Bump eslint-config-prettier from 8.10.0 to 10.1.8 #1480

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/eslint-config-prettier-10.1.8

dependabot Bot commented on behalf of github May 27, 2026

Bumps eslint-config-prettier from 8.10.0 to 10.1.8.

Release notes

Sourced from eslint-config-prettier's releases.

v10.1.8

republish latest version

Full Changelog: prettier/eslint-config-prettier@v10.1.5...v10.1.8

v10.1.5

Patch Changes

Full Changelog: prettier/eslint-config-prettier@v10.1.4...v10.1.5

v10.1.4

Patch Changes

Full Changelog: prettier/eslint-config-prettier@v10.1.3...v10.1.4

v10.1.3

Patch Changes

New Contributors

Full Changelog: prettier/eslint-config-prettier@v10.1.2...v10.1.3

v10.1.2

Patch Changes

v10.1.1

Patch Changes

  • #309 eb56a5e Thanks @​JounQin! - fix: separate the /flat entry for compatibility

    For flat config users, the previous "eslint-config-prettier" entry still works, but "eslint-config-prettier/flat" adds a new name property for config-inspector, we just can't add it for the default entry for compatibility.

    See also prettier/eslint-config-prettier#308

    // before
    import eslintConfigPrettier from "eslint-config-prettier";
    // after
    import eslintConfigPrettier from "eslint-config-prettier/flat";

... (truncated)

Changelog

Sourced from eslint-config-prettier's changelog.

eslint-config-prettier

10.1.5

Patch Changes

10.1.4

Patch Changes

10.1.3

Patch Changes

10.1.2

Patch Changes

10.1.1

Patch Changes

  • #309 eb56a5e Thanks @​JounQin! - fix: separate the /flat entry for compatibility

    For flat config users, the previous "eslint-config-prettier" entry still works, but "eslint-config-prettier/flat" adds a new name property for config-inspector, we just can't add it for the default entry for compatibility.

    See also prettier/eslint-config-prettier#308

    // before
    import eslintConfigPrettier from "eslint-config-prettier";
    // after
    import eslintConfigPrettier from "eslint-config-prettier/flat";

10.1.0

Minor Changes

... (truncated)

Commits
  • 9b0b0a4 fix: release a new latest version
  • 4c94893 chore: release eslint-config-prettier (#333)
  • 60fef02 chore: add funding field into package.json (#332)
  • f55501f chore: release eslint-config-prettier (#329)
  • 50a8a22 chore(deps): update all dependencies (#330)
  • 94b4799 fix(cli): do not crash on no rules configured (#328)
  • cdc4a5c chore: release eslint-config-prettier (#326)
  • 4e95a1d fix: this package is commonjs, align its types correctly (#325)
  • 8911369 chore: release eslint-config-prettier (#322)
  • a8768bf chore(package): add homepage url (#321)
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jounqin, a new releaser for eslint-config-prettier since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [eslint-config-prettier](https://github.com/prettier/eslint-config-prettier) from 8.10.0 to 10.1.8.
- [Release notes](https://github.com/prettier/eslint-config-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-config-prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/eslint-config-prettier@v8.10.0...v10.1.8)

---
updated-dependencies:
- dependency-name: eslint-config-prettier
  dependency-version: 10.1.8
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies and javascript labels May 27, 2026
Copilot AI review requested due to automatic review settings May 27, 2026 01:05

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

cursor Bot left a comment

Stale comment

No blocking issues found.

Security

  • eslint-config-prettier had a documented supply-chain compromise in CVE-2025-54313 / GHSA-f29h-pxvx-f335. The affected versions were 8.10.1, 9.1.1, 10.1.6, and 10.1.7.
  • This PR moves from 8.10.0 to 10.1.8, so it does not introduce a known-bad version and instead lands on the patched release line.
  • I did not find a published advisory affecting 8.10.0 or 10.1.8 themselves. The main residual concern is historical exposure only: if any Windows developer or CI machine installed 10.1.6 or 10.1.7 outside this PR, that host should be treated as potentially exposed.

Safety Of Merging

  • In this repository, eslint-config-prettier is only consumed through legacy .eslintrc.json via plugin:prettier/recommended; I found no runtime imports or app code paths that depend on it directly.
  • Relevant upstream changes between 8.x and 10.x are mostly lint-config mechanics: support for @stylistic rules in 10.0.0, the exports field in 10.1.0, and the separate /flat entry in 10.1.1 for flat-config users.
  • None of those changes appear to affect this repo: it still uses legacy .eslintrc, does not import deprecated prettier/* subpaths, does not use flat config, and does not reference @stylistic rules.
  • Upstream 9.0.0 also stopped disabling unicode-bom; if this repo had BOM-marked files, that could have surfaced new lint failures, but yarn lint passed cleanly, so there is no evidence of an actual regression here.
  • Because this package is lint-only, no runtime/application behavior change is expected from the bump.

Local Validation

  • yarn install --immutable
  • yarn lint
  • CI=true yarn test --coverage --maxWorkers=4 --workerThreads=true ✅ (92 suites, 835 tests passed)
  • yarn exec cypress run could not be completed in this cloud agent because the Cypress binary was not installed locally and the agent could not download it from download.cypress.io (SSL_ERROR_SYSCALL while connecting). That looks environmental rather than PR-specific.

Recommendation

Merge with caution.

The dependency update itself looks safe for this repository and moves to the patched 10.1.8 line after the 2025 compromise. The only reasons I am not giving a straight merge are:

  1. I could not run Cypress locally in this environment.
  2. It is worth confirming no Windows machine in your fleet ever installed the compromised intermediary versions.

If GitHub Actions/Cypress passes on the PR, I would be comfortable merging this.

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs

cursor Bot left a comment

No blocking findings.

Security

  • eslint-config-prettier 10.1.8 is the clean patched release after the 2025 npm supply-chain compromise that affected 10.1.6 and 10.1.7 (GHSA-f29h-pxvx-f335 / CVE-2025-54313). This PR does not introduce the compromised builds.
  • The currently resolved version on main is 8.10.0, which predates the compromised 8.10.1 release, so this PR is not fixing an active vulnerability already present in this repo. It does move the project onto a currently safe release line.
  • Dependabot notes a newer npm releaser for this package than the one behind the old version. Given the July 2025 compromise, that is worth calling out, but 10.1.8 is the maintainer-published cleanup release rather than one of the poisoned versions.

Safety Of Merging

  • This repo consumes the package through .eslintrc.json via plugin:prettier/recommended; it does not use flat config, deep imports, or @stylistic/* rules.
  • The meaningful upstream behavior changes across 8.10.0 -> 10.1.8 are:
    • 9.0.0: stopped disabling unicode-bom
    • 10.0.0: added support for @stylistic/* formatting rules
    • 10.1.0: migrated the package to the exports field, with 10.1.1 adding a dedicated /flat entry
  • None of those changes showed up as a local regression here: lint and Jest both passed unchanged.
  • Residual repo-level note: yarn install --immutable still warns that the existing toolchain resolves eslint-plugin-prettier 5.5.5 alongside eslint 7.32.0, even though that plugin declares eslint >=8. That warning is pre-existing and not introduced by this PR, and yarn lint still passes, but it means the lint stack is already slightly outside the plugin's supported peer range.

Test Results

  • Local: yarn install --immutable
  • Local: yarn lint
  • Local: CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter ✅ (92/92 suites, 835/835 tests passed)
  • Local Cypress: I could not run it in this cloud environment because the Cypress desktop binary is not installed. yarn exec cypress install returned immediately without caching a binary, and yarn exec cypress --version still reported Cypress binary version: not installed.
  • GitHub checks at review time: lint ✅, test ✅, test-cypress still pending.

Recommendation

Merge with caution.

I do not see a blocking code or security issue in the dependency bump itself, but I would wait for the hosted test-cypress job to finish green before merging. Separately, a follow-up housekeeping update to align eslint with eslint-plugin-prettier's supported peer range would reduce future lint-tooling risk.

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
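
Both reviews leave one check open: whether any lockfile ever resolved eslint-config-prettier to one of the compromised releases. The following is an added example, not code from this PR, the repository or either bot, and it goes slightly beyond this repo's Yarn setup by also reading `package-lock.json`; the function names and sample lockfile fragments are constructed, and the version list is the one given in the first review.

```javascript
// Added example: find lockfile entries resolving to a compromised release.
const PKG = "eslint-config-prettier";
const BAD = new Set(["8.10.1", "9.1.1", "10.1.6", "10.1.7"]); // from the review

// Return every resolved version of PKG found in a lockfile's text.
function resolvedVersions(lockText) {
  const found = [];
  try {
    // package-lock.json v2/v3: "packages" is keyed by install path.
    const lock = JSON.parse(lockText);
    for (const [path, meta] of Object.entries(lock.packages || {})) {
      if (path.endsWith("node_modules/" + PKG) && meta.version) found.push(meta.version);
    }
    return found;
  } catch {
    // Not JSON, so treat the text as a yarn.lock.
  }
  let inEntry = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) {
      // Unindented line is an entry header listing one or more "name@range" specs.
      inEntry = line.split(",").some((s) => s.trim().replace(/^"/, "").startsWith(PKG + "@"));
    } else if (inEntry) {
      // Yarn classic writes `version "8.10.0"`, Yarn Berry `version: 8.10.0`.
      const m = line.match(/^ {2}version:?\s+"?([^"\s]+)"?\s*$/);
      if (m) found.push(m[1]);
    }
  }
  return found;
}

function compromisedVersions(lockText) {
  return resolvedVersions(lockText).filter((v) => BAD.has(v));
}

// Constructed sample lockfile fragments (not taken from this repository).
const SAMPLE_BERRY = [
  '"eslint-config-prettier@npm:^10.1.5":',
  "  version: 10.1.7",
  '  resolution: "eslint-config-prettier@npm:10.1.7"',
  "",
  '"eslint-plugin-prettier@npm:^5.5.5":',
  "  version: 5.5.5",
].join("\n");
const SAMPLE_NPM = JSON.stringify({ packages: {
  "node_modules/eslint-config-prettier": { version: "10.1.8" },
  "node_modules/foo/node_modules/eslint-config-prettier": { version: "8.10.1" },
} });
console.log(compromisedVersions(SAMPLE_BERRY), compromisedVersions(SAMPLE_NPM));
```

A lockfile only records what one commit resolved, so checking historical exposure means running this over past revisions of the lockfile as well.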
