🚨 [security] Update @vue/eslint-config-typescript 14.6.0 → 14.8.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​vue/eslint-config-typescript (14.6.0 → 14.8.0) · Repo

Release Notes

14.8.0

What's Changed

• feat: add includeDotFolders option by @mlmoravek in #278

New Contributors

• @arpitjain099 made their first contribution in #285
• @mlmoravek made their first contribution in #278

Full Changelog: v14.7.0...v14.8.0

14.7.0

What's Changed

• fix: respect global ignores when scanning for vue files to lint by @haoqunjiang in #239
• feat: support ESLint 10 as peer dependency

Full Changelog: v14.6.0...v14.7.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ debug (indirect, 4.4.1 → 4.4.3) · Repo · Changelog

Security Advisories 🚨

🚨 debug@4.4.2 contains malware after npm account takeover

Impact

On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.

Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.

The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.

Patches

npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.

On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.

Users should upgrade to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.

Those operating private registries or registry mirrors should purge the offending versions from any caches.

References

• https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
• https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
• https://www.ox.security/blog/npm-packages-compromised/

Point of Contact

In the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see Patches above), please reach out via one of the following channels of communication:

• Bluesky, package owner: https://bsky.app/profile/bad-at-computer.bsky.social
• debug repository, tracking issue (applies to all packages affected in the breach): #1005

Release Notes

4.4.3

Functionally identical release to 4.4.1.

Version 4.4.2 is compromised. Please see #1005.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 1 commit:

• 4.4.3

↗️ semver (indirect, 7.7.2 → 7.8.4) · Repo · Changelog

Release Notes

7.8.4

7.8.4 (2026-06-09)

Bug Fixes

• e583226 #874 reject numeric segments after x-ranges (@pupuking723)

7.8.3

7.8.3 (2026-06-08)

Bug Fixes

• 046da7f #872 align caret includePrerelease lower bounds (#872) (@wayyoungboy)

Chores

• 3485dda #866 bump @npmcli/eslint-config from 6.0.1 to 7.0.0 (#866) (@dependabot[bot])

7.8.2

7.8.2 (2026-06-04)

Bug Fixes

• bea6028 #870 increment dotted prerelease identifiers (#870) (@liuzemei, @SheldonNeo)

7.8.1

7.8.1 (2026-05-21)

Bug Fixes

• 17aa702 #869 strip build metadata before comparator trimming (#869) (@owlstronaut)
• 5f3ca13 #867 handle prerelease bounds in subset (#867) (@puneetdixit200, Puneet Dixit)

7.8.0

7.8.0 (2026-05-08)

Features

• 0d0a0a2 #855 Add truncate function (#855) (@pjohnmeyer, @owlstronaut)

Bug Fixes

• 3905343 #859 Warn when defaulting to --inc=patch in CLI (@pjohnmeyer)

Documentation

• c368af6 #853 fix typos in documentation (#853) (@ankitkumar572005)
• 37776c3 #846 fix BNF grammar to distinguish prerelease from build identifiers (#846) (@abhu85, @claude)

Chores

• 9542e09 #860 template-oss-apply (@owlstronaut)
• 937bc2c #860 template-oss-apply@5.0.0 (@owlstronaut)
• 6946fef #852 bump @npmcli/template-oss from 4.29.0 to 4.30.0 (#852) (@dependabot[bot], @npm-cli-bot)

7.7.4

7.7.4 (2026-01-16)

Bug Fixes

• a29faa5 #835 cli: pass options to semver.valid() for loose version validation (#835) (@mldangelo)

Documentation

• 1d28d5e #836 fix typos and update -n CLI option documentation (#836) (@mldangelo)

Dependencies

• 120968b #840 @npmcli/template-oss@4.29.0 (#840)

Chores

• 44d7130 #824 bump @npmcli/eslint-config from 5.1.0 to 6.0.0 (#824) (@dependabot[bot])
• 7073576 #820 reorder parameters in invalid-versions.js test (#820) (@reggi)
• 5816d4c #829 bump @npmcli/template-oss from 4.28.0 to 4.28.1 (#829) (@dependabot[bot], @npm-cli-bot)

7.7.3

7.7.3 (2025-10-06)

Bug Fixes

• e37e0ca #813 faster paths for compare (#813) (@H4ad)
• 2471d75 #811 x-range build metadata support (i529015)

Chores

• 8f05c87 #807 bump @npmcli/template-oss from 4.25.0 to 4.25.1 (#807) (@dependabot[bot], @owlstronaut)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 34 commits:

• chore: release 7.8.4 (#875)
• fix: reject numeric segments after x-ranges
• chore: release 7.8.3 (#873)
• chore: bump @npmcli/eslint-config from 6.0.1 to 7.0.0 (#866)
• fix: align caret includePrerelease lower bounds (#872)
• chore: release 7.8.2 (#871)
• fix: increment dotted prerelease identifiers (#870)
• chore: release 7.8.1 (#868)
• fix: strip build metadata before comparator trimming (#869)
• fix: handle prerelease bounds in subset (#867)
• chore: release 7.8.0 (#847)
• chore: template-oss-apply
• chore: template-oss-apply@5.0.0
• fix: Warn when defaulting to --inc=patch in CLI
• feat: Add `truncate` function (#855)
• docs: fix typos in documentation (#853)
• chore: bump @npmcli/template-oss from 4.29.0 to 4.30.0 (#852)
• docs: fix BNF grammar to distinguish prerelease from build identifiers (#846)
• chore: release 7.7.4 (#839)
• deps: @npmcli/template-oss@4.29.0 (#840)
• fix(cli): pass options to semver.valid() for loose version validation (#835)
• docs: fix typos and update -n CLI option documentation (#836)
• chore: bump @npmcli/template-oss from 4.28.0 to 4.28.1 (#829)
• chore: bump @npmcli/template-oss from 4.27.1 to 4.28.0 (#827)
• chore: bump @npmcli/eslint-config from 5.1.0 to 6.0.0 (#824)
• chore: reorder parameters in invalid-versions.js test (#820)
• chore: bump @npmcli/template-oss from 4.26.0 to 4.27.1 (#823)
• chore: bump @npmcli/template-oss from 4.25.1 to 4.26.0 (#818)
• chore: release 7.7.3 (#812)
• fix: faster paths for compare (#813)
• fix: x-range build metadata support
• chore: bump @npmcli/template-oss from 4.25.0 to 4.25.1 (#807)
• chore: bump @npmcli/template-oss from 4.24.4 to 4.25.0 (#797)
• chore: bump @npmcli/template-oss from 4.24.3 to 4.24.4 (#790)

↗️ typescript-eslint (indirect, 8.41.0 → 8.61.0) · Repo · Changelog

Release Notes

8.61.0

8.61.0 (2026-06-08)

🚀 Features

• ast-spec: change type of UnaryExpression.prefix to always true (#12372)
• ast-spec: tighten types of ArrowFunction, YieldExpression, TSTypePredicate (#12373)

🩹 Fixes

• rule-schema-to-typescript-types: respect ECMAScript line terminators (#12374)

❤️ Thank You

• Kirk Waiblinger @kirkwaiblinger
• lumir

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.60.1

8.60.1 (2026-06-01)

🩹 Fixes

• eslint-plugin: respect ECMAScript line terminators in ts-comment rules (#12352)
• eslint-plugin: [no-shadow] correct rule to match ESLint v10 handling (#12182)

❤️ Thank You

• lumir
• Nevette Bailey @nevette-bailey

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.60.0

8.60.0 (2026-05-25)

🚀 Features

• rule-tester: added updates of RuleTester from upstream (#12291)

🩹 Fixes

• playground TS version selector is not working (#12326, #12325)

❤️ Thank You

• Evyatar Daud @StyleShit
• Vinccool96

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.4

8.59.4 (2026-05-18)

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#12294)
• project-service: throw error cause in getParsedConfigFileFromTSServer (#12321)
• typescript-eslint: export Compatible* types from typescript-eslint to resolve pnpm TS error (#12340)

❤️ Thank You

• Evyatar Daud @StyleShit
• Kirk Waiblinger @kirkwaiblinger
• lumir

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ vue-eslint-parser (indirect, 10.2.0 → 10.4.1) · Repo

Release Notes

10.4.1

🐛 Bug Fixes

• fix: compatibility with @babel/eslint-parser v8 by @JounQin in #294

Full Changelog: v10.4.0...v10.4.1

10.4.0

⚙️ Changes

• feat: updated scope analyzer to mark variables as used to prevent false positives with no-useless-assignment by @ota-meshi in #288

Full Changelog: v10.3.0...v10.4.0

10.3.0

✨ Enhancements

• Allow ESLint v10 as peer dependency by @FloEdelmann in #277

⚙️ Infrastructure Updates

• test: move to vitest by @9romise in #269
• feat: migrate to tsdown by @9romise in #266

Full Changelog: v10.2.0...v10.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

• 10.4.1
• chore: repository maintenance (#295)
• 10.4.1
• fix: compatibility with `@babel/eslint-parser` v8 (#294)
• chore(ci): set least-privilege workflow token permissions (#292)
• chore: Update test fixtures and eslint fix (#293)
• chore: add GitHub Actions workflow for npm publishing (#289)
• 10.4.0
• feat: updated scope analyzer to mark variables as used to prevent false positives with `no-useless-assignment` (#288)
• 10.3.0
• chore: update test script
• chore: use eslint v10 (#286)
• Allow ESLint v10 as peer dependency (#277)
• test: update example title (#284)
• refactor: replace `fs-extra` with `node:fs`, cleanup dev deps (#281)
• feat: upgrade `tsdown`, enable `exports` (#278)
• test: use vitest snapshot testing, update snapshot (#279)
• chore: update scripts
• chore: update fixtures (#273)
• refactor: enhance `fallbackKeysFilter` readability (#272)
• feat: migrate to `tsdown` (#266)
• test: align with `nyc` coverage configuration (#270)
• test: move to `vitest` (#269)

🆕 brace-expansion (added, 5.0.6)

🆕 minimatch (added, 10.2.5)

🆕 @​typescript-eslint/eslint-plugin (added, 8.61.0)

🆕 @​typescript-eslint/project-service (added, 8.61.0)

🆕 @​typescript-eslint/scope-manager (added, 8.61.0)

🆕 @​typescript-eslint/tsconfig-utils (added, 8.61.0)

🆕 @​typescript-eslint/types (added, 8.61.0)

🆕 @​typescript-eslint/typescript-estree (added, 8.61.0)

🆕 @​typescript-eslint/utils (added, 8.61.0)

🆕 @​typescript-eslint/visitor-keys (added, 8.61.0)

🆕 eslint-visitor-keys (added, 5.0.1)

🆕 @​typescript-eslint/parser (added, 8.61.0)

🆕 @​typescript-eslint/type-utils (added, 8.61.0)

🆕 balanced-match (added, 4.0.4)

🗑️ graphemer (removed)

🗑️ @​typescript-eslint/eslint-plugin (removed)

🗑️ @​typescript-eslint/eslint-plugin (removed)

🗑️ @​typescript-eslint/project-service (removed)

🗑️ @​typescript-eslint/project-service (removed)

🗑️ @​typescript-eslint/scope-manager (removed)

🗑️ @​typescript-eslint/scope-manager (removed)

🗑️ @​typescript-eslint/tsconfig-utils (removed)

🗑️ @​typescript-eslint/tsconfig-utils (removed)

🗑️ @​typescript-eslint/types (removed)

🗑️ @​typescript-eslint/types (removed)

🗑️ @​typescript-eslint/typescript-estree (removed)

🗑️ @​typescript-eslint/typescript-estree (removed)

🗑️ @​typescript-eslint/utils (removed)

🗑️ @​typescript-eslint/utils (removed)

🗑️ @​typescript-eslint/visitor-keys (removed)

🗑️ @​typescript-eslint/visitor-keys (removed)

🗑️ @​typescript-eslint/parser (removed)

🗑️ @​typescript-eslint/parser (removed)

🗑️ @​typescript-eslint/type-utils (removed)

🗑️ @​typescript-eslint/type-utils (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)