Release/26.6.2 #225
Open
skyflow-bharti wants to merge 11 commits into
…kyflow-react-js SK-2869 upgrade the dependencies
✅ Gitleaks Findings: No secrets detected. Safe to proceed!
Semgrep findings: No issues found, Good to merge.
WHY
Dependencies in `skyflow-react-js` had accumulated significant version debt — some runtime packages were multiple major versions behind, several dev packages carried known CVEs, and 20 dev dependencies were entirely unused dead weight left over from a previous webpack-based build setup that was never referenced by any script or config file. Running `npm audit` against the old lockfile reported 26 vulnerabilities including a critical severity finding in `shell-quote` (pulled in transitively by `webpack-dev-server`).

GOAL
Bring all dependencies to their current supported versions within the **14-day cooling period** policy, eliminate the unused webpack toolchain from `devDependencies`, migrate ESLint to the flat config format required by ESLint 9+, and reduce the vulnerability surface from 26 findings down to the minimum achievable without forcing breaking peer dependency overrides.

Changes

Production runtime (`dependencies`)

- `uuid`: 9.0.1 → 14.0.0
- `skyflow-js`: ^2.7.8 → ^2.7.7; ^2.7.9 excluded by cooling period (3 days old)

Dev tooling — upgraded

- `typescript`: 4.9.5 → 6.0.3
- `eslint`: 8.57.1 → 9.39.4
- `@eslint/js`: 9.39.4
- `@typescript-eslint/*`: 5.62.0 → 8.60.0
- `jest` + `jest-environment-jsdom`: 28.1.3 → 30.4.2 / 30.4.1
- `@testing-library/react`: 13.4.0 → 16.3.2
- `@testing-library/jest-dom`: 6.6.3 → 6.9.1
- `prettier`: 2.8.8 → 3.8.3
- `@babel/preset-react`: 7.12.13 (exact pin) → 7.29.7
- `ts-jest`: 28.0.8 → 29.4.11
- `globals`: 17.6.0
- `eslint-plugin-react`: 7.37.2 → 7.37.5
- `eslint-plugin-react-hooks`: 4.6.2 → 7.1.1
- `eslint-config-prettier`: 8.10.0 → 10.1.8
- `eslint-plugin-prettier`: 4.2.1 → 5.5.6
- `@types/jest`: 29.5.14 → 30.0.0
- `@types/node`: 14.18.63 → 25.9.1

Dev tooling — removed (20 packages)
The entire webpack toolchain and associated plugins were removed. No `webpack.config.*` file exists in the repo; a grep across all source and config files confirms zero references.

`@babel/cli` · `@babel/plugin-proposal-class-properties` · `@babel/plugin-proposal-decorators` · `@babel/plugin-proposal-object-rest-spread` · `@babel/plugin-transform-runtime` · `babel-loader` · `clean-webpack-plugin` · `compression-webpack-plugin` · `eslint-config-airbnb-base` · `eslint-config-airbnb-typescript` · `fork-ts-checker-webpack-plugin` · `html-webpack-plugin` · `webpack` · `webpack-bundle-analyzer` · `webpack-cli` · `webpack-dev-server` · `webpack-manifest-plugin` · `webpack-merge` · `@types/jquery-mask-plugin` · `@types/minimatch`

Config file changes

- `eslint.config.mjs` (new) / `.eslintrc.json` (deleted) — ESLint 9 dropped `.eslintrc.*` support; migrated to flat config preserving all existing rules
- `tsconfig.json` — added `"rootDir": "./src"` (TypeScript 6 now requires explicit declaration when `outDir` is set) and `"ignoreDeprecations": "6.0"` to keep `moduleResolution: node` working through the TS6 lifetime; migration to `node16`/`nodenext` requires adding `.js` extensions to all relative imports and is tracked separately
- `jest.config.js` — updated type import from removed `ts-jest/dist/types` path to `ts-jest`
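
The 14-day cooling-period rule from the GOAL section, sketched as an added example (not code from this pull request or the Skyflow repository): given a map shaped like the `time` field of npm registry metadata, it returns the newest stable release old enough to adopt and lists the ones rejected as too fresh. The versions, dates, and the names `applyCoolingPeriod`, `SAMPLE_TIME` and `SAMPLE_NOW` are assumptions made for illustration.

```javascript
// Constructed sample shaped like the `time` field of npm registry metadata
// (the object `npm view <pkg> time --json` prints). Versions and dates are made up.
const SAMPLE_TIME = {
  created: "2024-01-10T09:00:00.000Z",
  modified: "2026-06-01T12:00:00.000Z",
  "1.3.9": "2026-03-01T10:00:00.000Z",
  "1.4.0": "2026-04-20T10:00:00.000Z",
  "1.4.1": "2026-05-25T10:00:00.000Z",
  "1.5.0-beta.1": "2026-05-01T10:00:00.000Z",
  "1.4.2": "2026-06-01T12:00:00.000Z",
};
const SAMPLE_NOW = Date.parse("2026-06-04T12:00:00.000Z"); // fixed clock for a repeatable run
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "x.y.z" into numbers; null for pre-releases and non-version keys.
function parseStable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison so that 1.10.0 sorts above 1.9.0.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Hypothetical helper: newest stable release at least `coolingDays` old,
// plus the releases rejected for being too fresh (with their age in days).
function applyCoolingPeriod(timeMap, now, coolingDays = 14) {
  const eligible = [];
  const excluded = [];
  for (const [version, published] of Object.entries(timeMap)) {
    const parsed = parseStable(version);
    const ts = Date.parse(published);
    if (!parsed || Number.isNaN(ts)) continue; // metadata keys, pre-releases, bad dates
    const ageDays = Math.floor((now - ts) / DAY_MS);
    if (ageDays >= coolingDays) eligible.push({ version, parsed });
    else excluded.push({ version, ageDays });
  }
  eligible.sort((x, y) => compareVersions(y.parsed, x.parsed));
  return { selected: eligible.length ? eligible[0].version : null, excluded };
}

console.log(applyCoolingPeriod(SAMPLE_TIME, SAMPLE_NOW));
```

A release dated in the future yields a negative age and is excluded, so a skewed or tampered timestamp cannot shorten the wait.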