Bump @typescript-eslint/eslint-plugin from 6.21.0 to 8.59.2

[dependabot]

Bumps @typescript-eslint/eslint-plugin from 6.21.0 to 8.59.2.

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.59.2

8.59.2 (2026-05-04)

🩹 Fixes

• eslint-plugin: [no-unsafe-type-assertion] handle crash on recursive template literal types (#12150)
• eslint-plugin: [no-deprecated] object destructuring values should be treated as declarations (#12292)
• rule-tester: add TypeScript as a peer dependency (#12288)

❤️ Thank You

• Dariusz Czajkowski
• Dima Barabash
• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.1

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

... (truncated)

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.59.2 (2026-05-04)

🩹 Fixes

• eslint-plugin: [no-deprecated] object destructuring values should be treated as declarations (#12292)
• eslint-plugin: [no-unsafe-type-assertion] handle crash on recursive template literal types (#12150)

❤️ Thank You

• Dima Barabash
• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

... (truncated)

Commits

• 2ec35f1 chore(release): publish 8.59.2
• ec3ef25 test: make no-useless-empty-export tests fully static (#12260)
• 60d0a51 chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
• 5c53da2 fix(eslint-plugin): [no-deprecated] object destructuring values should be tre...
• 80c28a1 fix(eslint-plugin): [no-unsafe-type-assertion] handle crash on recursive temp...
• b7b2670 test: make no-this-alias tests fully static (#12258)
• 5245793 chore(release): publish 8.59.1
• 3cef124 chore(eslint-plugin): switch auto-generated test cases to hand-written in dot...
• 27c507b test: make sort-type-constituents tests fully static (#12262)
• a03b31d chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​typescript-eslint/eslint-plugin since your current version.

[dependabot]

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​typescript-eslint/​eslint-plugin@​6.21.0 ⏵ 8.59.2	+1		+1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Embedded URLs or IPs: npm @typescript-eslint/eslint-plugin URLs: https://eslint.org/docs/latest/rules/no-new-symbol, https://github.com/typescript-eslint/typescript-eslint/pull/8895, https://typescript-eslint.io/users/configs#base, https://typescript-eslint.io/users/configs/#eslint-recommended, https://gist.github.com/mathiasbynens/6334847, https://github.com/typescript-eslint/typescript-eslint/issues/5468, https://github.com/typescript-eslint/typescript-eslint/issues/7527, Fruit.Apple, https://github.com/typescript-eslint/typescript-eslint/issues/5439, https://typescript-eslint.io/rules/no-empty-object-type, https://github.com/typescript-eslint/typescript-eslint/pull/8977, https://github.com/ajafff/tsutils/blob/49d0d31050b44b81e918eae4fbaf1dfe7b7286af/util/type.ts#L95-L125, https://github.com/microsoft/TypeScript/issues/48077, https://eslint.org/docs/latest/rules/no-loss-of-precision, https://github.com/typescript-eslint/typescript-eslint/pull/8832, https://typescript-eslint.io/rules/consistent-type-definitions, https://github.com/typescript-eslint/typescript-eslint/pull/6229, https://github.com/typescript-eslint/typescript-eslint/issues/11559, this.foo, https://github.com/microsoft/TypeScript/issues/62933, https://typescript-eslint.io/rules/no-require-imports, https://github.com/typescript-eslint/typescript-eslint/pull/8334, https://typescript-eslint.io/rules/ban-ts-comment, https://github.com/typescript-eslint/typescript-eslint/pull/9081, https://github.com/typescript-eslint/typescript-eslint/issues/4975, https://perfectionist.dev, https://perfectionist.dev/rules/sort-intersection-types, https://perfectionist.dev/rules/sort-union-types, https://github.com/typescript-eslint/typescript-eslint/pull/9253, https://github.com/microsoft/TypeScript/pull/56908, obf.foo, foo.bar.baz.buzz, https://typescript-eslint.io/rules/, https://github.com/typescript-eslint/typescript-eslint/pull/8952#discussion_r1576543310, https://github.com/microsoft/TypeScript/issues/31294, https://github.com/eslint/eslint/blob/3a4eaf921543b1cd5d1df4ea9dec02fab396af2a/lib/rules/utils/ast-utils.js#L1026-L1041, https://github.com/eslint/eslint/blob/3a4eaf921543b1cd5d1df4ea9dec02fab396af2a/lib/rules/utils/ast-utils.js#L1043-L1132 Location: Package overview From: package-lock.json → npm/@typescript-eslint/eslint-plugin@8.59.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.59.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @typescript-eslint/project-service URLs: https://github.com/typescript-eslint/typescript-eslint/issues/9905 Location: Package overview From: package-lock.json → npm/@typescript-eslint/eslint-plugin@8.59.2 → npm/@typescript-eslint/project-service@8.59.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/project-service@8.59.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @typescript-eslint/scope-manager URLs: es2020.date, es2017.date, esnext.date Location: Package overview From: package-lock.json → npm/@typescript-eslint/eslint-plugin@8.59.2 → npm/@typescript-eslint/scope-manager@8.59.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/scope-manager@8.59.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @typescript-eslint/types URLs: es2017.date, es2020.date, esnext.date Location: Package overview From: package-lock.json → npm/@typescript-eslint/eslint-plugin@8.59.2 → npm/@typescript-eslint/types@8.59.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/types@8.59.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @typescript-eslint/typescript-estree URLs: https://tseslint.com/allowdefaultproject-glob-too-wide, https://github.com/typescript-eslint/typescript-eslint/issues/101., https://github.com/typescript-eslint/typescript-eslint/issues/new/choose., https://tseslint.com/are-project-references-supported, https://tseslint.com/none-of-those-tsconfigs-include-this-file, https://github.com/typescript-eslint/typescript-eslint/issues/6289, https://github.com/typescript-eslint/typescript-eslint/issues/7896, https://github.com/typescript-eslint/typescript-eslint/issues/6469, https://tseslint.com/key-property-deprecated., this.foo, https://github.com/typescript-eslint/typescript-eslint/pull/6615#discussion_r1136489935 Location: Package overview From: package-lock.json → npm/@typescript-eslint/eslint-plugin@8.59.2 → npm/@typescript-eslint/typescript-estree@8.59.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/typescript-estree@8.59.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @typescript-eslint/utils URLs: https://eslint-community.github.io/eslint-utils/api/ast-utils.html#getstringifconstant, https://eslint-community.github.io/eslint-utils/api/ast-utils.html#hassideeffect, https://eslint.org/docs/developer-guide/working-with-rules#messageids, http://json-schema.org/schema#, http://json-schema.org/hyper-schema#, http://json-schema.org/draft-04/schema#, http://json-schema.org/draft-04/hyper-schema#, http://json-schema.org/draft-03/schema#, http://json-schema.org/draft-03/hyper-schema#, https://tools.ietf.org/html/draft-zyp-json-schema-03#section-5.3, https://tools.ietf.org/html/draft-zyp-json-schema-03#section-5.2, https://json-schema.org/understanding-json-schema/reference/array.html, https://tools.ietf.org/html/draft-zyp-json-schema-03#section-5.6, https://tools.ietf.org/html/draft-zyp-json-schema-03#section-5.5, https://json-schema.org/understanding-json-schema/reference/string.html, https://json-schema.org/understanding-json-schema/reference/numeric.html, https://tools.ietf.org/html/draft-zyp-json-schema-03#section-5.19, https://json-schema.org/understanding-json-schema/reference/boolean.html, https://json-schema.org/understanding-json-schema/reference/null.html, https://github.com/eslint/espree, https://tseslint.com/typed-linting Location: Package overview From: package-lock.json → npm/@typescript-eslint/eslint-plugin@8.59.2 → npm/@typescript-eslint/utils@8.59.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/utils@8.59.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@typescript-eslint/eslint-plugin@8.59.2 → npm/ignore@7.0.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm ignore URLs: https://git-scm.com/docs/gitignore, https://git-scm.com/docs/gitignore/2.22.1, https://github.com/search?q=ignore.default%28%29&type=code Location: Package overview From: package-lock.json → npm/@typescript-eslint/eslint-plugin@8.59.2 → npm/ignore@7.0.5 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm semver URLs: 1.2.3.4, https://semver.org/, SemVer.compare Location: Package overview From: package-lock.json → npm/@typescript-eslint/eslint-plugin@8.59.2 → npm/semver@7.7.4 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/semver@7.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm ts-api-utils URLs: https://github.com/JoshuaKGoldberg/ts-api-utils/issues/382, https://github.com/microsoft/TypeScript/pull/50929 Location: Package overview From: package-lock.json → npm/@typescript-eslint/eslint-plugin@8.59.2 → npm/ts-api-utils@2.5.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ts-api-utils@2.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[guibranco]

Automatically approved by gstraccini[bot]

[deepsource-io]

DeepSource Code Review

We reviewed changes in 860e9d9...a5f5bc7 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
JavaScript		May 6, 2026 2:53p.m.	Review ↗
Secrets		May 6, 2026 2:53p.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.