Bump ESLint and related dependencies

[Mrtenz]

ESLint 8 and the legacy config format are EOL. In this PR I've updated ESLint to v9, and bumped all related dependencies (ESLint configs, Prettier, auto-changelog), and rewritten the config to use the flat config format.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@es-joy/jsdoccomment@0.49.0	None	0	121 kB	brettz9
npm/@eslint-community/eslint-utils@4.4.1	None	0	378 kB	eslint-community-bot, michaeldeboey
npm/@eslint-community/regexpp@4.12.1	None	0	473 kB	eslint-community-bot, michaeldeboey
npm/@eslint/config-array@0.18.0	None	0	113 kB	eslintbot
npm/@eslint/core@0.7.0	None	0	36.3 kB	eslintbot
npm/@eslint/eslintrc@3.1.0	filesystem, unsafe Transitive: environment	+4	1.44 MB	eslintbot
npm/@eslint/js@9.14.0	None	0	14.6 kB	eslintbot
npm/@eslint/object-schema@2.1.4	None	0	55.5 kB	eslintbot
npm/@eslint/plugin-kit@0.2.2	None	0	76.5 kB	eslintbot, openjsfoundation
npm/@humanfs/core@0.19.1	None	0	72.7 kB	nzakas
npm/@humanfs/node@0.16.6	None	+1	89.5 kB	nzakas
npm/@humanwhocodes/retry@0.4.0	None	0	64.7 kB	nzakas
npm/@metamask/auto-changelog@4.0.0	None	0	211 kB	metamaskbot
npm/@metamask/eslint-config-jest@14.0.0	None	0	12.2 kB	metamaskbot
npm/@metamask/eslint-config-nodejs@14.0.0	unsafe	0	98.4 kB	metamaskbot
npm/@metamask/eslint-config-typescript@14.0.0	None	0	22.7 kB	metamaskbot
npm/@metamask/eslint-config@14.0.0	unsafe	0	130 kB	metamaskbot
npm/@nolyfill/is-core-module@1.0.39	unsafe	0	2.71 kB	sukkaw
npm/@pkgr/core@0.1.1	None	0	8.54 kB	jounqin
npm/@shikijs/core@1.22.2	None	0	107 kB	antfu
npm/@shikijs/engine-javascript@1.22.2	None	0	10.2 kB	antfu
npm/@shikijs/engine-oniguruma@1.22.2	None	0	648 kB	antfu
npm/@shikijs/types@1.22.2	None	0	60.6 kB	antfu
npm/@shikijs/vscode-textmate@9.3.0	None	0	126 kB	antfu
npm/@types/estree@1.0.6	None	0	25.8 kB	types
npm/@types/hast@3.0.4	None	0	9.7 kB	types
npm/@types/json-schema@7.0.15	None	0	31.7 kB	types
npm/@types/mdast@4.0.4	None	0	29.4 kB	types
npm/@typescript-eslint/eslint-plugin@8.12.2	None	0	2.69 MB	bradzacher, jameshenry
npm/@typescript-eslint/parser@8.12.2	None	0	18.8 kB	bradzacher, jameshenry
npm/@typescript-eslint/scope-manager@8.12.2	None	0	606 kB	bradzacher, jameshenry
npm/@typescript-eslint/type-utils@8.12.2	None	0	122 kB	bradzacher, jameshenry
npm/@typescript-eslint/types@8.12.2	None	0	173 kB	bradzacher, jameshenry
npm/@typescript-eslint/typescript-estree@8.12.2	None	0	591 kB	jameshenry
npm/@typescript-eslint/utils@8.12.2	None	0	284 kB	bradzacher, jameshenry
npm/@typescript-eslint/visitor-keys@8.12.2	None	+1	51.5 kB	bradzacher, jameshenry
npm/@ungap/structured-clone@1.2.0	None	0	26.2 kB	webreflection
npm/acorn@8.14.0	None	0	547 kB	marijn
npm/are-docs-informative@0.0.2	None	0	13.6 kB	joshuakgoldberg
npm/ccount@2.0.1	None	0	7.34 kB	wooorm
npm/character-entities-html4@2.1.0	None	0	11.4 kB	wooorm
npm/character-entities-legacy@3.0.0	None	0	9.14 kB	wooorm
npm/comma-separated-tokens@2.0.3	None	0	9.97 kB	wooorm
npm/comment-parser@1.4.1	None	0	366 kB	yavorskiys
npm/dequal@2.0.3	None	0	14.2 kB	lukeed
npm/devlop@1.1.0	None	0	22 kB	wooorm
npm/enhanced-resolve@5.17.1	unsafe	0	212 kB	evilebottnawi
npm/entities@4.5.0	None	0	413 kB	feedic
npm/es-module-lexer@1.5.4	None	0	90.9 kB	guybedford
npm/eslint-compat-utils@0.5.1	filesystem	0	53.1 kB	ota-meshi
npm/eslint-config-prettier@9.1.0	None	0	20.8 kB	lydell
npm/eslint-import-resolver-typescript@3.6.3	None	0	46.8 kB	jounqin
npm/eslint-module-utils@2.12.0	None	0	54.6 kB	benmosher, jfmengels, ljharb
npm/eslint-plugin-es-x@7.8.0	None	0	409 kB	eslint-community-bot
npm/eslint-plugin-import-x@4.4.0	None	0	684 kB	jounqin
npm/eslint-plugin-jest@28.8.3	filesystem	0	349 kB	aaronabramov, jeysal, jsonp, ...6 more
npm/eslint-plugin-jsdoc@50.4.3	filesystem	+2	2.1 MB	gajus
npm/eslint-plugin-n@17.12.0	None	0	446 kB	eslint-community-bot, weiran.zsd
npm/eslint-plugin-prettier@5.2.1	None	0	34.3 kB	jounqin
npm/eslint-plugin-promise@7.1.0	None	0	77.7 kB	eslint-community-bot
npm/eslint-scope@8.2.0	None	0	152 kB	eslintbot
npm/eslint-visitor-keys@4.2.0	None	0	36.1 kB	eslintbot
npm/eslint@9.14.0	environment	+1	3.34 MB	eslintbot
npm/esquery@1.6.0	None	+1	1.07 MB	michaelficarra
npm/fast-glob@3.3.2	filesystem	0	96.7 kB	mrmlnc
npm/file-entry-cache@8.0.0	filesystem	0	16 kB	jaredwray
npm/flat-cache@4.0.1	filesystem	0	29.3 kB	jaredwray
npm/flatted@3.3.1	None	0	40.3 kB	webreflection
npm/get-tsconfig@4.8.1	filesystem	0	105 kB	hirokiosame
npm/globals@15.12.0	None	0	176 kB	byk, lo1tuma, nzakas, ...1 more
npm/graceful-fs@4.2.11	environment, filesystem	0	32.5 kB	isaacs
npm/hast-util-to-html@9.0.3	None	+1	78.4 kB	wooorm
npm/hast-util-whitespace@3.0.0	None	0	11.8 kB	wooorm
npm/html-void-elements@3.0.0	None	0	6.9 kB	wooorm
npm/ignore@5.3.2	None	0	53.6 kB	kael
npm/is-bun-module@1.2.1	None	0	11.7 kB	sunset_techuila
npm/jsdoc-type-pratt-parser@4.1.0	None	0	245 kB	jsdoc-type-pratt-parser
npm/json-buffer@3.0.1	None	0	5.4 kB	dominictarr
npm/keyv@4.5.4	None	0	27.8 kB	jaredwray
npm/linkify-it@5.0.0	None	+1	68.6 kB	vitaly
npm/markdown-it@14.1.0	None	0	767 kB	vitaly
npm/mdast-util-to-hast@13.2.0	None	0	125 kB	wooorm
npm/mdurl@2.0.0	None	0	37.5 kB	vitaly
npm/micromark-util-character@2.1.0	None	0	33.1 kB	wooorm
npm/micromark-util-encode@2.0.0	None	0	6.42 kB	wooorm
npm/micromark-util-sanitize-uri@2.0.0	None	0	16.1 kB	wooorm
npm/micromark-util-symbol@2.0.0	None	0	37.5 kB	wooorm
npm/micromark-util-types@2.0.0	None	0	36.7 kB	wooorm
npm/minimatch@9.0.5	environment	0	435 kB	isaacs
npm/ms@2.1.3	None	0	6.72 kB	styfle
npm/oniguruma-to-js@0.4.3	None	0	63.4 kB	antfu
npm/parse-imports@2.2.1	None	0	39.1 kB	tomeraberbach
npm/prettier@3.3.3	environment, filesystem, unsafe	0	7.7 MB	prettier-bot
npm/property-information@6.5.0	None	0	105 kB	wooorm
npm/punycode.js@2.3.1	None	0	33.5 kB	google-wombot
npm/regex@4.4.0	None	0	513 kB	slevithan
npm/resolve-pkg-maps@1.0.0	None	0	15 kB	hirokiosame
npm/semver@7.6.3	None	0	95.8 kB	npm-cli-ops
npm/shiki@1.22.2	None	0	10.1 MB	antfu, octref, orta, ...1 more
npm/slashes@3.0.12	None	0	26 kB	chrisackerman
npm/space-separated-tokens@2.0.2	None	0	7.75 kB	wooorm
npm/stable-hash@0.0.4	None	0	5.46 kB	quietshu
npm/stringify-entities@4.0.4	None	0	23.8 kB	wooorm
npm/synckit@0.9.2	environment	0	59.8 kB	jounqin
npm/tapable@2.2.1	None	0	46.9 kB	sokra
npm/trim-lines@3.0.1	None	0	7.49 kB	wooorm
npm/ts-api-utils@1.4.0	None	0	1.19 MB	joshuakgoldberg
npm/tslib@2.8.1	None	0	90.4 kB	typescript-bot
npm/typedoc@0.26.11	None	+1	2.45 MB	typedoc-bot
npm/typescript-eslint@8.12.2	None	0	101 kB	jameshenry
npm/unist-util-is@6.0.0	None	0	27.1 kB	wooorm
npm/unist-util-position@5.0.0	None	0	12.8 kB	wooorm
npm/unist-util-stringify-position@4.0.0	None	0	13.2 kB	wooorm
npm/unist-util-visit-parents@6.0.1	None	0	32.9 kB	wooorm
npm/unist-util-visit@5.0.0	None	0	28.5 kB	wooorm
npm/vfile-message@4.0.2	None	0	22.3 kB	wooorm
npm/vfile@6.0.3	None	0	122 kB	wooorm
npm/zwitch@2.0.4	None	0	13.8 kB	wooorm

🚮 Removed packages: npm/@es-joy/jsdoccomment@0.36.1, npm/@eslint-community/eslint-utils@4.4.0, npm/@eslint-community/regexpp@4.5.1, npm/@eslint/eslintrc@2.1.0, npm/@eslint/js@8.44.0, npm/@humanwhocodes/config-array@0.11.10, npm/@humanwhocodes/object-schema@1.2.1, npm/@metamask/auto-changelog@3.4.4, npm/@metamask/eslint-config-jest@12.1.0, npm/@metamask/eslint-config-nodejs@12.1.0, npm/@metamask/eslint-config-typescript@12.1.0, npm/@metamask/eslint-config@12.2.0, npm/@types/json-schema@7.0.11, npm/@types/json5@0.0.29, npm/@types/semver@7.3.13, npm/@typescript-eslint/eslint-plugin@5.43.0, npm/@typescript-eslint/parser@6.21.0, npm/@typescript-eslint/scope-manager@5.43.0, npm/@typescript-eslint/type-utils@5.43.0, npm/@typescript-eslint/types@5.43.0, npm/@typescript-eslint/typescript-estree@5.43.0, npm/@typescript-eslint/utils@5.43.0, npm/@typescript-eslint/visitor-keys@5.43.0, npm/acorn@8.10.0, npm/array-buffer-byte-length@1.0.0, npm/array-includes@3.1.7, npm/array.prototype.flat@1.3.2, npm/arraybuffer.prototype.slice@1.0.2, npm/available-typed-arrays@1.0.5, npm/call-bind@1.0.5, npm/comment-parser@1.3.1, npm/define-properties@1.2.1, npm/es-abstract@1.22.3, npm/es-set-tostringtag@2.0.1, npm/es-shim-unscopables@1.0.0, npm/es-to-primitive@1.2.1, npm/eslint-config-prettier@8.8.0, npm/eslint-module-utils@2.8.0, npm/eslint-plugin-es@4.1.0, npm/eslint-plugin-import@2.26.0, npm/eslint-plugin-jest@27.2.2, npm/eslint-plugin-jsdoc@39.9.1, npm/eslint-plugin-n@15.7.0, npm/eslint-plugin-prettier@4.2.1, npm/eslint-plugin-promise@6.1.1, npm/eslint-scope@5.1.1, npm/eslint-utils@3.0.0, npm/eslint-visitor-keys@3.4.1, npm/eslint@8.44.0, npm/espree@9.6.0, npm/esquery@1.5.0, npm/estraverse@4.3.0, npm/fast-glob@3.2.12, npm/file-entry-cache@6.0.1, npm/flat-cache@3.0.4, npm/flatted@3.1.1, npm/for-each@0.3.3, npm/function.prototype.name@1.1.6, npm/functions-have-names@1.2.3, npm/get-symbol-description@1.0.0, npm/globalthis@1.0.3, npm/globby@11.1.0, npm/gopd@1.0.1, npm/graceful-fs@4.2.10, npm/has-bigints@1.0.2, npm/has-property-descriptors@1.0.0, npm/has-proto@1.0.1, npm/has-symbols@1.0.3, npm/has-tostringtag@1.0.0, npm/has@1.0.3, npm/ignore@5.2.1, npm/internal-slot@1.0.5, npm/is-array-buffer@3.0.2, npm/is-bigint@1.0.1, npm/is-boolean-object@1.1.0, npm/is-date-object@1.0.2, npm/is-negative-zero@2.0.2, npm/is-number-object@1.0.4, npm/is-path-inside@3.0.3, npm/is-regex@1.1.4, npm/is-shared-array-buffer@1.0.2, npm/is-string@1.0.7, npm/is-symbol@1.0.3, npm/is-typed-array@1.1.12, npm/is-weakref@1.0.2, npm/isarray@2.0.5, npm/jsdoc-type-pratt-parser@3.1.0, npm/jsonc-parser@3.2.0, npm/minimatch@9.0.4, npm/ms@2.1.2, npm/natural-compare-lite@1.4.0, npm/object-inspect@1.13.1, npm/object-keys@1.1.1, npm/object.assign@4.1.4, npm/object.values@1.1.7, npm/prettier@2.8.8, npm/regexp.prototype.flags@1.5.1, npm/regexpp@3.2.0, npm/safe-array-concat@1.0.1, npm/safe-regex-test@1.0.0, npm/semver@7.6.2, npm/set-function-length@1.1.1, npm/set-function-name@2.0.1, npm/shiki@0.11.1, npm/side-channel@1.0.4, npm/string.prototype.trim@1.2.8, npm/string.prototype.trimend@1.0.7, npm/string.prototype.trimstart@1.0.7, npm/strip-bom@3.0.0, npm/ts-api-utils@1.3.0, npm/tsconfig-paths@3.14.1, npm/tslib@1.14.1, npm/tsutils@3.21.0, npm/type-fest@0.20.2, npm/typed-array-buffer@1.0.0, npm/typed-array-byte-length@1.0.0, npm/typed-array-byte-offset@1.0.0, npm/typed-array-length@1.0.4, npm/typedoc@0.23.15, npm/unbox-primitive@1.0.2, npm/vscode-oniguruma@1.6.2, npm/vscode-textmate@6.0.0, npm/which-boxed-primitive@1.0.2

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Manifest confusion	npm/eslint-plugin-jest@28.8.3	Location: Package overview	package.json yarn.lock	⚠︎

View full report↗︎

Next steps

What is manifest confusion?

This package has inconsistent metadata. This could be malicious or caused by an error when publishing the package.

Packages with inconsistent metadata may be corrupted or malicious.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/eslint-plugin-jest@28.8.3

[mcmire]

I know that the createConfig function was already released and published. However, I can't help but wonder whether it will, in the long run, make our ESLint configurations unnecessarily difficult to understand and debug. ESLint already provides recommendations for combining configuration objects (and exporting configs so they can be properly combined), and these are what plugins like eslint-plugin-import-x, eslint-plugin-jsdoc, and eslint-plugin-prettier follow in switching to the flat config format.

Upon switching to ESLint 9, I would expect the config file to look like the following:

import baseConfigs from '@metamask/eslint-config';
import typescriptConfigs from '@metamask/eslint-config-typescript';
import nodejsConfigs from '@metamask/eslint-config-nodejs';
import jestConfigs from '@metamask/eslint-config-jest';

export default [
  ...baseConfigs,
  {
    ignores: ['dist/', 'docs/', '.yarn/'],
  },
  {
    languageOptions: {
      sourceType: 'module'
    },
    settings: {
      'import-x/extensions': ['.js', '.mjs'],
    },
  },
  ...typescriptConfigs.map((config) => ({
    files: ['**/*.ts'],
    languageOptions: {
      parserOptions: {
        tsconfigRootDir: import.meta.dirname,
        project: ['./tsconfig.json'],
      },
    },
  }}),
  ...nodeJsConfigs.map((config) => ({
    ...config,
    files: ['**/*.js', '**/*.cjs'],
    languageOptions: {
      sourceType: 'script',
    },
  })),
  ...nodeJsConfigs.map((config) => ({
    ...config,
    files: ['**/*.test.ts', '**/*.test.js'],
    languageOptions: {
      sourceType: 'script',
    },
  })),
  ...jestConfigs.map((config) => ({
    ...config,
    files: ['**/*.test.ts', '**/*.test.js'],
  })),
];

While using map is a bit more verbose, I think it's very clear that we are creating objects to add to the flat array that we are ultimately exporting. I am not sure that is so clear with the createConfig utility.

What are your thoughts on this? I believe there are also further improvements we can make to the ESLint packages so that we can streamline this file, but I will leave that for a future comment.

[Mrtenz]

I considered this, and after talking about it with @rekmarks, we decided to create a simple util function that handles it for you. I don't think it changes so much in understandability of the config, and because it's less verbose, I feel like it's easier to read.

The function is based on typescript-eslint's config function, so it's not like we're the only ones doing this.

Upon switching to ESLint 9, I would expect the config file to look like the following:

[...]

This gets very verbose if you actually want to override some rules or other settings. For example:

...typescript.map((config) => {
  ...config,
  rules: {
    ...config.rules,
    'some-rule': 'off',
  },

  languageOptions: {
    ...config.languageOptions,
    parserOptions: {
      ...config.languageOptions.parserOptions,
      ecmaVersion: 2023,
    }
  }
});

Of course we could use some deep merge function, but that's essentially what createConfig does, but easier.

I can't help but wonder whether it will, in the long run, make our ESLint configurations unnecessarily difficult to understand and debug.

I don't think this will be any more of a problem with createConfig compared to map and spreading the config. Either way it's quite easy to log the object to see what's going on.

[rekmarks]

I find ESLint's recommendations—i.e. the map() syntax—to be completely unreadable, and much prefer the utility function. In fact, during the migration of our monorepo to ESLint 9, not using the createConfig() function was more difficult and bug-prone, as opposed to the reverse.

[mcmire]

Thanks for the replies. That helps me understand the reasoning better.

I do wish it were more obvious that an object with extends actually represents multiple objects; that seems to diverge from the central ideas behind flat config. But, if it succeeds in helping us write the config files we want to write, then perhaps it doesn't matter.