
Fix security vulnerabilities, resolve deprecation warnings, and upgrade to ESLint v10 #35

Open
dduugg wants to merge 13 commits into main from fix/resolve-npm-security-and-deprecation-warnings

@dduugg dduugg commented Mar 26, 2026

Summary

Comprehensive update of all dependencies to resolve security vulnerabilities, deprecation warnings, and modernize the development toolchain. All tests pass, builds succeed, and there are zero security vulnerabilities.

Security Vulnerabilities Fixed (npm audit)

4 vulnerabilities resolved (previously reported by npm audit):

  • ajv - ReDoS vulnerability with $data option (moderate severity)
  • brace-expansion - Regular Expression Denial of Service (low severity)
  • cross-spawn - Regular Expression Denial of Service (high severity)
  • semver - Regular Expression Denial of Service (high severity)

Deprecation Warnings Resolved

ESLint v8 end-of-support warning - Upgraded to ESLint v10

  • Migrated from .eslintrc.json to flat config (eslint.config.mjs)
  • Updated all ESLint plugins for compatibility

url.parse() deprecation (DEP0169) - Replaced npm-run-all with npm-run-all2

  • Eliminated 111 outdated packages from dependency tree
  • Modern maintained fork with WHATWG URL API

eslint-plugin-import peer dependency warning - Switched to eslint-plugin-import-x

  • Drop-in replacement with full ESLint 10 support
  • Same API, same rules, actively maintained

Removed stub type packages:

  • Removed @types/glob (glob provides its own types)

Major Dependency Updates

ESLint Ecosystem

  • eslint: 8.57.1 → 10.1.0
  • @typescript-eslint/eslint-plugin: 5.4.0 → 8.57.2
  • @typescript-eslint/parser: 5.4.0 → 8.57.2
  • eslint-config-prettier: 8.3.0 → 10.1.8
  • eslint-plugin-import: 2.25.3 → removed
  • eslint-plugin-import-x: → 4.16.2 (new, replaces eslint-plugin-import)

Build Tools

  • webpack: 5.105.0 → 5.105.4
  • webpack-cli: 4.9.2 → 7.0.2
  • ts-loader: 9.3.0 → 9.5.4
  • prettier: 2.6.2 → 3.8.1

Type Definitions

  • @types/node: 17.0.31 → 25.5.0 (latest Node types)
  • @types/vscode: 1.67.0 → 1.110.0 (latest VS Code API types)
  • @types/js-yaml: 4.0.5 → 4.0.9

Testing

  • jest: 30.2.0 → 30.3.0
  • ts-jest: 29.4.6 (kept at latest compatible version)

Utilities

  • glob: 11.0.0 → 13.0.6
  • rimraf: 3.0.2 → 6.1.3
  • npm-run-all: 4.1.5 → removed
  • npm-run-all2: → 8.0.4 (new, maintained fork)

TypeScript

  • typescript: 5.9.3 (kept at latest 5.x - TypeScript 6 not yet supported by @typescript-eslint)

Package Tree Improvements

  • 111 outdated packages removed from node_modules
  • All transitive dependencies updated to latest allowed versions
  • Zero security vulnerabilities (verified with npm audit)

Configuration Changes

Migrated ESLint to Flat Config (Required for ESLint v9+)

Why this migration was necessary:
ESLint v9.0.0+ (released April 2024) removed support for the legacy .eslintrc.* configuration format. The flat config system (eslint.config.js) is now the only supported configuration format. This migration was mandatory to upgrade from ESLint v8 to v9/v10 - there is no way to use ESLint v9+ with the old configuration format.

Key changes in the flat config system:

  • Configuration uses ES modules instead of JSON
  • The ignores property replaces separate .eslintignore files
  • Plugins and parsers are imported as JavaScript modules
  • More explicit and predictable configuration resolution

Migration details:

  • ✅ Created eslint.config.mjs with ES module format
  • ✅ Removed .eslintrc.json (no longer supported in ESLint v9+)
  • ✅ Removed .eslintignore (now using ignores in config)
  • ✅ Maintained all existing rules and settings
  • ✅ Full ESLint 10 compatibility

Reference: ESLint Flat Config Migration Guide

Testing & Verification

✅ All tests passing
✅ All linting passing
✅ Production build working
✅ Development build working
✅ Zero security vulnerabilities
✅ CI/CD workflows remain compatible

Remaining Non-Critical Warnings

The following deprecation warnings remain but are not actionable at this time:

  • glob@10.5.0 and glob@7.2.3 - Used by Jest's internal dependencies (babel-plugin-istanbul, test-exclude). These are locked by upstream packages and don't affect our code or the bundled extension. No security vulnerabilities.

  • inflight@1.0.6 - Transitive dependency of old glob versions used by Jest. Does not affect production bundle.

These warnings are cosmetic, come from dev-only dependencies, and will be resolved when the Jest ecosystem updates its dependencies.

Files Changed

  • package.json - Updated all dependencies
  • package-lock.json - Regenerated with updated dependency tree
  • eslint.config.mjs - New flat config (replaces .eslintrc.json)
  • .eslintrc.json - Removed (migrated to flat config)
  • .eslintignore - Removed (now using ignores in config)
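For readers who have not seen the flat config format, here is an added illustration of an eslint.config.mjs with the shape the migration above describes. It is not the PR's own file: the ignore globs, the rule selection and the use of the `globals` helper package are assumptions.

```javascript
// Added illustration of the flat-config shape this PR migrates to; it is not
// the PR's own eslint.config.mjs. The ignore globs, the rule selection and the
// `globals` helper package are assumptions.
import tsParser from '@typescript-eslint/parser';
import tsPlugin from '@typescript-eslint/eslint-plugin';
import importX from 'eslint-plugin-import-x';
import prettier from 'eslint-config-prettier';
import globals from 'globals';

export default [
  // Replaces .eslintignore: a config object containing only `ignores` is global.
  { ignores: ['out/**', 'dist/**', 'node_modules/**'] },
  {
    files: ['src/**/*.ts'],
    languageOptions: {
      ecmaVersion: 2022,
      sourceType: 'module',
      parser: tsParser,                // was "parser": "@typescript-eslint/parser"
      globals: { ...globals.node },    // replaces "env": { "node": true }
    },
    // Plugins are imported objects, keyed by the prefix used in rule names.
    plugins: { '@typescript-eslint': tsPlugin, 'import-x': importX },
    rules: {
      '@typescript-eslint/no-explicit-any': 'warn',
      'import-x/no-duplicates': 'error',
      'no-eval': 'error',
      'no-implied-eval': 'error',
      eqeqeq: 'error',
    },
  },
  // Last, so the formatting rules it disables stay disabled.
  prettier,
];
```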

@dduugg dduugg requested a review from a team as a code owner March 26, 2026 17:10
@github-project-automation github-project-automation bot moved this to Triage in Modularity Mar 26, 2026
dduugg added 12 commits March 27, 2026 18:45

Resolved all security vulnerabilities and updated deprecated packages
to eliminate warnings during npm install.

Security vulnerabilities fixed (npm audit):
- ajv: ReDoS vulnerability with $data option (moderate)
- brace-expansion: Regular Expression Denial of Service (low)
- cross-spawn: Regular Expression Denial of Service (high)
- semver: Regular Expression Denial of Service (high)

Deprecation warnings resolved:
- Removed @types/glob stub package (glob provides its own types)
- Updated glob from ^8.0.1 to ^11.0.0 (resolved security warnings)
- Updated rimraf from ^3.0.2 to ^6.0.0 (no longer deprecated)
- Updated @typescript-eslint/eslint-plugin from ^5.4.0 to ^8.0.0
- Updated @typescript-eslint/parser from ^5.4.0 to ^8.0.0

Result:
- 0 security vulnerabilities (down from 4)
- All tests passing
- All linting checks passing
- Compatible with existing CI/CD workflows

Updated all development dependencies to their latest compatible versions:

Major updates:
- @types/node: ^17.0.31 → ^25.5.0 (latest Node types)
- @types/vscode: ^1.67.0 → ^1.110.0 (latest VS Code API types)
- eslint-config-prettier: ^8.3.0 → ^10.1.8
- eslint-plugin-import: ^2.25.3 → ^2.32.0
- glob: ^11.0.0 → ^13.0.6 (latest glob)
- prettier: ^2.6.2 → ^3.8.1 (Prettier 3)
- webpack-cli: ^4.9.2 → ^7.0.2

Minor/Patch updates:
- @types/js-yaml: ^4.0.5 → ^4.0.9
- @typescript-eslint/eslint-plugin: ^8.0.0 → ^8.57.2
- @typescript-eslint/parser: ^8.0.0 → ^8.57.2
- jest: ^30.2.0 → ^30.3.0
- rimraf: ^6.0.0 → ^6.1.3
- ts-loader: ^9.3.0 → ^9.5.4
- webpack: ^5.105.0 → ^5.105.4

Notes:
- TypeScript kept at ^5.9.3 (latest 5.x) as TypeScript 6.x is not yet
  supported by @typescript-eslint packages
- ESLint kept at ^8.57.1 as v9+ requires config file migration
- All tests passing
- All linting passing
- Production build working

Upgraded ESLint to v9.39.4 and migrated configuration from the legacy
.eslintrc.json format to the new flat config format (eslint.config.mjs).

Changes:
- Updated eslint from ^8.57.1 to ^9.17.0
- Created eslint.config.mjs with flat config format
- Removed .eslintrc.json (legacy format)
- Removed .eslintignore (now using ignores in config)
- Migrated all existing rules and settings to flat config
- Used .mjs extension to avoid module type warnings

Config migration details:
- Converted extends/plugins to ES module imports
- Moved ignorePatterns to top-level ignores property
- Converted env/globals to languageOptions.globals
- Maintained all existing rules and settings
- Added prettier config as final config object

Result:
- All linting passing
- All tests passing
- Production build working
- No ESLint warnings

Updated ESLint from v9.39.4 to v10.1.0 (latest).

ESLint 10 is fully compatible with the existing flat config format
and all plugins continue to work as expected.

Note: eslint-plugin-import shows a peer dependency warning as it
doesn't officially declare support for ESLint 10 yet, but it works
correctly without issues.

Result:
- ESLint v10.1.0 installed
- All linting passing
- All tests passing
- Production build working
- 0 vulnerabilities

Switched from eslint-plugin-import to eslint-plugin-import-x to resolve
ESLint 10 peer dependency warning.

eslint-plugin-import-x is a maintained fork of eslint-plugin-import with
full ESLint 10 support and is a drop-in replacement.

Changes:
- Replaced eslint-plugin-import@2.32.0 with eslint-plugin-import-x@4.16.2
- Updated import in eslint.config.mjs
- All existing rules continue to work identically

Result:
- No peer dependency warnings
- All linting passing
- All tests passing
- Production build working
- 0 vulnerabilities

Replaced npm-run-all@4.1.5 (last updated 2018) with npm-run-all2@8.0.4,
a maintained fork that resolves the DEP0169 deprecation warning.

The deprecation warning was caused by old dependencies in npm-run-all:
- hosted-git-info@2.8.9 (using url.parse())
- normalize-package-data@2.5.0 (using url.parse())

npm-run-all2 is fully API compatible and uses updated dependencies that
use the WHATWG URL API instead of the deprecated url.parse().

Changes:
- Replaced npm-run-all@4.1.5 with npm-run-all2@8.0.4
- Removed 119 outdated transitive dependencies
- All scripts (run-s, run-p) work identically

Result:
- No DEP0169 deprecation warning
- All scripts working
- All tests passing
- Production build working
- 0 vulnerabilities
- 111 fewer packages in node_modules

Ran npm update to update all transitive dependencies to the most recent
versions allowed by their semver ranges.

This update:
- Changed 388 packages
- Added 68 packages
- Removed 73 packages

Most updates were patches and minor version bumps within allowed ranges,
bringing in bug fixes and performance improvements from dependencies like:
- webpack ecosystem packages
- jest ecosystem packages
- babel ecosystem packages
- various TypeScript type definitions

Remaining deprecation warnings for old glob@7/10 and inflight@1.0.6 are
from deep transitive dependencies in the jest/babel ecosystem
(test-exclude -> glob@7.2.3 -> inflight@1.0.6). These cannot be resolved
without updates from upstream packages.

Result:
- All tests passing
- All linting passing
- Production build working
- 0 vulnerabilities

This project uses npm as the package manager (package-lock.json).

Added yarn.lock to .gitignore to prevent it from being accidentally
created and committed if someone runs 'yarn install' by mistake.

Note: If yarn install is run, it will show warnings about package-lock.json
and the 'vscode' engine. These warnings are unavoidable in an npm-based
project and should be ignored. Use 'npm install' instead.

Added npm overrides and yarn resolutions to force all instances of glob
to use version 13.0.6, eliminating deprecation warnings from jest's
transitive dependencies.

This resolves warnings about:
- glob@10.5.0 (used by jest internals)
- glob@7.2.3 (used by test-exclude)
- inflight@1.0.6 (dependency of old glob versions)

The overrides field works for npm, while resolutions field works for yarn.
Both package managers now install glob@13.0.6 consistently throughout the
dependency tree, and inflight is completely eliminated since glob@13 no
longer depends on it.

Changes:
- Added "overrides" field to package.json (for npm)
- Added "resolutions" field to package.json (for yarn)
- Removed 40 outdated packages from dependency tree

Result:
- No glob deprecation warnings in npm or yarn
- No inflight deprecation warnings
- All tests passing
- All builds working
- 0 vulnerabilities

Removing yarn.lock from .gitignore as it should be tracked when present.
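The overrides commit above states that inflight disappears once every copy of glob is forced to 13.0.6. As an added example (not part of the PR), the script below checks a parsed package-lock.json for exactly that: stray versions of a pinned package, packages that should be absent, and entries the registry marks deprecated. The lockfile object inside is constructed to mirror the pre-override tree the commit describes.

```javascript
// Added example (not from the PR): confirm an npm "overrides" pin took effect by
// scanning a lockfile v2/v3 "packages" map for stray versions of each pinned
// package, for packages that should be gone (inflight once glob@13 is forced
// everywhere) and for entries marked deprecated. The lockfile object here is
// constructed to mirror the pre-override tree; in practice pass the parsed file.
const LOCK_BEFORE_OVERRIDE = {
  lockfileVersion: 3,
  packages: {
    '': { devDependencies: { glob: '^13.0.6', jest: '^30.3.0' } },
    'node_modules/glob': { version: '13.0.6' },
    'node_modules/test-exclude': { version: '6.0.0', dependencies: { glob: '^7.1.4' } },
    'node_modules/test-exclude/node_modules/glob': {
      version: '7.2.3', dependencies: { inflight: '^1.0.4' },
      deprecated: 'Glob versions prior to v9 are no longer supported',
    },
    'node_modules/inflight': { version: '1.0.6', deprecated: 'This module is not supported, and leaks memory.' },
  },
};
// Package name from a lockfile path: "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}
// Every distinct installed version of `name`, sorted as strings.
function installedVersions(lock, name) {
  const versions = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== '' && packageName(path) === name && entry.version) versions.add(entry.version);
  }
  return [...versions].sort();
}
// Findings as strings; an empty array means the tree matches expectations.
function auditOverrides(lock, overrides, mustBeAbsent) {
  const findings = [];
  for (const [name, pinned] of Object.entries(overrides)) {
    const stray = installedVersions(lock, name).filter((v) => v !== pinned);
    if (stray.length) findings.push(`${name}: override ${pinned} not applied, found ${stray.join(', ')}`);
  }
  for (const name of mustBeAbsent) {
    const left = installedVersions(lock, name);
    if (left.length) findings.push(`${name}: still installed (${left.join(', ')})`);
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== '' && entry.deprecated) findings.push(`${packageName(path)}@${entry.version}: deprecated`);
  }
  return findings;
}
console.log(auditOverrides(LOCK_BEFORE_OVERRIDE, { glob: '13.0.6' }, ['inflight']));
```

Run it against the real lockfile after `npm install` with the overrides in place; an empty array is the result the commit claims.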
@dduugg dduugg force-pushed the fix/resolve-npm-security-and-deprecation-warnings branch from a693471 to ec2c8e9 on March 28, 2026 01:46
