[Snyk] Upgrade @typescript-eslint/eslint-plugin from 8.34.1 to 8.40.0

[Dargon789]

Snyk has created this PR to upgrade @typescript-eslint/eslint-plugin from 8.34.1 to 8.40.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 59 versions ahead of your current version.

• The recommended version was released 25 days ago.

Release notes

Package name: @typescript-eslint/eslint-plugin

• 8.40.0 - 2025-08-18
  

  8.40.0 (2025-08-18)

  🩹 Fixes

  • typescript-eslint: export plugin, parser, and configs that are compatible with both defineConfig() and tseslint.config() (#11475)
  • typescript-estree: correct range of import assertion with trailing comma (#11478)
  • utils: correct calculateConfigForFile return type (#11451)

  ❤️ Thank You

  • Kirk Waiblinger @ kirkwaiblinger
  • Nolan Gajdascz @ Gajdascz

  You can read about our versioning strategy and releases on our website.

• 8.39.2-alpha.1 - 2025-08-18
• 8.39.2-alpha.0 - 2025-08-11
• 8.39.1 - 2025-08-11
  

  8.39.1 (2025-08-11)

  🩹 Fixes

  • typescript-eslint: handle file:// urls in stack trace when inferring tsconfigRootDir (#11464)

  ❤️ Thank You

  • Kirk Waiblinger @ kirkwaiblinger

  You can read about our versioning strategy and releases on our website.

• 8.39.1-alpha.4 - 2025-08-09
• 8.39.1-alpha.3 - 2025-08-08
• 8.39.1-alpha.2 - 2025-08-05
• 8.39.1-alpha.1 - 2025-08-05
• 8.39.1-alpha.0 - 2025-08-04
• 8.39.0 - 2025-08-04
  

  8.39.0 (2025-08-04)

  🚀 Features

  • update to TypeScript 5.9.2 (#11445)
  • eslint-plugin: [naming-convention] add enumMember PascalCase default option (#11127)
  • eslint-plugin: add no-unnecessary-type-conversion to strict-type-checked ruleset (#11427)
  • eslint-plugin: [only-throw-error] support yield/await expressions (#11417)

  🩹 Fixes

  • eslint-plugin: [prefer-optional-chain] ignore check option for most RHS of a chain (#11272)
  • eslint-plugin: [no-unsafe-assignment] add an unsafeObjectPattern message (#11403)

  ❤️ Thank You

  • Brad Zacher @ bradzacher
  • James Garbutt @ 43081j
  • Kim Sang Du @ developer-bandi
  • Sasha Kondrashov
  • tao
  • Younsang Na @ nayounsang

  You can read about our versioning strategy and releases on our website.

• 8.38.1-alpha.8 - 2025-08-04
• 8.38.1-alpha.7 - 2025-08-04
• 8.38.1-alpha.6 - 2025-08-03
• 8.38.1-alpha.5 - 2025-08-03
• 8.38.1-alpha.4 - 2025-08-03
• 8.38.1-alpha.3 - 2025-08-01
• 8.38.1-alpha.2 - 2025-08-01
• 8.38.1-alpha.1 - 2025-08-01
• 8.38.1-alpha.0 - 2025-08-01
• 8.38.0 - 2025-07-21
  

  8.38.0 (2025-07-21)

  🚀 Features

  • typescript-estree: forbid optional chain in TemplateTaggedLiteral (#11391)

  🩹 Fixes

  • disallow extra properties in rule options (#11397)
  • eslint-plugin: [consistent-generic-constructors] resolve conflict with isolatedDeclarations if enabled in constructor option (#11351)
  • typescript-eslint: infer tsconfigRootDir with v8 API (#11412)
  • typescript-eslint: error on nested extends in tseslint.config() (#11361)
  • typescript-estree: ensure the token type of the property name is Identifier (#11329)

  ❤️ Thank You

  • Andrew Kazakov @ andreww2012
  • Kirk Waiblinger @ kirkwaiblinger
  • MK @ asdf93074
  • tao
  • Younsang Na @ nayounsang

  You can read about our versioning strategy and releases on our website.

• 8.37.1-alpha.6 - 2025-07-21
• 8.37.1-alpha.5 - 2025-07-21
• 8.37.1-alpha.4 - 2025-07-19
• 8.37.1-alpha.3 - 2025-07-18
• 8.37.1-alpha.2 - 2025-07-18
• 8.37.1-alpha.1 - 2025-07-16
• 8.37.1-alpha.0 - 2025-07-14
• 8.37.0 - 2025-07-14
  

  8.37.0 (2025-07-14)

  🚀 Features

  • typescript-estree: infer tsconfigRootDir from call stack (#11370)

  🩹 Fixes

  • eslint-plugin: [unified-signatures] fix false positives for ignoreOverloadsWithDifferentJSDoc option (#11381)
  • type-utils: add missing 'types' dependency to 'type-utils' (#11383)
  • type-utils: handle namespaced exports in specifier matching (#11380)

  ❤️ Thank You

  • Bill Collins
  • Josh Goldberg ✨
  • René @ Renegade334
  • Yukihiro Hasegawa @ y-hsgw

  You can read about our versioning strategy and releases on our website.

• 8.36.1-alpha.4 - 2025-07-14
• 8.36.1-alpha.3 - 2025-07-14
• 8.36.1-alpha.2 - 2025-07-09
• 8.36.1-alpha.1 - 2025-07-08
• 8.36.1-alpha.0 - 2025-07-07
• 8.36.0 - 2025-07-07
  

  8.36.0 (2025-07-07)

  🚀 Features

  • typescript-eslint: support basePath in tseslint.config() (#11357)

  ❤️ Thank You

  • Kirk Waiblinger @ kirkwaiblinger

  You can read about our versioning strategy and releases on our website.

• 8.35.2-alpha.11 - 2025-07-07
• 8.35.2-alpha.10 - 2025-07-07
• 8.35.2-alpha.9 - 2025-07-06
• 8.35.2-alpha.8 - 2025-07-06
• 8.35.2-alpha.7 - 2025-07-06
• 8.35.2-alpha.6 - 2025-07-05
• 8.35.2-alpha.5 - 2025-07-01
• 8.35.2-alpha.4 - 2025-07-01
• 8.35.2-alpha.3 - 2025-07-01
• 8.35.2-alpha.2 - 2025-07-01
• 8.35.2-alpha.1 - 2025-07-01
• 8.35.2-alpha.0 - 2025-07-01
• 8.35.1 - 2025-06-30
  

  8.35.1 (2025-06-30)

  🩹 Fixes

  • remove prettier from eslint-plugin (#11339)
  • website: did not find a source file error if url hash doesn't contain fileType (#11350)

  ❤️ Thank You

  • Abhijeet Singh @ cseas
  • mdm317

  You can read about our versioning strategy and releases on our website.

• 8.35.1-alpha.6 - 2025-06-26
• 8.35.1-alpha.5 - 2025-06-26
• 8.35.1-alpha.4 - 2025-06-25
• 8.35.1-alpha.3 - 2025-06-24
• 8.35.1-alpha.2 - 2025-06-24
• 8.35.1-alpha.1 - 2025-06-23
• 8.35.1-alpha.0 - 2025-06-23
• 8.35.0 - 2025-06-23
• 8.34.2-alpha.3 - 2025-06-23
• 8.34.2-alpha.2 - 2025-06-23
• 8.34.2-alpha.1 - 2025-06-18
• 8.34.2-alpha.0 - 2025-06-16
• 8.34.1 - 2025-06-16

from @typescript-eslint/eslint-plugin GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
hardhat-project-uz7z	Ready	Preview	Comment	Sep 12, 2025 7:19pm

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[gemini-code-assist]

Summary of Changes

Hello @Dargon789, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request automates the process of keeping project dependencies current by upgrading the @typescript-eslint/eslint-plugin. This update ensures the project benefits from the latest features, performance enhancements, and critical bug fixes, contributing to better code quality and security posture.

Highlights

• Dependency Upgrade: The @typescript-eslint/eslint-plugin package has been updated from version 8.34.1 to 8.40.0.
• TypeScript Version Update: Version 8.39.0 of the plugin now supports TypeScript 5.9.2, bringing compatibility with the latest TypeScript features.
• Enhanced Type Safety Rules: The no-unnecessary-type-conversion rule has been added to the strict-type-checked ruleset in 8.39.0, improving code quality and type correctness.
• Configuration Compatibility Fixes: Version 8.40.0 includes important fixes to ensure plugin, parser, and configs are compatible with both defineConfig() and tseslint.config(), enhancing configuration flexibility.
• Various Bug Fixes: Multiple patches across the upgraded versions address issues such as tsconfigRootDir inference, import assertion range handling, and optional chaining in template literals.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@typescript-eslint/eslint-plugin	8.40.0	🟢 5.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 26 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 7 Found 7/10 approved changesets -- score normalized to 7 Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 33 existing vulnerabilities detected

Scanned Files

• packages/hardhat-web3-v4/package.json

[gemini-code-assist]

Code Review

This pull request, automatically generated by Snyk, upgrades the @typescript-eslint/eslint-plugin package from version 8.34.1 to 8.40.0. This is a good maintenance update that brings in many new features and fixes. My review includes one suggestion to also update the corresponding @typescript-eslint/parser package to maintain version consistency and prevent potential issues.

[gemini-code-assist]

It's great to keep dependencies up to date. To ensure compatibility and prevent subtle issues, it's highly recommended to keep @typescript-eslint/eslint-plugin and @typescript-eslint/parser on the same version. Since you're upgrading the plugin to 8.40.0, please also upgrade @typescript-eslint/parser on the next line from 8.39.0 to 8.40.0.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​nomicfoundation/​hardhat-toolbox@​5.0.0 ⏵ 2.0.2			-4
	io-ts@​1.10.4
	@​nomicfoundation/​hardhat-network-helpers@​1.0.8
	@​nomiclabs/​hardhat-web3-legacy@​2.0.0
	@​nomiclabs/​hardhat-ethers@​2.2.3
	@​nomiclabs/​hardhat-web3@​2.0.0
	immutable@​4.3.7
	@​nomicfoundation/​hardhat-chai-matchers@​2.1.0 ⏵ 1.0.6			-10
	hardhat@​2.26.3 ⏵ 2.14.0			-2
	jest-diff@​29.7.0
	@​nomicfoundation/​hardhat-verify@​2.1.1 ⏵ 1.0.0			+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		[email protected] has a License Policy Violation. License: WTFPL (package/LICENSE) From: pnpm-lock.yaml → npm/@nomiclabs/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@nomiclabs/[email protected] is an Unpopular package. Location: Package overview From: package-lock.json → npm/@nomiclabs/[email protected] ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomiclabs/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@nomiclabs/[email protected] is an Unpopular package. Location: Package overview From: package-lock.json → npm/@nomiclabs/[email protected] ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomiclabs/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] is Deprecated. Reason: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. From: pnpm-lock.yaml → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report