fix: Upgrade eslint devDependency to fix stack overflow vulnerability #11610

Merged
anthonyshew merged 3 commits into main from
anthonyshew/turbo-5166-eslint-upgrade
Feb 1, 2026

@anthonyshew anthonyshew commented Jan 31, 2026

Summary

Upgrades eslint devDependency in eslint-plugin-turbo from 8.57.0 to 9.26.0 to address CVE-2025-6294 (stack overflow with circular references).

Changes:

  • Upgrade eslint from 8.57.0 to 9.26.0 (devDependency only)
  • Upgrade @types/estree from 1.0.5 to 1.0.8 (required by eslint 9)
  • Remove @types/eslint (eslint 9 has built-in TypeScript types)
  • Update RuleTester usage in tests: parserOptions → languageOptions (ESLint 9 API change)
  • Remove duplicate test cases detected by ESLint 9's stricter RuleTester
  • Update Linter.Config to Linter.LegacyConfig for eslintrc-style config

Testing:

  • All 107 tests pass
  • Build succeeds
  • Type checking passes

Note: This is a devDependency upgrade only. The peerDependency (eslint: >6.6.0) remains unchanged, so end users can continue using both ESLint 8.x and 9.x.

@anthonyshew anthonyshew requested a review from a team as a code owner January 31, 2026 22:06
@anthonyshew anthonyshew requested review from tknickman and removed request for a team January 31, 2026 22:06
@turbo-orchestrator turbo-orchestrator Bot added the pkg: turbo-eslint eslint-config-turbo and eslint-plugin-turbo label Jan 31, 2026
@anthonyshew anthonyshew changed the title from "fix: Upgrade eslint devDependency to fix Stack Overflow vulnerability" to "fix: Upgrade eslint devDependency to fix stack overflow vulnerability" Jan 31, 2026

Remove @types/eslint from eslint-config-turbo devDependencies and add
eslint 9.26.0 to ensure both packages use ESLint 9's built-in types.
This fixes the type conflict during build where eslint-plugin-turbo
exports types from ESLint 9 but eslint-config-turbo expected types
from @types/eslint@8.

This change only affects build-time types. End users are unaffected:
- devDependencies are not installed by package consumers
- peerDependencies remain 'eslint: >6.6.0' for ESLint 8 compatibility

ESLint 9's RuleTester detects duplicate test cases. Instead of deleting
the duplicates, restore them with reversed destructuring order to make
them unique while still testing the same functionality.
@vercel vercel Bot temporarily deployed to Preview – turborepo-test-coverage February 1, 2026 03:58 Inactive
@anthonyshew anthonyshew merged commit 41b32f6 into main Feb 1, 2026
47 checks passed
@anthonyshew anthonyshew deleted the anthonyshew/turbo-5166-eslint-upgrade branch February 1, 2026 04:02
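
The note in the PR description and the second commit message both rest on the difference between devDependencies and peerDependencies. As an added example (not code from this pull request or the turborepo repository), the script below audits a manifest for ranges that still admit an eslint release older than 9.26.0. `auditManifest`, its helpers and the two manifests are constructed for illustration, and only simple single-comparator ranges are handled.

```javascript
// Added example; not code from the turborepo repository.
// Who ends up with the package installed, per manifest field.
const SCOPE = {
  dependencies: "installed for consumers",
  devDependencies: "maintainers and CI only",
  peerDependencies: "version chosen by the consumer",
};

// Assumption: single-comparator ranges (x.y.z with optional >, >=, ^, ~, =)
// and no prerelease tags. Anything else is reported as "unknown".
function parseRange(range) {
  const m = /^\s*(>=|>|\^|~|=)?\s*(\d+)\.(\d+)\.(\d+)\s*$/.exec(range);
  return m ? [Number(m[2]), Number(m[3]), Number(m[4])] : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// For every field that declares `pkg`, report whether the range still admits a
// release older than `fixed`. With the operators above, the lowest admitted
// release sits at (or just above) the stated version, so comparing that
// version with `fixed` is enough.
function auditManifest(manifest, pkg, fixed) {
  const fixedVersion = parseRange(fixed);
  const findings = [];
  for (const field of Object.keys(SCOPE)) {
    const range = (manifest[field] || {})[pkg];
    if (range === undefined) continue;
    const base = parseRange(range);
    const admitsOlder = base === null ? "unknown" : compare(base, fixedVersion) < 0;
    findings.push({ field, range, admitsOlder, scope: SCOPE[field] });
  }
  return findings;
}

// Constructed manifests using the versions quoted in this pull request.
const before = { devDependencies: { eslint: "8.57.0" }, peerDependencies: { eslint: ">6.6.0" } };
const after = { devDependencies: { eslint: "9.26.0" }, peerDependencies: { eslint: ">6.6.0" } };

console.log(auditManifest(before, "eslint", "9.26.0"));
console.log(auditManifest(after, "eslint", "9.26.0"));
```

The peerDependencies finding is unchanged by the upgrade: the range `>6.6.0` still accepts ESLint 8.x, so which release a consumer actually runs is decided by their own install, not by this package's devDependencies.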