eslint-plugin: [no-unsafe-enum-comparison] support unions of literals (#​11599)
  • eslint-plugin: [no-base-to-string] make ignoredTypeNames match type names without generics (#​11597)
❤️ Thank You

v8.44.0

🚀 Features
  • eslint-plugin: [await-thenable] report invalid (non-promise) values passed to promise aggregator methods (#​11267)
🩹 Fixes
  • eslint-plugin: [no-unnecessary-type-conversion] ignore enum members (#​11490)
❤️ Thank You

v8.43.0

🚀 Features
  • typescript-estree: disallow empty type parameter/argument lists (#​11563)
🩹 Fixes
  • eslint-plugin: [prefer-return-this-type] don't report an error when returning a union type that includes a classType (#​11432)
  • eslint-plugin: [no-deprecated] should report deprecated exports and reexports (#​11359)
  • eslint-plugin: [no-floating-promises] allowForKnownSafeCalls now supports function names (#​11423, #​11430)
  • eslint-plugin: [consistent-type-exports] fix declaration shadowing (#​11457)
  • eslint-plugin: [no-unnecessary-type-conversion] only report ~~ on integer literal types (#​11517)
  • scope-manager: exclude Program from DefinitionBase node types (#​11469)
  • eslint-plugin: [no-non-null-assertion] do not suggest optional chain on LHS of assignment (#​11489)
  • type-utils: add union type support to TypeOrValueSpecifier (#​11526)
❤️ Thank You

v8.42.0

🩹 Fixes
  • deps: update eslint monorepo to v9.33.0 (#​11482)

v8.41.0

🩹 Fixes
  • deps: update dependency prettier to v3.6.2 (#​11496)

v8.40.0

🚀 Features
  • typescript-estree: forbid invalid keys in EnumMember (#​11232)
❤️ Thank You

v8.39.1

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

v8.39.0

🚀 Features
  • eslint-plugin: [only-throw-error] support yield/await expressions (#​11417)
  • eslint-plugin: add no-unnecessary-type-conversion to strict-type-checked ruleset (#​11427)
  • update to TypeScript 5.9.2 (#​11445)
  • eslint-plugin: [naming-convention] add enumMember PascalCase default option (#​11127)
🩹 Fixes
  • eslint-plugin: [no-unsafe-assignment] add an unsafeObjectPattern message (#​11403)
  • eslint-plugin: [prefer-optional-chain] ignore check option for most RHS of a chain (#​11272)
❤️ Thank You

v8.38.0

🩹 Fixes
  • disallow extra properties in rule options (#​11397)
  • eslint-plugin: [consistent-generic-constructors] resolve conflict with isolatedDeclarations if enabled in constructor option (#​11351)
❤️ Thank You

v8.37.0

🩹 Fixes
  • eslint-plugin: [unified-signatures] fix false positives for ignoreOverloadsWithDifferentJSDoc option (#​11381)
❤️ Thank You

v8.36.0

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

v8.35.1

🩹 Fixes
  • remove prettier from eslint-plugin (#​11339)
❤️ Thank You

v8.35.0

🚀 Features
  • eslint-plugin: [no-base-to-string] add checkUnknown Option (#​11128)
❤️ Thank You

v8.34.1

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

v8.34.0

🩹 Fixes
  • typescript-estree: add validation to interface extends (#​11271)
❤️ Thank You
  • Tao

v8.33.1

🩹 Fixes
  • exclude docs/ directory from eslint-plugin package (#​11251)
❤️ Thank You
  • roottool

v8.33.0

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

v8.32.1

🩹 Fixes
  • eslint-plugin: [consistent-indexed-object-style] check for indirect circular types in aliased mapped types (#​11177)
  • eslint-plugin: [consistent-indexed-object-style] adjust auto-fixer to generate valid syntax for TSMappedType with no type annotation (#​11180)
  • eslint-plugin: [no-deprecated] support computed member access (#​10867)
  • eslint-plugin: [no-unnecessary-type-conversion] shouldn't have fixable property (#​11194)
❤️ Thank You

v8.32.0

🚀 Features
  • eslint-plugin: [only-throw-error] add option allowRethrowing (#​11075)
  • eslint-plugin: [no-unnecessary-type-conversion] add rule (#​10182)
🩹 Fixes
  • eslint-plugin: [prefer-nullish-coalescing] fix parenthesization bug in suggestion (#​11098)
  • eslint-plugin: [unified-signatures] exempt this from optional parameter overload check (#​11005)
  • eslint-plugin: [no-unnecessary-type-parameters] should parenthesize type in suggestion fixer if necessary (#​10907)
❤️ Thank You

v8.31.1

🩹 Fixes
  • eslint-plugin: [no-unnecessary-condition] downgrade fix to suggestion (#​11081)
❤️ Thank You

v8.31.0

🚀 Features
  • eslint-plugin: [no-unnecessary-type-assertion] add option to ignore string const assertions (#​10979)
❤️ Thank You
  • Nicolas Le Cam

v8.30.1

🩹 Fixes
  • eslint-plugin: fix mistake with eslintrc config generation (#​11072)
❤️ Thank You

v8.30.0

🚀 Features
  • eslint-plugin: [no-explicit-any] suggest to replace keyof any with PropertyKey (#​11032)
🩹 Fixes
  • eslint-plugin: [promise-function-async] use a different error message for functions with promise and non-promise types (#​10950)
❤️ Thank You

v8.29.1

🩹 Fixes
  • eslint-plugin: [no-deprecated] report on deprecated imported variable used as property (#​10998)
❤️ Thank You
  • Ronen Amiel

v8.29.0

🚀 Features
  • eslint-plugin: [prefer-nullish-coalescing] create ignoreIfStatements option (#​11000)
🩹 Fixes
  • eslint-plugin: [no-array-constructor] remove optional chaining exemption (#​10963)
  • eslint-plugin: support arbitrary extensions in definition files (#​10957)
  • eslint-plugin: [prefer-for-of] fix false positive when using erasable type syntax within update expressions (#​10981)
  • eslint-plugin: [use-unknown-in-catch-callback-variable] remove fixable property (#​10993)
  • eslint-plugin: [no-unnecessary-condition] don't report on unnecessary optional array index access when noUncheckedIndexedAccess is enabled (#​10961)
❤️ Thank You

v8.28.0

🚀 Features
  • eslint-plugin: [prefer-nullish-coalescing] support if statement assignment (??=) and fix several minor bugs (#​10861)
🩹 Fixes
  • eslint-plugin: [no-unsafe-function-type] remove fixable property (#​10986)
❤️ Thank You

v8.27.0

🚀 Features
  • utils: support DeprecatedInfo for rule.meta.deprecated (#​10932)
❤️ Thank You

v8.26.1

🩹 Fixes
  • eslint-plugin: [no-unsafe-return] handle recursive type (#​10883)
  • eslint-plugin: [prefer-nullish-coalescing] treat any/unknown as eligible for nullish coalescing (#​10865)
❤️ Thank You

v8.26.0

🚀 Features
  • eslint-plugin: [unified-signatures] support ignoring overload signatures with different JSDoc comments (#​10781)
  • eslint-plugin: [explicit-module-boundary-types] add an option to ignore overload implementations (#​10889)
  • eslint-plugin: [no-unused-var] handle implicit exports in declaration files (#​10714)
  • support TypeScript 5.8 (#​10903)
  • eslint-plugin: [no-unnecessary-type-parameters] special case tuples and parameter location arrays as single-use (#​9536)
🩹 Fixes
  • eslint-plugin: [no-unnecessary-type-assertion] handle unknown (#​10875)
  • eslint-plugin: [no-invalid-void-type] report accessor properties with an invalid void type (#​10864)
  • eslint-plugin: [unified-signatures] does not differentiate truly private methods (#​10806)
❤️ Thank You

v8.25.0

🚀 Features
  • eslint-plugin: [no-misused-spread] add suggestions (#​10719)
🩹 Fixes
  • eslint-plugin: [prefer-nullish-coalescing] report on chain expressions in a ternary (#​10708)
  • eslint-plugin: [no-deprecated] report usage of deprecated private identifiers (#​10844)
  • eslint-plugin: [unified-signatures] handle getter-setter (#​10818)
❤️ Thank You

v8.24.1

🩹 Fixes
  • eslint-plugin: [class-methods-use-this] check accessor methods with a function initializer (#​10796)
  • eslint-plugin: [no-misused-promises] don't report on static accessor properties (#​10814)
  • eslint-plugin: [no-deprecated] don't report on deprecated accessor property declaration (#​10813)
  • eslint-plugin: [explicit-member-accessibility] check accessor class properties for missing accessibility modifier (#​10805)
  • eslint-plugin: [explicit-module-boundary-types] check accessor class properties with a function initializer (#​10804)
  • eslint-plugin: [prefer-return-this-type] check accessor properties with a function initializer (#​10794)
  • eslint-plugin: [consistent-generic-constructors] check accessor class properties (#​10789)
  • eslint-plugin: [no-unsafe-assignment] report on an any value assigned as an initializer of an accessor property (#​10785)
  • eslint-plugin: [no-unnecessary-template-expression] ignore enum and enum members (#​10782)
  • eslint-plugin: [no-inferrable-types] hand

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions bot commented Dec 4, 2025

MegaLinter analysis: Error

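| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
| --- | --- | --- | --- | --- | --- | --- |
| ✅ ACTION | actionlint | 6 | | 0 | 0 | 0.09s |
| ✅ JSON | jsonlint | 18 | | 0 | 0 | 0.38s |
| ✅ JSON | npm-package-json-lint | yes | | no | no | 0.51s |
| ✅ JSON | prettier | 18 | 0 | 0 | 0 | 0.97s |
| ✅ JSON | v8r | 18 | | 0 | 0 | 15.21s |
| ⚠️ MARKDOWN | markdownlint | 4 | 0 | 1 | 0 | 1.36s |
| ✅ MARKDOWN | markdown-table-formatter | 4 | 0 | 0 | 0 | 0.25s |
| ✅ REPOSITORY | checkov | yes | | no | no | 20.4s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 6.9s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.02s |
| ❌ REPOSITORY | grype | yes | | 5 | no | 40.04s |
| ⚠️ REPOSITORY | kics | yes | | 9 | no | 1.71s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 1.06s |
| ✅ REPOSITORY | syft | yes | | no | no | 3.73s |
| ❌ REPOSITORY | trivy | yes | | 1 | no | 11.66s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 4.56s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 5.33s |
| ✅ SPELL | cspell | 37 | | 0 | 0 | 3.54s |
| ⚠️ SPELL | lychee | 31 | | 9 | 0 | 3.51s |
| ✅ YAML | prettier | 9 | 0 | 0 | 0 | 0.72s |
| ✅ YAML | v8r | 9 | | 0 | 0 | 6.82s |
| ✅ YAML | yamllint | 9 | | 0 | 0 | 0.58s |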

Detailed Issues

❌ REPOSITORY / grype - 5 errors
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME                     INSTALLED  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS           RISK   
@isaacs/brace-expansion  5.0.0      5.0.1     npm   GHSA-7h2j-956f-4vf2  High      < 0.1% (17th)  < 0.1  
tar                      7.5.2      7.5.7     npm   GHSA-34x7-hfp2-rc4v  High      < 0.1% (6th)   < 0.1  
tar                      7.5.2      7.5.4     npm   GHSA-r6q2-hw4h-h46w  High      < 0.1% (2nd)   < 0.1  
axios                    1.13.2     1.13.5    npm   GHSA-43fc-jf86-j433  High      < 0.1% (1st)   < 0.1  
tar                      7.5.2      7.5.3     npm   GHSA-8qq5-rm4j-mr97  High      < 0.1% (0th)   < 0.1
[0040] ERROR discovered vulnerabilities at or above the severity threshold
❌ REPOSITORY / trivy - 1 error
2026-02-12T16:06:27Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-02-12T16:06:27Z	INFO	[vuln] Vulnerability scanning is enabled
2026-02-12T16:06:27Z	INFO	[misconfig] Misconfiguration scanning is enabled
2026-02-12T16:06:27Z	INFO	[checks-client] Need to update the checks bundle
2026-02-12T16:06:27Z	INFO	[checks-client] Downloading the checks bundle...
2026-02-12T16:06:32Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="client/node_modules"
2026-02-12T16:06:32Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="node_modules"
2026-02-12T16:06:32Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="server/node_modules"
2026-02-12T16:06:32Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2026-02-12T16:06:32Z	INFO	Number of language-specific files	num=3
2026-02-12T16:06:32Z	INFO	[npm] Detecting vulnerabilities...
2026-02-12T16:06:32Z	INFO	Detected config files	num=0

Report Summary

┌──────────────────────────┬──────┬─────────────────┬───────────────────┐
│          Target          │ Type │ Vulnerabilities │ Misconfigurations │
├──────────────────────────┼──────┼─────────────────┼───────────────────┤
│ client/package-lock.json │ npm  │        1        │         -         │
├──────────────────────────┼──────┼─────────────────┼───────────────────┤
│ server/package-lock.json │ npm  │        5        │         -         │
└──────────────────────────┴──────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


client/package-lock.json (npm)
==============================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│         Library         │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
├─────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ @isaacs/brace-expansion │ CVE-2026-25547 │ HIGH     │ fixed  │ 5.0.0             │ 5.0.1         │ brace-expansion: brace-expansion: Denial of Service via │
│                         │                │          │        │                   │               │ unbounded brace range expansion                         │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-25547              │
└─────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

server/package-lock.json (npm)
==============================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 5, CRITICAL: 0)

┌─────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│         Library         │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ @isaacs/brace-expansion │ CVE-2026-25547 │ HIGH     │ fixed  │ 5.0.0             │ 5.0.1         │ brace-expansion: brace-expansion: Denial of Service via      │
│                         │                │          │        │                   │               │ unbounded brace range expansion                              │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-25547                   │
├─────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ axios                   │ CVE-2026-25639 │          │        │ 1.13.2            │ 1.13.5        │ axios: Axios affected by Denial of Service via __proto__ Key │
│                         │                │          │        │                   │               │ in mergeConfig...                                            │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-25639                   │
├─────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ tar                     │ CVE-2026-23745 │          │        │ 7.5.2             │ 7.5.3         │ node-tar: tar: node-tar: Arbitrary file overwrite and        │
│                         │                │          │        │                   │               │ symlink poisoning via unsanitized linkpaths...               │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-23745                   │
│                         ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                         │ CVE-2026-23950 │          │        │                   │ 7.5.4         │ node-tar: tar: node-tar: Arbitrary file overwrite via        │
│                         │                │          │        │                   │               │ Unicode path collision race condition...                     │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-23950                   │
│                         ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                         │ CVE-2026-24842 │          │        │                   │ 7.5.7         │ node-tar: tar: node-tar: Arbitrary file creation via path    │
│                         │                │          │        │                   │               │ traversal bypass in hardlink...                              │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-24842                   │
└─────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

(Truncated to last 8000 characters out of 10556)
⚠️ REPOSITORY / kics - 9 errors
Scanning with Keeping Infrastructure as Code Secure v2.1.19

Unpinned Actions Full Length Commit SHA, Severity: LOW, Results: 9
Description: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Platform: CICD
CWE: 829
Risk Score: 4.1
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9

	[1]: .github/workflows/test.yml:75

		074:       - name: Run headless test
		075:         uses: GabrielBB/xvfb-action@v1
		076:         env:


	[2]: .github/workflows/build-deploy-docs.yml:34

		033:         if: success() || failure()
		034:         uses: UnicornGlobal/has-changes-action@v1.0.12
		035: 


	[3]: .github/workflows/mega-linter.yml:63

		062:         if: success() || failure()
		063:         uses: UnicornGlobal/has-changes-action@v1.0.12
		064: 


	[4]: .github/workflows/build-deploy-docs.yml:42

		041:         if: steps.changes.outputs.changed == 1
		042:         uses: stefanzweifel/git-auto-commit-action@v7
		043:         with:


	[5]: .github/workflows/deploy-RELEASE.yml:38

		037:       - name: Publish to Open VSX Registry
		038:         uses: HaaLeo/publish-vscode-extension@v2
		039:         with:


	[6]: .github/workflows/mega-linter.yml:42

		041:       - name: Mega-Linter
		042:         uses: oxsecurity/megalinter/flavors/cupcake@beta
		043:         env:


	[7]: .github/workflows/mega-linter.yml:69

		068:         if: steps.changes.outputs.changed == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request'
		069:         uses: peter-evans/create-pull-request@v8
		070:         with:


	[8]: .github/workflows/mega-linter.yml:87

		086:         if: steps.changes.outputs.changed == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/master' && github.repository == github.event.pull_request.hea
		087:         uses: stefanzweifel/git-auto-commit-action@v7
		088:         with:


	[9]: .github/workflows/test.yml:37

		036:       - name: Run headless test
		037:         uses: GabrielBB/xvfb-action@v1
		038:         env:



Results Summary:
CRITICAL: 0
HIGH: 0
MEDIUM: 0
LOW: 9
INFO: 0
TOTAL: 9
⚠️ SPELL / lychee - 9 errors
[403] https://www.npmjs.com/package/npm-groovy-lint | Network error: Forbidden
[403] https://www.npmjs.com/package/java-caller | Network error: Forbidden
[403] https://www.npmjs.com/package/analytics | Network error: Forbidden
[403] https://www.npmjs.com/package/npm-groovy-lint | Network error: Forbidden
[403] https://www.npmjs.com/package/java-caller | Network error: Forbidden
[IGNORED] git+https://github.com/nvuillam/vscode-groovy-lint.git | Unsupported: Error creating request client: builder error for url (git+https://github.com/nvuillam/vscode-groovy-lint.git)
[ERROR] https://mochajs.org/ | Network error: error sending request for url (https://mochajs.org/) Maybe a certificate error?
[404] https://download.vscodium.com/debs | Network error: Not Found
[403] https://www.npmjs.com/package/java-caller | Error (cached)
[403] https://www.npmjs.com/package/npm-groovy-lint | Error (cached)
[IGNORED] git+https://github.com/nvuillam/vscode-groovy-lint.git | Unsupported: Error creating request client: builder error for url (git+https://github.com/nvuillam/vscode-groovy-lint.git)
📝 Summary
---------------------
🔍 Total..........767
✅ Successful.....751
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........5
❓ Unknown..........0
🚫 Errors...........9

Errors in CHANGELOG.md
[403] https://www.npmjs.com/package/npm-groovy-lint | Network error: Forbidden
[ERROR] https://mochajs.org/ | Network error: error sending request for url (https://mochajs.org/) Maybe a certificate error?
[403] https://www.npmjs.com/package/java-caller | Network error: Forbidden
[403] https://www.npmjs.com/package/analytics | Network error: Forbidden

Errors in README.md
[403] https://www.npmjs.com/package/npm-groovy-lint | Network error: Forbidden
[403] https://www.npmjs.com/package/java-caller | Network error: Forbidden

Errors in docs/index.md
[403] https://www.npmjs.com/package/npm-groovy-lint | Error (cached)
[403] https://www.npmjs.com/package/java-caller | Error (cached)

Errors in .github/workflows/test.yml
[404] https://download.vscodium.com/debs | Network error: Not Found
⚠️ MARKDOWN / markdownlint - 1 error
CONTRIBUTING.md:26:20 error MD059/descriptive-link-text Link text should be descriptive [Context: "[here]"]

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@beta --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

@renovate renovate bot force-pushed the renovate/major-typescript-eslint-monorepo branch 5 times, most recently from e105868 to ffb6e0b Compare December 8, 2025 17:33
@renovate renovate bot force-pushed the renovate/major-typescript-eslint-monorepo branch 3 times, most recently from 2073e46 to 55e2e59 Compare December 22, 2025 17:50
@renovate renovate bot force-pushed the renovate/major-typescript-eslint-monorepo branch 3 times, most recently from 95c6995 to 2943450 Compare January 5, 2026 17:33
@renovate renovate bot force-pushed the renovate/major-typescript-eslint-monorepo branch from 2943450 to dea8a3c Compare January 12, 2026 17:27
@renovate renovate bot force-pushed the renovate/major-typescript-eslint-monorepo branch 2 times, most recently from 0702f7e to 8743fff Compare January 26, 2026 17:57
@renovate renovate bot force-pushed the renovate/major-typescript-eslint-monorepo branch from 8743fff to 672f938 Compare February 10, 2026 08:15
@renovate renovate bot force-pushed the renovate/major-typescript-eslint-monorepo branch from 672f938 to fd69fb5 Compare February 12, 2026 16:04