[Snyk] Security upgrade eslint-config-next from 14.1.0 to 15.0.0 #31
anonthedev wants to merge 1 commit into
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
- https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| "axios": "^1.3.6", | ||
| "eslint": "8.36.0", | ||
| "eslint-config-next": "14.1.0", | ||
| "eslint-config-next": "15.0.0", |
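Review bot: the changed line moves eslint-config-next a full major version, from 14.1.0 to 15.0.0, while the context line above it leaves eslint pinned at 8.36.0. Before merging, check that the peer dependency range declared by eslint-config-next 15.0.0 still accepts eslint 8.36.0, and run the project's lint step on this branch so that any new or changed rules show up in review. If the range does not fit, bump eslint in the same change, or choose a smaller eslint-config-next upgrade that still pulls in the fixed transitive packages.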
Major version mismatch between eslint-config-next and Next.js
Medium Severity
The eslint-config-next package is being upgraded from 14.1.0 to 15.0.0, but the project uses next: "13.2.4". The eslint-config-next version is typically kept in sync with the Next.js version. Using version 15.0.0 with Next.js 13 creates a significant version mismatch that may cause ESLint rules designed for Next.js 15 features to incorrectly flag or miss issues in a Next.js 13 codebase. Additionally, the transitive dependencies now require Node.js 18.18.0+ which may be stricter than before.


Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.json
package-lock.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-CROSSSPAWN-8303230
SNYK-JS-BRACEEXPANSION-9789073
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
Note
Medium Risk
Dependency-only change, but it upgrades the Next.js ESLint config and multiple linting transitive packages, which may introduce new lint rules/behavior or Node/ESLint peer/engine constraints in CI.
Overview
Updates linting dependencies by upgrading eslint-config-next from 14.1.0 to 15.0.0 in package.json, with the corresponding package-lock.json refresh.
The lockfile reflects the new Next ESLint stack (updated @next/eslint-plugin-next, @rushstack/eslint-patch, @typescript-eslint/*, and related ESLint plugins/utilities), addressing reported ReDoS vulnerabilities in transitive packages.
Written by Cursor Bugbot for commit bf5c55a. This will update automatically on new commits.