build(deps-dev): bump typescript-eslint from 8.59.3 to 8.59.4

[dependabot]

Bumps typescript-eslint from 8.59.3 to 8.59.4.

Release notes

Sourced from typescript-eslint's releases.

v8.59.4

8.59.4 (2026-05-18)

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#12294)
• project-service: throw error cause in getParsedConfigFileFromTSServer (#12321)
• typescript-eslint: export Compatible* types from typescript-eslint to resolve pnpm TS error (#12340)

❤️ Thank You

• Evyatar Daud @​StyleShit
• Kirk Waiblinger @​kirkwaiblinger
• lumir

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.59.4 (2026-05-18)

🩹 Fixes

• typescript-eslint: export Compatible* types from typescript-eslint to resolve pnpm TS error (#12340)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• ca6ca14 chore(release): publish 8.59.4
• 4b927c6 fix(typescript-eslint): export Compatible* types from typescript-eslint to re...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

Low Risk
Dev-only dependency patch with no runtime or source changes; impact is limited to local/CI lint tooling.

Overview
Bumps the dev dependency typescript-eslint from 8.59.3 to 8.59.4 in package.json, with the lockfile updated for the matching @typescript-eslint/* packages. There are no application or config source changes—only dependency versions.

The patch release includes small tooling fixes (e.g. no-floating-promises stack overflow on recursive types, clearer project-service errors, and Compatible* type exports for pnpm). Lint behavior in eslint.config.js stays the same; you mainly get the updated ESLint/TypeScript-ESLint stack when running npm run lint.

^{Reviewed by Cursor Bugbot for commit ecb1fde. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

[github-actions]

Build Branch

Branch	pr-releases/dependabot/npm_and_yarn/main/typescript-eslint-8.59.4
Commit	d493f9155b
Updated	May 27, 2026 at 11:50:58 AM UTC

Static preview entry points

• Docs: docs/index.html
• Static pages: build/integration/pages/index.html
• Integration pages: injected/integration-test/test-pages/index.html

QR codes (mobile preview)

Entry point	QR code
Docs
Static pages
Integration pages

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/typescript-eslint-8.59.4

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/typescript-eslint-8.59.4")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/typescript-eslint-8.59.4
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/typescript-eslint-8.59.4

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#d493f9155b17045da06cb655d9d43a4a00d348fb

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "d493f9155b17045da06cb655d9d43a4a00d348fb")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/typescript-eslint-8.59.4
git -C submodules/content-scope-scripts checkout d493f9155b17045da06cb655d9d43a4a00d348fb

[cursor]

Dependency risk review for typescript-eslint 8.59.3 -> 8.59.4: no blocking concerns found.

Confirmed from the diff: this is a devDependency-only bump in package.json plus lockfile updates for the @typescript-eslint/* family. The lockfile also refreshes the nested semver used under @typescript-eslint/typescript-estree from 7.8.0 to 7.8.1.

Changelog impact checked:

• typescript-eslint 8.59.4 contains fixes for no-floating-promises stack overflow on recursive types, project-service error cause propagation, and exported Compatible* types from the meta package.
• Local usage imports the meta package in eslint.config.js and enables @typescript-eslint/no-floating-promises plus type-aware rules, so the relevant behavioral surface is lint/type-analysis only, not shipped runtime code.
• semver 7.8.1 is a nested tooling dependency with bug fixes around comparator/build metadata trimming and prerelease bounds in subset.

Validation performed:

• npm ci completed.
• npm run build && npm run lint passed locally. eslint produced only existing generated-surrogate warnings and no errors.
• npm audit signatures passed: 797 packages with verified registry signatures, 103 with verified attestations.
• npm audit --json still reports existing vulnerabilities, but none are attributed to typescript-eslint, @typescript-eslint/*, or the updated nested semver package.
• PR CI evidence at review time: build, Ubuntu unit/lint, production deps, and injected/special-pages integration jobs passed. The observed snapshots failure was an npm ci ECONNRESET, and the Asana sync failure was missing ASANA_ACCESS_TOKEN on a Dependabot-triggered run, so I did not treat those as dependency regressions.

No separate fix PR drafted because I did not find a dependency-specific issue requiring code or config changes.

  

_{Sent by Cursor Automation: Review dependabot}

[cursor]

Web Compatibility Assessment

No findings. The diff is limited to package.json and package-lock.json, updating dev-only typescript-eslint packages from 8.59.3 to 8.59.4 plus a nested semver patch under @typescript-eslint/typescript-estree. It does not touch injected runtime code, API wrappers/shims, DOM manipulation, platform entry points, or message bridge behavior.

Security Assessment

No findings. There are no changes to injected/src, captured-globals.js, messaging transports, origin validation, stack-trace exemption logic, or any page-world execution paths. The dependency remains dev tooling only and is not part of the injected browser runtime surface.

Risk Level

Low Risk. This is a patch-level devDependency update with unchanged eslint/typescript peer ranges and no runtime bundle diff in the working tree after build.

Recommendations

No code changes required. Keep the normal CI checks; I verified npm run build and npm run lint pass locally. Release notes for 8.59.4 list fixes for no-floating-promises recursive-type stack overflow, project-service error cause propagation, and Compatible* type exports, with no new browser/runtime surface.

  

_{Sent by Cursor Automation: Web compat and sec}