build: replace `eslint-plugin-node` with `eslint-plugin-n` (gh54 part II) by Planeshifter · Pull Request #10952 · stdlib-js/stdlib

Planeshifter · 2026-03-15T06:32:12Z

Progresses stdlib-js/metr-issue-tracker#54.

Description

What is the purpose of this pull request?

This pull request:

Replaces the unmaintained eslint-plugin-node (v11) with its actively maintained fork eslint-plugin-n (v17) (PR 3 of the migration plan).
Renames plugin registration from node to n in etc/eslint/plugins/index.js.
Renames all rule references from node/* to n/* in etc/eslint/rules/nodejs.js.
Updates ~530 eslint-disable comments across the codebase from node/ to n/.
Drops the tryExtensions option from n/file-extension-in-import (no longer supported by eslint-plugin-n).
Adds ignores for features newly detected by eslint-plugin-n: bigint and hashbang in n/no-unsupported-features/es-syntax, http2 and process.release in n/no-unsupported-features/node-builtins.
Updates JSDoc @name tags and documentation URLs to point to the eslint-community/eslint-plugin-n repository.
Moves nested log/logError functions to outer scope in remark-run-javascript-examples and fixes pre-existing lint violations in touched files.

Related Issues

Does this pull request have any related issues?

This pull request has the following related issues:

[RFC]: migrate to ESLint v9 metr-issue-tracker#54

Questions

Any questions for reviewers of this pull request?

No.

Other

Any other information relevant to this pull request? This may include screenshots, references, and/or implementation notes.

Stacked on #10950. eslint-plugin-n is the community-maintained fork of the unmaintained eslint-plugin-node and is required for ESLint v9 compatibility.

Checklist

Please ensure the following tasks are completed before submitting this pull request.

Read, understood, and followed the contributing guidelines.

AI Assistance

When authoring the changes proposed in this PR, did you use any kind of AI assistance?

Yes
No

If you answered "yes" above, how did you use AI assistance?

Code generation (e.g., when writing an implementation or fixing a bug)
Test/benchmark generation
Documentation (including examples)
Research and understanding

Disclosure

If you answered "yes" to using AI assistance, please provide a short disclosure indicating how you used AI assistance. This helps reviewers determine how much scrutiny to apply when reviewing your contribution. Example disclosures: "This PR was written primarily by Claude Code." or "I consulted ChatGPT to understand the codebase, but the proposed changes were fully authored manually by myself.".

This PR was written primarily by Claude Code. The bulk rename was done via scripted sed, with manual review of config changes and rule compatibility.

@stdlib-js/reviewers

socket-security · 2026-03-15T06:34:18Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	zeros@1.0.0
	ndarray@1.0.19
	ndarray-gemm@1.0.0
	ndarray-ops@1.2.2
	jstat@1.9.6
	eslint-plugin-n@17.24.0

View full report

socket-security · 2026-03-15T16:26:08Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Critical CVE: npm `form-data` uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 2.5.4 From: `?` → `npm/form-data@2.3.3` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/form-data@2.3.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Prototype Pollution in npm `minimist` CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4 Patched version: 0.2.4 From: `?` → `npm/factor-bundle@2.5.0` → `npm/minimist@0.0.5` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/minimist@0.0.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

kgryte · 2026-03-22T07:00:44Z

@Planeshifter Heads-up: looks like stacking went sideways. Would you mind resolving the merge conflicts?

kgryte · 2026-03-22T07:06:21Z

Actually, I think I know what happened. It went sideways because I had deleted the base branch on the GitHub UI. And it is not clear to me how to move this PR back against the restored base branch. :(

kgryte · 2026-03-22T07:08:49Z

Maybe you can force push to move it back on the original base branch? 😬

lib/node_modules/@stdlib/_tools/eslint/rules/jsdoc-doctest/lib/main.js

stdlib-bot · 2026-03-23T06:03:00Z

Coverage Report

No coverage information available.

kgryte · 2026-03-26T05:32:17Z

/stdlib merge

stdlib-bot · 2026-03-26T05:34:39Z

/stdlib merge

@kgryte, the slash command failed to complete. Please check the workflow logs for details.

View workflow run

lib/node_modules/@stdlib/_tools/eslint/rules/doctest/lib/main.js

lib/node_modules/@stdlib/_tools/eslint/rules/jsdoc-doctest/lib/main.js

Signed-off-by: Philipp Burckhardt <pburckhardt@outlook.com>

kgryte · 2026-03-27T06:21:38Z

lib/node_modules/@stdlib/_tools/changelog/generate/lib/npm_releases.js

 // MODULES //

-var shell = require( 'child_process' ).execSync; // eslint-disable-line node/no-sync
+var shell = require( 'child_process' ).execSync;


@Planeshifter Removing this comment re-enables the warning. Is that intended?

kgryte · 2026-03-27T06:23:00Z

lib/node_modules/@stdlib/_tools/pkgs/browser-entry-points/lib/entries.js


 	total = pkgs.length;
-	out = new Array( total );
+	out = new Array( total ); // eslint-disable-line stdlib/no-new-array


@Planeshifter We should go ahead and use #.push here. This isn't a scenario where we explicitly want a sparse array.

kgryte · 2026-03-27T06:27:23Z

etc/eslint/rules/nodejs.js

+rules[ 'n/no-unsupported-features/es-syntax' ] = [ 'error', {
 	'version': '>=0.12.18',
-	'ignores': []
+	'ignores': [ 'bigint', 'hashbang', 'object-assign', 'object-getownpropertydescriptors', 'proxy', 'string-fromcodepoint', 'string-prototype-repeat' ]


@Planeshifter Why are we adding these to the ignored list and not just ignoring them on a per file basis? Given that most of these are localized to specific packages, I am not sure why it makes sense to globally ignore these.

kgryte · 2026-03-27T06:29:54Z

etc/eslint/rules/nodejs.js

 * @memberof rules
 * @type {Array}
-* @see [node/shebang]{@link https://github.com/mysticatea/eslint-plugin-node/blob/master/docs/rules/shebang.md}
+* @see [node/shebang]{@link https://github.com/eslint-community/eslint-plugin-n/blob/HEAD/docs/rules/shebang.md}


@Planeshifter This link is incorrect.

kgryte · 2026-03-27T06:31:09Z

docs/editors/sublime-text/scripts/completions/awk.js

 * limitations under the License.
 */

-/* eslint-disable node/shebang */


@Planeshifter Why is this no longer applicable? It seems like n/hashbang is the same rule as node/shebang, so I am curious how this rule no longer applies.

This obviously applies to the other files.

kgryte · 2026-03-27T06:32:54Z

lib/node_modules/@stdlib/assert/is-node/lib/main.js

 		// Check for a `node` property:
 		isString( proc.versions.node ) &&

-		/* eslint-disable node/no-unsupported-features/es-builtins */


@Planeshifter This seems to be likely the only package where we use proc.release, so I am not understanding why you chose to globally ignore proc.release.

kgryte · 2026-03-27T06:33:06Z

lib/node_modules/@stdlib/assert/is-node/test/test.main.js

 * limitations under the License.
 */

-/* eslint-disable node/no-unsupported-features/node-builtins */


Same comment.

kgryte · 2026-03-27T06:40:10Z

lib/node_modules/@stdlib/fs/append-file/lib/sync.js

@@ -20,7 +20,7 @@

 // MODULES //

-var appendFile = require( 'fs' ).appendFileSync; // eslint-disable-line node/no-sync
+var appendFile = require( 'fs' ).appendFileSync;


@Planeshifter Not understanding why this comment was removed instead of changed to n/no-sync. Applies throughout this PR.

Given that the default value for allowRootLevel is false (ref: https://github.com/eslint-community/eslint-plugin-n/blob/master/docs/rules/no-sync.md#allowatrootlevel), I would expect this to trigger a warning given *Sync.

Especially in this case, we shouldn't be emitting a warning, as using the sync API is intentional.

kgryte · 2026-03-27T06:42:27Z

lib/node_modules/@stdlib/fs/read-file/test/test.main.js

@@ -43,7 +43,7 @@ tape( 'main export is a function', function test( t ) {
 });

 tape( 'the function reads the entire contents of a file', opts, function test( t ) {
-	var expected = fs.readFileSync( __filename ); // eslint-disable-line node/no-sync
+	var expected = fs.readFileSync( __filename ); // eslint-disable-line n/no-sync


@Planeshifter And then, here, we do what I would expect. So it is very unclear to me why you removed the comment in some files but then here you simply update the rule name.

kgryte · 2026-03-27T06:44:28Z

lib/node_modules/@stdlib/math/strided/ops/add/scripts/dtypes.js

@@ -18,8 +18,6 @@
 * limitations under the License.
 */

-/* eslint-disable node/shebang */


@Planeshifter Based on my reading of https://github.com/eslint-community/eslint-plugin-n/blob/master/docs/rules/hashbang.md, this script is not in the bin field of the package.json. In which case, we need to disable the lint rule, as the rule should claim that this file needs no hashbang. What am I missing?

kgryte · 2026-03-27T06:45:58Z

lib/node_modules/@stdlib/net/http2-secure-server/examples/index.js

@@ -18,8 +18,10 @@

 'use strict';

+/* eslint-disable n/no-unsupported-features/node-builtins */


@Planeshifter Do we really need to disable this rule for the entire file?

kgryte · 2026-03-27T06:46:09Z

lib/node_modules/@stdlib/net/http2-secure-server/lib/main.js

@@ -18,9 +18,11 @@

 'use strict';

+/* eslint-disable n/no-unsupported-features/node-builtins */


@Planeshifter Do we really need to disable this rule for the entire file?

kgryte · 2026-03-27T06:46:12Z

lib/node_modules/@stdlib/net/http2-secure-server/test/fixtures/server.js

@@ -18,10 +18,12 @@

 'use strict';

+/* eslint-disable n/no-unsupported-features/node-builtins */


@Planeshifter Do we really need to disable this rule for the entire file?

kgryte · 2026-03-27T06:46:18Z

lib/node_modules/@stdlib/net/http2-secure-server/test/test.js

@@ -18,10 +18,12 @@

 'use strict';

+/* eslint-disable n/no-unsupported-features/node-builtins */


@Planeshifter Do we really need to disable this rule for the entire file?

kgryte · 2026-03-27T06:49:43Z

lib/node_modules/@stdlib/utils/async/series-waterfall/lib/factory.js

@@ -105,7 +105,7 @@ function factory( fcns, clbk, thisArg ) {
 			}
 			// Copy the remaining arguments...
 			len = arguments.length;
-			args = new Array( len );
+			args = new Array( len ); // eslint-disable-line stdlib/no-new-array


@Planeshifter We should explicitly use #.push here.

kgryte · 2026-03-27T06:51:46Z

lib/node_modules/@stdlib/utils/inmap-right/benchmark/benchmark.js

@@ -38,7 +38,7 @@ bench( pkg, function benchmark( b ) {
 		return v * i;
 	}

-	arr = new Array( 100 );
+	arr = new Array( 100 ); // eslint-disable-line stdlib/no-new-array


@Planeshifter In all the loop generation here and below, we should go ahead and explicit use #.push.

kgryte · 2026-03-27T06:52:06Z

lib/node_modules/@stdlib/utils/inmap/benchmark/benchmark.js

@@ -38,7 +38,7 @@ bench( pkg, function benchmark( b ) {
 		return v * i;
 	}

-	arr = new Array( 100 );
+	arr = new Array( 100 ); // eslint-disable-line stdlib/no-new-array


@Planeshifter We should go ahead and explicitly use #.push here and below.

kgryte · 2026-03-27T06:52:45Z

lib/node_modules/@stdlib/utils/parallel/examples/serial.js

@@ -16,7 +16,7 @@
 * limitations under the License.
 */

-/* eslint-disable node/no-sync, stdlib/no-dynamic-require, stdlib/no-unassigned-require, stdlib/require-last-path-relative */
+/* eslint-disable n/no-sync, stdlib/no-dynamic-require, stdlib/no-unassigned-require */


@Planeshifter Why is stdlib/require-last-path-relative no longer applicable here?

kgryte · 2026-03-27T06:53:17Z

lib/node_modules/@stdlib/utils/property-descriptors/lib/builtin.js

@@ -25,7 +25,7 @@ var Object = require( '@stdlib/object/ctor' );

 // VARIABLES //

-var propertyDescriptors = Object.getOwnPropertyDescriptors; // eslint-disable-line node/no-unsupported-features/es-builtins
+var propertyDescriptors = Object.getOwnPropertyDescriptors;


@Planeshifter We shouldn't be globally ignoring getOwnPropertyDescriptors because of this one package.

kgryte

Left a series of comments. Reviewed all 542 files. There are 107 files which, IMO, have issues, as alluded to in my comments.

kgryte · 2026-03-27T06:56:20Z

For METR,

review_time: 38 mins

kgryte · 2026-04-08T00:48:16Z

/stdlib merge

kgryte · 2026-04-08T00:49:49Z

lib/node_modules/@stdlib/_tools/remark/plugins/remark-lint-equations/test/test.js

 var tape = require( 'tape' );
 var remark = require( 'remark' );
-var readSync = require( 'to-vfile' ).readSync; // eslint-disable-line node/no-sync
+var readSync = require( 'to-vfile' ).readSync;


@Planeshifter If only call expressions, why would it work here?

stdlib-bot · 2026-04-08T00:50:48Z

/stdlib merge

@kgryte, the slash command failed to complete. Please check the workflow logs for details.

View workflow run

Planeshifter changed the base branch from develop to philipp/gh54-modernize-custom-rule-apis March 15, 2026 06:33

Planeshifter mentioned this pull request Mar 15, 2026

build: migrate JSDoc linting off removed core rules (gh54 part III) #10965

Draft

7 tasks

Planeshifter changed the title ~~bench: replace eslint-plugin-node with eslint-plugin-n~~ build: replace eslint-plugin-node with eslint-plugin-n Mar 15, 2026

Planeshifter force-pushed the philipp/gh54-eslint-plugin-n branch 2 times, most recently from ac2468f to ff1e4ba Compare March 15, 2026 16:25

Planeshifter changed the title ~~build: replace eslint-plugin-node with eslint-plugin-n~~ build: replace eslint-plugin-node with eslint-plugin-n (gh54 part II) Mar 15, 2026

Planeshifter force-pushed the philipp/gh54-eslint-plugin-n branch 2 times, most recently from 4fbfcbf to 7f06a75 Compare March 15, 2026 17:38

Planeshifter added the METR Pull request associated with the METR project. label Mar 18, 2026

Base automatically changed from philipp/gh54-modernize-custom-rule-apis to develop March 22, 2026 06:59

github-actions bot mentioned this pull request Mar 22, 2026

[aw] No-Op Runs #11033

Open

bench: replace eslint-plugin-node with eslint-plugin-n

dd197bb

Planeshifter force-pushed the philipp/gh54-eslint-plugin-n branch from 7f06a75 to dd197bb Compare March 23, 2026 04:20

Planeshifter marked this pull request as ready for review March 23, 2026 04:21

Planeshifter requested a review from kgryte March 23, 2026 04:21

kgryte reviewed Mar 23, 2026

View reviewed changes

lib/node_modules/@stdlib/_tools/eslint/rules/jsdoc-doctest/lib/main.js Outdated Show resolved Hide resolved

stdlib-bot added the Needs Review A pull request which needs code review. label Mar 23, 2026

stdlib-bot added the bot: In Progress Pull request is currently awaiting automation. label Mar 26, 2026

stdlib-bot removed the bot: In Progress Pull request is currently awaiting automation. label Mar 26, 2026

Planeshifter commented Mar 27, 2026

View reviewed changes

lib/node_modules/@stdlib/_tools/eslint/rules/doctest/lib/main.js Outdated Show resolved Hide resolved

Planeshifter commented Mar 27, 2026

View reviewed changes

lib/node_modules/@stdlib/_tools/eslint/rules/jsdoc-doctest/lib/main.js Outdated Show resolved Hide resolved

chore: fix accidental replacement

4a09f3c

Signed-off-by: Philipp Burckhardt <pburckhardt@outlook.com>

chore: fix accidental replacement

9ca7480

Signed-off-by: Philipp Burckhardt <pburckhardt@outlook.com>

Planeshifter requested a review from kgryte March 27, 2026 04:32

kgryte reviewed Mar 27, 2026

View reviewed changes

kgryte requested changes Mar 27, 2026

View reviewed changes

kgryte added Needs Changes Pull request which needs changes before being merged. and removed Needs Review A pull request which needs code review. labels Mar 27, 2026

stdlib-bot added the bot: In Progress Pull request is currently awaiting automation. label Apr 8, 2026

kgryte reviewed Apr 8, 2026

View reviewed changes

stdlib-bot removed the bot: In Progress Pull request is currently awaiting automation. label Apr 8, 2026

		@@ -18,8 +18,10 @@

		'use strict';

		/* eslint-disable n/no-unsupported-features/node-builtins */

		@@ -18,9 +18,11 @@

		'use strict';

		/* eslint-disable n/no-unsupported-features/node-builtins */

		@@ -18,10 +18,12 @@

		'use strict';

		/* eslint-disable n/no-unsupported-features/node-builtins */

Uh oh!

Conversation

Planeshifter commented Mar 15, 2026

Description

Related Issues

Questions

Other

Checklist

AI Assistance

Disclosure

Uh oh!

socket-security bot commented Mar 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Mar 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kgryte commented Mar 22, 2026

Uh oh!

kgryte commented Mar 22, 2026

Uh oh!

kgryte commented Mar 22, 2026

Uh oh!

Uh oh!

stdlib-bot commented Mar 23, 2026

Coverage Report

Uh oh!

kgryte commented Mar 26, 2026

Uh oh!

stdlib-bot commented Mar 26, 2026

Uh oh!

Uh oh!

Uh oh!

kgryte Mar 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

kgryte left a comment

socket-security bot commented Mar 15, 2026 •

edited

Loading

socket-security bot commented Mar 15, 2026 •

edited

Loading

kgryte Mar 27, 2026 •

edited

Loading