Upgrade eslint toolchain to fix minimatch vulnerabilities

Upgrade @typescript-eslint/* (6.x→8.x), eslint-plugin-github (4.x→5.x),
and eslint-plugin-jest (27.x→28.x) to resolve minimatch 9.0.0–9.0.6
ReDoS vulnerabilities. Remove deprecated eslint rules that were moved to
@stylistic in @typescript-eslint v8 (func-call-spacing, semi,
type-annotation-spacing, camelcase) and rename no-empty-interface to
no-empty-object-type. Resolves all remaining npm audit vulnerabilities.

.eslintrc.json

@@ -17,11 +17,9 @@
       "@typescript-eslint/array-type": "error",
       "@typescript-eslint/await-thenable": "error",
       "camelcase": "off",
-      "@typescript-eslint/camelcase": "off",
       "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
-      "@typescript-eslint/func-call-spacing": ["error", "never"],
       "@typescript-eslint/no-array-constructor": "error",
-      "@typescript-eslint/no-empty-interface": "error",
+      "@typescript-eslint/no-empty-object-type": "error",
       "@typescript-eslint/no-explicit-any": "off",
       "@typescript-eslint/no-extraneous-class": "error",
       "@typescript-eslint/no-for-in-array": "error",
@@ -32,7 +30,6 @@
       "@typescript-eslint/no-unnecessary-qualifier": "error",
       "@typescript-eslint/no-unnecessary-type-assertion": "error",
       "@typescript-eslint/no-useless-constructor": "error",
-      "@typescript-eslint/no-var-requires": "error",
       "@typescript-eslint/prefer-for-of": "warn",
       "@typescript-eslint/prefer-function-type": "warn",
       "@typescript-eslint/prefer-includes": "error",
@@ -41,8 +38,6 @@
       "@typescript-eslint/require-array-sort-compare": "error",
       "@typescript-eslint/restrict-plus-operands": "error",
       "semi": "off",
-      "@typescript-eslint/semi": ["error", "never"],
-      "@typescript-eslint/type-annotation-spacing": "error",
       "@typescript-eslint/unbound-method": "error"
     },
     "env": {

dist/index.js

@@ -42,18 +42,29 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 }) : function(o, v) {
     o["default"] = v;
 });
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.Filter = exports.isPredicateQuantifier = exports.SUPPORTED_PREDICATE_QUANTIFIERS = exports.PredicateQuantifier = void 0;
+exports.Filter = exports.SUPPORTED_PREDICATE_QUANTIFIERS = exports.PredicateQuantifier = void 0;
+exports.isPredicateQuantifier = isPredicateQuantifier;
 const jsyaml = __importStar(__nccwpck_require__(4281));
 const picomatch_1 = __importDefault(__nccwpck_require__(4006));
 // Minimatch options used in all matchers
@@ -95,7 +106,6 @@ exports.SUPPORTED_PREDICATE_QUANTIFIERS = Object.values(PredicateQuantifier);
 function isPredicateQuantifier(x) {
     return exports.SUPPORTED_PREDICATE_QUANTIFIERS.includes(x);
 }
-exports.isPredicateQuantifier = isPredicateQuantifier;
 class Filter {
     // Creates instance of Filter and load rules from YAML if it's provided
     constructor(yaml, filterConfig) {
@@ -196,15 +206,34 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 }) : function(o, v) {
     o["default"] = v;
 });
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.isGitSha = exports.getShortName = exports.getCurrentRef = exports.listAllFilesAsAdded = exports.parseGitDiffOutput = exports.getChangesSinceMergeBase = exports.getChangesOnHead = exports.getChanges = exports.getChangesInLastCommit = exports.HEAD = exports.NULL_SHA = void 0;
+exports.HEAD = exports.NULL_SHA = void 0;
+exports.getChangesInLastCommit = getChangesInLastCommit;
+exports.getChanges = getChanges;
+exports.getChangesOnHead = getChangesOnHead;
+exports.getChangesSinceMergeBase = getChangesSinceMergeBase;
+exports.parseGitDiffOutput = parseGitDiffOutput;
+exports.listAllFilesAsAdded = listAllFilesAsAdded;
+exports.getCurrentRef = getCurrentRef;
+exports.getShortName = getShortName;
+exports.isGitSha = isGitSha;
 const exec_1 = __nccwpck_require__(5236);
 const core = __importStar(__nccwpck_require__(7484));
 const file_1 = __nccwpck_require__(5868);
@@ -222,7 +251,6 @@ async function getChangesInLastCommit() {
     }
     return parseGitDiffOutput(output);
 }
-exports.getChangesInLastCommit = getChangesInLastCommit;
 async function getChanges(base, head) {
     const baseRef = await ensureRefAvailable(base);
     const headRef = await ensureRefAvailable(head);
@@ -240,7 +268,6 @@ async function getChanges(base, head) {
     }
     return parseGitDiffOutput(output);
 }
-exports.getChanges = getChanges;
 async function getChangesOnHead() {
     // Get current changes - both staged and unstaged
     core.startGroup(`Change detection on HEAD`);
@@ -254,7 +281,6 @@ async function getChangesOnHead() {
     }
     return parseGitDiffOutput(output);
 }
-exports.getChangesOnHead = getChangesOnHead;
 async function getChangesSinceMergeBase(base, head, initialFetchDepth) {
     let baseRef;
     let headRef;
@@ -328,7 +354,6 @@ async function getChangesSinceMergeBase(base, head, initialFetchDepth) {
     }
     return parseGitDiffOutput(output);
 }
-exports.getChangesSinceMergeBase = getChangesSinceMergeBase;
 function parseGitDiffOutput(output) {
     const tokens = output.split('\u0000').filter(s => s.length > 0);
     const files = [];
@@ -340,7 +365,6 @@ function parseGitDiffOutput(output) {
     }
     return files;
 }
-exports.parseGitDiffOutput = parseGitDiffOutput;
 async function listAllFilesAsAdded() {
     core.startGroup('Listing all files tracked by git');
     let output = '';
@@ -359,7 +383,6 @@ async function listAllFilesAsAdded() {
         filename: path
     }));
 }
-exports.listAllFilesAsAdded = listAllFilesAsAdded;
 async function getCurrentRef() {
     core.startGroup(`Get current git ref`);
     try {
@@ -377,7 +400,6 @@ async function getCurrentRef() {
         core.endGroup();
     }
 }
-exports.getCurrentRef = getCurrentRef;
 function getShortName(ref) {
     if (!ref)
         return '';
@@ -389,11 +411,9 @@ function getShortName(ref) {
         return ref.slice(tags.length);
     return ref;
 }
-exports.getShortName = getShortName;
 function isGitSha(ref) {
     return /^[a-z0-9]{40}$/.test(ref);
 }
-exports.isGitSha = isGitSha;
 async function hasCommit(ref) {
     return (await (0, exec_1.getExecOutput)('git', ['cat-file', '-e', `${ref}^{commit}`], { ignoreReturnCode: true })).exitCode === 0;
 }
@@ -466,7 +486,7 @@ const statusMap = {
 "use strict";
 
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.csvEscape = void 0;
+exports.csvEscape = csvEscape;
 // Returns filename escaped for CSV
 // Wraps file name into "..." only when it contains some potentially unsafe character
 function csvEscape(value) {
@@ -482,7 +502,6 @@ function csvEscape(value) {
     // another double quote
     return `"${value.replace(/"/g, '""')}"`;
 }
-exports.csvEscape = csvEscape;
 
 
 /***/ }),
@@ -493,12 +512,12 @@ exports.csvEscape = csvEscape;
 "use strict";
 
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.shellEscape = exports.backslashEscape = void 0;
+exports.backslashEscape = backslashEscape;
+exports.shellEscape = shellEscape;
 // Backslash escape every character except small subset of definitely safe characters
 function backslashEscape(value) {
     return value.replace(/([^a-zA-Z0-9,._+:@%/-])/gm, '\\$1');
 }
-exports.backslashEscape = backslashEscape;
 // Returns filename escaped for usage as shell argument.
 // Applies "human readable" approach with as few escaping applied as possible
 function shellEscape(value) {
@@ -519,7 +538,6 @@ function shellEscape(value) {
     // Contains some unsafe characters but no single quote
     return `'${value}'`;
 }
-exports.shellEscape = shellEscape;
 
 
 /***/ }),
@@ -545,13 +563,23 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 }) : function(o, v) {
     o["default"] = v;
 });
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 const fs = __importStar(__nccwpck_require__(9896));
 const core = __importStar(__nccwpck_require__(7484));
@@ -5816,6 +5844,22 @@ function charFromCodepoint(c) {
   );
 }
 
+// set a property of a literal object, while protecting against prototype pollution,
+// see https://github.com/nodeca/js-yaml/issues/164 for more details
+function setProperty(object, key, value) {
+  // used for this specific key only because Object.defineProperty is slow
+  if (key === '__proto__') {
+    Object.defineProperty(object, key, {
+      configurable: true,
+      enumerable: true,
+      writable: true,
+      value: value
+    });
+  } else {
+    object[key] = value;
+  }
+}
+
 var simpleEscapeCheck = new Array(256); // integer, for fast access
 var simpleEscapeMap = new Array(256);
 for (var i = 0; i < 256; i++) {
@@ -5994,7 +6038,7 @@ function mergeMappings(state, destination, source, overridableKeys) {
     key = sourceKeys[index];
 
     if (!_hasOwnProperty.call(destination, key)) {
-      destination[key] = source[key];
+      setProperty(destination, key, source[key]);
       overridableKeys[key] = true;
     }
   }
@@ -6054,17 +6098,7 @@ function storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valu
       throwError(state, 'duplicated mapping key');
     }
 
-    // used for this specific key only because Object.defineProperty is slow
-    if (keyNode === '__proto__') {
-      Object.defineProperty(_result, keyNode, {
-        configurable: true,
-        enumerable: true,
-        writable: true,
-        value: valueNode
-      });
-    } else {
-      _result[keyNode] = valueNode;
-    }
+    setProperty(_result, keyNode, valueNode);
     delete overridableKeys[keyNode];
   }
 

package.json

@@ -39,12 +39,12 @@
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^25.3.5",
     "@types/picomatch": "^2.3.3",
-    "@typescript-eslint/eslint-plugin": "^6.19.1",
-    "@typescript-eslint/parser": "^6.19.1",
+    "@typescript-eslint/eslint-plugin": "^8.57.0",
+    "@typescript-eslint/parser": "^8.57.0",
     "@vercel/ncc": "^0.38.4",
     "eslint": "^8.56.0",
-    "eslint-plugin-github": "^4.10.1",
-    "eslint-plugin-jest": "^27.6.3",
+    "eslint-plugin-github": "^5.1.8",
+    "eslint-plugin-jest": "^28.11.0",
     "jest": "^30.2.0",
     "jest-circus": "^30.2.0",
     "js-yaml": "^4.1.0",