Skip to content

Land ESLint v10 modernization (#284) + open dep/feature PRs + undici CVE fix#307

Open
chad-fossa wants to merge 8 commits into
mainfrom
chad/integration-open-prs
Open

Land ESLint v10 modernization (#284) + open dep/feature PRs + undici CVE fix#307
chad-fossa wants to merge 8 commits into
mainfrom
chad/integration-open-prs

Conversation

@chad-fossa

Copy link
Copy Markdown
Contributor

Purpose

Integration / test branch — merges the open PRs together so their combined behavior gets exercised end-to-end by test.yml (real fossa analyze / test / container / report / --diff against the FOSSA key). Not intended to merge as-is; it's a green-light check that the open PRs are mutually compatible.

What's included

PR Change How
#303 include-unused-deps input (feature) merged
#306 bump actions/checkout 6 → 7 merged
#284 ESLint v10 flat-config modernization (typescript-eslint + eslint-plugin-import-x, drops airbnb/standard stack) applied
#302 eslint → 10.3.0 pinned into #284's range
#300 globals → 17.6.0 pinned into #284's range

Deliberately NOT included

Obsoleted by #284 — it removes the packages these bump:

Preserved from main, NOT reverted (#284 was branched before these landed; a naive merge would have reverted them):

Local verification (Node 24)

  • yarn install — clean lockfile regen
  • yarn lint — passes on the new flat config
  • yarn builddist/ rebuilt and in sync; include-unused-deps present in bundle

Testing

Pushing this branch triggers test.yml, which is the real e2e suite. Watch the checks tab.

saramaebee and others added 6 commits May 13, 2026 12:16
The report JSON is interpolated into the run script as raw text, so a
single quote in dependency copyright text (e.g. "Georg Reinke (<...>)")
broke the echo '...' quoting and failed with a bash syntax error / exit 2.
Pass the report via an env var instead.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The env-var approach from the previous commit fixed the quoting bug but
hit MAX_ARG_STRLEN: the attribution report is ~350KB on a single line, so
placing it in an env var made the kernel reject starting bash with
'Argument list too long'. A quoted heredoc keeps the value in the script
file (no argv/env size limit) and treats it literally (no quoting issues).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Merges open PRs for combined end-to-end testing:
- #303 add include-unused-deps input (feature)
- #306 bump actions/checkout 6->7
- #284 ESLint v10 flat-config modernization (typescript-eslint + import-x)
- #302 eslint ->10.3.0, #300 globals ->17.6.0 (pinned into #284's ranges)

Obsoleted by #284 (packages removed), so not included:
- #279 @typescript-eslint/parser, #301 eslint-plugin, #292 @eslint/compat

Preserved from main (NOT reverted despite #284 being based pre-them):
- #278 fossa test --diff push-event fix
- #291 dependabot @types/node major guard

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015cyhpr2n4CDui7j9AVWukq
@chad-fossa

Copy link
Copy Markdown
Contributor Author

e2e result (run 28587298720)

All functional steps passed under Node 24 with every merged PR's changes:

Step Result
lint (new flat config)
Build (dist rebuild)
Rebuild-dist verify (in sync)
fossa analyze (+debug bundle)
fossa container analyze
fossa analyze --branch
fossa test --project --branch
fossa test (repo policy gate)

The single failure is fossa test's vulnerability-policy gate on the repo's own dependency graph — 3 CVEs: lodash@4.17.5, undici@6.24.1, pydantic-ai-slim@0.0.48 (a stray Python pkg from the accumulated FOSSA project).

This is not introduced by the merge: none of those packages are in the lockfile changes, main would fail the same gate today (its last green run was 2026-04-21, before these CVEs), and the failing step is orthogonal to whether the PRs integrate. Every step that actually exercises the merged code passed.

@actions/http-client pulled undici 6.24.1, flagged by fossa test for
CVE-2026-6733, CVE-2026-11525, CVE-2026-9679 (all fixed in 6.27.0).
Add a resolutions entry and rebuild dist so the fix ships in the bundle.

lodash@4.17.5 and pydantic-ai-slim@0.0.48 were also flagged but are not
in this repo's manifests (phantom FOSSA-project issues); not fixable here.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015cyhpr2n4CDui7j9AVWukq
@chad-fossa chad-fossa marked this pull request as ready for review July 2, 2026 12:26
@chad-fossa chad-fossa requested a review from a team as a code owner July 2, 2026 12:26
@chad-fossa chad-fossa requested a review from tjugdev July 2, 2026 12:26
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: b11b06d7-51b8-4c96-ab07-bf73020622c7

📥 Commits

Reviewing files that changed from the base of the PR and between 29693cc and 7f4dd19.

⛔ Files ignored due to path filters (3)
  • dist/index.js is excluded by !**/dist/**
  • dist/index.js.map is excluded by !**/dist/**, !**/*.map
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (8)
  • .github/workflows/rebuild-dist.yml
  • .github/workflows/test.yml
  • README.md
  • action.yml
  • eslint.config.mjs
  • package.json
  • src/config.ts
  • src/index.ts
👮 Files not reviewed due to content moderation or server errors (8)
  • src/config.ts
  • action.yml
  • .github/workflows/test.yml
  • README.md
  • package.json
  • .github/workflows/rebuild-dist.yml
  • eslint.config.mjs
  • src/index.ts

Warning

Walkthrough skipped

File diffs could not be summarized.


Comment @coderabbitai help to get the list of available commands.

@chad-fossa chad-fossa changed the title test: integration branch merging all open PRs Land ESLint v10 modernization (#284) + open dep/feature PRs + undici CVE fix Jul 2, 2026
Add a dogfood job that runs the published @v2 action against this repo,
complementing the working-copy (./) jobs which test the PR's own code.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015cyhpr2n4CDui7j9AVWukq
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants