The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NEXT-15104645
- https://snyk.io/vuln/SNYK-JS-ESLINT-15102420
Pull request overview
This PR upgrades two critical dependencies to address security vulnerabilities: ESLint from ^8.0.1 to ^9.26.0 (fixing SNYK-JS-ESLINT-15102420, an uncontrolled recursion vulnerability) and Next.js from ^14.2.6 to ^15.5.10 (fixing SNYK-JS-NEXT-15104645, an allocation of resources without limits vulnerability).
Changes:
- Upgraded ESLint to version 9.26.0 to fix a medium severity uncontrolled recursion vulnerability
- Upgraded Next.js to version 15.5.10 to fix a high severity resource allocation vulnerability
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updated ESLint and Next.js dependency versions to address security vulnerabilities |
| package-lock.json | Auto-generated lockfile updates reflecting the new dependency versions and their transitive dependencies |
| "eslint": "^9.26.0", | ||
| "eslint-config-next": "14.2.6", |
The upgrade to eslint 9.26.0 is incompatible with eslint-config-next 14.2.6, which requires eslint ^7.23.0 || ^8.0.0 according to its peer dependencies. Additionally, eslint-plugin-primer-react 5.4.0 requires eslint ^8.42.0. This will cause peer dependency conflicts when installing the dependencies.
To fix this, you need to also upgrade eslint-config-next to version 15.x which is compatible with both Next.js 15 and ESLint 9. The eslint-config-next version should match the Next.js major version. Additionally, you may need to update eslint-plugin-primer-react to a version that supports ESLint 9, or check if a newer version is available.
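As an added example (not part of this PR or the project), a small Node script that checks an installed eslint version against the caret peer ranges the comment above quotes. The package-to-range table is a constructed sample built from those quotes; only `^x.y.z` ranges joined by `||` are handled, which is all that appears here (use the `semver` package for anything else).

```javascript
// Added example, not the project's code: reproduces the peer-range check
// npm performs, for the ranges quoted in the review comment.
const parse = (v) => v.split(".").map(Number);

// npm caret semantics: `^x.y.z` allows >= x.y.z and < (x+1).0.0 when x > 0;
// `^0.y.z` keeps the minor fixed, and `^0.0.z` keeps the patch fixed.
function satisfiesCaret(version, range) {
  const [major, minor, patch] = parse(version);
  const [rMajor, rMinor, rPatch] = parse(range.replace(/^\^/, ""));
  if (major !== rMajor) return false;
  if (rMajor === 0) {
    if (minor !== rMinor) return false;
    return rMinor === 0 ? patch === rPatch : patch >= rPatch;
  }
  if (minor !== rMinor) return minor > rMinor;
  return patch >= rPatch;
}

// A `||` range is satisfied when any alternative is.
function satisfies(version, rangeExpr) {
  return rangeExpr
    .split("||")
    .map((r) => r.trim())
    .some((r) => satisfiesCaret(version, r));
}

// Constructed sample: the eslint peer ranges the review comment attributes
// to the two packages currently in the project.
const peers = {
  "eslint-config-next@14.2.6": "^7.23.0 || ^8.0.0",
  "eslint-plugin-primer-react@5.4.0": "^8.42.0",
};

// Returns the packages whose eslint peer range the given version violates.
function peerConflicts(installedEslint, peerRanges = peers) {
  return Object.entries(peerRanges)
    .filter(([, range]) => !satisfies(installedEslint, range))
    .map(([pkg]) => pkg);
}

console.log(peerConflicts("9.26.0")); // both packages conflict
console.log(peerConflicts("8.57.0")); // []
```

Run it with `node` after editing the `peers` table to match whatever `npm ls eslint` or the lockfile reports for the project; an empty result means the upgrade installs without peer conflicts.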
| "@types/react-dom": "18.3.0", | ||
| "autoprefixer": "10.4.20", | ||
| "eslint": "^8.0.1", | ||
| "eslint": "^9.26.0", |
ESLint 9 uses a new flat configuration format (eslint.config.js) by default and has deprecated the .eslintrc.json format. The project currently uses .eslintrc.json which may not work with ESLint 9 without additional configuration or migration.
To properly upgrade to ESLint 9, you should either:
- Migrate to the flat config format by creating an eslint.config.js file, or
- Use the ESLINT_USE_FLAT_CONFIG=false environment variable to continue using the legacy format (though this is not recommended for long-term use)
The migration is particularly important if eslint-config-next is upgraded to version 15.x, as it will likely expect the new flat config format.
| "eslint": "^9.26.0", | |
| "eslint": "^8.57.0", |
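Review bot: the `"eslint": "^8.57.0"` line in this fragment does not overlap with the `"eslint": "^9.26.0"` range the PR introduces (`^8.57.0` means >= 8.57.0 and < 9.0.0), so if it is a peer or dependency range recorded in package-lock.json rather than a stale pre-upgrade entry, the lockfile will not resolve cleanly against the new version. Regenerate the lockfile with `npm install` once eslint-config-next and any ESLint plugins are moved to ESLint 9 compatible releases, instead of editing the version strings by hand.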
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-NEXT-15104645
- SNYK-JS-ESLINT-15102420
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling