Bump eslint from 8.57.1 to 9.39.4

[dependabot]

Bumps eslint from 8.57.1 to 9.39.4.

Release notes

Sourced from eslint's releases.

v9.39.4

Bug Fixes

• f18f6c8 fix: update dependency minimatch to ^3.1.5 (#20564) (Milos Djermanovic)
• a3c868f fix: update dependency @​eslint/eslintrc to ^3.3.4 (#20554) (Milos Djermanovic)
• 234d005 fix: minimatch security vulnerability patch for v9.x (#20549) (Andrej Beles)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538) (루밀LuMir)

Documentation

• 4675152 docs: add deprecation notice partial (#20520) (Milos Djermanovic)

Chores

• b8b4eb1 chore: update dependencies for ESLint v9.39.4 (#20596) (Francesco Trotta)
• 71b2f6b chore: package.json update for @​eslint/js release (Jenkins)
• 1d16c2f ci: pin Node.js 25.6.1 (#20563) (Milos Djermanovic)

v9.39.3

Bug Fixes

• 791bf8d fix: restore TypeScript 4.0 compatibility in types (#20504) (sethamus)

Chores

• 8594a43 chore: upgrade @​eslint/js@​9.39.3 (#20529) (Milos Djermanovic)
• 9ceef92 chore: package.json update for @​eslint/js release (Jenkins)
• af498c6 chore: ignore /docs/v9.x in link checker (#20453) (Milos Djermanovic)

v9.39.2

Bug Fixes

• 5705833 fix: warn when eslint-env configuration comments are found (#20381) (sethamus)

Build Related

• 506f154 build: add .scss files entry to knip (#20391) (Milos Djermanovic)

Chores

• 7ca0af7 chore: upgrade to @eslint/js@9.39.2 (#20394) (Francesco Trotta)
• c43ce24 chore: package.json update for @​eslint/js release (Jenkins)
• 4c9858e ci: add v9.x-dev branch (#20382) (Milos Djermanovic)

v9.39.1

Bug Fixes

• 650753e fix: Only pass node to JS lang visitor methods (#20283) (Nicholas C. Zakas)

Documentation

• 51b51f4 docs: add a section on when to use extends vs cascading (#20268) (Tanuj Kanti)
• b44d426 docs: Update README (GitHub Actions Bot)

Chores

• 92db329 chore: update @eslint/js version to 9.39.1 (#20284) (Francesco Trotta)
• c7ebefc chore: package.json update for @​eslint/js release (Jenkins)
• 61778f6 chore: update eslint-config-eslint dependency @​eslint/js to ^9.39.0 (#20275) (renovate[bot])
• d9ca2fc ci: Add rangeStrategy to eslint group in renovate config (#20266) (唯然)
• 009e507 test: fix version tests for ESLint v10 (#20274) (Milos Djermanovic)

... (truncated)

Commits

• f5770b0 9.39.4
• c30147a Build: changelog update for 9.39.4
• b8b4eb1 chore: update dependencies for ESLint v9.39.4 (#20596)
• 71b2f6b chore: package.json update for @​eslint/js release
• 4675152 docs: add deprecation notice partial (#20520)
• f18f6c8 fix: update dependency minimatch to ^3.1.5 (#20564)
• 1d16c2f ci: pin Node.js 25.6.1 (#20563)
• a3c868f fix: update dependency @​eslint/eslintrc to ^3.3.4 (#20554)
• 234d005 fix: minimatch security vulnerability patch for v9.x (#20549)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#20538)
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
eslint	[>= 10.a, < 11]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[rtibblesbot]

Straightforward major eslint bump, but requires a config migration before merging.

CI passing (no lint workflow runs in CI, so npm run lint compatibility is not verified by CI).

Blocking:

• .eslintrc.js incompatible with ESLint 9's default flat config system — see inline comment on package.json

Praise:

• ESLint 9.39.4 bundles security patches for ajv (security vulnerabilities addressed) and minimatch — good dependency hygiene in the upstream release.

---

Dependency Update Review

Package: eslint 8.57.0 → 9.39.4
Semver risk: Major
Dependency type: devDependency
CI status: Passing

Changelog Analysis

Sources consulted:

• PR body release notes (9.39.1–9.39.4)
• ESLint v9.0.0 migration guide

Breaking changes:

• Flat config (eslint.config.js) is now the default. Legacy config files (.eslintrc.js, .eslintrc.json, etc.) are no longer recognized unless ESLINT_USE_FLAT_CONFIG=false is set. Running eslint . without a flat config is effectively a no-op — no rules will be enforced.

Security fixes (9.39.x):

• ajv updated to 6.14.0 to address security vulnerabilities
• minimatch updated to ^3.1.5 (security patch)

Other notable changes (9.39.x):

• TypeScript 4.0 compatibility restored in types (9.39.3)
• Warning added when eslint-env configuration comments are found (9.39.2)

Compatibility Assessment

• Project uses .eslintrc.js (legacy config): yes — ignored by ESLint 9 by default
• eslint.config.js present: no
• eslint-config-prettier v10.1.8: supports ESLint 9 flat config ✓
• Code changes required: yes — migrate .eslintrc.js to eslint.config.js
• Prior failed attempts: none found

Recommendation

REQUEST_CHANGES — requires flat config migration before merging.

---

@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly

How was this generated?

Reviewed the pull request diff checking for:

• Correctness: bugs, edge cases, undocumented behavior, resource leaks, hardcoded values
• Design: unnecessary complexity, naming, readability, comment accuracy, redundant state
• Architecture: duplicated concerns, minimal interfaces, composition over inheritance
• Testing: behavior-based assertions, mocks only at hard boundaries, accurate coverage
• Completeness: missing dependencies, unupdated usages, i18n, accessibility, security
• Principles: DRY (same reason to change), SRP, Rule of Three (no premature abstraction)
• Checked CI status and linked issue acceptance criteria
• For UI changes: inspected screenshots for layout, visual completeness, and consistency

[rtibblesbot]

blocking: ESLint 9 replaces the legacy config system (.eslintrc.*) with flat config (eslint.config.js). The project's .eslintrc.js will be silently ignored after this upgrade, leaving npm run lint a no-op — no rules enforced.

To fix, add an eslint.config.js at the repo root and remove .eslintrc.js. See the migration guide. A starting point for this project:

import js from "@eslint/js";
import globals from "globals";
import eslintConfigPrettier from "eslint-config-prettier";

export default [
  js.configs.recommended,
  eslintConfigPrettier,
  {
    languageOptions: {
      ecmaVersion: 2020,
      sourceType: "module",
      globals: { ...globals.browser, ...globals.node },
    },
    rules: {
      "comma-style": "error",
      "no-console": "error",
      "max-len": ["error", 100, {
        ignoreStrings: true,
        ignoreTemplateLiterals: true,
        ignoreUrls: true,
        ignoreTrailingComments: true,
      }],
    },
  },
];

Add globals as a dev dependency: yarn add -D globals.