chore(deps-dev): bump eslint-plugin-react-hooks from 4.6.2 to 7.0.1 #9190

dependabot · 2025-10-27T04:12:58Z

Bumps eslint-plugin-react-hooks from 4.6.2 to 7.0.1.

Release notes

Sourced from eslint-plugin-react-hooks's releases.

[email protected] (Oct 11, 2024)

This release only contains eslint-plugin-react-hooks. Notably, new violations and support for ESLint v9 were added.

eslint-plugin-react-hooks
New Violations: Component names now need to start with an uppercase letter instead of a non-lowercase letter. This means _Button or _component are no longer valid. (@kassens) in #25162 For example, in
function _Component() {
  useState()
  ^^^^^^^^ A React Hook "useState" is called in function "_Component" which is neither a Component nor a custom React Hook function.
}
_Component should be renamed to Component.
Add support for ESLint v9. (@eps1lon in #28773)

Consider dispatch from useActionState stable. (@eps1lon in #29665)

Accept as expression in callback. (@StyleShit in #28202)

Accept as expressions in deps array. (@StyleShit in #28189)

Treat React.use() the same as use(). (@kassens in #27769)

Move use() lint to non-experimental. (@kassens in #27768)

Support Flow as expressions. (@cpojer in #27590)

Allow useEffect(fn, undefined). (@kassens in #27525)

Disallow hooks in async functions. (@acdlite in #27045)

Rename experimental useEvent to useEffectEvent. (@sebmarkbage in #25881)

Lint for presence of useEvent functions in dependency lists. (@poteto in #25512)

Check useEvent references instead. (@poteto in #25319)

Update RulesOfHooks with useEvent rules. (@poteto in #25285)

Changelog

Sourced from eslint-plugin-react-hooks's changelog.

7.0.1

Disallowed passing inline useEffectEvent values as JSX props to guard against accidental propagation. (#34820 by @jf-eirinha)

Switch to export = so eslint-plugin-react-hooks emits correct types for consumers in Node16 ESM projects. (#34949 by @karlhorky)

Tightened the typing of configs.flat so the configs export is always defined. (#34950 by @poteto)

Fix named import runtime errors. (#34951, #34953 by @karlhorky)

7.0.0

This release slims down presets to just 2 configurations (recommended and recommended-latest), and all compiler rules are enabled by default.

Breaking: Removed recommended-latest-legacy and flat/recommended configs. The plugin now provides recommended (legacy and flat configs with all recommended rules), and recommended-latest (legacy and flat configs with all recommended rules plus new bleeding edge experimental compiler rules). (@poteto in #34757)

6.1.1

Note: 6.1.0 accidentally allowed use of recommended without flat config, causing errors when used with ESLint v9's defineConfig() helper. This has been fixed in 6.1.1.

Fix recommended config for flat config compatibility. The recommended config has been converted to flat config format. Non-flat config users should use recommended-legacy instead. (@poteto in #34700)

Add recommended-latest and recommended-latest-legacy configs that include React Compiler rules. (@poteto in #34675)

Remove unused NoUnusedOptOutDirectives rule. (@poteto in #34703)

Remove hermes-parser and dependency. (@poteto in #34719)

Remove @babel/plugin-proposal-private-methods dependency. (@ArnaudBarre and @josephsavona in #34715)

Update for Zod v3/v4 compatibility. (@kolian and @josephsavona in #34717)

6.1.0

Note: Version 6.0.0 was mistakenly released and immediately deprecated and untagged on npm. This is the first official 6.x major release and includes breaking changes.

Breaking: Require Node.js 18 or newer. (@michaelfaith in #32458)

Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@michaelfaith in #32457)

New Violations: Disallow calling use within try/catch blocks. (@poteto in #34040)

New Violations: Disallow calling useEffectEvent functions in arbitrary closures. (@jbrown215 in #33544)

Handle React.useEffect in addition to useEffect in rules-of-hooks. (@Ayc0 in #34076)

Added react-hooks settings config option that to accept additionalEffectHooks that are used across exhaustive-deps and rules-of-hooks rules. (@jbrown215) in #34497

6.0.0

Accidentally released. See 6.1.0 for the actual changes.

5.2.0

Support flat config (@michaelfaith in #30774)

Convert the plugin to TypeScript and provide package type declarations (@michaelfaith in #32279, #32283, #32240, #32400 and @poteto in #32420)

Fix false positive error in components with do/while loops (@tyxla in #31720)

Detect issues in class properties (@mjesun & @ecraig12345 in #31823)

5.1.0

Add support for do/while loops (@tyxla in #28714)

Fix error when callback argument is an identifier with an as expression (@mskelton in #31119)

... (truncated)

Commits

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

github-actions · 2025-10-27T04:13:16Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package

Version

Score

Details

npm/eslint-plugin-react-hooks

7.0.1

🟢 5.7

Details

Check	Score	Reason
Code-Review	🟢 7	Found 22/30 approved changesets -- score normalized to 7
Maintained	🟢 10	30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 2	badge detected: InProgress
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Binary-Artifacts	🟢 9	binaries present in source code
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	⚠️ 0	229 existing vulnerabilities detected

npm/eslint-plugin-react-hooks

7.0.1

🟢 5.7

Details

Check	Score	Reason
Code-Review	🟢 7	Found 22/30 approved changesets -- score normalized to 7
Maintained	🟢 10	30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 2	badge detected: InProgress
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Binary-Artifacts	🟢 9	binaries present in source code
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	⚠️ 0	229 existing vulnerabilities detected

npm/hermes-estree

0.25.1

🟢 4.8

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Security-Policy	🟢 9	security policy file detected
SAST	⚠️ 0	no SAST tool detected
Binary-Artifacts	🟢 7	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Fuzzing	🟢 10	project is fuzzed
Vulnerabilities	⚠️ 0	28 existing vulnerabilities detected

npm/hermes-parser

0.25.1

🟢 4.8

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Security-Policy	🟢 9	security policy file detected
SAST	⚠️ 0	no SAST tool detected
Binary-Artifacts	🟢 7	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Fuzzing	🟢 10	project is fuzzed
Vulnerabilities	⚠️ 0	28 existing vulnerabilities detected

npm/zod

4.1.12

🟢 4.2

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Code-Review	🟢 4	Found 12/30 approved changesets -- score normalized to 4
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	13 existing vulnerabilities detected

npm/zod-validation-error

4.0.2

Unknown

Scanned Files

package.json
yarn.lock

github-actions · 2025-10-27T04:13:41Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-10-27T04:28:18Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-10-28T04:08:50Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-10-28T04:13:36Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-10-29T04:10:10Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

Bumps [eslint-plugin-react-hooks](https://github.com/facebook/react/tree/HEAD/packages/eslint-plugin-react-hooks) from 4.6.2 to 7.0.1. - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/packages/eslint-plugin-react-hooks/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/HEAD/packages/eslint-plugin-react-hooks) --- updated-dependencies: - dependency-name: eslint-plugin-react-hooks dependency-version: 7.0.1 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2025-10-30T04:09:23Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

sonarqubecloud · 2025-10-30T04:09:33Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

dependabot · 2025-10-31T04:17:36Z

Dependabot could not find a dependency.. Because of this, Dependabot cannot update this pull request.

dependabot bot added dependencies javascript Pull requests that update Javascript code labels Oct 27, 2025

dependabot bot mentioned this pull request Oct 27, 2025

chore(deps-dev): bump eslint-plugin-react-hooks from 4.6.2 to 7.0.0 #9151

Closed

otto-the-bot approved these changes Oct 27, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/eslint-plugin-react-hooks-7.0.1 branch from 6e5c0f9 to 0f949c9 Compare October 27, 2025 04:27

otto-the-bot approved these changes Oct 27, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/eslint-plugin-react-hooks-7.0.1 branch from 0f949c9 to 8f47801 Compare October 28, 2025 04:08

otto-the-bot approved these changes Oct 28, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/eslint-plugin-react-hooks-7.0.1 branch from 8f47801 to 5393b58 Compare October 28, 2025 04:12

otto-the-bot approved these changes Oct 28, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/eslint-plugin-react-hooks-7.0.1 branch from 5393b58 to f66a8f7 Compare October 29, 2025 04:09

otto-the-bot approved these changes Oct 29, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/eslint-plugin-react-hooks-7.0.1 branch from f66a8f7 to e0d30ab Compare October 30, 2025 04:08

otto-the-bot approved these changes Oct 30, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps-dev): bump eslint-plugin-react-hooks from 4.6.2 to 7.0.1 #9190

chore(deps-dev): bump eslint-plugin-react-hooks from 4.6.2 to 7.0.1 #9190

Uh oh!

dependabot bot commented on behalf of github Oct 27, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Oct 27, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Oct 27, 2025

Uh oh!

github-actions bot commented Oct 27, 2025

Uh oh!

github-actions bot commented Oct 28, 2025

Uh oh!

github-actions bot commented Oct 28, 2025

Uh oh!

github-actions bot commented Oct 29, 2025

Uh oh!

github-actions bot commented Oct 30, 2025

Uh oh!

sonarqubecloud bot commented Oct 30, 2025

Uh oh!

dependabot bot commented on behalf of github Oct 31, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

chore(deps-dev): bump eslint-plugin-react-hooks from 4.6.2 to 7.0.1 #9190

Are you sure you want to change the base?

chore(deps-dev): bump eslint-plugin-react-hooks from 4.6.2 to 7.0.1 #9190

Uh oh!

Conversation

dependabot bot commented on behalf of github Oct 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

[email protected] (Oct 11, 2024)

eslint-plugin-react-hooks

7.0.1

7.0.0

6.1.1

6.1.0

6.0.0

5.2.0

5.1.0

Uh oh!

github-actions bot commented Oct 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Dependency Review

OpenSSF Scorecard

Scanned Files

Uh oh!

github-actions bot commented Oct 27, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Oct 27, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Oct 28, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Oct 28, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Oct 29, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Oct 30, 2025

🟠 Dependency Security Audit

Uh oh!

sonarqubecloud bot commented Oct 30, 2025

Quality Gate passed

Uh oh!

dependabot bot commented on behalf of github Oct 31, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

dependabot bot commented on behalf of github Oct 27, 2025 •

edited

Loading

`eslint-plugin-react-hooks`

github-actions bot commented Oct 27, 2025 •

edited

Loading