This repository was archived by the owner on May 5, 2026. It is now read-only.

2026 05 05 audit #19

Merged
stevendborrelli merged 6 commits into main from 2026-05-05-audit
May 5, 2026

Conversation

@stevendborrelli (Member) commented May 5, 2026

Description of your changes

Security and Tooling Upgrades

Summary

This PR addresses security vulnerabilities, upgrades ESLint and related tooling to their latest versions, and modernizes the project configuration to align with Node.js 24+ requirements.

Security Fixes

Resolved Vulnerabilities

  • Fixed 3 high-severity minimatch ReDoS vulnerabilities via dependency upgrades
  • pnpm audit: All vulnerabilities resolved ✅

Dependency Updates

ESLint Ecosystem

  • eslint: 9.39.1 → 10.3.0
  • @eslint/js: 9.39.1 → 10.0.1
  • @eslint/eslintrc: 3.3.3 → 3.3.5
  • @typescript-eslint/eslint-plugin: 8.49.0 → 8.59.2
  • @typescript-eslint/parser: 8.49.0 → 8.59.2
  • @typescript-eslint/utils: 8.49.0 → 8.59.2

Plugin Replacements

  • Removed npm-run-all (unmaintained, vulnerable dependencies)
  • Added npm-run-all2@8.0.4 (actively maintained fork)
  • Replaced eslint-plugin-vitest@0.5.4 with official @vitest/eslint-plugin@1.6.16

Configuration Improvements

Node.js Version Requirement

  • Updated engines.node from >=14 to >=24
  • Rationale: ESLint 10.x requires Node.js 18.18+, and modern tooling benefits from Node.js 24+ features

ESLint Configuration

  • Updated ecmaVersion from 2018 to "latest" in eslint.config.mjs
  • Allows use of modern ECMAScript features available in Node.js 24+
  • Updated import for @vitest/eslint-plugin

Husky Pre-commit Hook

  • Removed deprecated husky v9 format (shebang and husky.sh sourcing)
  • Updated to modern format compatible with husky v10

PNPM Workspace Overrides

  • Consolidated redundant dependency overrides
  • Reduced from 28 to 18 entries (10 fewer overrides to maintain)
  • Removed overlapping version constraints for:
    • flatted, minimatch, tar, vite

Code Quality Fixes

Error Handling Improvements

File: scripts/fetch-github-crds.ts

  • Added error cause to preserve original errors when re-throwing
  • Improves debugging by maintaining full error context

Removed Dead Code

File: utils/openapi-generate/src/generators/schema.ts

  • Fixed useless assignment detected by new ESLint rules
  • Removed unnecessary initialization of schema variable

Files Changed

  • .husky/pre-commit
  • eslint.config.mjs
  • package.json
  • pnpm-lock.yaml
  • pnpm-workspace.yaml
  • scripts/fetch-github-crds.ts
  • utils/openapi-generate/src/generators/schema.ts

Testing

All checks pass:

  • pnpm audit - No known vulnerabilities found
  • pnpm run lint:eslint - All files pass linting
  • pnpm install - Clean install with no peer dependency warnings

Breaking Changes

⚠️ Node.js version requirement increased from >=14 to >=24

Projects using this package must upgrade to Node.js 24 or higher.

Migration Notes

For consumers of this package:

  1. Ensure Node.js 24+ is installed
  2. Run pnpm install to update dependencies
  3. No code changes required for consumers

Fixes #

I have:

  • Read and followed Upbound's contribution process.
  • Run make reviewable to ensure this PR is ready for review.
  • Added backport release-x.y labels to auto-backport this PR, as appropriate.

Signed-off-by: Steven Borrelli <steve@borrelli.org>
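The "PNPM Workspace Overrides" section above describes collapsing overlapping override entries for the same package. The script below is an added example, not tooling from this repository: it reads the `overrides:` map of a pnpm-workspace.yaml and lists every package that is targeted by more than one key, which is exactly the redundancy worth consolidating (and re-checking with `pnpm audit` after the upgrades that made an override unnecessary). The embedded YAML is a constructed sample; its package ranges are illustrative and are not the repository's real entries or any advisory's fixed versions. Keys using pnpm's `parent>child` selector are not handled.

```javascript
// Added example (not the repository's own tooling): find pnpm overrides that
// target the same package more than once. Override keys look like "pkg",
// "pkg@range" or "@scope/pkg@range"; only the package name matters for grouping.

// Constructed sample workspace file; ranges are illustrative only.
const SAMPLE_WORKSPACE_YAML = `
packages:
  - 'utils/*'
overrides:
  flatted: '^3.3.0'
  'flatted@<3.2.0': '>=3.2.0'
  'minimatch@<3.0.5': '>=3.0.5'
  'minimatch@>=4.0.0 <9.0.5': '>=9.0.5'
  '@types/node': '^24'
  tar: '>=7.4.0'
  'vite@<6.1.0': '>=6.1.0'
  vite: '^6.3.0'
catalog:
  eslint: ^10.3.0
`;

// Minimal reader for the flat `key: value` map under a top-level `overrides:`.
// Enough for the shape pnpm uses; it is not a general YAML parser.
function readOverrides(yamlText) {
  const overrides = {};
  let inBlock = false;
  for (const raw of yamlText.split("\n")) {
    if (/^overrides:\s*$/.test(raw)) {
      inBlock = true;
      continue;
    }
    if (inBlock && /^\S/.test(raw)) inBlock = false; // next top-level key ends the map
    if (!inBlock) continue;
    // optional quotes around key and value; keys may contain spaces and '<' '>'
    const m = raw.match(/^\s+(['"]?)(.+?)\1\s*:\s*(['"]?)(.+?)\3\s*$/);
    if (m) overrides[m[2]] = m[4];
  }
  return overrides;
}

// Package name an override key targets: strip the optional "@range" suffix,
// keeping the leading "@" of scoped names.
function targetPackage(key) {
  const selector = key.trim();
  const at = selector.startsWith("@") ? selector.indexOf("@", 1) : selector.indexOf("@");
  return at === -1 ? selector : selector.slice(0, at);
}

// Group keys by target package; any package with more than one entry is a
// candidate for consolidation into a single range.
function findOverlappingOverrides(yamlText) {
  const byPackage = {};
  for (const key of Object.keys(readOverrides(yamlText))) {
    const name = targetPackage(key);
    (byPackage[name] ??= []).push(key);
  }
  const overlapping = {};
  for (const [name, keys] of Object.entries(byPackage)) {
    if (keys.length > 1) overlapping[name] = keys;
  }
  return overlapping;
}

// Human-readable report lines, one per package with overlapping entries.
function report(yamlText) {
  return Object.entries(findOverlappingOverrides(yamlText)).map(
    ([name, keys]) => `${name}: ${keys.length} entries (${keys.join(", ")})`
  );
}

console.log(report(SAMPLE_WORKSPACE_YAML).join("\n"));
```

Run it against the real file with `node` after replacing the constructed sample with `fs.readFileSync("pnpm-workspace.yaml", "utf8")`; a package listed by the report is either two constraints that should become one, or a stale override whose only job was done by a dependency that has since been upgraded.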
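The "Error Handling Improvements" entry above says the re-throw in scripts/fetch-github-crds.ts now passes the original error as `cause`. The following is an added example, not code from that script or this repository: it puts the lossy pattern (folding the old message into a new string) beside the preserving one (`new Error(message, { cause })`, ES2022, available in Node 16.9+) and walks the resulting chain the way a log handler would. `loadCrdRaw`, `fetchCrd`, `fetchCrdLossy`, `describeError` and the URL are constructed stand-ins; the thrown TypeError with a `code` is constructed, not a captured Node error.

```javascript
// Added example (not code from the repository): re-throwing with `{ cause }`
// versus re-throwing only the old message text.

// Constructed transport failure: a TypeError carrying a `code`, thrown
// unconditionally so the example runs offline.
function loadCrdRaw(url) {
  const err = new TypeError("fetch failed");
  err.code = "ECONNRESET";
  throw err;
}

// Lossy pattern: only the message text survives. The original class, `code`
// and stack frames are gone for whoever catches this further up.
function fetchCrdLossy(url) {
  try {
    return loadCrdRaw(url);
  } catch (err) {
    throw new Error(`Failed to fetch CRD from ${url}: ${err.message}`);
  }
}

// Preserving pattern: add context in the message and attach the original as
// `cause`, so the whole chain reaches the top-level handler intact.
function fetchCrd(url) {
  try {
    return loadCrdRaw(url);
  } catch (err) {
    throw new Error(`Failed to fetch CRD from ${url}`, { cause: err });
  }
}

// One segment per link of the cause chain, outermost first; guards against
// cycles (an error whose cause chain loops back on itself).
function describeError(err) {
  const parts = [];
  const seen = new Set();
  for (let e = err; e != null && !seen.has(e); e = e.cause) {
    seen.add(e);
    const code = e.code ? ` [${e.code}]` : "";
    parts.push(`${e.name}: ${e.message}${code}`);
  }
  return parts.join(" <- ");
}

// Run a loader and return whatever it threw (null if it succeeded), so the
// chain can be inspected rather than just printed.
function captureError(loader, url) {
  try {
    loader(url);
    return null;
  } catch (err) {
    return err;
  }
}

const CRD_URL = "https://example.invalid/crd.yaml"; // constructed
console.log(describeError(captureError(fetchCrdLossy, CRD_URL)));
console.log(describeError(captureError(fetchCrd, CRD_URL)));
```

With the preserving form, `err.cause.code` is still `ECONNRESET` at the catch site, which is what lets a CI log distinguish a transient network reset from a TLS or parsing failure when a CRD download breaks. Recent Node releases also print the `[cause]` when an error is passed to `console.error`. Keep chains like this in internal logs only; the inner errors can carry URLs, tokens or file paths that should not be echoed back to an untrusted caller.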
@humoflife (Contributor) left a comment

Please see comments for pnpm and ecmaVersion.

Comment thread: eslint.config.mjs
Comment thread: package.json (outdated)
@humoflife (Contributor) left a comment

LGTM

@stevendborrelli stevendborrelli merged commit e9bb670 into main May 5, 2026
7 checks passed
@stevendborrelli stevendborrelli deleted the 2026-05-05-audit branch May 5, 2026 22:49