BREAKING: Bump all ESLint dependencies

[Mrtenz]

This bumps all ESLint and related dependencies to the latest version which has support for Node 16. When we drop support for Node 16, some dependencies can be bumped again.

The only exception is eslint-plugin-import, which has a regression since >=27.0.0. I'm planning to swap it out with eslint-plugin-import-x (a fork of eslint-plugin-import) since it has significantly better performance regardless.

Closes #349.
Closes #338.

Breaking changes

• @typescript-eslint/eslint-plugin now requires a boolean for parserOptions.project, instead of a path to tsconfig.json.
• @typescript-eslint/eslint-plugin now requires strictNullChecks to be enabled.
• Formatting between the previous and current version of Prettier has changed slightly.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@es-joy/jsdoccomment@0.41.0	None	0	113 kB	brettz9
npm/@eslint/eslintrc@3.0.2	filesystem, unsafe	+1	785 kB	eslintbot
npm/@isaacs/cliui@8.0.2	None	+2	37.7 kB	isaacs
npm/@lavamoat/aa@4.2.0	None	0	19.8 kB	boneskull
npm/@lavamoat/allow-scripts@3.0.4	environment	0	45.8 kB	boneskull
npm/@npmcli/agent@2.2.1	environment, network	0	17.7 kB	npm-cli-ops
npm/@npmcli/fs@3.1.0	filesystem	0	26.5 kB	lukekarrys
npm/@npmcli/git@5.0.4	filesystem	0	21.8 kB	npm-cli-ops
npm/@npmcli/package-json@5.0.0	filesystem	0	37 kB	npm-cli-ops
npm/@npmcli/promise-spawn@7.0.1	environment, shell	0	12 kB	npm-cli-ops
npm/@npmcli/run-script@7.0.4	environment	0	18.4 kB	npm-cli-ops
npm/@pkgjs/parseargs@0.11.0	None	0	74.2 kB	oss-bot
npm/@typescript-eslint/eslint-plugin@6.21.0	Transitive: environment	+6	4.7 MB	jameshenry
npm/@typescript-eslint/parser@6.21.0	None	0	17.8 kB	jameshenry
npm/@typescript-eslint/type-utils@6.21.0	None	0	109 kB	jameshenry
npm/abbrev@2.0.0	None	0	4.83 kB	lukekarrys
npm/agent-base@7.1.0	network	0	23.5 kB	tootallnate
npm/agentkeepalive@4.2.1	network	0	38.8 kB	fengmk2
npm/ansi-regex@6.0.1	None	0	5.67 kB	qix
npm/bin-links@4.0.3	filesystem	0	20.6 kB	npm-cli-ops
npm/builtin-modules@3.3.0	unsafe	0	4.51 kB	sindresorhus
npm/cacache@18.0.2	filesystem	0	63.6 kB	npm-cli-ops
npm/comment-parser@1.4.1	None	0	366 kB	yavorskiys
npm/eastasianwidth@0.2.0	None	0	13.6 kB	komagata
npm/emoji-regex@9.2.2	None	0	97.9 kB	google-wombot
npm/eslint-compat-utils@0.5.0	filesystem	0	48.6 kB	ota-meshi
npm/eslint-config-prettier@9.1.0	None	0	20.8 kB	lydell
npm/eslint-plugin-es-x@7.6.0	None	0	396 kB	eslint-community-bot
npm/eslint-plugin-jsdoc@43.2.0	None	+2	2.25 MB	gajus
npm/eslint-plugin-jsdoc@47.0.2	filesystem	0	1.38 MB	gajus
npm/eslint-plugin-mocha@10.4.1	None	+1	146 kB	lo1tuma
npm/eslint-plugin-n@16.6.2	filesystem	0	348 kB	weiran.zsd
npm/eslint-plugin-prettier@5.1.3	None	0	33.9 kB	jounqin
npm/espree@10.0.1	None	+1	106 kB	eslintbot
npm/foreground-child@3.1.1	shell	+1	137 kB	isaacs
npm/fs-minipass@3.0.3	filesystem	0	14.4 kB	npm-cli-ops
npm/get-tsconfig@4.7.3	filesystem, unsafe	0	101 kB	hirokiosame
npm/glob@10.3.10	None	0	454 kB	isaacs
npm/globals@15.0.0	None	0	149 kB	sindresorhus
npm/hosted-git-info@7.0.1	None	0	26.7 kB	npm-cli-ops
npm/http-proxy-agent@7.0.2	network	0	23.3 kB	tootallnate
npm/https-proxy-agent@7.0.4	network	0	35.3 kB	tootallnate
npm/is-builtin-module@3.2.1	None	0	3.88 kB	sindresorhus
npm/jackspeak@2.3.6	environment	0	253 kB	isaacs
npm/lru-cache@10.2.0	None	0	458 kB	isaacs
npm/make-fetch-happen@13.0.0	network	0	52.5 kB	npm-cli-ops
npm/minipass-collect@2.0.1	None	0	4.96 kB	isaacs
npm/minipass-fetch@3.0.4	environment, network	0	46.8 kB	npm-cli-ops
npm/minipass@7.0.4	None	0	285 kB	isaacs
npm/node-gyp@10.1.0	environment, shell	0	1.73 MB	lukekarrys
npm/nopt@7.2.0	None	0	26.1 kB	npm-cli-ops
npm/normalize-package-data@6.0.0	None	0	28.3 kB	npm-cli-ops
npm/npm-install-checks@6.3.0	None	0	6.21 kB	npm-cli-ops
npm/npm-package-arg@11.0.1	None	0	19.1 kB	npm-cli-ops
npm/npm-pick-manifest@9.0.0	None	0	16.4 kB	npm-cli-ops
npm/path-scurry@1.10.1	filesystem	0	529 kB	isaacs
npm/prettier@3.2.5	environment, filesystem, unsafe	0	8.39 MB	prettier-bot
npm/proc-log@3.0.0	None	0	5.21 kB	lukekarrys
npm/resolve-pkg-maps@1.0.0	None	0	15 kB	hirokiosame
npm/socks-proxy-agent@8.0.2	network	0	24.1 kB	tootallnate
npm/spdx-correct@3.2.0	None	+1	35.3 kB	kemitchell
npm/spdx-expression-parse@4.0.0	None	0	12.3 kB	kemitchell
npm/ssri@10.0.5	None	0	38.7 kB	npm-cli-ops
npm/string-width@5.1.2	None	0	5.78 kB	sindresorhus
npm/synckit@0.8.8	environment	0	54.5 kB	jounqin
npm/ts-api-utils@1.3.0	None	0	828 kB	joshuakgoldberg
npm/unique-filename@3.0.0	None	0	3.41 kB	lukekarrys
npm/unique-slug@4.0.0	None	0	2.58 kB	lukekarrys
npm/validate-npm-package-license@3.0.4	None	0	16.6 kB	kemitchell
npm/validate-npm-package-name@5.0.0	None	0	7.88 kB	lukekarrys
npm/which@4.0.0	environment Transitive: filesystem	+1	50.5 kB	npm-cli-ops
npm/wrap-ansi@8.1.0	None	+1	29.3 kB	sindresorhus

🚮 Removed packages: npm/@es-joy/jsdoccomment@0.37.1, npm/@eslint/eslintrc@1.4.1, npm/@lavamoat/aa@3.1.5, npm/@lavamoat/allow-scripts@2.5.1, npm/@nicolo-ribaudo/semver-v6@6.3.3, npm/@npmcli/fs@2.1.2, npm/@npmcli/promise-spawn@6.0.2, npm/@npmcli/run-script@6.0.2, npm/@types/glob@7.2.0, npm/@types/minimatch@5.1.2, npm/@types/prettier@2.7.1, npm/@typescript-eslint/eslint-plugin@5.42.1, npm/@typescript-eslint/parser@5.62.0, npm/@typescript-eslint/type-utils@5.42.1, npm/abbrev@1.1.1, npm/agent-base@6.0.2, npm/agentkeepalive@4.5.0, npm/bin-links@4.0.1, npm/cacache@16.1.3, npm/eslint-plugin-es@4.1.0, npm/eslint-plugin-jsdoc@41.1.2, npm/eslint-plugin-mocha@10.1.0, npm/eslint-plugin-n@15.7.0, npm/http-proxy-agent@5.0.0, npm/https-proxy-agent@5.0.1, npm/ip@2.0.1, npm/make-fetch-happen@10.2.1, npm/minipass-collect@1.0.2, npm/minipass-fetch@2.1.2, npm/natural-compare-lite@1.4.0, npm/node-gyp@9.4.1, npm/nopt@6.0.0, npm/read-package-json-fast@3.0.2, npm/regexpp@3.2.0, npm/socks-proxy-agent@7.0.0, npm/ssri@9.0.1, npm/typescript@5.1.6, npm/unique-filename@2.0.1, npm/unique-slug@3.0.0, npm/which@3.0.1, npm/yargs@16.2.0

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note
Network access	npm/agent-base@7.1.0	Module: http Location: Package overview
Network access	npm/agent-base@7.1.0	Module: https Location: Package overview
New author	npm/validate-npm-package-name@5.0.0	New Author: lukekarrys Previous Author: gar
Shell access	npm/foreground-child@3.1.1	Module: child_process Location: Package overview
Shell access	npm/foreground-child@3.1.1	Module: child_process Location: Package overview
New author	npm/nopt@7.2.0	New Author: npm-cli-ops Previous Author: gar
New author	npm/abbrev@2.0.0	New Author: lukekarrys Previous Author: isaacs
New author	npm/normalize-package-data@6.0.0	New Author: npm-cli-ops Previous Author: lukekarrys
Network access	npm/socks-proxy-agent@8.0.2	Module: net Location: Package overview
Network access	npm/@npmcli/agent@2.2.1	Module: tls Location: Package overview
Network access	npm/@npmcli/agent@2.2.1	Module: http-proxy-agent Location: Package overview
Network access	npm/@npmcli/agent@2.2.1	Module: https-proxy-agent Location: Package overview
Network access	npm/@npmcli/agent@2.2.1	Module: dns Location: Package overview
Network access	npm/@npmcli/agent@2.2.1	Module: net Location: Package overview

View full report↗︎

Next steps

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/agent-base@7.1.0
• @SocketSecurity ignore npm/validate-npm-package-name@5.0.0
• @SocketSecurity ignore npm/foreground-child@3.1.1
• @SocketSecurity ignore npm/nopt@7.2.0
• @SocketSecurity ignore npm/abbrev@2.0.0
• @SocketSecurity ignore npm/normalize-package-data@6.0.0
• @SocketSecurity ignore npm/socks-proxy-agent@8.0.2
• @SocketSecurity ignore npm/@npmcli/agent@2.2.1

[Mrtenz]

I'm not sure why we used this range before, but I replaced it with the latest (Node.js 16-compatible) version. I can revert if there's a good reason to have this range.

cc @legobeat

[legobeat]

Context and previous discussion:

• typescript: add support for typescript 5.0.x, 5.1.x #288 (comment)
• jsdoc: remove deprecated rule jsdoc/newline-after-description #290
• peerDeps(base): allow eslint-plugin-jsdoc ^43.0.7 #319

[Mrtenz]

Our validation script was complaining about this being handled by Prettier.

[Mrtenz]

AFAIK this matches the previous behaviour, where one line between the description and the first tag is required.

[Mrtenz]

Our validation script was complaining about this being handled by Prettier.

[Mrtenz]

This is now required by @typescript-eslint/eslint-plugin when type checking is enabled. I think most of our repos use strict which also enables this anyway.

[mcmire]

Thanks so much for doing this work, this is super helpful. I'll try to take a look soon.

[Mrtenz]

Bumping to Prettier v3 will require some more changes, so we may want to do that separately.

• Jest currently does not support Prettier v3 for snapshots.
• auto-changelog and create-release-branch break because the API is now async.
• Potentially more issues that I haven't found yet.

[kanthesha]

LGTM.

[legobeat]

For peerDeps, what do you think about being a bit more lenient with supported versions? Motivation being to reduce the amount and risk of update-hell where all packages need to be updated in lockstep and there may be external conflicting peerDeps from other packages at play.

So something like

Suggested change

	"eslint-plugin-jsdoc": "^47.0.2",
	"eslint-plugin-jsdoc": "^43.0.7 || ^47.0.2",

or

Suggested change

	"eslint-plugin-jsdoc": "^47.0.2",
	"eslint-plugin-jsdoc": ">=43.0.7 <48",

would allow users to upgrade in a more incremental fashion. Especially when new versions break engines or other peerDeps, this can make a big difference.

[mcmire]

I don't think we need to bend over backward when it comes to peer dependencies like this. If we're upgrading ESLint packages and the new version of this package ends up adding a new rule and we don't want to deal with it, we can follow the approach we take now, which is to disable it temporarily and come back in a new PR to re-enable it. Otherwise, we fix lint violations along with the upgrade.

If we continue to use a version range like this, it's only going to prompt the question "why", and anyone who wants an answer will have to dig through pull requests to find the context all over again.

[mcmire]

I realize that I was a bit dismissive here. I've looked back over the notes you left on eslint-plugin-jsdoc, @legobeat, specifically this comment. Thanks for summarizing the issues there.

To give more context to my previous comment, our ESLint configurations rely on specific versions of plugins/presets, since the rules we use come from those versions, and so in general I think it's okay if clients usually need to update a slew of dependencies whenever they want to use a new version of @metamask/eslint-config. Also, if we release a major version (such as we would be with this PR) then we are communicating that clients may need to do extra work, such as fixing lint violations, or making other changes, if they choose to upgrade. Obviously we don't want this to be a painful process, but a little work is okay, I think. That's where I was coming from.

That said, I am slowly realizing that this plugin, eslint-plugin-jsdoc is badly managed. They have no changelog file, they've made breaking changes (such as bumping the Node version) in non-major releases, and the notes for releases prior to 45.0.0 are entirely unreadable. And now with 48.x they've moved to ESM and in the process have most likely broken the CJS build (if Are the Types Wrong? is to be trusted). So in hindsight it's no surprise that we've had a frustrating experience with this package, and apparently, we will continue to do so in future versions.

So, my response in the previous comment was a bit mistargeted, and I agree that dealing with eslint-plugin-jsdoc doesn't seem like something we ought to foist on clients.

If we feel that remaining with 43.0.7 would prevent frustration, then my vote would be to use "eslint-plugin-jsdoc": ">=43.0.7 <48".

[legobeat]

"eslint-plugin-jsdoc": ">=43.0.7 <48" SGTM!

And while, yes, this particular package has been especially cumbersome, I think we might want to be less aggressive in removing support for old peerDeps in this package as we introduce support for newer version to avoid the general problem.

If there is a practical reason to break an old version, of course we can do so, but I don't think we should default to only ever supporting the latest possible version at whatever point we're updating a peerDependency.

(This reasoning only applies to peerDependencies)

[mcmire]

Okay. Sounds like a guideline that we need to create. I'll make a note to record this somewhere, perhaps the contributor-docs, so we can remind ourselves about it.

[legobeat]

Along the lines of above, is this doable without too much hassle?

Suggested change

	"eslint-plugin-prettier": "^5.1.3",
	"eslint-plugin-prettier": "^4.2.1 || ^5.1.3",

[mcmire]

eslint-plugin-prettier 5.0.0 places a peer dependency on ESLint 8, which we already use. Going through the changelog there don't seem to be any real breaking changes to this package in 5.0.0 and beyond, so forcing consumers to bump this doesn't seem like a big ask. This seems contingent on upgrading to Prettier 3, however.

[legobeat]

If there's nothing major, why force users to update rather than maintaining compatibility with eslint-plugin-prettier v4?

[mcmire]

I added a note at the end, but I take this back — the major change here is a reliance on Prettier 3. If we want to not make that change yet, then perhaps we ought to roll this back.

[mcmire]

To answer your comment though:

If there's nothing major, why force users to update rather than maintaining compatibility with eslint-plugin-prettier v4?

In this case, if there is nothing that clients would have to do in upgrading to Prettier 3, then why not ask users them to upgrade? I would think that we would want our packages to be on the latest versions of the tools we use, no?

[legobeat]

Asking is one thing, disallowing is another. Consider also the case of prettier here. It's not even clear if the upgrade to v3 is feasible at this point. So we're cautious about forcing the upgrade. Why not support both v2 and v3 concurrently until such a point that we don't rely on v2 in any meaningful sense anymore, or at least have used the new version of prettier with the eslint configs in a few packages and see it work out?

Why force all updates in lockstep by default?

[mcmire]

Okay, sure, fair enough.

[legobeat]

https://github.com/MetaMask/eslint-config/pull/351/files#r1566550269
(GH won't let me do multiline-suggestion here)

Suggested change

	"prettier": "^3.2.5"
	"prettier": "^2.8.7 || ^3.2.5"

[mcmire]

@Mrtenz You said:

Bumping to Prettier v3 will require some more changes, so we may want to do that separately.

So do we still want to do this?

[mcmire]

Question about upgrading Prettier, but everything else looks pretty good to me.

[mcmire]

I don't think we need to bend over backward when it comes to peer dependencies like this. If we're upgrading ESLint packages and the new version of this package ends up adding a new rule and we don't want to deal with it, we can follow the approach we take now, which is to disable it temporarily and come back in a new PR to re-enable it. Otherwise, we fix lint violations along with the upgrade.

If we continue to use a version range like this, it's only going to prompt the question "why", and anyone who wants an answer will have to dig through pull requests to find the context all over again.

[mcmire]

eslint-plugin-prettier 5.0.0 places a peer dependency on ESLint 8, which we already use. Going through the changelog there don't seem to be any real breaking changes to this package in 5.0.0 and beyond, so forcing consumers to bump this doesn't seem like a big ask. This seems contingent on upgrading to Prettier 3, however.

[mcmire]

@Mrtenz You said:

Bumping to Prettier v3 will require some more changes, so we may want to do that separately.

So do we still want to do this?