[Snyk] Upgrade eslint from 8.40.0 to 9.36.0 #1

Open
Dustin4444 wants to merge 1 commit into master from snyk-upgrade-7378dc0814d87835f8e8cc69d9895b99

@Dustin4444
Owner

Snyk has created this PR to upgrade eslint from 8.40.0 to 9.36.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 68 versions ahead of your current version.

  • The recommended version was released 25 days ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

| Issue | Score | Exploit Maturity |
| --- | --- | --- |
| high severity: Excessive Platform Resource Consumption within a Loop (SNYK-JS-BRACES-6838727) | 436 | Proof of Concept |
| high severity: Improper Verification of Cryptographic Signature (SNYK-JS-BROWSERIFYSIGN-6037026) | 436 | No Known Exploit |
| high severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-CROSSSPAWN-8303230) | 436 | Proof of Concept |
| high severity: Improper Verification of Cryptographic Signature (SNYK-JS-ELLIPTIC-8172694) | 436 | No Known Exploit |
| high severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-GETFUNCNAME-5923417) | 436 | Proof of Concept |
| medium severity: Improper Input Validation (SNYK-JS-NANOID-8492085) | 436 | No Known Exploit |
| medium severity: Cross-site Scripting (XSS) (SNYK-JS-SERIALIZEJAVASCRIPT-6147607) | 436 | Proof of Concept |
| low severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-BRACEEXPANSION-9789073) | 436 | Proof of Concept |
| low severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-BRACEEXPANSION-9789073) | 436 | Proof of Concept |
| critical severity: Function Call With Incorrect Argument Type (SNYK-JS-CIPHERBASE-12084814) | 436 | Proof of Concept |
| critical severity: Improper Verification of Cryptographic Signature (SNYK-JS-ELLIPTIC-7577916) | 436 | Proof of Concept |
| critical severity: Improper Verification of Cryptographic Signature (SNYK-JS-ELLIPTIC-7577917) | 436 | Proof of Concept |
| critical severity: Improper Verification of Cryptographic Signature (SNYK-JS-ELLIPTIC-7577918) | 436 | Proof of Concept |
| critical severity: Information Exposure (SNYK-JS-ELLIPTIC-8720086) | 436 | Proof of Concept |
| critical severity: Generation of Predictable Numbers or Identifiers (SNYK-JS-PBKDF2-10495496) | 436 | Proof of Concept |
| critical severity: Generation of Predictable Numbers or Identifiers (SNYK-JS-PBKDF2-10495498) | 436 | No Known Exploit |
| critical severity: Function Call With Incorrect Argument Type (SNYK-JS-SHAJS-12089400) | 436 | Proof of Concept |
| low severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-WORDWRAP-3149973) | 436 | Proof of Concept |

Release notes
Package name: eslint
  • 9.36.0 - 2025-09-19

    Features

    • 47afcf6 feat: correct preserve-caught-error edge cases (#20109) (Francesco Trotta)

    Bug Fixes

    • 75b74d8 fix: add missing rule option types (#20127) (ntnyq)
    • 1c0d850 fix: update eslint-all.js to use Object.freeze for rules object (#20116) (루밀LuMir)
    • 7d61b7f fix: add missing scope types to Scope.type (#20110) (Pixel998)
    • 7a670c3 fix: correct rule option typings in rules.d.ts (#20084) (Pixel998)

    Documentation

    • b73ab12 docs: update examples to use defineConfig (#20131) (sethamus)
    • 31d9392 docs: fix typos (#20118) (Pixel998)
    • c7f861b docs: Update README (GitHub Actions Bot)
    • 6b0c08b docs: Update README (GitHub Actions Bot)
    • 91f97c5 docs: Update README (GitHub Actions Bot)

    Chores

    • 12411e8 chore: upgrade @eslint/js@9.36.0 (#20139) (Milos Djermanovic)
    • 488cba6 chore: package.json update for @eslint/js release (Jenkins)
    • bac82a2 ci: simplify renovate configuration (#19907) (唯然)
    • c00bb37 ci: bump actions/labeler from 5 to 6 (#20090) (dependabot[bot])
    • fee751d refactor: use defaultOptions in rules (#20121) (Pixel998)
    • 1ace67d chore: update example to use defineConfig (#20111) (루밀LuMir)
    • 4821963 test: add missing loc information to error objects in rule tests (#20112) (루밀LuMir)
    • b42c42e chore: disallow use of deprecated type property in core rule tests (#20094) (Milos Djermanovic)
    • 7bb498d test: remove deprecated type property from core rule tests (#20093) (Pixel998)
    • e10cf2a ci: bump actions/setup-node from 4 to 5 (#20089) (dependabot[bot])
    • 5cb0ce4 refactor: use meta.defaultOptions in preserve-caught-error (#20080) (Pixel998)
    • f9f7cb5 chore: package.json update for eslint-config-eslint release (Jenkins)
    • 81764b2 chore: update eslint peer dependency in eslint-config-eslint (#20079) (Milos Djermanovic)
  • 9.35.0 - 2025-09-05

    Features

    • 42761fa feat: implement suggestions for no-empty-function (#20057) (jaymarvelz)
    • 102f444 feat: implement suggestions for no-empty-static-block (#20056) (jaymarvelz)
    • e51ffff feat: add preserve-caught-error rule (#19913) (Amnish Singh Arora)

    Bug Fixes

    • 10e7ae2 fix: update uncloneable options error message (#20059) (soda-sorcery)
    • bfa4601 fix: ignore empty switch statements with comments in no-empty rule (#20045) (jaymarvelz)
    • dfd11de fix: add before and after to test case types (#20049) (Francesco Trotta)
    • dabbe95 fix: correct types for no-restricted-imports rule (#20034) (Milos Djermanovic)
    • ea789c7 fix: no-loss-of-precision false positive with uppercase exponent (#20032) (sethamus)

    Documentation

    • d265515 docs: improve phrasing - "if" → "even if" from getting-started section (#20074) (jjangga0214)
    • a355a0e docs: invert comparison logic for example in no-var doc page (#20064) (OTonGitHub)
    • 5082fc2 docs: Update README (GitHub Actions Bot)
    • 99cfd7e docs: add missing "the" in rule deprecation docs (#20050) (Josh Goldberg ✨)
    • 6ad8973 docs: update --no-ignore and --ignore-pattern documentation (#20036) (Francesco Trotta)
    • 8033b19 docs: add documentation for --no-config-lookup (#20033) (Francesco Trotta)

    Chores

    • da87f2f chore: upgrade @eslint/js@9.35.0 (#20077) (Milos Djermanovic)
    • af2a087 chore: package.json update for @eslint/js release (Jenkins)
    • 7055764 test: remove tests/lib/eslint/eslint.config.js (#20065) (Milos Djermanovic)
    • 84ffb96 chore: update @eslint-community/eslint-utils (#20069) (Francesco Trotta)
    • d5ef939 refactor: remove deprecated context.parserOptions usage across rules (#20060) (sethamus)
    • 1b3881d chore: remove redundant word (#20058) (pxwanglu)
  • 9.34.0 - 2025-08-22

    Features

    • 0bb777a feat: multithread linting (#19794) (Francesco Trotta)
    • 43a5f9e feat: add eslint-plugin-regexp to eslint-config-eslint base config (#19951) (Pixel998)

    Bug Fixes

    • 9b89903 fix: default value of accessor-pairs option in rule.d.ts file (#20024) (Tanuj Kanti)
    • 6c07420 fix: fix spurious failure in neostandard integration test (#20023) (Kirk Waiblinger)
    • 676f4ac fix: allow scientific notation with trailing zeros matching exponent (#20002) (Sweta Tanwar)

    Documentation

    • 0b4a590 docs: make rulesdir deprecation clearer (#20018) (Domenico Gemoli)
    • 327c672 docs: Update README (GitHub Actions Bot)
    • bf26229 docs: Fix typo in core-concepts/index.md (#20009) (Tobias Hernstig)
    • 2309327 docs: fix typo in the "Configuring Rules" section (#20001) (ghazi-git)
    • 2b87e21 docs: [no-else-return] clarify sample code. (#19991) (Yuki Takada (Yukinosuke Takada))
    • c36570c docs: Update README (GitHub Actions Bot)

    Chores

    • f19ad94 chore: upgrade to @eslint/js@9.34.0 (#20030) (Francesco Trotta)
    • b48fa20 chore: package.json update for @eslint/js release (Jenkins)
    • 4bce8a2 chore: package.json update for eslint-config-eslint release (Jenkins)
    • 0c9999c refactor: prefer default options in grouped-accessor-pairs (#20028) (루밀LuMir)
    • d503f19 ci: fix stale.yml (#20010) (루밀LuMir)
    • e2dc67d ci: centralize stale.yml (#19994) (루밀LuMir)
    • 7093cb8 ci: bump actions/checkout from 4 to 5 (#20005) (dependabot[bot])
  • 9.33.0 - 2025-08-08

    Features

    • e07820e feat: add global object access detection to no-restricted-globals (#19939) (sethamus)
    • 90b050e feat: support explicit resource management in one-var (#19941) (Sweta Tanwar)

    Bug Fixes

    • 732433c fix: allow any type for meta.docs.recommended in custom rules (#19995) (Francesco Trotta)
    • e8a6914 fix: Fixed potential bug in check-emfile-handling.js (#19975) (諏訪原慶斗)

    Documentation

    • 34f0723 docs: playground button for TypeScript code example (#19671) (Tanuj Kanti)
    • dc942a4 docs: Update README (GitHub Actions Bot)
    • 5a4b6f7 docs: Update no-multi-assign.md (#19979) (Yuki Takada (Yukinosuke Takada))
    • 247e156 docs: add missing let declarations in no-plusplus (#19980) (Yuki Takada (Yukinosuke Takada))
    • 0d17242 docs: Update README (GitHub Actions Bot)
    • fa20b9d docs: Clarify when to open an issue for a PR (#19974) (Nicholas C. Zakas)

    Build Related

    • 27fa865 build: use ESLint class to generate formatter examples (#19972) (Milos Djermanovic)

    Chores

    • 4258046 chore: update dependency @eslint/js to v9.33.0 (#19998) (renovate[bot])
    • ad28371 chore: package.json update for @eslint/js release (Jenkins)
    • 06a22f1 test: resolve flakiness in --mcp flag test (#19993) (Pixel998)
    • 54920ed test: switch to Linter.Config in ESLintRules type tests (#19977) (Francesco Trotta)
  • 9.32.0 - 2025-07-25

    Features

    • 1245000 feat: support explicit resource management in core rules (#19828) (fnx)
    • 0e957a7 feat: support typescript types in accessor rules (#19882) (fnx)

    Bug Fixes

    • 960fd40 fix: Upgrade @eslint/js (#19971) (Nicholas C. Zakas)
    • bbf23fa fix: Refactor reporting into FileReport (#19877) (Nicholas C. Zakas)
    • d498887 fix: bump @eslint/plugin-kit to 0.3.4 to resolve vulnerability (#19965) (Milos Djermanovic)
    • f46fc6c fix: report only global references in no-implied-eval (#19932) (Nitin Kumar)
    • 7863d26 fix: remove outdated types in ParserOptions.ecmaFeatures (#19944) (ntnyq)
    • 3173305 fix: update execScript message in no-implied-eval rule (#19937) (TKDev7)

    Documentation

    • 86e7426 docs: Update README (GitHub Actions Bot)

    Chores

    • 50de1ce chore: package.json update for @eslint/js release (Jenkins)
    • 74f01a3 ci: unpin jiti to version ^2.5.1 (#19970) (루밀LuMir)
    • 2ab1381 ci: pin jiti to version 2.4.2 (#19964) (Francesco Trotta)
    • b7f7545 test: switch to flat config mode in SourceCode tests (#19953) (Milos Djermanovic)
    • f5a35e3 test: switch to flat config mode in eslint-fuzzer (#19960) (Milos Djermanovic)
    • e22af8c refactor: use CustomRuleDefinitionType in JSRuleDefinition (#19949) (Francesco Trotta)
    • e855717 chore: switch performance tests to hyperfine (#19919) (Francesco Trotta)
    • 2f73a23 test: switch to flat config mode in ast-utils tests (#19948) (Milos Djermanovic)
    • c565a53 chore: exclude further_reading_links.json from Prettier formatting (#19943) (Milos Djermanovic)
  • 9.31.0 - 2025-07-11

    Features

    • 35cf44c feat: output full actual location in rule tester if different (#19904) (ST-DDT)
    • a6a6325 feat: support explicit resource management in no-loop-func (#19895) (Milos Djermanovic)
    • 4682cdc feat: support explicit resource management in no-undef-init (#19894) (Milos Djermanovic)
    • 5848216 feat: support explicit resource management in init-declarations (#19893) (Milos Djermanovic)
    • bb370b8 feat: support explicit resource management in no-const-assign (#19892) (Milos Djermanovic)

    Bug Fixes

    • 07fac6c fix: retry on EMFILE when writing autofix results (#19926) (TKDev7)
    • 28cc7ab fix: Remove incorrect RuleContext types (#19910) (Nicholas C. Zakas)

    Documentation

    • 664cb44 docs: Update README (GitHub Actions Bot)
    • 40dbe2a docs: fix mismatch between globalIgnores() code and text (#19914) (MaoShizhong)
    • 5a0069d docs: Update README (GitHub Actions Bot)
    • fef04b5 docs: Update working on issues info (#19902) (Nicholas C. Zakas)

    Chores

    • 3ddd454 chore: upgrade to @eslint/js@9.31.0 (#19935) (Francesco Trotta)
    • d5054e5 chore: package.json update for @eslint/js release (Jenkins)
    • 0f4a378 chore: update eslint (#19933) (renovate[bot])
    • 76c2340 chore: bump mocha to v11 (#19917) (루밀LuMir)
  • 9.30.1 - 2025-07-01

    Bug Fixes

    • e91bb87 fix: allow separate default and named type imports (#19899) (xbinaryx)

    Documentation

    • ab7c625 docs: Update README (GitHub Actions Bot)
    • dae1e5b docs: update jsdoc's link (#19896) (JamesVanWaza)

    Chores

    • b035f74 chore: upgrade to @eslint/js@9.30.1 (#19906) (Francesco Trotta)
    • b3dbc16 chore: package.json update for @eslint/js release (Jenkins)
  • 9.30.0 - 2025-06-27

    Features

    • 52a5fca feat: Support basePath property in config objects (#19879) (Milos Djermanovic)
    • 4ab4482 feat: add allowSeparateTypeImports option to no-duplicate-imports (

Snyk has created this PR to upgrade eslint from 8.40.0 to 9.36.0.

See this package in npm:
eslint

See this project in Snyk:
https://app.snyk.io/org/dustin4444/project/0e3da06b-005f-40e7-b7da-9c61bed2d301?utm_source=github&utm_medium=referral&page=upgrade-pr
@coderabbitai

coderabbitai bot commented Oct 14, 2025

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist

Summary of Changes

Hello @Dustin4444, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, aims to update the project's "eslint" dependency to the latest major version, "9.36.0". This update is crucial for maintaining up-to-date dependencies, incorporating the latest features and bug fixes, and most importantly, addressing a substantial list of security vulnerabilities across various severity levels. Due to the major version bump, thorough testing is recommended to mitigate any potential breaking changes.

Highlights

  • Dependency Upgrade: The "eslint" dependency has been upgraded from version "8.39.0" to "9.36.0". This is a significant jump across major versions.
  • Security Vulnerabilities Addressed: This upgrade resolves numerous security vulnerabilities identified by Snyk, including several critical, high, medium, and low severity issues such as Excessive Platform Resource Consumption, Improper Verification of Cryptographic Signature, Regular Expression Denial of Service (ReDoS), and Information Exposure.
  • Potential Breaking Changes: As this is a major version upgrade for "eslint", there is a warning that it may contain breaking changes, requiring careful review and testing.
  • New Features and Bug Fixes: The new "eslint" versions introduce various features like multithread linting, explicit resource management support in core rules, and suggestions for "no-empty-function", along with numerous bug fixes and documentation updates.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request upgrades eslint from v8.40.0 to v9.36.0, which is a major version update that addresses several security vulnerabilities. While applying these security fixes is important, this upgrade introduces breaking changes. Most notably, ESLint v9 uses a new 'flat config' system, which will require a manual migration of your configuration files. Furthermore, the package-lock.json file has not been updated along with package.json. This must be corrected by running npm install and committing the updated lock file to ensure consistent builds and prevent CI failures.

"@userscripters/storage": "^0.1.2",
"chai": "^4.3.7",
"eslint": "^8.39.0",
"eslint": "^9.36.0",
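Review bot: The only line that changes here is the eslint range, `"eslint": "^9.36.0"`, yet the advisories listed in the PR description name other packages (elliptic, pbkdf2, sha.js, browserify-sign, cipher-base and others). Before merging, regenerate package-lock.json and confirm with `npm ls <package>` that the resolved versions of those packages actually change, rather than relying on the table. The previous range was `^8.39.0` while the title says 8.40.0, which suggests the installed version came from the lockfile, so the lockfile diff is what shows which issues this upgrade really closes.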

critical

While the eslint version is correctly updated here, the package-lock.json file has not been updated. This will lead to inconsistencies and likely cause CI builds that use npm ci to fail. Please run npm install and commit the updated package-lock.json file.

Additionally, this is a major version upgrade from ESLint v8 to v9, which introduces significant breaking changes. Your project's ESLint configuration will need to be migrated to the new 'flat config' format. You can find instructions in the ESLint v9 migration guide.
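The lockfile mismatch flagged in the review above can be checked offline. The following is an added example, not code from this repository or from any of the bots on this page: it compares package.json ranges with a lockfileVersion 2/3 package-lock.json and approximates the consistency rule that makes `npm ci` refuse to install. The function names, the placement under devDependencies, and the locked versions of chai and @userscripters/storage are assumptions; only caret ranges are handled.

```javascript
// Added example (not from the repository): detect package.json / lockfile drift.

// Parse "MAJOR.MINOR.PATCH"; prerelease and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Caret ranges pin the left-most non-zero component and allow anything newer
// to its right. Only "^x.y.z" is handled; other range syntax throws.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const v = parseVersion(version);
  const r = parseVersion(range.slice(1));
  const pin = r[0] > 0 ? 1 : r[1] > 0 ? 2 : 3;
  for (let i = 0; i < pin; i++) if (v[i] !== r[i]) return false;
  for (let i = pin; i < 3; i++) if (v[i] !== r[i]) return v[i] > r[i];
  return true;
}

// Compare direct dependencies in package.json with a lockfileVersion 2/3 file.
function findLockDrift(pkg, lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const drift = [];
  for (const section of ["dependencies", "devDependencies"]) {
    const recorded = root[section] || {};
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const entry = packages[`node_modules/${name}`];
      if (recorded[name] !== range) {
        drift.push({ name, kind: "range-mismatch", manifest: range, lockfile: recorded[name] ?? null });
      }
      if (!entry) {
        drift.push({ name, kind: "not-locked", manifest: range });
      } else if (!satisfiesCaret(entry.version, range)) {
        drift.push({ name, kind: "version-outside-range", manifest: range, locked: entry.version });
      }
    }
  }
  return drift;
}

// Constructed sample: ranges as shown in the diff on this page; the section
// name and the locked versions of chai and storage are assumptions.
const samplePackageJson = {
  devDependencies: { "@userscripters/storage": "^0.1.2", chai: "^4.3.7", eslint: "^9.36.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "@userscripters/storage": "^0.1.2", chai: "^4.3.7", eslint: "^8.39.0" } },
    "node_modules/@userscripters/storage": { version: "0.1.2" },
    "node_modules/chai": { version: "4.3.7" },
    "node_modules/eslint": { version: "8.40.0" },
  },
};

for (const d of findLockDrift(samplePackageJson, sampleLock)) console.log(JSON.stringify(d));
```

An empty result means the manifest and lockfile agree for every direct dependency; a CI step can fail the build on any finding before `npm ci` runs.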
