
Consolidate Dependabot updates; migrate ESLint 10 and Tailwind 4 (PER-15131) #639

Draft
zeevmoney wants to merge 2 commits into master from per-15131/consolidate-dependabot-updates

Conversation

@zeevmoney (Contributor)

Linear issue

PER-15131

Why

Eight Dependabot PRs (#630-#637) were open against this repo. This consolidates all of them into a single reviewable change and closes the individual PRs. A security audit of the batch found that none of the eight PRs fix any of the open npm audit advisories — the actual critical (shell-quote) + high (ws) findings on master are dev-chain transitive deps that need overrides, which are added here.

What changed

npm production deps

  • react / react-dom 18 → 19 (bumped together; Bump react from 18.3.1 to 19.2.7 #637 only bumped react, which is a broken pair on its own)
  • react-player 2 → 3 — v3 API rewrite (url → src, ref now points at the media element); updated the player component in current and versioned docs
  • @inkeep/cxkit-docusaurus 0.5.119, sass 1.100

npm dev deps (group #633)

  • @babel/* 7.29.7, ajv 8.20
  • eslint 7 → 10, @typescript-eslint/* 8 (+ added required parser), eslint-config-prettier 10, eslint-plugin-prettier 5, prettier 2 → 3, tailwindcss 3 → 4
  • Held @untitaker/hyperlink at 0.1.32 (not the Bump the dev-dependencies group across 1 directory with 14 updates #633 target 0.2.0): 0.2.0 ships an npm-shrinkwrap.json pinning vulnerable axios/form-data/glob/minimatch/@isaacs/brace-expansion that overrides cannot remediate. It is a dev/build-only link checker and the bump is not security-motivated. 0.1.32 has zero dependencies and zero advisories.

Security

  • Added overrides for ws >=7.5.11 (GHSA-96hv-2xvq-fx4p) and shell-quote >=1.8.4 (GHSA-w7jw-789q-3m8p). Result: npm audit goes from 1 critical / 1 high / 24 moderate on master to 0 critical / 0 high / 31 moderate (the moderate increase is new dev-chain transitive advisories pulled in by ESLint 10 / Tailwind 4; all build-time).

Config / code migrations

  • ESLint flat config (.eslintrc.js → eslint.config.js); lint script drops the removed --ignore-path. Dropped unmaintained eslint-plugin-spellcheck (no flat-config support; cspell.json already covers spelling). Added the jsx-runtime config for React 19's automatic runtime. Pinned settings.react.version because eslint-plugin-react@7 still calls the context.getFilename() API that ESLint 10 removed.
  • Tailwind v4: CSS-first entrypoint src/css/tailwind.css via @tailwindcss/postcss; preflight stays disabled (base layer not imported); dark variant wired to [data-theme="dark"]; custom white token ported. Removed tailwind.config.js.
  • GitHub Actions (algolia_crawl.yml): actions/checkout v2 → v6, algolia/algoliasearch-crawler-github-actions v1.0.10 → v1.1.13, probablyup/wait-for-netlify-action 3.2.0 → 3.4.0 — all SHA-pinned. Added a least-privilege permissions: contents: read block and persist-credentials: false (passes actionlint + zizmor).
  • Removed an unused/deprecated react-dom render import and added rel="noreferrer" to two target="_blank" links surfaced by the upgrade.

Deferred (documented, not done here)

  • The 406 .mdx documentation files are not reformatted by Prettier 3 — that would be an unreviewable diff with rendering risk. Source files (JS/JSX/TS/TSX/CSS/SCSS) are formatted in an isolated commit. A repo-wide npm run format can be a follow-up.

Architectural changes

No architectural change. Dependency, build-tooling, and lint/format config only — no shift in component communication, state, or request/auth flow.

How it was tested

  • npx docusaurus build — succeeds; verified the built CSS contains Tailwind v4 utilities (text-, bg-, rounded…), the custom #fdfcfc token, and the [data-theme="dark"] variant, and that preflight is absent.
  • npm run lint (ESLint 10 flat config) — exits 0: 0 errors, 80 non-blocking no-unused-vars warnings (pre-existing pattern plus now-redundant React imports under the automatic runtime).
  • npm audit — 0 critical / 0 high / 31 moderate.
  • actionlint + zizmor on the workflow — clean.
  • Tests not applicable: docs site, no unit-test suite in the repo.

Manual test plan

  1. npm ci && npm run build → build succeeds, build/index.html generated.
  2. npm run serve → spot-check a few pages render with correct styling (Tailwind utilities + dark mode toggle).
  3. npm run lint → exits 0.

Blast radius and isolation

  • Blast radius: the whole site build (React 19, Tailwind v4, PostCSS), the lint/format dev workflow, and the Algolia crawl CI workflow.
  • Isolation: isolated — single purpose (consolidate the Dependabot batch). Two commits: (1) deps + migrations, (2) Prettier formatting only.

Scope and size

  • Production lines added: ~150 (config + small code edits; package-lock.json regeneration excluded)
  • Test lines added: 0
  • Effective lines (= production + 0.10 × tests): ~150
  • Single responsibility: yes

Generated with Claude Code

zeevmoney and others added 2 commits June 15, 2026 21:50
Consolidates the 8 open Dependabot PRs (#630-#637) into one change.

npm dependencies:
- react/react-dom 18 -> 19; react-player 2 -> 3 (url -> src API);
  @inkeep/cxkit-docusaurus 0.5.119; sass 1.100
- dev: @babel 7.29.7, ajv 8.20, eslint 7 -> 10 (flat config),
  @typescript-eslint 8 (+ parser), eslint-config-prettier 10,
  eslint-plugin-prettier 5, prettier 2 -> 3, tailwindcss 3 -> 4
- hold @untitaker/hyperlink at 0.1.32: its 0.2.0 ships an
  npm-shrinkwrap pinning vulnerable axios/form-data/glob/minimatch
  that overrides cannot remediate (dev/build-only link checker)
- add ws/shell-quote overrides -> clears the 1 critical + 1 high
  npm audit findings present on master (0 critical/0 high after)

config and code migrations:
- ESLint flat config (eslint.config.js); drop unmaintained
  eslint-plugin-spellcheck (cspell.json covers spelling); jsx-runtime
  config for React 19; pin react version (plugin v7 calls the
  context.getFilename API removed in ESLint 10)
- Tailwind v4 CSS-first entrypoint (src/css/tailwind.css via
  @tailwindcss/postcss); preflight stays disabled; remove tailwind.config.js
- react-player v3 component API in both current and versioned docs
- GitHub Actions SHA-pinned (checkout v6, algolia crawler v1.1.13,
  wait-for-netlify v3.4.0) with least-privilege permissions and
  persist-credentials: false
- fix react/no-deprecated (unused react-dom render import) and add
  rel=noreferrer to two target=_blank links surfaced by the upgrade

Supersedes Dependabot PRs #630-#637 (PER-15131).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Reformats JS/JSX/TS/TSX/CSS/SCSS source with Prettier 3 so the
prettier/prettier ESLint rule passes under the upgraded toolchain.
Formatting-only; no behavioral change.

The 406 .mdx documentation files are intentionally not reformatted here
to keep this PR reviewable and avoid altering rendered docs; that can be
done as a separate follow-up.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@netlify

netlify Bot commented Jun 15, 2026

Deploy Preview for permitio-docs ready!

  • Latest commit: 3802dd1
  • Latest deploy log: https://app.netlify.com/projects/permitio-docs/deploys/6a304fe48e5e8f00081f9d8c
  • Deploy Preview: https://deploy-preview-639--permitio-docs.netlify.app

@linear-code

linear-code Bot commented Jun 15, 2026

PER-15131
