Bump @typescript-eslint/eslint-plugin from 8.58.2 to 8.59.2 #301

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-8.59.2

dependabot Bot commented on behalf of github May 5, 2026

Bumps @typescript-eslint/eslint-plugin from 8.58.2 to 8.59.2.

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.59.2

8.59.2 (2026-05-04)

🩹 Fixes

  • eslint-plugin: [no-unsafe-type-assertion] handle crash on recursive template literal types (#12150)
  • eslint-plugin: [no-deprecated] object destructuring values should be treated as declarations (#12292)
  • rule-tester: add TypeScript as a peer dependency (#12288)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.1

8.59.1 (2026-04-27)

🩹 Fixes

  • eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)
  • eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
  • eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
  • eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
  • eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
  • eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

  • eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

... (truncated)

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.59.2 (2026-05-04)

🩹 Fixes

  • eslint-plugin: [no-deprecated] object destructuring values should be treated as declarations (#12292)
  • eslint-plugin: [no-unsafe-type-assertion] handle crash on recursive template literal types (#12150)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.1 (2026-04-27)

🩹 Fixes

  • eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)
  • eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
  • eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
  • eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
  • eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
  • eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.0 (2026-04-20)

🚀 Features

  • eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

  • Ulrich Stark

See GitHub Releases for more information.

... (truncated)

Commits
  • 2ec35f1 chore(release): publish 8.59.2
  • ec3ef25 test: make no-useless-empty-export tests fully static (#12260)
  • 60d0a51 chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
  • 5c53da2 fix(eslint-plugin): [no-deprecated] object destructuring values should be tre...
  • 80c28a1 fix(eslint-plugin): [no-unsafe-type-assertion] handle crash on recursive temp...
  • b7b2670 test: make no-this-alias tests fully static (#12258)
  • 5245793 chore(release): publish 8.59.1
  • 3cef124 chore(eslint-plugin): switch auto-generated test cases to hand-written in dot...
  • 27c507b test: make sort-type-constituents tests fully static (#12262)
  • a03b31d chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 8.58.2 to 8.59.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.2/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.59.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels May 5, 2026
dependabot Bot requested a review from a team as a code owner May 5, 2026 05:09
dependabot Bot requested a review from Conor-FOSSA May 5, 2026 05:09

fossabot Bot commented May 5, 2026

fossabot is Thinking

fossabot Bot commented May 5, 2026

✓ Safe to upgrade

I recommend merging this upgrade because it is a patch-level update to a pure devDependencies linting tool with no runtime or production impact. The upgrade bundles internal dependency updates across the @​typescript-eslint ecosystem (e.g., scope-manager, type-utils, utils, visitor-keys) along with 2 new features and 10 bug fixes. Two deprecation notices relate to internal changes in the no-deprecated rule's handling of object destructuring — these are forward-looking deprecations scheduled for eventual removal in a future major version and do not require any code changes now. The CI failure present in this PR is caused by FOSSA detecting pre-existing vulnerabilities in lodash@​4.17.5 and pydantic-ai-slim@​0.0.48, which are entirely unrelated to this @​typescript-eslint/eslint-plugin upgrade. No breaking changes were detected that affect the codebase.

Fix Suggestions

We identified 3 fixable issues in this upgrade.

  • Upgrade lodash to at least 4.17.21 (latest stable) to resolve all 9 CVEs flagged by FOSSA (including Critical CVE-2019-10744). Run 'yarn upgrade lodash@^4.17.21' or manually update lodash version in package.json and run 'yarn install' to regenerate yarn.lock. If lodash is only a transitive dependency, add a resolutions field in package.json: "resolutions": { "lodash": "^4.17.21" } and run 'yarn install'.
    Run: cd . && grep -rn '"lodash"' package.json yarn.lock | head -20
    Files: package.json, yarn.lock
  • Resolve the pydantic-ai-slim@​0.0.48 vulnerability (CVE-2026-25580, High). This is a Python package detected by FOSSA scanning, not a Node.js dependency in this repository. Investigate where pydantic-ai-slim is referenced (possibly in a scanned Python project or transitive dependency of a non-JS target). Either upgrade pydantic-ai-slim to >=1.56.0 in the relevant Python environment/requirements, or add a FOSSA policy exception for this CVE if it is outside this repository's control.
  • If lodash and pydantic-ai-slim upgrades cannot be completed before merging this PR, add FOSSA policy exceptions for the 10 flagged CVEs with documented justification. This requires access to the FOSSA dashboard to modify the project's security policy or issue suppression rules.

AI Assistant Prompt

Help me fix CI failures in my `fossa-action` repository (PR #301) after upgrading `@​typescript-eslint/eslint-plugin`. The eslint plugin upgrade itself is fine — no breaking changes. The CI failure is caused by FOSSA detecting pre-existing security vulnerabilities unrelated to the upgrade.

## Context
- The `@​typescript-eslint/eslint-plugin` patch upgrade is safe to merge (bug fixes only, no breaking changes).
- The `fossa-scan` CI job fails because `fossa test` found 10 security vulnerabilities and exited with code 1.
- These vulnerabilities are **not** caused by this PR — they are pre-existing.

## CI Failures to Fix

### 1. Upgrade lodash (9 CVEs, including Critical)

`lodash@​4.17.5` has 9 known vulnerabilities (Medium to Critical, including CVE-2019-10744). All are fixed in `4.17.21+`.

**Steps:**

1. First, check if lodash is a direct or transitive dependency:
   ```bash
   grep '"lodash"' package.json
   ```

2. **If lodash is a direct dependency** in `package.json`:
   - Update its version to `"^4.17.21"` in `package.json`
   - Run `yarn install` to regenerate `yarn.lock`

3. **If lodash is only a transitive dependency** (not in `package.json` dependencies):
   - Add a `resolutions` field to `package.json`:
     ```json
     "resolutions": {
       "lodash": "^4.17.21"
     }
     ```
   - Run `yarn install` to regenerate `yarn.lock`

4. Verify the fix:
   ```bash
   yarn list lodash
   ```
   Confirm all instances resolve to `4.17.21` or higher.

**Files to modify:** `package.json`, `yarn.lock`

### 2. pydantic-ai-slim@​0.0.48 (1 High CVE) — Manual Investigation Needed

This is a **Python** package, not a Node.js dependency. FOSSA is detecting it from somewhere outside the JS dependency tree (possibly a scanned Python project or monorepo context).

- I cannot fix this automatically. Please investigate:
  - Where is `pydantic-ai-slim` referenced? Check any Python requirements files, Dockerfiles, or FOSSA scan configuration.
  - If it's in a Python environment you control, upgrade to `pydantic-ai-slim>=1.56.0`.
  - If it's outside this repo's control, add a FOSSA policy exception for CVE-2026-25580.

### 3. Alternative: FOSSA Policy Exceptions

If the lodash or pydantic-ai-slim fixes can't be completed before merging, the 10 CVEs can be suppressed via FOSSA dashboard policy exceptions with documented justification. This requires FOSSA dashboard access and organizational approval.

## Summary of Changes Needed

Please focus on **Step 1 (lodash upgrade)** — that's the actionable fix in this repo. Check whether lodash is direct or transitive, apply the appropriate fix in `package.json`, and regenerate `yarn.lock`. The pydantic-ai-slim issue requires manual investigation outside this codebase.

What we checked

  • @​typescript-eslint/eslint-plugin is declared in devDependencies as ^8.59.2, confirming it has zero production/runtime impact — it is exclusively a development-time linting tool. [1]
  • The plugin is imported as typescriptEslint and wired into the ESLint flat config. All usages are developer tooling only — no runtime code imports or depends on this package. [2]
  • The config extends plugin:@​typescript-eslint/eslint-recommended and plugin:@​typescript-eslint/recommended via compat.extends. The deprecated no-deprecated rule behavior change (object destructuring) may tighten lint enforcement but does not require changes to the config itself. [3]
  • Custom rules like @​typescript-eslint/naming-convention, @​typescript-eslint/array-type, @​typescript-eslint/no-use-before-define, and @​typescript-eslint/no-var-requires are explicitly configured. None of these rules are affected by the deprecation notices in this upgrade. [4]
  • Inline eslint-disable-next-line @​typescript-eslint/naming-convention suppression confirms the naming-convention rule is actively enforced. This rule is unchanged in the upgrade and these suppressions remain valid. [5]
  • Second inline eslint-disable-next-line @​typescript-eslint/naming-convention suppression — again unaffected by the upgrade's changes to the no-deprecated rule. [6]
  • The package source diff confirms this is a patch-level release: internal dependencies (@​typescript-eslint/scope-manager, type-utils, utils, visitor-keys, rule-tester) all updated in lockstep. The peer dependency @​typescript-eslint/parser is bumped to ^8.59.1, consistent with the declared ^8.52.0 range in package.json (line 25) — no peer dependency conflict. [7]

Dependency Usage

@​typescript-eslint/eslint-plugin is used exclusively within the developer tooling layer, configured entirely in eslint.config.mjs to enforce TypeScript-aware linting rules across the codebase. The plugin is set up with the recommended rule sets (eslint-recommended and recommended) alongside a rich set of custom rules — including naming-convention, array-type, no-use-before-define, and others — with active inline suppressions visible in src/index.ts, confirming the rules are enforced during development. This dependency supports code quality and consistency standards rather than any runtime business functionality, making it a pure developer experience and CI/CD guardrail concern.

  • The plugin is imported as typescriptEslint and wired into the ESLint flat config. All usages are developer tooling only — no runtime code imports or depends on this package.
    eslint.config.mjs:3
  • The config extends plugin:@​typescript-eslint/eslint-recommended and plugin:@​typescript-eslint/recommended via compat.extends. The deprecated no-deprecated rule behavior change (object destructuring) may tighten lint enforcement but does not require changes to the config itself.
    eslint.config.mjs:22
  • Custom rules like @​typescript-eslint/naming-convention, @​typescript-eslint/array-type, @​typescript-eslint/no-use-before-define, and @​typescript-eslint/no-var-requires are explicitly configured. None of these rules are affected by the deprecation notices in this upgrade.
    eslint.config.mjs:67
  • Inline eslint-disable-next-line @​typescript-eslint/naming-convention suppression confirms the naming-convention rule is actively enforced. This rule is unchanged in the upgrade and these suppressions remain valid.
    src/index.ts:74
  • Second inline eslint-disable-next-line @​typescript-eslint/naming-convention suppression — again unaffected by the upgrade's changes to the no-deprecated rule.
    src/index.ts:141

Changes

@​typescript-eslint/eslint-plugin was updated with several bug fixes to the no-unnecessary-type-assertion, no-unnecessary-type-arguments, no-unnecessary-condition, and no-unsafe-type-assertion rules — most notably resolving a crash (TypeError: checker.getTypeArguments is not a function) and a false positive in logical assignment assertions. The no-deprecated rule also received improved handling of object destructuring values, and TypeScript was added as a peer dependency to rule-tester.

  • eslint-plugin: [no-deprecated] object destructuring values should be treated as declarations (#12292) (v8.59.1-8.59.2, changelog)
  • Switched auto-generated test cases to hand-written in no-deprecated rule (v8.59.1-8.59.2, commit)
  • eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246) (v8.59.0-8.59.1, changelog)
  • rule-tester: add TypeScript as a peer dependency (#12288) (v8.59.1-8.59.2, changelog)
  • eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789) (v8.58.2-8.59.0, changelog)
  • Ulrich Stark (v8.58.2-8.59.0, changelog)
  • eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257) (v8.59.0-8.59.1, changelog)
  • eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269) (v8.59.0-8.59.1, changelog)
  • eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278) (v8.59.0-8.59.1, changelog)
  • eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220) (v8.59.0-8.59.1, changelog)
  • eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241) (v8.59.0-8.59.1, changelog)
  • anasm266 @​anasm266 (v8.59.0-8.59.1, changelog)
  • Anshika Jain @​Anshikakalpana (v8.59.0-8.59.1, changelog)
  • Ulrich Stark (v8.59.0-8.59.1, changelog)
  • yugo innami @​nami8824 (v8.59.0-8.59.1, changelog)
  • eslint-plugin: [no-unsafe-type-assertion] handle crash on recursive template literal types (#12150) (v8.59.1-8.59.2, changelog)
  • Dariusz Czajkowski (v8.59.1-8.59.2, changelog)
  • Dima Barabash (v8.59.1-8.59.2, changelog)
  • Kirk Waiblinger @​kirkwaiblinger (v8.59.1-8.59.2, changelog)
  • chore: fix cspell violations in code blocks (v8.58.2-8.59.0, commit)
  • Fixed [no-unnecessary-condition] to treat void as nullish (v8.59.0-8.59.1, commit)
  • Fixed [no-unnecessary-type-arguments] to handle instantiation expressions (v8.59.0-8.59.1, commit)
  • Fixed [no-unnecessary-type-assertion] to avoid false positive in certain cases (v8.59.0-8.59.1, commit)
  • Fixed [no-unnecessary-type-assertion] to preserve phantom type arguments (v8.59.0-8.59.1, commit)
  • Fixed [no-unnecessary-type-assertion] crash with "TypeError: cannot read property" (v8.59.0-8.59.1, commit)
  • Fixed [no-deprecated] rule to properly handle object destructuring values (v8.59.1-8.59.2, commit)
  • Corrected ESLint capitalization typos in website playground (v8.59.1-8.59.2, commit)
  • Fixed [no-unsafe-type-assertion] rule crash on recursive templates (v8.59.1-8.59.2, commit)
  • Added TypeScript as a peer dependency to rule-tester (v8.59.1-8.59.2, commit)
  • feat(eslint-plugin): [no-unnecessary-type-assertion] report more cases based on improved detection (v8.58.2-8.59.0, commit)
  • chore(eslint-plugin): switch auto-generated test cases to hand-written ones (v8.58.2-8.59.0, commit)
  • chore(deps): update dependency cspell to v9.8.0 (v8.58.2-8.59.0, commit)
  • chore(website): redirect from /docs to /getting-started (v8.58.2-8.59.0, commit)
  • Published version 8.59.1 (v8.59.0-8.59.1, commit)
  • Switched auto-generated test cases to hand-written test cases across multiple rules (do-not-use-namespace, no-unnecessary-condition, no-unnecessary-type-arguments, no-unnecessary-type-assertion, prefer-nullish-coalescing, member-ordering, naming-convention, and others) (v8.59.0-8.59.1, commit)
  • Made sort-type-constituents tests fully static (v8.59.0-8.59.1, commit)
  • Updated dependency eslint-plugin-perfectionist to v5.9.0 (v8.59.0-8.59.1, commit)
  • Configured the playground website for all available file types (v8.59.0-8.59.1, commit)
  • Published version 8.59.2 (v8.59.1-8.59.2, commit)
  • Made no-useless-empty-export tests fully static (v8.59.1-8.59.2, commit)
  • Made no-this-alias tests fully static (v8.59.1-8.59.2, commit)
  • Updated @​typescript-eslint/scope-manager dependency from 8.58.2 to 8.59.0 (v8.59.0, package source)
  • Patch release with dependency updates: @​typescript-eslint/scope-manager, @​typescript-eslint/type-utils, @​typescript-eslint/utils, @​typescript-eslint/visitor-keys, @​typescript-eslint/rule-schema-to-typescript-types, and @​typescript-eslint/rule-tester all updated to 8.59.1. Peer dependency @​typescript-eslint/parser updated to ^8.59.1. (v8.59.1, package source)
References (7)

[1]: @​typescript-eslint/eslint-plugin is declared in devDependencies as ^8.59.2, confirming it has zero production/runtime impact — it is exclusively a development-time linting tool.

"@typescript-eslint/eslint-plugin": "^8.59.2",

[2]: The plugin is imported as typescriptEslint and wired into the ESLint flat config. All usages are developer tooling only — no runtime code imports or depends on this package.

import typescriptEslint from "@typescript-eslint/eslint-plugin";

[3]: The config extends plugin:@​typescript-eslint/eslint-recommended and plugin:@​typescript-eslint/recommended via compat.extends. The deprecated no-deprecated rule behavior change (object destructuring) may tighten lint enforcement but does not require changes to the config itself.

extends: fixupConfigRules(compat.extends(

[4]: Custom rules like @​typescript-eslint/naming-convention, @​typescript-eslint/array-type, @​typescript-eslint/no-use-before-define, and @​typescript-eslint/no-var-requires are explicitly configured. None of these rules are affected by the deprecation notices in this upgrade.

"@typescript-eslint/naming-convention": [

[5]: Inline eslint-disable-next-line @​typescript-eslint/naming-convention suppression confirms the naming-convention rule is actively enforced. This rule is unchanged in the upgrade and these suppressions remain valid.

// eslint-disable-next-line @typescript-eslint/naming-convention

[6]: Second inline eslint-disable-next-line @​typescript-eslint/naming-convention suppression — again unaffected by the upgrade's changes to the no-deprecated rule.

// eslint-disable-next-line @typescript-eslint/naming-convention

[7]: The package source diff confirms this is a patch-level release: internal dependencies (@​typescript-eslint/scope-manager, type-utils, utils, visitor-keys, rule-tester) all updated in lockstep. The peer dependency @​typescript-eslint/parser is bumped to ^8.59.1, consistent with the declared ^8.52.0 range in package.json (line 25) — no peer dependency conflict. (source link)


fossabot analyzed this PR using static analysis and dependency research. View this analysis on the web
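
The lodash verification step in fossabot's comment above ("confirm all instances resolve to 4.17.21 or higher"), as an added example that is not part of this PR or of fossabot's output: it parses a Yarn v1 lockfile, lists every resolved lodash entry and flags those below the minimum, then picks between the direct-dependency and `resolutions` fixes. The lockfile text, the package.json object, the `@example/scoped` package and all helper names are constructed for illustration.

```javascript
// Added example. SAMPLE_LOCK and SAMPLE_PKG are constructed data in Yarn v1
// lockfile / package.json shape; they are not this repository's files.
const SAMPLE_LOCK = `# yarn lockfile v1


"@example/scoped@^1.10.0":
  version "1.10.1"

async@^2.6.1:
  version "2.6.1"
  dependencies:
    lodash "^4.17.4"

lodash@^4.17.4, lodash@^4.17.5:
  version "4.17.5"

lodash@^4.17.21:
  version "4.17.21"
`;
const SAMPLE_PKG = { devDependencies: { "@example/scoped": "^1.10.0", async: "^2.6.1" } };

// Split a Yarn v1 lockfile into entries: the range specs each entry satisfies
// and the single version it resolved to.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      // Entry header: one or more comma-separated, optionally quoted specs.
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      // Exactly two spaces: the entry's own version, not a nested dependency.
      const m = /^  version "?([^"\s]+)"?$/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// "lodash@^4.17.5" -> "lodash"; "@scope/pkg@^1.0.0" -> "@scope/pkg".
function specName(spec) {
  const at = spec.indexOf("@", 1);
  return at > 0 ? spec.slice(0, at) : spec;
}

// Compare x.y.z numerically; a pre-release sorts below the same x.y.z release.
function compareVersions(a, b) {
  const core = (v) => v.split(/[-+]/)[0].split(".").map(Number);
  const [pa, pb] = [core(a), core(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  const pre = (v) => v.includes("-");
  return pre(a) === pre(b) ? 0 : pre(a) ? -1 : 1;
}

// Every lockfile entry for `name`, flagged ok when it resolved to >= minVersion.
function auditPackage(lockText, name, minVersion) {
  return parseYarnLockV1(lockText)
    .filter((e) => e.specs.some((s) => specName(s) === name))
    .map((e) => ({
      requestedAs: e.specs,
      version: e.version,
      ok: e.version !== null && compareVersions(e.version, minVersion) >= 0,
    }));
}

// Direct dependency: bump it in package.json. Transitive only: pin via "resolutions".
function fixStrategy(pkg, name) {
  const direct = ["dependencies", "devDependencies", "optionalDependencies"]
    .some((k) => pkg[k] && Object.hasOwn(pkg[k], name));
  return direct ? "bump" : "resolutions";
}

for (const e of auditPackage(SAMPLE_LOCK, "lodash", "4.17.21")) {
  console.log(`${e.ok ? "ok  " : "FAIL"} lodash ${e.version} (requested as ${e.requestedAs.join(", ")})`);
}
console.log("fix:", fixStrategy(SAMPLE_PKG, "lodash"));
```

A lockfile can hold several lodash entries at once, so a single passing entry is not enough: the check fails the build if any entry is below the minimum.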
