Bump eslint-plugin-react-hooks from 4.6.2 to 7.1.1

[dependabot]

Bumps eslint-plugin-react-hooks from 4.6.2 to 7.1.1.

Release notes

Sourced from eslint-plugin-react-hooks's releases.

eslint-plugin-react-hooks@7.1.1 (April 17, 2026)

Note: 7.1.0 accidentally removed the component-hook-factories rule, causing errors for users who referenced it in their ESLint config. This is now fixed.

• Add deprecated no-op component-hook-factories rule for backwards compatibility. (@​mofeiZ in #36307)

eslint-plugin-react-hooks@7.1.0 (April 16, 2026)

This release adds ESLint v10 support, improves performance by skipping compilation for non-React files, and includes compiler lint improvements including better set-state-in-effect detection, improved ref validation, and more helpful error reporting.

• Add ESLint v10 support. (@​azat-io in #35720)
• Skip compilation for non-React files to improve performance. (@​josephsavona in #35589)
• Fix exhaustive deps bug with Flow type casting. (@​jorge-cab in #35691)
• Fix useEffectEvent checks in component syntax. (@​jbrown215 in #35041)
• Improved set-state-in-effect validation with fewer false negatives. (@​jorge-cab in #35134, @​josephsavona in #35147, @​jackpope in #35214, @​chesnokov-tony in #35419, @​jsleitor in #36107)
• Improved ref validation for non-mutating functions and event handler props. (@​josephsavona in #35893, @​kolvian in #35062)
• Compiler now reports all errors instead of stopping at the first. (@​josephsavona in #35873–#35884)
• Improved source locations and error display in compiler diagnostics. (@​nathanmarks in #35348, @​josephsavona in #34963)

eslint-plugin-react-hooks@5.0.0 (Oct 11, 2024)

This release only contains eslint-plugin-react-hooks. Notably, new violations and support for ESLint v9 were added.

eslint-plugin-react-hooks

• New Violations: Component names now need to start with an uppercase letter instead of a non-lowercase letter. This means _Button or _component are no longer valid. (@​kassens) in #25162 For example, in

  function _Component() {
    useState()
    ^^^^^^^^ A React Hook "useState" is called in function "_Component" which is neither a Component nor a custom React Hook function.
  }

  _Component should be renamed to Component.

• Add support for ESLint v9. (@​eps1lon in #28773)
• Consider dispatch from useActionState stable. (@​eps1lon in #29665)
• Accept as expression in callback. (@​StyleShit in #28202)
• Accept as expressions in deps array. (@​StyleShit in #28189)
• Treat React.use() the same as use(). (@​kassens in #27769)
• Move use() lint to non-experimental. (@​kassens in #27768)
• Support Flow as expressions. (@​cpojer in #27590)
• Allow useEffect(fn, undefined). (@​kassens in #27525)
• Disallow hooks in async functions. (@​acdlite in #27045)
• Rename experimental useEvent to useEffectEvent. (@​sebmarkbage in #25881)
• Lint for presence of useEvent functions in dependency lists. (@​poteto in #25512)
• Check useEvent references instead. (@​poteto in #25319)
• Update RulesOfHooks with useEvent rules. (@​poteto in #25285)

Changelog

Sourced from eslint-plugin-react-hooks's changelog.

7.1.1

Note: 7.1.0 accidentally removed the component-hook-factories rule, causing errors for users who referenced it in their ESLint config. This is now fixed.

• Add deprecated no-op component-hook-factories rule for backwards compatibility. (@​mofeiZ in #36307)

7.1.0

This release adds ESLint v10 support, improves performance by skipping compilation for non-React files, and includes compiler lint improvements including better set-state-in-effect detection, improved ref validation, and more helpful error reporting.

• Add ESLint v10 support. (@​azat-io in #35720)
• Skip compilation for non-React files to improve performance. (@​josephsavona in #35589)
• Fix exhaustive deps bug with Flow type casting. (@​jorge-cab in #35691)
• Fix useEffectEvent checks in component syntax. (@​jbrown215 in #35041)
• Improved set-state-in-effect validation with fewer false negatives. (@​jorge-cab in #35134, @​josephsavona in #35147, @​jackpope in #35214, @​chesnokov-tony in #35419, @​jsleitor in #36107)
• Improved ref validation for non-mutating functions and event handler props. (@​josephsavona in #35893, @​kolvian in #35062)
• Compiler now reports all errors instead of stopping at the first. (@​josephsavona in #35873–#35884)
• Improved source locations and error display in compiler diagnostics. (@​nathanmarks in #35348, @​josephsavona in #34963)

7.0.1

• Disallowed passing inline useEffectEvent values as JSX props to guard against accidental propagation. (#34820 by @​jf-eirinha)
• Switch to export = so eslint-plugin-react-hooks emits correct types for consumers in Node16 ESM projects. (#34949 by @​karlhorky)
• Tightened the typing of configs.flat so the configs export is always defined. (#34950 by @​poteto)
• Fix named import runtime errors. (#34951, #34953 by @​karlhorky)

7.0.0

This release slims down presets to just 2 configurations (recommended and recommended-latest), and all compiler rules are enabled by default.

• Breaking: Removed recommended-latest-legacy and flat/recommended configs. The plugin now provides recommended (legacy and flat configs with all recommended rules), and recommended-latest (legacy and flat configs with all recommended rules plus new bleeding edge experimental compiler rules). (@​poteto in #34757)

6.1.1

Note: 6.1.0 accidentally allowed use of recommended without flat config, causing errors when used with ESLint v9's defineConfig() helper. This has been fixed in 6.1.1.

• Fix recommended config for flat config compatibility. The recommended config has been converted to flat config format. Non-flat config users should use recommended-legacy instead. (@​poteto in #34700)
• Add recommended-latest and recommended-latest-legacy configs that include React Compiler rules. (@​poteto in #34675)
• Remove unused NoUnusedOptOutDirectives rule. (@​poteto in #34703)
• Remove hermes-parser and dependency. (@​poteto in #34719)
• Remove @babel/plugin-proposal-private-methods dependency. (@​ArnaudBarre and @​josephsavona in #34715)
• Update for Zod v3/v4 compatibility. (@​kolian and @​josephsavona in #34717)

6.1.0

Note: Version 6.0.0 was mistakenly released and immediately deprecated and untagged on npm. This is the first official 6.x major release and includes breaking changes.

• Breaking: Require Node.js 18 or newer. (@​michaelfaith in #32458)
• Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@​michaelfaith in #32457)
• New Violations: Disallow calling use within try/catch blocks. (@​poteto in #34040)

... (truncated)

Commits

• See full diff in compare view

[dependabot]

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	eslint-plugin-react-hooks@​4.6.2 ⏵ 7.1.1	+1		+8

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Filesystem access: npm hermes-parser with module fs Module: fs Location: Package overview From: package-lock.json → npm/eslint-plugin-react-hooks@7.1.1 → npm/hermes-parser@0.25.1 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hermes-parser@0.25.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Minified code present: npm hermes-parser with 100.0% likelihood Confidence: 1.00 Location: Package overview From: package-lock.json → npm/eslint-plugin-react-hooks@7.1.1 → npm/hermes-parser@0.25.1 ℹ Read more on: This package | This alert | What's wrong with minified code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hermes-parser@0.25.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm hermes-parser URLs: https://github.com/eslint/eslint/blob/21d647904dc30f9484b22acdd9243a6d0ecfba38/lib/linter/linter.js#L779, https://github.com/prettier/prettier/issues/11793 Location: Package overview From: package-lock.json → npm/eslint-plugin-react-hooks@7.1.1 → npm/hermes-parser@0.25.1 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hermes-parser@0.25.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm zod is 100.0% likely to have a medium risk anomaly Notes: No explicit network exfiltration, reverse shell, or credential theft is present in this fragment. However, the code assembles and compiles arbitrary code via the Function constructor and invokes passed-in functions immediately (twice). That behavior constitutes a strong dangerous primitive (arbitrary code execution) which can be abused if any inputs (strings or args) are attacker-controlled. Treat this module as risky in threat models where inputs are not fully trusted; review call sites and sanitize/validate inputs or avoid dynamic evaluation. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/eslint-plugin-react-hooks@7.1.1 → npm/zod@4.4.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/zod@4.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Minified code present: npm zod with 95.0% likelihood Confidence: 0.95 Location: Package overview From: package-lock.json → npm/eslint-plugin-react-hooks@7.1.1 → npm/zod@4.4.3 ℹ Read more on: This package | This alert | What's wrong with minified code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/zod@4.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm zod URLs: 127.0.0.1, z.date, lkajsdf.com, gmail.com, https://json-schema.org/draft/2020-12/schema, http://json-schema.org/draft-07/schema#, http://json-schema.org/draft-04/schema#, domain.com, firstname.lastname@domain.com, subdomain.domain.com, domain-one.com, domain.name, domain.co.jp, very.common@example.com, disposable.style.email.with+symbol@example.com, other.email-with-hyphen@example.com, example.com, user.name+tag+sorting@example.com, asdf.example.com, strange-example.com, example.org, my-example.com, b.cd, mail.com, test.te-st.com, etu.inp-n7.fr, example.com@example.org, test.com, strange.example.com, 123.123.123.123, email.domain.com, -domain.com, Abc.example.com, but_its_not_allowed_in_this_part.example.com, -start.com, http://google.com, https://google.com/asdf?asdf=ljk3lk4&asdf=234#asdf, lkjsdf.com, 122.122.122.122, 254.164.77.1, 114.71.82.94, 0.0.0.0, 37.85.236.115, 192.168.0.1/24, 192.168.0.0/24, 10.0.0.0/8, 203.0.113.0/24, 192.0.2.0/24, 127.0.0.0/8, 172.16.0.0/12, 192.168.1.0/24, 192.168.1.1/33, 10.0.0.1/-1, 192.168.1.1/24/24, 192.168.1.0/abc, https://stackoverflow.com/a/46181/1550155, https://thekevinscott.com/emojis-in-javascript/#writing-a-regular-expression, https://stackoverflow.com/questions/7860392/determine-if-string-is-in-base64-using-javascript, https://base64.guru/standards/base64url, https://stackoverflow.com/a/3143231, https://stackoverflow.com/questions/3966484/why-does-modulus-operator-return-fractional-number-in-javascript/31711034#31711034, https://example.com/path?query=value, https://test.com/api/v1?foo=bar&baz=qux, https://example.com/path, http://example.com/path, http://api.example.com/v1/users, ftp://example.com, https://example.com/schema#/definitions/User, https://example.com/schemas/user, z.coerce.date, z.iso.date, z.map, https://github.com/colinhacks/zod/security/advisories/GHSA-r34p-xfmx-58wv, https://github.com/colinhacks/zod/security/advisories/GHSA-84jv-fqfx-wxhr, user.name, http://example.org/, https://my.local, https://example.com?key=NUXOmHqWNVTapJkJJHw8BfD155AuqhH_qju_5fNmQ4ZHV7u8, https://example.com?foo=bar, http://example.com?test=123, https://sub.example.com?param=value&other=data, https://example.com/, https://example.com/path/, https://example.com/path?query=param, https://example.com, https://example.com?key=value, https://example.com/?key=value, http://example.com/?test=123, https://example.com/../?key=value, https://example.com/./path?key=value, https://example.com/path?key=value, http://example.com?key=value, https://other.com?key=value, http://example.com, https://example.com:8080, http://example.com:8080, https://sub.example.com, http://sub.example.com, https://example.com/path/to/resource, http://example.com/path/to/resource, http://example.com/path?query=param, https://example.com/path#fragment, http://example.com/path#fragment, shttp://example.com, httpz://example.com, http://-asdf.com, http://asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdf.com, http://asdf.c, developer.mozilla.org/en-US/docs/Web/API/URL/password, lckj.com, www.google.com, 94.105.123.75, 192.168.0.1, 255.255.255.255, 1.2.3.4, 0.0.0.0/0, 255.255.255.255/32, 192.168.0.0, 192.168.0.0/33, 192.168.0.0/-1, sub.example.com, a-b-c.example.com, 123.example.com, example-123.com, developer.mozilla.org, hello.world.example.com, 192.168.1.1, xn--d1acj3b.com, xn--d1acj3b.org, example-.com, -example.com, example.com:8080, tp://invalid.com, mple.com, e.co, EXAMPLE.COM, https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/email, https://stackoverflow.com/questions/106179/regular-expression-to-match-dns-hostname-or-ip-address, https://blog.stevenlevithan.com/archives/validate-phone-number#r4-3, z.lt, z.gt, z.int, z.email, https://example.com/path?query=123#fragment, http://example.com/, http://example.com//, http://examples.com, http://example.org, https://example.org, 213.174.246.205, https://speedtest.net, https://example.net.il, https://github.com/paralleldrive/cuid., jsonSchema.id, https://example.com/Post.json, https://example.com/User.json Location: Package overview From: package-lock.json → npm/eslint-plugin-react-hooks@7.1.1 → npm/zod@4.4.3 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/zod@4.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[guibranco]

Automatically approved by gstraccini[bot]

[deepsource-io]

DeepSource Code Review

We reviewed changes in 860e9d9...5bdce59 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
JavaScript		May 6, 2026 2:55p.m.	Review ↗
Secrets		May 6, 2026 2:55p.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.