Consolidate Dependabot updates; migrate ESLint 10 and Tailwind 4 (PER-15131) #639
Draft
zeevmoney wants to merge 2 commits into
Consolidates the 8 open Dependabot PRs (#630-#637) into one change.

npm dependencies:
- react/react-dom 18 -> 19; react-player 2 -> 3 (url -> src API); @inkeep/cxkit-docusaurus 0.5.119; sass 1.100
- dev: @babel 7.29.7, ajv 8.20, eslint 7 -> 10 (flat config), @typescript-eslint 8 (+ parser), eslint-config-prettier 10, eslint-plugin-prettier 5, prettier 2 -> 3, tailwindcss 3 -> 4
- hold @untitaker/hyperlink at 0.1.32: its 0.2.0 ships an npm-shrinkwrap pinning vulnerable axios/form-data/glob/minimatch that overrides cannot remediate (dev/build-only link checker)
- add ws/shell-quote overrides -> clears the 1 critical + 1 high npm audit findings present on master (0 critical/0 high after)

config and code migrations:
- ESLint flat config (eslint.config.js); drop unmaintained eslint-plugin-spellcheck (cspell.json covers spelling); jsx-runtime config for React 19; pin react version (plugin v7 calls the context.getFilename API removed in ESLint 10)
- Tailwind v4 CSS-first entrypoint (src/css/tailwind.css via @tailwindcss/postcss); preflight stays disabled; remove tailwind.config.js
- react-player v3 component API in both current and versioned docs
- GitHub Actions SHA-pinned (checkout v6, algolia crawler v1.1.13, wait-for-netlify v3.4.0) with least-privilege permissions and persist-credentials: false
- fix react/no-deprecated (unused react-dom render import) and add rel=noreferrer to two target=_blank links surfaced by the upgrade

Supersedes Dependabot PRs #630-#637 (PER-15131).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Reformats JS/JSX/TS/TSX/CSS/SCSS source with Prettier 3 so the prettier/prettier ESLint rule passes under the upgraded toolchain. Formatting-only; no behavioral change. The 406 .mdx documentation files are intentionally not reformatted here to keep this PR reviewable and avoid altering rendered docs; that can be done as a separate follow-up.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

✅ Deploy Preview for permitio-docs ready!
This was referenced Jun 15, 2026
Linear issue
PER-15131

Why
Eight Dependabot PRs (#630–#637) were open against this repo. This consolidates all of them into a single reviewable change and closes the individual PRs. A security audit of the batch found that none of the eight PRs fix any of the open npm audit advisories — the actual critical (shell-quote) + high (ws) findings on master are dev-chain transitive deps that need overrides, which are added here.

What changed

npm production deps
- react/react-dom 18 → 19 (bumped together; Bump react from 18.3.1 to 19.2.7 #637 only bumped react, which is a broken pair on its own)
- react-player 2 → 3 — v3 API rewrite (url → src, ref now points at the media element); updated the player component in current and versioned docs
- @inkeep/cxkit-docusaurus 0.5.119, sass 1.100

npm dev deps (group #633)
- @babel/* 7.29.7, ajv 8.20
- eslint 7 → 10, @typescript-eslint/* 8 (+ added required parser), eslint-config-prettier 10, eslint-plugin-prettier 5, prettier 2 → 3, tailwindcss 3 → 4
- @untitaker/hyperlink at 0.1.32 (not the Bump the dev-dependencies group across 1 directory with 14 updates #633 target 0.2.0): 0.2.0 ships an npm-shrinkwrap.json pinning vulnerable axios/form-data/glob/minimatch/@isaacs/brace-expansion that overrides cannot remediate. It is a dev/build-only link checker and the bump is not security-motivated. 0.1.32 has zero dependencies and zero advisories.

Security
- overrides for ws >=7.5.11 (GHSA-96hv-2xvq-fx4p) and shell-quote >=1.8.4 (GHSA-w7jw-789q-3m8p). Result: npm audit goes from 1 critical / 1 high / 24 moderate on master to 0 critical / 0 high / 31 moderate (the moderate increase is new dev-chain transitive advisories pulled in by ESLint 10 / Tailwind 4; all build-time).

Config / code migrations
- .eslintrc.js → eslint.config.js); lint script drops the removed --ignore-path. Dropped unmaintained eslint-plugin-spellcheck (no flat-config support; cspell.json already covers spelling). Added the jsx-runtime config for React 19's automatic runtime. Pinned settings.react.version because eslint-plugin-react@7 still calls the context.getFilename() API that ESLint 10 removed.
- src/css/tailwind.css via @tailwindcss/postcss; preflight stays disabled (base layer not imported); dark variant wired to [data-theme="dark"]; custom white token ported. Removed tailwind.config.js.
- algolia_crawl.yml): actions/checkout v2 → v6, algolia/algoliasearch-crawler-github-actions v1.0.10 → v1.1.13, probablyup/wait-for-netlify-action 3.2.0 → 3.4.0 — all SHA-pinned. Added a least-privilege permissions: contents: read block and persist-credentials: false (passes actionlint + zizmor).
- react-dom render import and added rel="noreferrer" to two target="_blank" links surfaced by the upgrade.

Deferred (documented, not done here)
- .mdx documentation files are not reformatted by Prettier 3 — that would be an unreviewable diff with rendering risk. Source files (JS/JSX/TS/TSX/CSS/SCSS) are formatted in an isolated commit. A repo-wide npm run format can be a follow-up.

Architectural changes
No architectural change. Dependency, build-tooling, and lint/format config only — no shift in component communication, state, or request/auth flow.

How it was tested
- npx docusaurus build — succeeds; verified the built CSS contains Tailwind v4 utilities (text-, bg-, rounded…), the custom #fdfcfc token, and the [data-theme="dark"] variant, and that preflight is absent.
- npm run lint (ESLint 10 flat config) — exits 0: 0 errors, 80 non-blocking no-unused-vars warnings (pre-existing pattern plus now-redundant React imports under the automatic runtime).
- npm audit — 0 critical / 0 high / 31 moderate.
- actionlint + zizmor on the workflow — clean.

Manual test plan
- npm ci && npm run build → build succeeds, build/index.html generated.
- npm run serve → spot-check a few pages render with correct styling (Tailwind utilities + dark mode toggle).
- npm run lint → exits 0.

Blast radius and isolation

Scope and size
- package-lock.json regeneration excluded)

Generated with Claude Code
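
The Security item in the description depends on the overrides reaching every transitive copy of ws and shell-quote, including nested ones. As an added example (not code from this PR or the repository), this Node script walks a package-lock.json and lists any copy still below the floors stated in the PR; the sample lockfile and the package names other than ws and shell-quote are constructed.

```javascript
// Added example: confirm npm overrides reached every installed copy recorded in
// package-lock.json (lockfileVersion 2 or 3). Floors are the ones stated in the PR.
const MINIMUMS = new Map([["ws", "7.5.11"], ["shell-quote", "1.8.4"]]);

// Numeric x.y.z comparison; any pre-release suffix is ignored (simplification).
function gte(version, floor) {
  const a = version.split("-")[0].split(".").map(Number);
  const b = floor.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Keys look like "node_modules/a/node_modules/ws"; the package name is what
// follows the last "node_modules/" (scoped names keep their "@scope/" part).
function packageName(lockPath) {
  const marker = "node_modules/";
  const at = lockPath.lastIndexOf(marker);
  return at === -1 ? null : lockPath.slice(at + marker.length);
}

// Every copy still below its floor, including nested ones a top-level check misses.
function findStragglers(lock, minimums = MINIMUMS) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const floor = minimums.get(packageName(path));
    if (floor && meta.version && !gte(meta.version, floor)) {
      out.push({ path, version: meta.version, floor });
    }
  }
  return out;
}

// Constructed sample lockfile; package names other than ws/shell-quote are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs-site", version: "0.0.0" },
    "node_modules/ws": { version: "8.18.0" },
    "node_modules/shell-quote": { version: "1.8.4" },
    "node_modules/example-dev-server/node_modules/ws": { version: "7.5.9" },
    "node_modules/@example/scoped": { version: "1.0.0" },
  },
};
console.log(findStragglers(sampleLock));
```

Pointing it at a real lockfile means replacing sampleLock with the parsed contents of package-lock.json; an empty result means no recorded copy is below a floor.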
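
The workflow hardening listed under Config / code migrations (SHA-pinned actions, a workflow-level permissions block, persist-credentials: false) can be checked mechanically. An added example, not the repository's workflow and not the logic of actionlint or zizmor: a line-based scan that assumes block-style YAML with uses: written before with:. The sample workflows and the SHA are constructed placeholders.

```javascript
// Added example: line-based scan for the three workflow hardening items in the PR.
// Not a YAML parser (assumes block-style YAML and `uses:` written before `with:`).
function auditWorkflow(yamlText) {
  const lines = yamlText.split("\n");
  const findings = [];
  // 1. A workflow-level permissions block caps what GITHUB_TOKEN may do.
  if (!lines.some((l) => /^permissions:/.test(l))) findings.push("no workflow-level permissions block");
  lines.forEach((line, i) => {
    const m = line.match(/^\s*(?:-\s+)?uses:\s*([^\s#]+)/);
    if (!m) return;
    const [action, ref = ""] = m[1].split("@");
    if (action.startsWith("./")) return; // local action, nothing to pin
    // 2. Tags and branches can be moved; a full commit SHA cannot.
    if (!/^[0-9a-f]{40}$/.test(ref)) findings.push(`line ${i + 1}: ${action} is not pinned to a commit SHA`);
    // 3. checkout leaves the token usable by later git commands unless disabled.
    if (action === "actions/checkout") {
      let disabled = false;
      // Scan the rest of this step, stopping at the next list item.
      for (let j = i + 1; j < lines.length && !/^\s*-\s/.test(lines[j]); j++) {
        if (/^\s*persist-credentials:\s*false\b/.test(lines[j])) disabled = true;
      }
      if (!disabled) findings.push(`line ${i + 1}: checkout persists credentials`);
    }
  });
  return findings;
}

// Constructed samples. SHA is a placeholder, not a real commit.
const SHA = "0123456789abcdef0123456789abcdef01234567";
const weakWorkflow = [
  "on: push",
  "jobs:",
  "  crawl:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v2",
].join("\n");
const hardenedWorkflow = [
  "on: push",
  "permissions:",
  "  contents: read",
  "jobs:",
  "  crawl:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  `      - uses: actions/checkout@${SHA} # v6`,
  "        with:",
  "          persist-credentials: false",
].join("\n");
console.log(auditWorkflow(weakWorkflow), auditWorkflow(hardenedWorkflow));
```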