build(deps-dev): bump @duckduckgo/eslint-config from v0.1.0 to v0.2.1

[dependabot]

Bumps @duckduckgo/eslint-config from v0.1.0 to v0.2.1.

Release notes

Sourced from @​duckduckgo/eslint-config's releases.

v0.2.1

⚠️ Pushed to main

• don't apply major label to dependabot prs (@​muodov)

Authors: 1

• Maxim Tsoy (@​muodov)

v0.2.0

🚀 Enhancement

• add auto-merge and release automations #4 (@​muodov)

🐛 Bug Fix

• Dependabot #3 (@​muodov)

⚠️ Pushed to main

• set release CI identity to Dax (@​muodov)
• Add recommended Prettier config to the readme (@​muodov)

Authors: 1

• Maxim Tsoy (@​muodov)

Changelog

Sourced from @​duckduckgo/eslint-config's changelog.

v0.2.1 (Wed May 27 2026)

⚠️ Pushed to main

• don't apply major label to dependabot prs (@​muodov)

Authors: 1

• Maxim Tsoy (@​muodov)

---

v0.2.0 (Wed May 27 2026)

🚀 Enhancement

• add auto-merge and release automations #4 (@​muodov)

🐛 Bug Fix

• Dependabot #3 (@​muodov)

⚠️ Pushed to main

• set release CI identity to Dax (@​muodov)
• Add recommended Prettier config to the readme (@​muodov)

Authors: 1

• Maxim Tsoy (@​muodov)

Commits

• 1a2a3f0 Bump version to: 0.2.1 [skip ci]
• e2b7298 Update CHANGELOG.md [skip ci]
• d773502 don't apply major label to dependabot prs
• 9bc1a41 Bump version to: 0.2.0 [skip ci]
• 5d03d08 Update CHANGELOG.md [skip ci]
• 7ddf7cf set release CI identity to Dax
• 07b1e4c Merge pull request #4 from duckduckgo/max/automation
• 3d05557 don't hardcode the version in readme
• 930248c use colldown from dependabot
• 673dccf Merge pull request #3 from duckduckgo/max/dependabot
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

Low Risk
Dev-only dependency bump with no runtime or source changes; main risk is CI lint behavior shifting if the upgraded shared config or plugins enforce new rules.

Overview
Bumps the shared @duckduckgo/eslint-config dev dependency from v0.1.0 to v0.2.1 in package.json and refreshes package-lock.json accordingly.

The lockfile also picks up updated transitive lint tooling from that package—notably eslint-config-prettier v10, eslint-plugin-n v18 (tighter Node engine requirements and optional TypeScript-related peers), and related semver/tapable bumps. No application or ESLint config source files change in this diff; only dependency pins.

^{Reviewed by Cursor Bugbot for commit bfd5ad8. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

[cursor]

Dependency risk review for @duckduckgo/eslint-config v0.1.0 -> v0.2.1:

Confirmed findings: none blocking.

Evidence checked:

• PR diff only updates package.json and package-lock.json for this direct dev dependency.
• Upstream index.js is unchanged between the old resolved commit 09f3780... and v0.2.1 1a2a3f...; upstream release notes are release/dependabot automation, README/changelog, and dependency metadata changes.
• The lockfile impact is limited to dev-only lint packages: eslint-config-prettier 9.1.2 -> 10.1.8, eslint-plugin-n 17.23.2 -> 18.0.1, plus related resolver/semver/get-tsconfig/tapable changes. ts-declaration-location is removed because eslint-plugin-n moved it to an optional peer.
• Current repo usage still needs the dependency: eslint.config.js imports @duckduckgo/eslint-config directly.
• Local validation passed with the PR state after generated assets were built: npm run build && npm run lint.
• PR unit/integration/snapshot checks observed passing for the dependency-relevant paths. The failed build job is a release-branch push rejection, and the failed Asana sync is missing ASANA_ACCESS_TOKEN; neither appears caused by this dependency bump.

Uncertain/residual concerns:

• eslint-plugin-n 18 is a breaking major and the installed package declares Node ^20.19.0 || ^22.13.0 || >=24. CI uses .nvmrc value 22 and resolved locally to Node 22.22.3, so validation passed. If any supported developer/automation environment pins an older Node 22 point release, lint/install could fail and should be validated there.
• npm audit reports existing repo dev-dependency advisories, but the vulnerable package versions are unchanged between base and this PR; I did not find a new advisory introduced by this bump.

No separate fix PR drafted because I did not find a concrete dependency-update issue to fix.

  

_{Sent by Cursor Automation: Review dependabot}

[cursor]

Web Compatibility Assessment

No findings. This PR only updates the root dev dependency @duckduckgo/eslint-config and the corresponding lockfile entries; it does not change injected runtime code, wrapper utilities, message bridge, platform entry points, DOM manipulation, or API shims.

Security Assessment

No findings. There are no changes to captured globals, messaging transports, origin validation, config handling, iframe access, or page-world execution paths.

Risk Level

Low Risk: devDependency/lockfile-only change affecting lint tooling rather than shipped injected JavaScript behavior.

Recommendations

No code changes requested. Verification performed: npm ci, npm run build, and npm run lint all pass. The release comparison for @duckduckgo/eslint-config v0.1.0...v0.2.1 shows automation/metadata changes and dependency metadata updates, with no index.js rule/config changes.

  

_{Sent by Cursor Automation: Web compat and sec}