Update dependency @eslint-react/eslint-plugin to v5.9.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@eslint-react/eslint-plugin (source)	5.8.3 → 5.9.0

---

Release Notes

Rel1cx/eslint-react (@​eslint-react/eslint-plugin)

v5.9.0

Compare Source

✨ New

• Added react-web-api/no-leaked-intersection-observer rule to prevent leaked IntersectionObserver instances in components and hooks, enabled as warn in the recommended preset (#​1841, #​1868).

🐞 Fixes

• react-web-api/no-leaked-intersection-observer, react-web-api/no-leaked-resize-observer: Report when disconnect is only called inside the observer's own callback, since the callback may never run if the component unmounts before the element intersects or resizes (#​1872).

🏗️ Internal

• Improved CI configuration and updated SECURITY.md documentation (#​1871).
• Bumped fumadocs-core and fumadocs-ui to 16.10.1.

New Contributors

• Maikel van Dort (@​Netail) made their first contribution in #​1868.

Full Changelog: Rel1cx/eslint-react@v5.8.19...v5.9.0

v5.8.19

Compare Source

🏗️ Internal

• Simplified isJsxLike in core package and added behavior boundary tests (#​1869).
• Aligned code style in jsx package with core package (#​1870).
• Updated @types/node to ^25.9.3.

Full Changelog: Rel1cx/eslint-react@v5.8.18...v5.8.19

v5.8.18

Compare Source

🐞 Fixes

• Improved key detection in react-x/no-array-index-key and react-x/no-missing-key rules (#​1867).

📝 Documentation

• Removed 'See Also' sections from custom rule recipes.
• Reordered AST section in kit package docs (#​1866).
• Formatted examples as accordions in kit package docs.

🏗️ Internal

• Removed postinstall script on the website.
• Updated textlint rules for inclusive language.
• Updated dependencies and relaxed eslint peer dependency.

Full Changelog: Rel1cx/eslint-react@v5.8.17...v5.8.18

v5.8.17

Compare Source

📝 Documentation

• Simplified project description (#​1860).
• Updated LICENSE copyright to include contributors (#​1858).
• Updated brand assets guidelines and trademark policy on the website (#​1859).

🏗️ Internal

• Bumped typescript-eslint packages to v8.61.0 (#​1863, #​1864).
• Cleaned up config files (#​1856).
• Dropped rename-rule script and npm script (#​1857).
• Updated sponsors.svg (#​1855).
• Updated undici and cleaned up dprint config (#​1854).
• Updated brand component and removed boilerplate on the website (#​1861).
• Updated scaffold script, docs and baseline (#​1862).

Full Changelog: Rel1cx/eslint-react@v5.8.16...v5.8.17

v5.8.16

Compare Source

🐞 Fixes

• Aligned dependency versions across monorepo (#​1853).

Full Changelog: Rel1cx/eslint-react@v5.8.15...v5.8.16

v5.8.15

📝 Documentation

• Added under-construction callouts and refined kit pages on the website (#​1850, #​1851).
• Removed AGENTS.md and CONTRIBUTING.md documents and references (#​1848).
• Updated home and third-party plugins pages on the website.
• Updated issue template guidance and labels.

🏗️ Internal

• Bumped @types/* dependencies (#​1852).
• Relaxed checklist requirements in issue templates (#​1849).

Full Changelog: Rel1cx/eslint-react@v5.8.13...v5.8.15

v5.8.13

Compare Source

📝 Documentation

• Added GoogleCloudPlatform/gke-mcp and removed archived antfu/shiki-stream from community projects on the website.
• Improved RSC Directives wording in documentation.
• Removed the no-multiple-children-in-title recipe from the website.
• Removed the kit beta banner from the website (#​1846).

🏗️ Internal

• Added RuleListener return type to all rule create functions (#​1845).
• Added boundary and edge case tests for react-dom rules, JSX rules, and naming-convention rules (context-name, id-name, ref-name).
• Added identifier resolution tests for react-x/no-leaked-conditional-rendering (#​1844).
• Bumped pnpm and updated lockfile.
• Bumped tsdown to 0.22.2 and updated dependencies.
• Removed redundant single-argument merge() calls in rules (#​1843).
• Switched GitHub workflows to ubuntu-latest.
• Updated website brand assets and icons.

Full Changelog: Rel1cx/eslint-react@v5.8.12...v5.8.13

v5.8.12

Compare Source

🪄 Improvements

• jsx: Aligned getChildren with Babel's buildChildren and cleanJSXElementLiteralChild patterns, improving whitespace handling accuracy in react-jsx/no-useless-fragment and react-jsx/no-children-prop rules. Migrated child text cleanup to @eslint-react/jsx utilities and removed local lib.ts helpers. (#​1836)
• jsx: Removed isPaddingWhitespace API and added whitespace boundary tests for react-jsx/no-useless-fragment and react-dom/no-dangerously-set-innerhtml-with-children rules. (#​1837)
• jsx: Renamed cleanJSXTextValue to collapseMultilineText in the public API and updated react-jsx/no-useless-fragment to use the new name. (#​1838)

📝 Documentation

• Website: Expanded the Brand Assets page with an icons section and formatted file names as inline code. (#​1834)

🏗️ Internal

• Added scripts/generate-website-icons.py for automated icon generation and refined logo geometry across all website assets. (#​1833)
• Bumped import-integrity-lint and enhanced-resolve.
• Bumped axios to ^1.17.0 and shiki to 4.2.0.
• Updated pnpm lockfiles for dompurify and rolldown.
• Updated rule-level changelogs for no-useless-fragment, no-children-prop, and no-dangerously-set-innerhtml-with-children. (#​1836, #​1837, #​1838)

Full Changelog: Rel1cx/eslint-react@v5.8.11...v5.8.12

v5.8.11

Compare Source

📝 Documentation

• Added a new Brand Assets page and updated Meta legal name (#​1832).

🏗️ Internal

• Updated default React fallback version to 19.2.7 (#​1827).
• Recreated logo with an open-source workflow, removing reliance on SVG assets exported by Amadine (#​1831).
• Removed @fontsource/iosevka-aile and switched to system font fallbacks.
• Bumped TypeScript to 6.0.3 (#​1828).
• Patch bumped @typescript-eslint/* to 8.60.1, react / react-dom to 19.2.7, next to 16.2.7, and @types/react to 19.2.16.

Full Changelog: Rel1cx/eslint-react@v5.8.10...v5.8.11

v5.8.10

Compare Source

🐞 Fixes

• react-dom/no-unused-class-component-members: Aligned preset details in rule documentation (#​1825).
• react-dom/no-unsafe-iframe-sandbox, react-x/context-name, react-x/id-name, react-x/ref-name, react-x/no-unnecessary-use-prefix, react-x/no-string-style-prop: Fixed missing or incorrect presets in rule documentation (#​1826).

📝 Documentation

• naming-convention: Expanded examples and annotated Ok cases for context-name, id-name, and ref-name rules (#​1819).
• Refactored MyComponent examples to Button component in custom rules of props and function component definition recipes (#​1823).
• Added azat-io eslint-config to the community presets list.

🏗️ Internal

• jsx: Consolidated whitespace child predicates and added isEmptyStringExpression to the public API (#​1820).
• Added preset verification to verify-docs.ts (#​1822).
• Added AGENTS.md guide for AI coding agents (#​1824).
• Normalized local package metadata in .pkgs/*.
• Bumped vite to ^8.0.15 and ansis to ^4.3.1 across workspace packages.

New Contributors

• Kenton Jacobsen (@​brokentone) made their first contribution in #​1825.

Full Changelog: Rel1cx/eslint-react@v5.8.9...v5.8.10

v5.8.9

Compare Source

🐞 Fixes

• react-x/no-direct-mutation-state: Detect nested state mutations and member expressions in assignment expressions (#​1818).

📝 Documentation

• Updated contributing guide and monorepo structure documentation.

🏗️ Internal

• Removed .vscode directories from all examples, added missing engines.node to Preact examples, cleaned up redundant .config/*.ts from tsconfig.node.json, and updated .gitignore.
• Cleaned up configs and docs.
• Patch bumped eslint, tinyglobby, and tsdown across workspace packages; added @fontsource/iosevka-aile to the website; reordered CSS imports in layout.tsx.
• Updated .sentrux baseline timestamp.

Full Changelog: Rel1cx/eslint-react@v5.8.8...v5.8.9

v5.8.8

Compare Source

📝 Documentation

• kit: Added is.APICall callout to the Kit documentation (#​1813).
• jsx: Updated getChildren and hasChildren API documentation to reflect empty string children behavior.
• Reworked status emoji indicators across docs and examples (#​1816).
• Added ℞ prefix to recipe titles and cleaned up See Also sections.
• Removed the custom-rules-of-children recipe and cross-linked the remaining recipes.
• Added redirects for moved rule documentation.
• Cleaned up the "Community Maintained Presets that use ESLint React" documentation page.

🏗️ Internal

• react-x/no-misused-capture-owner-stack: Added edge-case tests for captureOwnerStack (#​1813).
• Updated fonts and dropped the data-theme attribute.
• Updated theme configuration (#​1815).
• Aligned the tsdown version in @local/configs.
• Enabled trustPolicy: "no-downgrade" and added minimumReleaseAge: 1440 (1 day).
• Bumped eslint to 10.4.1 across workspace packages.
• Bumped pnpm to 11.5.0 and refreshed the lockfile.
• Bumped fumadocs packages and tinyexec.
• Bumped eslint-plugin-package-json to 1.2.0.
• Updated dprint plugins and reformatted font families in example projects.
• Updated Sentrux baseline metrics.
• Updated .gitignore.

Full Changelog: Rel1cx/eslint-react@v5.8.7...v5.8.8

v5.8.7

Compare Source

🐞 Fixes

• react-x/no-create-ref: Fixed a false positive where createRef calls in non-React classes were reported. The rule now only reports createRef calls inside function components or Hooks (#​1812).
• react-x/no-unused-state: Removed the "only used in effects" detection so the rule only reports state variables that are defined but never used, reducing false positives (#​1808, #​1749).
• jsx: Aligned children filtering and hasChildren behavior with React source, updating no-children-prop and no-useless-fragment rules accordingly (#​1805).
• Zod compatibility: Relaxed zod peer dependency to support both v3 and v4 (#​1810).

📝 Documentation

• react-dom, react-web-api, react-x: Enriched rule MDX examples with TypeScript snippets from react.dev (#​1809).
• react-dom: Added more rule examples to no-dangerously-set-innerhtml, no-find-dom-node, no-hydrate, no-render, and no-render-return-value documentation (#​1804).
• react-dom: Added legitimate flushSync use cases to no-flush-sync rule documentation (#​1803).
• Bumped the documented ESLint minimum version to 10.3.0.
• Clarified that the off preset disables all rules.
• Fixed inaccurate minimum ESLint version and off preset description in README.

🏗️ Internal

• react-x/no-misused-capture-owner-stack: Refactored the process.env.NODE_ENV detection helpers to use the shared core.isAPI utility (#​1812).
• react-x/no-unused-state: Removed incorrect invalid test cases.
• jsx: Added targeted test cases for empty string children behavior in no-children-prop-with-children and no-useless-fragment rules (#​1806).
• Website: Removed SF Pro fonts from the body font stack and normalized CSS baseline.
• Tests: Normalized quote usage in test files and removed www prefix from eslint-react.xyz links (#​1807).
• Removed eslint-plugin-function and bumped website dependencies (#​1811).
• Flattened scripts/lib into the scripts root.
• Updated .textlintrc.json.
• Updated dprint plugins and tidied scripts.
• Removed enriching-rule-examples-from-react-dev.md from main branch.
• Updated Sentrux baseline metrics.
• Updated per-rule CHANGELOGs for no-useless-fragment, no-children-prop, and no-children-prop-with-children (#​1805).
• Bumped dependencies:
  • @takumi-rs/image-response to ^1.6.0
  • dompurify to 3.4.6
  • fumadocs-mdx and updated pnpm lockfile
  • tsdown to 0.22.1
  • dprint plugins (g-plane/markup_fmt and markdown)

Full Changelog: Rel1cx/eslint-react@v5.8.6...v5.8.7

v5.8.6

Compare Source

📝 Documentation

• Improved react-x/context-name rule description accuracy.
• Removed broken Further Reading links across rule documentation.
• Reordered Further Reading links by relevance in react-x, react-dom, and react-web-api rule documentation.
• Updated term-based-rule-patterns.md documentation.

🏗️ Internal

• ast: Replaced isLiteral with isStringLiteral in Check utilities (#​1798).
• Assets: Made logo 120° rotationally symmetric and regenerated all icon assets (#​1799).
• Configs: Converted tsdown and tsl base configs to factory functions.
• Custom Rules: Moved custom rule samples to the @local/samples package (#​1800).
• TypeScript: Fixed TypeScript version specification and cleaned up code style (#​1801).
• Bumped dependencies across workspace packages:
  • @typescript-eslint to ^8.60.0
  • eslint-plugin-jsdoc to 63.0.0
  • fumadocs patch versions
  • nx to ^22.7.4
  • pnpm and lockfile updates

Full Changelog: Rel1cx/eslint-react@v5.8.5...v5.8.6

v5.8.5

Compare Source

📝 Documentation

• Added rule implementation patterns guide (docs/rule-implementation-patterns.md) and term-based rule patterns guide (docs/term-based-rule-patterns.md).
• Lowered minimum TypeScript version requirement from 5.1.0 to 5.0.0 across README and documentation.
• Fixed textlint war-metaphor warnings and refined .textlintrc.json patterns.

🏗️ Internal

• Adjusted formatting across configuration and script files (#​1795).
• Fixed a typo in the CI test workflow step.
• Added regression tests for oxc issues compatibility verification (#​1796).
• Bumped dependencies across workspace packages:
  • @effect/language-service to ^0.86.2
  • @takumi-rs/image-response to ^1.3.0
  • @tsconfig/vite-react to ^8.0.6
  • @types/node to ^25.9.1
  • @types/react to ^19.2.15
  • eslint-plugin-package-json to ^1.1.0
  • fumadocs-core to ^16.9.0
  • fumadocs-mdx to ^15.0.7
  • fumadocs-ui to ^16.9.0
  • lru-cache to 11.5.0
  • nx to ^22.7.3
  • postcss to ^8.5.15
  • vite to ^8.0.14
  • vitest to ^4.1.7
  • pnpm to 11.2.1

Full Changelog: Rel1cx/eslint-react@v5.8.4...v5.8.5

v5.8.4

Compare Source

📝 Documentation

• Website: Restructured the FAQ page from an accordion layout to standard headings for better SEO, accessibility, and direct anchor linking.
• Website: Replaced the homepage Hint popover with a direct link to the FAQ anchor explaining the project's human/LLM collaboration policy.
• Added a new "What does 90% human-written mean?" section to the FAQ.
• Updated documentation for isClassComponent and JsxConfig.
• Removed outdated documentation files.

🏗️ Internal

• core: Simplified isClassComponent by removing the context parameter and replacing isClassComponentLoose with the simplified function.
• eslint-plugin-react-x: Removed unnecessary optional chaining across multiple rules (immutability, no-unused-state, purity, refs, set-state-in-effect, static-components, use-memo, etc.) and expanded test coverage for edge cases (#​1792).
• Added automated GitHub Release workflow and fixed actions/setup-node cache parameter error.
• Added null-safety boundary tests for rules affected by PR #​1792 (#​1794).
• Bumped dependencies across workspace packages: @takumi-rs/image-response to 1.2.1, fumadocs-mdx to 15.0.6, import-integrity-lint to 1.1.1, preact to 10.29.2, tsx to 4.22.1, @typescript-eslint to ^8.59.4, @types/node to ^25.9.0, dompurify to ^3.4.5, pnpm to 11.1.3, textlint to 15.7.1, and dprint TypeScript plugin to 0.96.1.
• Cleaned up stray empty string in tsl.config.ts.
• Cleaned up type and lint errors across the workspace (#​1793).
• Downgraded TypeScript override in pnpm-workspace.yaml from ^6.0.3 to 5.9.3.
• Fixed zizmor security audit findings in release workflow and moved ignore comments inline, removing .github/zizmor.yml.
• Removed scripts/verify-lockfile.ts, scripts/verify-devtools.ts, and all references to them.
• Reordered handler functions in react-jsx/no-children-prop (no logic change).
• Updated baseline metrics and compacted tsconfig.

Full Changelog: Rel1cx/eslint-react@v5.8.3...v5.8.4

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[Claudia-Anthropica]

@renovate Clean patch bump — upstream 5.8.1 is docs and scaffolding only, no rule behavior changes. CI is green. LGTM.

[Claudia-Anthropica]

@renovate Same story as 5.8.1 — 5.8.2 upstream is docs + internal only, no rule behavior changes. Lockfile diff is restricted to @eslint-react/* and the corresponding eslint-plugin-react-* peers. CI is green. LGTM.

[Claudia-Anthropica]

@renovate Patch bump from 5.8.2 → 5.8.3. Upstream 5.8.3 is a targeted false-positive fix in react-dom/no-unknown-property (adds React 19 precedence/blocking to the known-attribute allowlist, with version-gated tag checks). Lockfile diff is restricted to @eslint-react/* and the matching eslint-plugin-react-* peers — no unrelated transitive shuffling. Build checks are green. LGTM.

[Claudia-Anthropica]

@renovate Straightforward patch bump and the lockfile diff checks out. Holding off on approval this round though — CI is red and won't self-heal: pnpm install --frozen-lockfile is blocked by pnpm's minimumReleaseAge (5.8.4 was published today, clears ~tomorrow), and hiding behind that the committed client SBOM is stale and needs regenerating. Details inline.

[Claudia-Anthropica]

@renovate [medium] The 5.8.4 bump itself is clean — upstream is docs + internal-only (optional-chaining cleanup in rules, added null-safety tests), no rule behavior changes, and the lockfile diff is consistent (@eslint-react/* → 5.8.4 plus the transitive @typescript-eslint 8.59.3→8.59.4 consolidation). But CI is red and won't go green on its own. Two things: pnpm install --frozen-lockfile fails with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION because 5.8.4 was published today (clears once it ages past pnpm's ~1-day cutoff, roughly tomorrow), and the committed client SBOM is stale — client/sbom/.lock-hash no longer matches sha256(pnpm-lock.yaml + package.json). The refresh_sbom workflow already failed twice on this commit (it hits the same age gate), so it won't self-heal. Once the packages age out, regenerate the SBOM and commit it.

🤖 Prompt for AI agents

In the client/ directory, the committed SBOM is stale after bumping @eslint-react/eslint-plugin to 5.8.4: client/sbom/.lock-hash does not match the sha256 of pnpm-lock.yaml + package.json. After the @eslint-react/* 5.8.4 packages have aged past pnpm's minimumReleaseAge cutoff (~2026-05-23), run pnpm run sbom:force in client/ and commit the regenerated client/sbom/bom.json and client/sbom/.lock-hash.

[Claudia-Anthropica]

@renovate Status update after the rebase onto develop: the minimumReleaseAge block has cleared, so pnpm install --frozen-lockfile passes now and the only thing still red is the SBOM gate. client/sbom/ is stale — .lock-hash is bf47dc0… but pnpm-lock.yaml + package.json now hash to 396bc75…, so run-tests / build fails with "client/sbom/ is stale". It still needs pnpm run sbom:force run in client/ and the regenerated bom.json + .lock-hash committed.

Heads up for the maintainers: this won't self-heal. The refresh_sbom workflow is now failing right at the start with "Neither SBOM_BOT_APP_ID/SBOM_BOT_PRIVATE_KEY nor SBOM_BOT_PAT is configured" — so the auto-refresh bot can't push the SBOM until those repo secrets are wired up. Until then someone has to regenerate and push it manually. Leaving this unresolved until the SBOM lands.

[Claudia-Anthropica]

@renovate Now bumped to 5.8.5 — the bump itself is still clean. CI is red for the same SBOM reason plus a fresh wrinkle: client/sbom/ is still stale (.lock-hash is bf47dc0… but pnpm-lock.yaml + package.json now hash to 8cb8709…), and because 5.8.5 was published today the minimumReleaseAge gate is back, so pnpm install --frozen-lockfile fails again in build-client/e2e (clears in ~1 day). Once the packages age out, someone still needs to run pnpm run sbom:force in client/ and commit the regenerated bom.json + .lock-hash — the refresh_sbom bot can't do it (SBOM_BOT secrets still unconfigured). Leaving unresolved.

[Claudia-Anthropica]

@renovate Still unresolved on 5.8.6. pnpm install --frozen-lockfile is failing again because the 5.8.6 @eslint-react/eslint-plugin package set was published today and is inside pnpm minimumReleaseAge, and client/sbom/ is still stale (.lock-hash is bf47dc0..., current hash is 055c58f...). Once the age gate clears, run pnpm run sbom:force in client/ and commit the regenerated SBOM files; the refresh workflow still cannot push this automatically because SBOM_BOT credentials are not configured.

[Claudia-Anthropica]

@renovate Still unresolved on 5.8.7. The client jobs are failing again on pnpm minimumReleaseAge for the newly published 5.8.7 @eslint-react package set, and client/sbom/ is still stale: .lock-hash is bf47dc0..., while the current pnpm-lock.yaml + package.json hash is e9b6e94.... Once the age gate clears, run pnpm run sbom:force in client/ and commit the regenerated SBOM files; the refresh workflow still cannot push this automatically because the SBOM bot credentials are missing.

[Claudia-Anthropica]

@renovate Still unresolved on 5.8.12. CI is red on the fresh pnpm minimumReleaseAge block for the 5.8.12 @eslint-react package set, and client/sbom/ is still stale: .lock-hash is bf47dc04..., while the current pnpm-lock.yaml + package.json hash is 93894c5a.... Once the age gate clears (latest package publish time is 2026-06-04 21:02:59 UTC, so roughly after 2026-06-05 21:03 UTC), run pnpm run sbom:force in client/ and commit the regenerated SBOM files; the refresh workflow still cannot push this automatically because the SBOM bot credentials are missing.

[Claudia-Anthropica]

@renovate Still open on 5.8.13. CI is red on the fresh pnpm minimumReleaseAge block for the 5.8.13 package set, and client/sbom/.lock-hash is still bf47dc04... while the current hash is cdd48297...; once the age gate clears, run pnpm run sbom:force in client/ and commit the regenerated SBOM files.

[Claudia-Anthropica]

@renovate Still unresolved on 5.8.16. CI is failing on pnpm minimumReleaseAge for the newly published 5.8.16 package set, and client/sbom/.lock-hash is still bf47dc04... while the current package/lockfile hash is 4b15467c...; once the age gate clears, regenerate and commit client/sbom/. The refresh workflow still cannot push this automatically because the SBOM bot credentials are missing.

[Claudia-Anthropica]

@renovate Still unresolved on 5.8.17. client/sbom/.lock-hash is still bf47dc04..., but the current pnpm-lock.yaml + package.json hash is bd674768..., so client/sbom/ still needs regeneration and a commit. The last CI run also hit pnpm minimumReleaseAge because the 5.8.17 packages had just been published; that should clear on rerun, but the SBOM mismatch will remain until pnpm run sbom:force is committed.

[Claudia-Anthropica]

@renovate Still open on 5.9.0. The committed client/sbom/.lock-hash is still bf47dc04..., while the current pnpm-lock.yaml + package.json hash is 8f76b0be...; client/sbom/ still needs pnpm run sbom:force and a commit. CI is also currently hitting pnpm minimumReleaseAge for the freshly published 5.9.0 package set, so rerun after the age gate clears, but the SBOM mismatch will remain until the regenerated files are committed.

[Claudia-Anthropica]

@renovate The bump itself is still clean and the rebase fixed the install block (minimumReleaseAge has cleared). But CI's SBOM gate is still red — client/sbom/ wasn't regenerated after the lockfile change, so run-tests / build fails with "client/sbom/ is stale". Needs pnpm run sbom:force run in client/ and the result committed (details in the thread). Holding off on approval until that lands and the build goes green.

[Claudia-Anthropica]

@renovate Clean bump to 5.8.5 (upstream is docs + internal-only, no rule behavior changes), but holding off again because CI is red. The minimumReleaseAge gate is back now that 5.8.5 published today, so pnpm install --frozen-lockfile fails in build-client/e2e (self-heals in ~a day), and the committed client/sbom/ is still stale — it needs a manual pnpm run sbom:force + commit since the refresh_sbom bot can't push it (SBOM_BOT secrets unconfigured). Details in the thread above.

[Claudia-Anthropica]

@renovate The dependency bump itself still looks straightforward, but the requested CI/SBOM fix is not addressed on the 5.8.6 update. The client jobs are blocked by pnpm minimumReleaseAge for the newly published 5.8.6 packages, and client/sbom/ is still stale, so I need to keep this as changes requested.

[Claudia-Anthropica]

@renovate The dependency bump itself still looks straightforward, but the requested CI/SBOM fix is still open on 5.8.7. Client install is blocked by pnpm minimumReleaseAge again, and the committed client SBOM hash is stale; I updated the existing thread with the current hashes and log details.

[Claudia-Anthropica]

@renovate The bump itself still looks straightforward, but the requested SBOM fix is still missing and CI is red again on the 5.8.8 age gate. Keeping changes requested until client/sbom/ is regenerated and committed once the packages age out.

[Claudia-Anthropica]

@renovate The dependency bump itself is still straightforward, but the requested CI/SBOM fix is still open on 5.8.9. CI is red on pnpm minimumReleaseAge for the freshly published packages, and client/sbom/ still needs regeneration once the age gate clears.

[Claudia-Anthropica]

@renovate The dependency bump itself still looks straightforward, but the requested SBOM fix is still missing. client/sbom/.lock-hash does not match the current package/lockfile hash, and the refresh workflow cannot push the regeneration, so CI remains red. Keeping changes requested until the SBOM files are regenerated and committed.

[Claudia-Anthropica]

@renovate The bump itself still looks straightforward, but the requested SBOM/CI fix is still open on 5.8.11. CI is red on the fresh pnpm minimumReleaseAge block, and client/sbom/ still needs regeneration once that clears.

[Claudia-Anthropica]

@renovate The dependency bump still looks straightforward, but the requested CI/SBOM fix is still open on 5.8.12. Client CI is blocked by pnpm minimumReleaseAge for the freshly published packages, and client/sbom/ still needs regeneration once the age gate clears.

[Claudia-Anthropica]

@renovate The dependency bump itself still looks straightforward, but CI is red and the previous SBOM request is still open. The current 5.8.13 packages are inside pnpm minimumReleaseAge, and client/sbom/.lock-hash still needs to be regenerated from the current package/lockfile once that clears.

[Claudia-Anthropica]

@renovate The dependency bump itself still looks straightforward, but the previous CI/SBOM blocker is still open. client/sbom/ was not regenerated for the current package/lockfile, and the fresh 5.8.16 packages are still inside pnpm minimumReleaseAge, so I need to keep this as changes requested.

[Claudia-Anthropica]

@renovate The dependency bump itself still looks fine, but the previous SBOM/CI blocker is still open. The committed client/sbom/.lock-hash is stale for the current package/lockfile pair, and the refresh workflow still cannot push the regenerated SBOM automatically. Keeping changes requested until client/sbom/ is regenerated and committed.

[Claudia-Anthropica]

@renovate The 5.9.0 bump itself still looks straightforward, but the previously requested SBOM/CI fix is still open. client/sbom/.lock-hash is stale for the current package/lockfile, and client CI is currently also blocked by pnpm minimumReleaseAge for the freshly published 5.9.0 packages. Keeping changes requested until client/sbom/ is regenerated and committed and CI can pass.

[krusche]

Superseded by #1101, which consolidates the client and server dependency updates into a single PR (this dependency is included there at @eslint-react/eslint-plugin 5.9.0). Closing in favor of #1101.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (5.9.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.