chore(deps)(deps-dev): bump eslint-plugin-react-hooks from 5.2.0 to 7.1.1 in /apps/web

[dependabot]

Bumps eslint-plugin-react-hooks from 5.2.0 to 7.1.1.

Release notes

Sourced from eslint-plugin-react-hooks's releases.

eslint-plugin-react-hooks@7.1.1 (April 17, 2026)

Note: 7.1.0 accidentally removed the component-hook-factories rule, causing errors for users who referenced it in their ESLint config. This is now fixed.

• Add deprecated no-op component-hook-factories rule for backwards compatibility. (@​mofeiZ in #36307)

eslint-plugin-react-hooks@7.1.0 (April 16, 2026)

This release adds ESLint v10 support, improves performance by skipping compilation for non-React files, and includes compiler lint improvements including better set-state-in-effect detection, improved ref validation, and more helpful error reporting.

• Add ESLint v10 support. (@​azat-io in #35720)
• Skip compilation for non-React files to improve performance. (@​josephsavona in #35589)
• Fix exhaustive deps bug with Flow type casting. (@​jorge-cab in #35691)
• Fix useEffectEvent checks in component syntax. (@​jbrown215 in #35041)
• Improved set-state-in-effect validation with fewer false negatives. (@​jorge-cab in #35134, @​josephsavona in #35147, @​jackpope in #35214, @​chesnokov-tony in #35419, @​jsleitor in #36107)
• Improved ref validation for non-mutating functions and event handler props. (@​josephsavona in #35893, @​kolvian in #35062)
• Compiler now reports all errors instead of stopping at the first. (@​josephsavona in #35873–#35884)
• Improved source locations and error display in compiler diagnostics. (@​nathanmarks in #35348, @​josephsavona in #34963)

Changelog

Sourced from eslint-plugin-react-hooks's changelog.

7.1.1

Note: 7.1.0 accidentally removed the component-hook-factories rule, causing errors for users who referenced it in their ESLint config. This is now fixed.

• Add deprecated no-op component-hook-factories rule for backwards compatibility. (@​mofeiZ in #36307)

7.1.0

This release adds ESLint v10 support, improves performance by skipping compilation for non-React files, and includes compiler lint improvements including better set-state-in-effect detection, improved ref validation, and more helpful error reporting.

• Add ESLint v10 support. (@​azat-io in #35720)
• Skip compilation for non-React files to improve performance. (@​josephsavona in #35589)
• Fix exhaustive deps bug with Flow type casting. (@​jorge-cab in #35691)
• Fix useEffectEvent checks in component syntax. (@​jbrown215 in #35041)
• Improved set-state-in-effect validation with fewer false negatives. (@​jorge-cab in #35134, @​josephsavona in #35147, @​jackpope in #35214, @​chesnokov-tony in #35419, @​jsleitor in #36107)
• Improved ref validation for non-mutating functions and event handler props. (@​josephsavona in #35893, @​kolvian in #35062)
• Compiler now reports all errors instead of stopping at the first. (@​josephsavona in #35873–#35884)
• Improved source locations and error display in compiler diagnostics. (@​nathanmarks in #35348, @​josephsavona in #34963)

7.0.1

• Disallowed passing inline useEffectEvent values as JSX props to guard against accidental propagation. (#34820 by @​jf-eirinha)
• Switch to export = so eslint-plugin-react-hooks emits correct types for consumers in Node16 ESM projects. (#34949 by @​karlhorky)
• Tightened the typing of configs.flat so the configs export is always defined. (#34950 by @​poteto)
• Fix named import runtime errors. (#34951, #34953 by @​karlhorky)

7.0.0

This release slims down presets to just 2 configurations (recommended and recommended-latest), and all compiler rules are enabled by default.

• Breaking: Removed recommended-latest-legacy and flat/recommended configs. The plugin now provides recommended (legacy and flat configs with all recommended rules), and recommended-latest (legacy and flat configs with all recommended rules plus new bleeding edge experimental compiler rules). (@​poteto in #34757)

6.1.1

Note: 6.1.0 accidentally allowed use of recommended without flat config, causing errors when used with ESLint v9's defineConfig() helper. This has been fixed in 6.1.1.

• Fix recommended config for flat config compatibility. The recommended config has been converted to flat config format. Non-flat config users should use recommended-legacy instead. (@​poteto in #34700)
• Add recommended-latest and recommended-latest-legacy configs that include React Compiler rules. (@​poteto in #34675)
• Remove unused NoUnusedOptOutDirectives rule. (@​poteto in #34703)
• Remove hermes-parser and dependency. (@​poteto in #34719)
• Remove @babel/plugin-proposal-private-methods dependency. (@​ArnaudBarre and @​josephsavona in #34715)
• Update for Zod v3/v4 compatibility. (@​kolian and @​josephsavona in #34717)

6.1.0

Note: Version 6.0.0 was mistakenly released and immediately deprecated and untagged on npm. This is the first official 6.x major release and includes breaking changes.

• Breaking: Require Node.js 18 or newer. (@​michaelfaith in #32458)
• Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@​michaelfaith in #32457)
• New Violations: Disallow calling use within try/catch blocks. (@​poteto in #34040)

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, web. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/eslint-plugin-react-hooks	7.1.1	🟢 6.5	Details Check Score Reason Code-Review 🟢 8 Found 24/30 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 2 badge detected: InProgress Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2 Fuzzing ⚠️ 0 project is not fuzzed
npm/hermes-estree	0.25.1	Unknown	Unknown
npm/hermes-parser	0.25.1	Unknown	Unknown
npm/zod	4.4.3	🟢 4.9	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 6 Found 20/30 approved changesets -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/zod-validation-error	4.0.2	Unknown	Unknown

Scanned Files

• apps/web/package-lock.json