Bump the update-dependencies group across 1 directory with 16 updates

[dependabot]

Bumps the update-dependencies group with 15 updates in the / directory:

Package	From	To
@azure/msal-common	16.4.1	16.5.1
@azure/msal-node	5.1.2	5.1.4
@inquirer/confirm	6.0.10	6.0.12
@inquirer/input	5.0.10	5.0.12
@inquirer/select	5.1.2	5.1.4
@xmldom/xmldom	0.9.9	0.9.10
adaptivecards	3.0.5	3.0.6
axios	1.14.0	1.15.2
@actions/core	3.0.0	3.0.1
@types/node	24.12.0	24.12.2
@typescript-eslint/eslint-plugin	8.58.0	8.59.0
eslint	10.1.0	10.2.1
globals	17.4.0	17.5.0
sinon	21.0.3	21.1.2
@types/sinon	21.0.0	21.0.1

Updates @azure/msal-common from 16.4.1 to 16.5.1

Release notes

Sourced from @​azure/msal-common's releases.

@​azure/msal-common v16.5.1

16.5.1

Tue, 21 Apr 2026 22:41:19 GMT

Patches

• Improved account filtering when login hint is provided #8478 (lalimasharda@microsoft.com)

@​azure/msal-common v16.5.0

16.5.0

Thu, 16 Apr 2026 22:44:53 GMT

Minor changes

• Add support for client data telemetry with CLI_DATA parameter #8378 (kshabelko@microsoft.com)
• Add Platform broker telemetry #8488 (lalimasharda@microsoft.com)

Patches

• Add ssoCapable field to PerformanceEvent type for SSO capability telemetry. (sameera.gajjarapu@microsoft.com)
• Add skipBrokerClaims parameter for brokered authentication flows #8419 (AzureADGitHubBot@users.noreply.github.com)

Commits

• ae4e3cc Remove office-addin-debugging from OfficeAddin sample (#8546)
• 4ff5911 [v5] improve account filtering when login hint is provided (#8478)
• 0f6c981 Update cache schema to fix upgrade bug between v4 and v5 (#8545)
• ea87289 Add flat username (alias) support in sign-up flow (#8536)
• f2dcab7 Add CJS build for redirect-bridge subpath export (#8541)
• 4958ee2 Post-release PR (#8539)
• 86735c6 fix(e2e): improve E2E pipeline reliability - Chrome pre-warm, timeout fixes, ...
• 2250b83 Update event handling documentation for account state synchronization (#8526)
• 45bd7d9 [v5] Cache lookup B2C tests (#8508)
• 58bc3b2 Enhance security guidance in redirect bridge documentation regarding CDN usag...
• Additional commits viewable in compare view

Updates @azure/msal-node from 5.1.2 to 5.1.4

Release notes

Sourced from @​azure/msal-node's releases.

@​azure/msal-angular v5.1.4

5.1.4

Wed, 01 Apr 2026 20:09:00 GMT

Patches

• Bump @​azure/msal-browser to v5.6.3 (beachball)

@​azure/msal-node-extensions v5.1.4

5.1.4

Tue, 21 Apr 2026 22:41:19 GMT

Patches

• Bump @​azure/msal-common to v16.5.1 (beachball)

@​azure/msal-node v5.1.4

5.1.4

Tue, 21 Apr 2026 22:41:19 GMT

Patches

• Bump @​azure/msal-common to v16.5.1 (beachball)

@​azure/msal-angular v5.1.3

5.1.3

Wed, 18 Mar 2026 20:47:24 GMT

Patches

• Bump @​azure/msal-browser to v5.6.0 (beachball)
• Bump eslint-config-msal to v0.0.0 (beachball)

@​azure/msal-node-extensions v5.1.3

5.1.3

Thu, 16 Apr 2026 22:44:53 GMT

Patches

• Bump @​azure/msal-common to v16.5.0 (beachball)

@​azure/msal-node v5.1.3

5.1.3

Thu, 16 Apr 2026 22:44:53 GMT

... (truncated)

Commits

• ae4e3cc Remove office-addin-debugging from OfficeAddin sample (#8546)
• 4ff5911 [v5] improve account filtering when login hint is provided (#8478)
• 0f6c981 Update cache schema to fix upgrade bug between v4 and v5 (#8545)
• ea87289 Add flat username (alias) support in sign-up flow (#8536)
• f2dcab7 Add CJS build for redirect-bridge subpath export (#8541)
• 4958ee2 Post-release PR (#8539)
• 86735c6 fix(e2e): improve E2E pipeline reliability - Chrome pre-warm, timeout fixes, ...
• 2250b83 Update event handling documentation for account state synchronization (#8526)
• 45bd7d9 [v5] Cache lookup B2C tests (#8508)
• 58bc3b2 Enhance security guidance in redirect bridge documentation regarding CDN usag...
• Additional commits viewable in compare view

Updates @inquirer/confirm from 6.0.10 to 6.0.12

Commits

• 35bda2a chore: Publish new release
• 98eee29 fix(lint): suppress no-unnecessary-type-parameters on parseJSON helper
• aba5965 chore(deps-dev): Bump @​types/node in the types group (#2088)
• db8fbf1 chore(deps-dev): Bump turbo from 2.9.5 to 2.9.6 in the build group (#2087)
• 3cdecf5 chore(deps-dev): Bump oxfmt in the formatting group (#2086)
• e370b57 chore(deps-dev): Bump the linting group with 5 updates (#2085)
• 2787267 chore(deps-dev): Bump the testing group with 3 updates (#2084)
• 0c55499 chore(deps-dev): Bump the formatting group with 2 updates (#2081)
• e7115d9 fix(@​inquirer/core): mute output after readline initialization (#2077)
• e5e14ab chore(deps): Bump dependabot/fetch-metadata from 2 to 3 (#2078)
• Additional commits viewable in compare view

Updates @inquirer/input from 5.0.10 to 5.0.12

Commits

• 35bda2a chore: Publish new release
• 98eee29 fix(lint): suppress no-unnecessary-type-parameters on parseJSON helper
• aba5965 chore(deps-dev): Bump @​types/node in the types group (#2088)
• db8fbf1 chore(deps-dev): Bump turbo from 2.9.5 to 2.9.6 in the build group (#2087)
• 3cdecf5 chore(deps-dev): Bump oxfmt in the formatting group (#2086)
• e370b57 chore(deps-dev): Bump the linting group with 5 updates (#2085)
• 2787267 chore(deps-dev): Bump the testing group with 3 updates (#2084)
• 0c55499 chore(deps-dev): Bump the formatting group with 2 updates (#2081)
• e7115d9 fix(@​inquirer/core): mute output after readline initialization (#2077)
• e5e14ab chore(deps): Bump dependabot/fetch-metadata from 2 to 3 (#2078)
• Additional commits viewable in compare view

Updates @inquirer/select from 5.1.2 to 5.1.4

Commits

• 35bda2a chore: Publish new release
• 98eee29 fix(lint): suppress no-unnecessary-type-parameters on parseJSON helper
• aba5965 chore(deps-dev): Bump @​types/node in the types group (#2088)
• db8fbf1 chore(deps-dev): Bump turbo from 2.9.5 to 2.9.6 in the build group (#2087)
• 3cdecf5 chore(deps-dev): Bump oxfmt in the formatting group (#2086)
• e370b57 chore(deps-dev): Bump the linting group with 5 updates (#2085)
• 2787267 chore(deps-dev): Bump the testing group with 3 updates (#2084)
• 0c55499 chore(deps-dev): Bump the formatting group with 2 updates (#2081)
• e7115d9 fix(@​inquirer/core): mute output after readline initialization (#2077)
• e5e14ab chore(deps): Bump dependabot/fetch-metadata from 2 to 3 (#2078)
• Additional commits viewable in compare view

Updates @xmldom/xmldom from 0.9.9 to 0.9.10

Release notes

Sourced from @​xmldom/xmldom's releases.

0.9.10

Commits

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
  • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
• isEqualNode now correctly returns false for CDATASection nodes with different data

Deprecated

• The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.

Chore

• updated dependencies

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

Changelog

Sourced from @​xmldom/xmldom's changelog.

0.9.10

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
  • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
• isEqualNode now correctly returns false for CDATASection nodes with different data

Deprecated

• The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.

Chore

• updated dependencies

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.8.13

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -->
  • ProcessingInstruction: throws when data contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

Commits

• bf396a5 0.9.10
• 78f6089 test: add missing serializer coverage for nodeFilter string return, Attribute...
• 192ce5b ci: remove unused imports flagged by CodeQL
• ca81c06 test: lower stack size for tests
• c9d5937 style: npm run format
• 1537fb4 docs: add 0.9.10 changelog entry
• afd6f6f docs: add 0.8.13 changelog entry
• afeb4ee refactor: align error mesage between branches
• 4845ef1 fix: prevent stack overflow in isEqualNode (GHSA-2v35-w6hq-6mfw)
• dfb94a4 test: add missing isEqualNode behavioral coverage
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by karfau, a new releaser for @​xmldom/xmldom since your current version.

Updates adaptivecards from 3.0.5 to 3.0.6

Release notes

Sourced from adaptivecards's releases.

adaptivecards@3.0.6

Adaptive Cards JavaScript SDK v3.0.6

Security Fix

• CVE-2026-27212 — Updated swiper peer dependency from ^11.0.7 → ^12.1.2

Bug Fixes

• Fixed Dart Sass import issue caused by Swiper 12 dropping .scss files — imports updated to extensionless format to ensure CSS is properly inlined
• Bumped sass dev dependency from ^1.43.4 → ^1.98.0 to support CSS nesting in Swiper 1

Commits

• bae9212 Version adaptivecards to 3.0.6 for swiper CVE-2026-27212 fix
• 99ec7d0 Merge remote-tracking branch 'origin/main' into release/3.0.6
• 76156ce Update swiper peer dependency to ^12.1.2 to fix CVE-2026-27212 (#9356)
• 23b0987 Update swiper peer dependency to ^12.1.2 to fix CVE-2026-27212 (#9356)
• dd0ffca Update ASP.NET Core dependencies and add Kestrel in ImageRendererServer (#9352)
• 368bb76 Updating Microsoft.Bot.AdaptiveExpressions.Core Version to 4.23.1 (#9339)
• 644d933 Redirect website to new domain (#9337)
• 78f0f5f Adaptive Cards dev team review is mandatory for all changes in AdaptiveCards ...
• ea28be6 fixing WinUI3 pipeline (#9336)
• 7ad630d fixing c# projections (#9293)
• Additional commits viewable in compare view

Updates axios from 1.14.0 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

• 5829343 chore(release): prepare release 1.15.2 (#10789)
• 4709a48 fix: added fix for memory leak in sockets (#10788)
• be33360 chore: update changelog (#10781)
• 4791514 fix: more header pollutions (#10779)
• 6feafcf fix: socket issue (#10777)
• 302e273 docs: update docs, add a couple actions etc (#10776)
• ac42446 chore(release): prepare release 1.15.1 (#10767)
• 908f220 docs: update threatmodel (#10765)
• f93f815 docs: added docs around potential decompressions bomb (#10763)
• 1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
• Additional commits viewable in compare view

Updates @actions/core from 3.0.0 to 3.0.1

Changelog

Sourced from @​actions/core's changelog.

3.0.1

• Bump undici from 6.23.0 to 6.24.1 #2348

Commits

• See full diff in compare view

Updates @types/node from 24.12.0 to 24.12.2

Commits

• See full diff in compare view

Updates @typescript-eslint/eslint-plugin from 8.58.0 to 8.59.0

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.2

8.58.2 (2026-04-13)

🩹 Fixes

• remove tsbuildinfo cache file from published packages (#12187)
• eslint-plugin: [no-unnecessary-condition] use assignability checks in checkTypePredicates (#12147)

❤️ Thank You

• Abhijeet Singh @​cseas
• 송재욱

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.1

8.58.1 (2026-04-08)

🩹 Fixes

• eslint-plugin: [no-unused-vars] fix false negative for type predicate parameter (#12004)

❤️ Thank You

• MinJae @​Ju-MINJAE

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.58.2 (2026-04-13)

🩹 Fixes

• eslint-plugin: [no-unnecessary-condition] use assignability checks in checkTypePredicates (#12147)
• remove tsbuildinfo cache file from published packages (#12187)

❤️ Thank You

• Abhijeet Singh @​cseas
• 송재욱

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.58.1 (2026-04-08)

🩹 Fixes

• eslint-plugin: [no-unused-vars] fix false negative for type predicate parameter (#12004)

❤️ Thank You

• MinJae @​Ju-MINJAE

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• ea9ae4f chore(release): publish 8.59.0
• cfca550 feat(eslint-plugin): [no-unnecessary-type-assertion] report more cases based ...
• 6d599b4 chore(eslint-plugin): switch auto-generated test cases to hand-written in ret...
• 33c8169 chore: fix cspell violations in code blocks (#12167)
• 90c2803 chore(release): publish 8.58.2
• 7c9e06f fix(eslint-plugin): [no-unnecessary-condition] use assignability checks in ch...
• dae1732 chore(eslint-plugin): switch auto-generated test cases to hand-written in unb...
• be6b49a fix: remove tsbuildinfo cache file from published packages (#12187)
• 5311ed3 chore(release): publish 8.58.1
• c3f8ed5 fix(eslint-plugin): [no-unused-vars] fix false negative for type predicate pa...
• Additional commits viewable in compare view

Updates @typescript-eslint/parser from 8.58.0 to 8.59.1

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.59.1

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.2

8.58.2 (2026-04-13)

🩹 Fixes

• remove tsbuildinfo cache file from published packages (#12187)
• eslint-plugin: [no-unnecessary-condition] use assignability checks in checkTypePredicates (#12147)

❤️ Thank You

• Abhijeet Singh @​cseas
• 송재욱

... (truncated)

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.59.1 (2026-04-27)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.0 (2026-04-20)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.58.2 (2026-04-13)

🩹 Fixes

• remove tsbuildinfo cache file from published packages (

[milanholemans]

@dependabot rebase

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.