🚨 [security] Update @vue/eslint-config-typescript 14.6.0 → 14.7.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​vue/eslint-config-typescript (14.6.0 → 14.7.0) · Repo

Release Notes

14.7.0

What's Changed

• fix: respect global ignores when scanning for vue files to lint by @haoqunjiang in #239
• feat: support ESLint 10 as peer dependency

Full Changelog: v14.6.0...v14.7.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 60 commits:

• 14.7.0
• chore(deps): update eslint monorepo to v10 (#262)
• chore(deps): update dependency vue-router to v5 (#261)
• chore: update yml config
• chore: migrate from unplugin-vue-router to vue-router 5
• chore: approve @parcel/watcher scripts
• chore(deps): update dependency eslint-plugin-yml to v3 (#254)
• chore(deps): update all non-major dependencies (#260)
• chore(deps): replace dependency @tsconfig/node22 with @tsconfig/node24 (#259)
• chore(deps): update dependency globals to v17 (#255)
• chore(deps): update dependency jsdom to v28 (#256)
• chore(deps): update dependency chromedriver to v145 (#258)
• chore(deps): update dependency prettier to v3.8.1 (#257)
• chore(deps): replace dependency @tsconfig/node20 with @tsconfig/node22 (#246)
• chore(deps): update all non-major dependencies (#252)
• chore(deps): replace dependency @tsconfig/node22 with @tsconfig/node24 (#247)
• chore(deps): update vite packages (#249)
• chore(deps): update all non-major dependencies (#250)
• chore: add more to ignoreBuildDependencies
• chore(deps): update all non-major dependencies (#244)
• chore: dedupe
• chore(deps): update v0.x (#243)
• chore(deps): update dependency chromedriver to v143 (#242)
• chore(deps): update vite packages (#241)
• chore(deps): update all non-major dependencies (#238)
• chore(deps): update actions/checkout action to v6 (#240)
• fix: respect global ignores when scanning for vue files to lint (#239)
• chore(deps): update dependency unplugin-vue-router to ^0.18.0 (#237)
• chore(deps): update all non-major dependencies (#235)
• chore(deps): update dependency unplugin-vue-router to ^0.17.2 (#233)
• chore(deps): update dependency prettier to v3.7.4 (#236)
• chore(deps): update vite packages (#234)
• chore(deps): update all non-major dependencies (#228)
• chore(deps): update vite packages (#227)
• chore(deps): update dependency unplugin-vue-router to ^0.17.0 (#232)
• chore(deps): update dependency chromedriver to v142 (#229)
• chore(deps): update dependency vitest to v4 (#230)
• chore: setting up trusted publisher for npm publish
• chore(deps-dev): bump vite from 6.3.6 to 6.4.1 (#223)
• chore: dedupe deps
• chore(deps): update dependency cypress to v15 (#220)
• chore(deps): update dependency geckodriver to v6 (#221)
• chore(deps): update dependency @vue/tsconfig to ^0.8.1 (#211)
• chore(deps): update dependency jsdom to v27 (#222)
• chore(deps): update dependency chromedriver to v141 (#219)
• chore(deps): update actions/setup-node action to v6 (#218)
• chore(deps): update vite packages (#214)
• chore(deps): update v0.x (#213)
• chore(deps): update all non-major dependencies (#212)
• chore(deps-dev): bump vite from 7.1.2 to 7.1.5 (#208)
• chore(deps): update actions/checkout action to v5 (#205)
• chore(deps): update dependency pnpm to v10 (#204)
• chore(deps): update dependency vite-plugin-vue-devtools to v8 (#202)
• chore(deps): update dependency chromedriver to v139 (#201)
• chore(deps): update dependency prettier to v3.6.2 (#197)
• chore(deps): update v0.x (#199)
• chore(deps): update vite packages (#195)
• chore(deps): update dependency vue-tsc to v3 (#200)
• chore(deps): update dependency typescript to ~5.9.0 (#198)
• chore(deps): update all non-major dependencies (#196)

↗️ debug (indirect, 4.4.1 → 4.4.3) · Repo · Changelog

Security Advisories 🚨

🚨 debug@4.4.2 contains malware after npm account takeover

Impact

On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.

Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.

The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.

Patches

npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.

On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.

Users should upgrade to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.

Those operating private registries or registry mirrors should purge the offending versions from any caches.

References

• https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
• https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
• https://www.ox.security/blog/npm-packages-compromised/

Point of Contact

In the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see Patches above), please reach out via one of the following channels of communication:

• Bluesky, package owner: https://bsky.app/profile/bad-at-computer.bsky.social
• debug repository, tracking issue (applies to all packages affected in the breach): #1005

Release Notes

4.4.3

Functionally identical release to 4.4.1.

Version 4.4.2 is compromised. Please see #1005.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 1 commit:

• 4.4.3

↗️ semver (indirect, 7.7.2 → 7.7.4) · Repo · Changelog

Release Notes

7.7.4

7.7.4 (2026-01-16)

Bug Fixes

• a29faa5 #835 cli: pass options to semver.valid() for loose version validation (#835) (@mldangelo)

Documentation

• 1d28d5e #836 fix typos and update -n CLI option documentation (#836) (@mldangelo)

Dependencies

• 120968b #840 @npmcli/template-oss@4.29.0 (#840)

Chores

• 44d7130 #824 bump @npmcli/eslint-config from 5.1.0 to 6.0.0 (#824) (@dependabot[bot])
• 7073576 #820 reorder parameters in invalid-versions.js test (#820) (@reggi)
• 5816d4c #829 bump @npmcli/template-oss from 4.28.0 to 4.28.1 (#829) (@dependabot[bot], @npm-cli-bot)

7.7.3

7.7.3 (2025-10-06)

Bug Fixes

• e37e0ca #813 faster paths for compare (#813) (@H4ad)
• 2471d75 #811 x-range build metadata support (i529015)

Chores

• 8f05c87 #807 bump @npmcli/template-oss from 4.25.0 to 4.25.1 (#807) (@dependabot[bot], @owlstronaut)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

• chore: release 7.7.4 (#839)
• deps: @npmcli/template-oss@4.29.0 (#840)
• fix(cli): pass options to semver.valid() for loose version validation (#835)
• docs: fix typos and update -n CLI option documentation (#836)
• chore: bump @npmcli/template-oss from 4.28.0 to 4.28.1 (#829)
• chore: bump @npmcli/template-oss from 4.27.1 to 4.28.0 (#827)
• chore: bump @npmcli/eslint-config from 5.1.0 to 6.0.0 (#824)
• chore: reorder parameters in invalid-versions.js test (#820)
• chore: bump @npmcli/template-oss from 4.26.0 to 4.27.1 (#823)
• chore: bump @npmcli/template-oss from 4.25.1 to 4.26.0 (#818)
• chore: release 7.7.3 (#812)
• fix: faster paths for compare (#813)
• fix: x-range build metadata support
• chore: bump @npmcli/template-oss from 4.25.0 to 4.25.1 (#807)
• chore: bump @npmcli/template-oss from 4.24.4 to 4.25.0 (#797)
• chore: bump @npmcli/template-oss from 4.24.3 to 4.24.4 (#790)

↗️ typescript-eslint (indirect, 8.41.0 → 8.56.1)

Sorry, we couldn't find anything useful about this release.

↗️ vue-eslint-parser (indirect, 10.2.0 → 10.4.0) · Repo

Release Notes

10.4.0

⚙️ Changes

• feat: updated scope analyzer to mark variables as used to prevent false positives with no-useless-assignment by @ota-meshi in #288

Full Changelog: v10.3.0...v10.4.0

10.3.0

✨ Enhancements

• Allow ESLint v10 as peer dependency by @FloEdelmann in #277

⚙️ Infrastructure Updates

• test: move to vitest by @9romise in #269
• feat: migrate to tsdown by @9romise in #266

Full Changelog: v10.2.0...v10.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

• 10.4.0
• feat: updated scope analyzer to mark variables as used to prevent false positives with `no-useless-assignment` (#288)
• 10.3.0
• chore: update test script
• chore: use eslint v10 (#286)
• Allow ESLint v10 as peer dependency (#277)
• test: update example title (#284)
• refactor: replace `fs-extra` with `node:fs`, cleanup dev deps (#281)
• feat: upgrade `tsdown`, enable `exports` (#278)
• test: use vitest snapshot testing, update snapshot (#279)
• chore: update scripts
• chore: update fixtures (#273)
• refactor: enhance `fallbackKeysFilter` readability (#272)
• feat: migrate to `tsdown` (#266)
• test: align with `nyc` coverage configuration (#270)
• test: move to `vitest` (#269)

🆕 brace-expansion (added, 5.0.3)

🆕 minimatch (added, 10.2.2)

🆕 @​typescript-eslint/eslint-plugin (added, 8.56.1)

🆕 @​typescript-eslint/project-service (added, 8.56.1)

🆕 @​typescript-eslint/scope-manager (added, 8.56.1)

🆕 @​typescript-eslint/tsconfig-utils (added, 8.56.1)

🆕 @​typescript-eslint/types (added, 8.56.1)

🆕 @​typescript-eslint/typescript-estree (added, 8.56.1)

🆕 @​typescript-eslint/utils (added, 8.56.1)

🆕 @​typescript-eslint/visitor-keys (added, 8.56.1)

🆕 eslint-visitor-keys (added, 5.0.1)

🆕 @​typescript-eslint/parser (added, 8.56.1)

🆕 @​typescript-eslint/type-utils (added, 8.56.1)

🆕 balanced-match (added, 4.0.4)

🗑️ graphemer (removed)

🗑️ @​typescript-eslint/eslint-plugin (removed)

🗑️ @​typescript-eslint/eslint-plugin (removed)

🗑️ @​typescript-eslint/project-service (removed)

🗑️ @​typescript-eslint/project-service (removed)

🗑️ @​typescript-eslint/scope-manager (removed)

🗑️ @​typescript-eslint/scope-manager (removed)

🗑️ @​typescript-eslint/tsconfig-utils (removed)

🗑️ @​typescript-eslint/tsconfig-utils (removed)

🗑️ @​typescript-eslint/types (removed)

🗑️ @​typescript-eslint/types (removed)

🗑️ @​typescript-eslint/typescript-estree (removed)

🗑️ @​typescript-eslint/typescript-estree (removed)

🗑️ @​typescript-eslint/utils (removed)

🗑️ @​typescript-eslint/utils (removed)

🗑️ @​typescript-eslint/visitor-keys (removed)

🗑️ @​typescript-eslint/visitor-keys (removed)

🗑️ @​typescript-eslint/parser (removed)

🗑️ @​typescript-eslint/parser (removed)

🗑️ @​typescript-eslint/type-utils (removed)

🗑️ @​typescript-eslint/type-utils (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)