@shopify/eslint-plugin has security warnings, how to deal with them?

[martijnhartlief]

We're trying to resolve some dependabot security warnings that come from eslint-config-hardcore, for example:
@graphql-tools/url-loader@6.10.1 > graphql-config > eslint-plugin-graphql > @shopify/eslint-plugin

Since eslint-plugin-graphql is being deprecated and there hasn't been movement in @shopify/eslint-plugin to replace the package, is there any way around this?

• eslint-plugin-graphql is deprecated Shopify/web-configs#327

[EvgenyOrekhov]

You probably don't need to worry about GraphQL-related packages since GraphQL-related rules are not included in eslint-config-hardcore.

BTW here's a good relevant article by Dan Abramov: npm audit: Broken by Design.

Also, I'm thinking about removing @shopify/eslint-plugin since eslint-config-hardcore uses only a few rules from it, but @shopify/eslint-plugin pulls too many transient dependencies.

[martijnhartlief]

You probably don't need to worry about GraphQL-related packages since GraphQL-related rules are not included in eslint-config-hardcore.

Alright, we'll ignore them for now.

Also, I'm thinking about removing @shopify/eslint-plugin since eslint-config-hardcore uses only a few rules from it, but @shopify/eslint-plugin pulls too many transient dependencies.

That sounds like a more maintainable way of handling dependencies indeed. As I see it, depending on another "bundeling package" makes your work way harder.

[EvgenyOrekhov]

They fixed it in @shopify/eslint-plugin@42.0.0.
Released in eslint-config-hardcore@24.8.1.

[martijnhartlief]

Nice! 👍🏻