Skip to content

fix: Upgrade eslint to v10 to resolve @eslint/plugin-kit ReDoS vulnerability#11705

Merged
anthonyshew merged 1 commit intomainfrom
fix/turbo-5239-eslint-plugin-kit-v2
Feb 7, 2026
Merged

fix: Upgrade eslint to v10 to resolve @eslint/plugin-kit ReDoS vulnerability#11705
anthonyshew merged 1 commit intomainfrom
fix/turbo-5239-eslint-plugin-kit-v2

Conversation

@anthonyshew
Copy link
Copy Markdown
Contributor

@anthonyshew anthonyshew commented Feb 7, 2026

Summary

Fixes TURBO-5239. Upgrades eslint from 9.26.0 to 10.0.0 in eslint-config-turbo and eslint-plugin-turbo to resolve a ReDoS vulnerability in @eslint/plugin-kit@0.2.8 (requires >=0.3.4).

eslint@10.0.0 depends on @eslint/plugin-kit@^0.6.0, which resolves to 0.6.0.

Changes

  • Bumped eslint devDependency to 10.0.0 in both packages
  • Added @eslint/core as a devDependency (required by eslint 10's type re-exports for declaration emit)
  • Removed deprecated category property from rule metadata (RulesMetaDocs no longer has it in eslint 10)
  • Migrated Linter.FlatConfig to Linter.Config (flat config is now the default/only format)
  • Added explicit type annotations to plugin, rules, and configs exports to fix TS2742 declaration emit errors

Verification

  • pnpm why @eslint/plugin-kit -r confirms 0.6.0 (above the >=0.3.4 fix threshold)
  • Both eslint-plugin-turbo and eslint-config-turbo build successfully
  • No deprecated eslint context APIs were in use (already using modern context.filename, context.cwd, etc.)

@anthonyshew anthonyshew requested a review from a team as a code owner February 7, 2026 04:02
@anthonyshew anthonyshew requested review from tknickman and removed request for a team February 7, 2026 04:02
@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented Feb 7, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
examples-basic-web Ready Ready Preview, Comment, Open in v0 Feb 7, 2026 4:27am
examples-designsystem-docs Ready Ready Preview, Comment, Open in v0 Feb 7, 2026 4:27am
examples-gatsby-web Ready Ready Preview, Comment, Open in v0 Feb 7, 2026 4:27am
examples-kitchensink-blog Ready Ready Preview, Comment, Open in v0 Feb 7, 2026 4:27am
examples-nonmonorepo Ready Ready Preview, Comment, Open in v0 Feb 7, 2026 4:27am
examples-svelte-web Ready Ready Preview, Comment, Open in v0 Feb 7, 2026 4:27am
examples-tailwind-web Ready Ready Preview, Comment, Open in v0 Feb 7, 2026 4:27am
examples-vite-web Ready Ready Preview, Comment, Open in v0 Feb 7, 2026 4:27am
turbo-site Ready Ready Preview, Comment, Open in v0 Feb 7, 2026 4:27am
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
turborepo-test-coverage Skipped Skipped Open in v0 Feb 7, 2026 4:27am

@turbo-orchestrator turbo-orchestrator Bot added the pkg: turbo-eslint eslint-config-turbo and eslint-plugin-turbo label Feb 7, 2026
@anthonyshew anthonyshew force-pushed the fix/turbo-5239-eslint-plugin-kit-v2 branch from e0365d4 to 1fbc57d Compare February 7, 2026 04:25
@vercel vercel Bot temporarily deployed to Preview – turborepo-test-coverage February 7, 2026 04:25 Inactive
@anthonyshew anthonyshew merged commit fd541f3 into main Feb 7, 2026
43 of 44 checks passed
@anthonyshew anthonyshew deleted the fix/turbo-5239-eslint-plugin-kit-v2 branch February 7, 2026 04:29
@github-actions github-actions Bot mentioned this pull request Feb 7, 2026
Merged
github-actions Bot added a commit that referenced this pull request Feb 7, 2026
@github-actions @turbobot-temp
release(turborepo): 2.8.3-canary.8 (#11712)
f54205e 
## Release v2.8.3-canary.8

Versioned docs: https://v2-8-3-canary-8.turborepo.dev

### Changes

- fix: Upgrade eslint to v10 to resolve @eslint/plugin-kit ReDoS
vulnerability (#11705) (`fd541f3a59`)
- fix: Upgrade tsdown in create-turbo to resolve valibot ReDoS
vulnerability (#11702) (`e5efb86265`)
- fix: Upgrade fumadocs and shiki in docs to resolve mdast-util-to-hast
vulnerability (#11704) (`c94e2c54ed`)
- fix: Upgrade inquirer to remove lodash dependency (#11709)
(`87970c1fa4`)
- release(turborepo): 2.8.3-canary.7 (#11686) (`d189b9e9e2`)

Co-authored-by: Turbobot <turbobot@vercel.com>
@github-actions github-actions Bot mentioned this pull request Feb 7, 2026
Merged
github-actions Bot added a commit that referenced this pull request Feb 7, 2026
@github-actions @turbobot-temp
release(turborepo): 2.8.3-canary.9 (#11713)
ea07d2f 
## Release v2.8.3-canary.9

Versioned docs: https://v2-8-3-canary-9.turborepo.dev

### Changes

- fix: Replace ts-node with tsx to resolve diff DoS vulnerability
(#11708) (`1a3ae1d2ae`)
- fix: Upgrade jest to v30 to resolve brace-expansion ReDoS
vulnerability (#11706) (`50fb1c52b9`)
- release(turborepo): 2.8.3-canary.8 (#11712) (`f54205e6f6`)
- fix: Upgrade eslint to v10 to resolve @eslint/plugin-kit ReDoS
vulnerability (#11705) (`fd541f3a59`)
- fix: Upgrade tsdown in create-turbo to resolve valibot ReDoS
vulnerability (#11702) (`e5efb86265`)
- fix: Upgrade fumadocs and shiki in docs to resolve mdast-util-to-hast
vulnerability (#11704) (`c94e2c54ed`)

Co-authored-by: Turbobot <turbobot@vercel.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tknickman tknickman Awaiting requested review from tknickman tknickman is a code owner automatically assigned from vercel/turbo-oss

Assignees

No one assigned

Labels

pkg: turbo-eslint eslint-config-turbo and eslint-plugin-turbo

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@anthonyshew