
[Snyk] Upgrade lint-staged from 12.3.7 to 16.2.0 #2

Open
Dustin4444 wants to merge 1 commit into main from snyk-upgrade-84deddb12331264a4e65b9a1567ab81a

Conversation

@Dustin4444
Owner

Snyk has created this PR to upgrade lint-staged from 12.3.7 to 16.2.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 55 versions ahead of your current version.

  • The recommended version was released 22 days ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

Severity   Issue                                                      Identifier                       Score   Exploit Maturity
high       Server-side Request Forgery (SSRF)                         SNYK-JS-IP-12704893              436     Proof of Concept
high       Server-side Request Forgery (SSRF)                         SNYK-JS-IP-12761655              436     Proof of Concept
high       Server-side Request Forgery (SSRF)                         SNYK-JS-IP-6240864               436     Proof of Concept
medium     Server-Side Request Forgery (SSRF)                         SNYK-JS-IP-7148531               436     Proof of Concept
medium     Regular Expression Denial of Service (ReDoS)               SNYK-JS-SEMVERREGEX-2824151      436     Proof of Concept
medium     Uncontrolled Resource Consumption ('Resource Exhaustion')  SNYK-JS-TAR-6476909              436     Proof of Concept
medium     Inefficient Regular Expression Complexity                  SNYK-JS-MICROMATCH-6838728       436     No Known Exploit
low        Regular Expression Denial of Service (ReDoS)               SNYK-JS-BRACEEXPANSION-9789073   436     Proof of Concept
Release notes
Package name: lint-staged
  • 16.2.0 - 2025-09-22

    Minor Changes

    • #1615 99eb742 Thanks @ iiroj! - Added a new option --fail-on-changes to make lint-staged exit with code 1 when tasks modify any files, making the precommit hook fail. This is similar to the git diff --exit-code option. Using this flag also implies the --no-revert flag which means any changes made by tasks will be left in the working tree after failing, so that they can be manually staged and the commit tried again.

    • #1611 cd05fd3 Thanks @rlorenzo! - Added a new option --continue-on-error so that lint-staged will run all tasks to completion even if some of them fail. By default, lint-staged will exit early on the first failure.

    • #1637 82fcc07 Thanks @ iiroj! - Internal lint-staged errors are now thrown and visible in the console output. Previously they were caught with the process exit code set to 1, but not logged. This happens when, for example, there's a syntax error in the lint-staged configuration file.

    • #1647 a5ecc06 Thanks @iiroj! - Remove debug as a dependency due to recent malware issue; read more at debug-js/debug#1005. Because of this, the DEBUG environment variable is no longer supported; use the --debug flag to enable debugging.

    • #1636 8db2717 Thanks @ iiroj! - Added a new option --hide-unstaged so that lint-staged will hide all unstaged changes to tracked files before running tasks. The changes will be applied back after running the tasks. Note that the combination of flags --hide-unstaged --no-hide-partially-staged isn't meaningful and behaves the same as just --hide-unstaged.

      Thanks to @ ItsNickBarry for the idea and initial implementation in #1552.

    • #1648 7900b3b Thanks @ iiroj! - Remove lilconfig to reduce reliance on third-party dependencies. It was used to find possible config files outside of those tracked in Git, including from the parent directories. This behavior has been moved directly into lint-staged and should work about the same.

    Patch Changes

    • #1633 7f9e485 Thanks @ dependabot! - Bumps listr2 from 9.0.3 to 9.0.4.

    • #1626 99d5a9b Thanks @ iiroj! - Due to recent phishing attacks, for example chalk@5.6.1 was released with malware. To avoid lint-staged's users being at risk the direct dependencies are pinned to exact versions, instead of allowing future patch versions with the caret (^) range.

    • #1588 035bbf2 Thanks @ outslept! - Increase performance by listing staged files and searching for configuration concurrently.

    • #1645 deba3ad Thanks @ iiroj! - Remove chalk as a dependency due to recent malware issue; read more at chalk/chalk#656.

      If you are having trouble with ANSI color codes when using lint-staged, you can try setting either FORCE_COLOR=true or NO_COLOR=true env variables.

  • 16.1.6 - 2025-09-01

    Patch Changes

    • #1610 e93578e Thanks @iiroj! - Try to improve terminating of subprocesses of tasks by using SIGKILL, and only calling pidtree when the main task process has a known pid.
  • 16.1.5 - 2025-08-08

    Patch Changes

    • #1608 4e3ce22 Thanks @ srsatt! - Detect the git repo's top-level directory correctly when in a worktree.
  • 16.1.4 - 2025-08-03

    Patch Changes

    • #1604 90b37b0 Thanks @ iiroj! - Add another types field to package.json to make even more sure NPM detects that lint-staged includes built-in TypeScript type definitions.
  • 16.1.3 - 2025-08-03

    Patch Changes

    • #1602 7ea700b Thanks @ dword-design! - Add the types field to package.json to make sure NPM detects lint-staged includes built-in TypeScript type definitions.
  • 16.1.2 - 2025-06-15

    Patch Changes

    • #1570 a7c0c88 Thanks @ ItsNickBarry! - When using --diff-filter with the D option to include deleted staged files, lint-staged no longer tries to stage the deleted files, unless they're no longer deleted. Previously this caused an error from git add like fatal: pathspec 'deleted-file' did not match any files.

    • 38f942e Thanks @ iiroj! - Removed an extraneous log entry that printed shouldHidePArtiallyStagedFiles to console output.

  • 16.1.1 - 2025-06-14

    Patch Changes

    • #1565 3686977 Thanks @ iiroj! - Lint-staged now explicitly warns about potential data loss when using --no-stash.

    • #1571 02299a9 Thanks @ iiroj! - Function tasks (introduced in v16.0.0) only receive the staged files matching the configured glob, instead of all staged files.

    • #1563 bc61c74 Thanks @ iiroj! - This version fixes incorrect behavior where unstaged changes were committed when using the --no-stash option. This happened because --no-stash implied --no-hide-partially-staged, meaning unstaged changes to files which also had other staged changes were added to the commit by lint-staged; this is no longer the case.

      The previous (incorrect) behavior can still be achieved by using both options --no-stash --no-hide-partially-staged at the same time.

  • 16.1.0 - 2025-05-27

    Minor Changes

    • #1536 e729daa Thanks @ iiroj! - A new flag --no-revert has been introduced for when task modifications should be applied to the index before aborting the commit in case of errors. By default, lint-staged will clear all task modifications and revert to the original state.

    • #1550 b27fa3f Thanks @ iiroj! - Lint-staged now ignores symlinks and leaves them out from the list of staged files.

    Patch Changes

  • 16.0.0 - 2025-05-10

    Major Changes

    • #1546 158d15c Thanks @ iiroj! - Processes are spawned using nano-spawn instead of execa. If you are using Node.js scripts as tasks, you might need to explicitly run them with node, especially when using Windows:

      {
        "*.js": "node my-js-linter.js"
      }
    • #1546 158d15c Thanks @ iiroj! - The --shell flag has been removed and lint-staged no longer supports evaluating commands directly via a shell. To migrate existing commands, you can create a shell script and invoke it instead. Lint-staged will pass matched staged files as a list of arguments, accessible via "$@":

      #!/bin/bash
      # my-script.sh (the shebang has to be the first line of the file for the
      # script to be executable directly)

      echo "Staged files: $@"

      and

      { "*.js": "my-script.sh" }

      If you were using the shell option to avoid passing filenames to tasks, for example bash -c 'tsc --noEmit', use the function syntax instead:

      export default { '*.ts': () => 'tsc --noEmit' }
    • #1546 158d15c Thanks @ iiroj! - Validation for deprecated advanced configuration has been removed. The advanced configuration was removed in lint-staged version 9 and until now validation has failed if advanced configuration options were detected. Going forward the entire configuration will be treated with the same logic and if these advanced options are still present, they might be treated as valid globs for staged files instead.

    • #1546 158d15c Thanks @ iiroj! - The lowest supported Node.js version is 20.18. Please upgrade your Node.js version.

    Minor Changes

    • #1401 27110ef Thanks @ RohitLuthra19! - Added support for directly running functions on staged files. To configure a function task, use an object with a title and the task itself:

      export default {
        '*.js': {
          title: 'My task',
          task: async (files) => {
            console.log('Staged JS files:', files)
          },
        },
      }

      Lint-staged will run your function task with the staged files matching the configured glob as its argument, and show the custom title in its console output.

  • 15.5.2 - 2025-05-06

    Patch Changes

  • 15.5.1 - 2025-04-11
  • 15.5.0 - 2025-03-12
  • 15.4.3 - 2025-01-26
  • 15.4.2 - 2025-01-23
  • 15.4.1 - 2025-01-16
  • 15.4.0 - 2025-01-16
  • 15.3.0 - 2024-12-28
  • 15.2.11 - 2024-12-10
  • 15.2.10 - 2024-09-01
  • 15.2.9 - 2024-08-13
  • 15.2.8 - 2024-08-03
  • 15.2.7 - 2024-06-12
  • 15.2.6 - 2024-06-11
  • 15.2.5 - 2024-05-25
  • 15.2.4 - 2024-05-21
  • 15.2.2 - 2024-02-05
  • 15.2.1 - 2024-01-31
  • 15.2.0 - 2023-12-03
  • 15.1.0 - 2023-11-11
  • 15.0.2 - 2023-10-19
  • 15.0.1 - 2023-10-15
  • 15.0.0 - 2023-10-14
  • 14.0.1 - 2023-08-21
  • 14.0.0 - 2023-08-13
  • 13.3.0 - 2023-08-13
  • 13.2.3 - 2023-06-28
  • 13.2.2 - 2023-04-26
  • 13.2.1 - 2023-04-07
  • 13.2.0 - 2023-03-10
  • 13.1.4 - 2023-03-06
  • 13.1.3 - 2023-03-05
  • 13.1.2 - 2023-02-13
  • 13.1.1 - 2023-02-07
  • 13.1.0 - 2022-12-04
  • 13.0.4 - 2022-11-25
  • 13.0.3 - 2022-06-24
  • 13.0.2 - 2022-06-16
  • 13.0.1 - 2022-06-08
  • 13.0.0 - 2022-06-01
  • 12.5.0 - 2022-05-31
  • 12.4.3 - 2022-05-30
  • 12.4.2 - 2022-05-24
  • 12.4.1 - 2022-04-26
  • 12.4.0 - 2022-04-20
  • 12.3.8 - 2022-04-15
  • 12.3.7 - 2022-03-17
from lint-staged GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade lint-staged from 12.3.7 to 16.2.0.

See this package in npm:
lint-staged

See this project in Snyk:
https://app.snyk.io/org/dustin4444/project/d86d6d0d-45cd-44c7-9a82-8b3987b70cc2?utm_source=github&utm_medium=referral&page=upgrade-pr
@gemini-code-assist

Summary of Changes

Hello @Dustin4444, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, updates the lint-staged dependency from version 12.3.7 to 16.2.0. This substantial upgrade aims to enhance the project's security posture by addressing multiple known vulnerabilities and introduces a suite of new features and performance improvements for managing staged files. Reviewers should be aware that this is a major version bump and includes breaking changes, particularly regarding command execution and Node.js version compatibility, which may require adjustments to existing configurations.

Highlights

  • Dependency Upgrade: The lint-staged dependency has been upgraded from version 12.3.7 to 16.2.0, spanning multiple major versions.
  • Security Fixes: This upgrade addresses several high and medium severity vulnerabilities, including Server-side Request Forgery (SSRF), Regular Expression Denial of Service (ReDoS), and Uncontrolled Resource Consumption.
  • New Features: New command-line options have been introduced, such as --fail-on-changes (to fail the commit if tasks modify files), --continue-on-error (to run all tasks despite individual failures), and --hide-unstaged (to temporarily hide unstaged changes).
  • Internal Improvements: Error logging for internal lint-staged errors is now enhanced. The debug and lilconfig dependencies have been removed to reduce the attack surface, and direct dependencies are now pinned to exact versions to mitigate supply chain attacks.
  • Performance Enhancements: Performance has been improved by concurrently listing staged files and searching for configuration.
  • Breaking Changes: The --shell flag has been removed, requiring shell scripts for complex commands. Process spawning now uses nano-spawn instead of execa, and the minimum required Node.js version has been raised to 20.18.
  • Function Task Support: Support has been added for directly running JavaScript functions as tasks within the lint-staged configuration.

@coderabbitai

coderabbitai bot commented Oct 14, 2025

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request upgrades lint-staged from 12.3.7 to 16.2.0. While this is a valuable security update, it introduces a significant breaking change. The new version of lint-staged requires Node.js v20.17.0 or higher, but this project still supports Node.js v18. This will cause the pre-commit hook to fail for developers using Node.js 18. I have added a comment with a suggestion to either upgrade to a lint-staged version that is compatible with Node.js 18, or to update the project's engines configuration to drop support for Node.js 18.

"eslint-doc-generator": "^1.7.0",
"eslint-plugin-eslint-plugin": "^5.5.1",
"lint-staged": "^12.3.7",
"lint-staged": "^16.2.0",
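Review bot: the replacement line `"lint-staged": "^16.2.0",` still uses a caret range, so every future 16.x release is pulled in without review; the 16.2.0 release notes quoted in this PR describe lint-staged moving its own direct dependencies to exact pins after chalk@5.6.1 shipped malware, and the same reasoning applies to a devDependency that runs on every commit. Suggest `"lint-staged": "16.2.0",` with the lockfile regenerated in the same commit. The hunk also leaves the `engines` field untouched, which the review comment below reports as `^18.18.0` against a `>=20.17.0` requirement; one of the two has to change before this merges.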


critical

This major upgrade of lint-staged to version 16.2.0 introduces a Node.js version requirement that is incompatible with this project's supported engines.

  • lint-staged@16.2.0 requires Node.js >=20.17.0.
  • Your package.json engines field specifies support for Node.js ^18.18.0.

This will cause the pre-commit hook to fail for developers running Node.js 18.

To resolve this while still addressing security vulnerabilities, you could upgrade to the latest 15.x version instead. For example, lint-staged@15.5.2 is compatible with Node.js 18. Alternatively, if you plan to drop support for Node.js 18, the engines field in package.json should be updated.

Suggested change
"lint-staged": "^16.2.0",
"lint-staged": "^15.5.2",
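Review bot: the suggested `"lint-staged": "^15.5.2",` resolves the Node.js 18 conflict, but the fixed-issues table at the top of this PR is stated for 16.2.0, not 15.5.2, so confirm which of the listed advisories (the three high and one medium ip SSRF entries, semver-regex, tar, micromatch and brace-expansion) a 15.x release actually clears before taking this route; it also keeps a caret range, so the exact-pin point from the 16.2.0 release notes applies equally.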

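The 16.2.0 release notes quoted in this PR explain why lint-staged pinned its direct dependencies to exact versions, and the review comment above flags the engines mismatch between the project (^18.18.0) and the upgraded package (>=20.17.0). The script below is an added example written for this page; it is not code from Snyk, lint-staged or the repository under review. It runs both checks on a package.json object: it lists every dependency declared with a floating range, and it compares the project's lowest supported Node.js with the upgraded package's minimum. The sample package.json is constructed from the values quoted in this thread, the `>=20.17.0` requirement is taken from the review comment rather than read from an installed package, and the range parser is a deliberate subset of npm's semver (exact, caret, tilde, `>=` and `||` unions) that returns null for any other form.

```javascript
// Added example for this PR thread, not code from Snyk, lint-staged or the
// repository under review. Two checks a reviewer makes on a dependency bump:
//   1. flag direct dependencies declared with a floating range ("^16.2.0"),
//      the practice lint-staged 16.2.0 itself dropped in favour of exact pins
//      after the chalk@5.6.1 malware release;
//   2. compare the upgraded package's minimum Node.js (its engines.node) with
//      the lowest Node.js the project declares in its own engines field.
// Node.js built-ins only; the range parsing is a small subset of npm semver.

// "20.17.0", "v20.17", "20" -> [20, 17, 0]; anything else -> null.
function parseVersion(text) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(text.trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Classify how tightly a range string pins a dependency.
function classifyRange(range) {
  const r = range.trim();
  if (/^=?\d+\.\d+\.\d+$/.test(r)) return 'exact';
  if (r.startsWith('^')) return 'caret';
  if (r.startsWith('~')) return 'tilde';
  if (r === '' || r === '*' || r === 'latest') return 'any';
  return 'other'; // ">=20.17.0", "1.x", unions, dist-tags, git or URL specs
}

// Inclusive lower bound of a range: exact, ^x.y.z, ~x.y.z, >=x.y.z and
// "||" unions of those (the smallest alternative wins). Exclusive bounds
// such as ">18" and anything else unrecognised return null, so the caller
// knows to check by hand instead of trusting a guess.
function lowerBound(range) {
  let min = null;
  for (const alt of range.split('||')) {
    const token = alt.trim().split(/\s+/)[0];
    const v = parseVersion(token.replace(/^(\^|~|>=|=)/, ''));
    if (!v) return null;
    if (min === null || compareVersions(v, min) < 0) min = v;
  }
  return min;
}

// Every dependency or devDependency that is not pinned to an exact version.
function findFloatingRanges(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const kind = classifyRange(range);
      if (kind !== 'exact') findings.push({ field, name, range, kind });
    }
  }
  return findings;
}

// true if the lowest Node.js the project supports satisfies the dependency's
// minimum; false if developers on the project's floor would be cut off;
// null if either range is in a form this subset parser does not handle.
function enginesCompatible(projectNode, depNode) {
  const proj = lowerBound(projectNode || '');
  const dep = lowerBound(depNode || '');
  if (!proj || !dep) return null;
  return compareVersions(proj, dep) >= 0;
}

// Run both checks on a package.json object plus the upgraded package's
// engines.node string (normally read from node_modules/<pkg>/package.json).
function runChecks(pkg, depNode) {
  const projectNode = pkg.engines && pkg.engines.node ? pkg.engines.node : '';
  return {
    floating: findFloatingRanges(pkg),
    nodeOk: enginesCompatible(projectNode, depNode),
  };
}

// Constructed sample modelled on values quoted in this thread; it is not the
// repository's real package.json. engines comes from the review comment, the
// devDependencies lines from the visible diff.
const SAMPLE_PKG = {
  engines: { node: '^18.18.0' },
  devDependencies: {
    'eslint-doc-generator': '^1.7.0',
    'eslint-plugin-eslint-plugin': '^5.5.1',
    'lint-staged': '^16.2.0',
  },
};
// lint-staged 16.2.0's requirement as the review comment reports it.
const LINT_STAGED_NODE = '>=20.17.0';

const report = runChecks(SAMPLE_PKG, LINT_STAGED_NODE);
for (const f of report.floating) {
  console.log(`floating range: ${f.field}.${f.name} = ${f.range} (${f.kind})`);
}
console.log(`engines compatible with lint-staged: ${report.nodeOk}`);
```

To run it against a real checkout, replace SAMPLE_PKG with the parsed contents of package.json and LINT_STAGED_NODE with the engines.node value from node_modules/lint-staged/package.json. A null result means the range form was not understood and must be checked by hand; it is not a pass.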