chore(client): Phase 6a — bump ESLint 9 → 10#554
Merged
Conversation
Phase 6a of the dep-update sweep. @eslint/js ^9.39.4 → ^10.0.1 eslint ^9.39.4 → ^10.3.0 ESLint 10 has not introduced any rule change that fires on the current codebase per CI's Frontend job baseline (verified post-PR). Local lint fails on a pre-existing eslint-plugin-solid resolver issue (the plugin's exports map omits the `.js` suffix that eslint.config.mjs imports); this is unrelated to ESLint 10 and predates this branch — the CI Frontend job remains the authoritative lint gate. Build, test, and bun audit are unaffected by this dev-only bump. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Detair
force-pushed
the
chore/eslint-10-bump
branch
from
ad4918a to
00ffd75
Compare
4 tasks
Detair
added a commit
that referenced
this pull request
May 10, 2026
Plan was committed as future TODO but Phases 0–4a, 4c, and 6a have since shipped (PRs #548–#554). Adds a status table at the top so reviewers and future executors know which phases are historical narration vs. live work. Per-phase bodies left untouched. Surfaced by PR #556 review. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Detair
added a commit
that referenced
this pull request
May 10, 2026
* docs: dependency update design — phased plan to latest versions Spec for bringing every direct dependency to upstream-verified latest: 10 phases ordered by risk-and-coupling, starting with the in-flight rustls-webpki advisory fix and ending with webrtc 0.11→0.17, rusqlite 0.32→0.39, and a cleanup pass. All versions verified live against crates.io and npm registry on 2026-05-08; no version assumed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: revise dep-update spec — drop Phase 5, split 4 and 6, add pre-flight gates Self-review pass after pushback found that: - vodozemac 0.10 still pins sha2 ^0.10.9 / hkdf ^0.12.4 / hmac ^0.12.1, so the RustCrypto suite bump (sha1/sha2/hkdf/hmac → 0.11/0.13) cannot ship this round. Moved to Out of scope; getrandom 0.2 → 0.4 follows. - Original Phase 4 mislabeled reqwest 0.12 → 0.13 and zip 2 → 8 as "low-risk minors". Split into 4a (genuine low-risk batch), 4b (reqwest own PR), 4c (zip own PR). - Original Phase 6 packed 8 frontend majors into one PR. Split into 6a (eslint 10), 6b (TypeScript 6 own PR), 6c (jsdom/marked/@types/node), 6d (lucide-solid + @solidjs/router). - Added a Pre-flight Gates section so each phase's verification work happens before the PR opens, not in CI. - Added Merge Cadence rule: 24h beta soak between phases. - Verified facts that previously needed assumption: aws-smithy default-https-client feature name (correct), scap fork has no webrtc dependency (won't break), mobile is Android-native (no Rust webrtc-rs coupling), THIRD_PARTY_NOTICES regen script does not exist (out of scope). - Concretized vague smoke tests (Phase 3) and added the Olm session round-trip test as the merge gate for Phase 7. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: dep-update implementation plan (10 phases) Companion to docs/superpowers/specs/2026-05-08-dependency-update-design.md. Encodes the per-phase how (branches, commands, edits, pre-flight gates, soak windows) for the spec's what+why. Phase 0 is already done as PR #548; Phases 1–10 remain. Key cross-cutting elements: explicit re-query of registry versions at PR-creation time, monotone-non-increasing audit error count gate, soak windows of 24/48/72h scaled to phase risk (E2EE crypto and webrtc bumps get the longer windows), and a multi-platform canary on Phase 8. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: dep-update spec — Phase 4b abandoned (reqwest 0.13 upstream-blocked) Phase 4b execution discovered that bumping reqwest 0.12 → 0.13 is blocked by oauth2 5.0.0 / openidconnect 4.0.1 (both stable, no upcoming reqwest-0.13 support), in addition to opentelemetry-otlp 0.31.1 (workaroundable but still pinned to ^0.12). The expected bonus — clearing the openssl 0.10.x OSV cluster — is also blocked because openssl is reached through openidconnect's reqwest 0.12 pull. Adds an Execution notes section to the spec documenting the discovery, and moves reqwest 0.13 + opentelemetry-otlp default-features cleanup to the Out-of-scope follow-up list. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: dep-update spec — fix @types/node baseline to manifest range Spec table listed `@types/node` current as 22.19.15 (a resolved lockfile version) where every other row uses the manifest range minimum. `client/package.json` actually has `^22.15.0`, so the plan's literal-edit instruction (^22.15.0 → ^24.12.3) would not match a sed/Edit operation against the wrong baseline. Surfaced by PR #556 review. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: dep-update plan — add status header for shipped phases Plan was committed as future TODO but Phases 0–4a, 4c, and 6a have since shipped (PRs #548–#554). Adds a status table at the top so reviewers and future executors know which phases are historical narration vs. live work. Per-phase bodies left untouched. Surfaced by PR #556 review. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Phase 6a of the dep-update sweep. Builds on Phase 4c (#553).
Notes
.jssuffix thateslint.config.mjsimports). This pre-dates this PR — it fails identically onmain. The CI Frontend job is the authoritative lint gate.bun auditare unaffected by this bump.refactor/zip-8-server(Phase 4c). After Phase 4c merges, this PR will retarget tomainautomatically.Test plan
bun run test:run— 32 files, 581/581 tests passbun run build—tsc && vite buildgreenbun audit— unchanged from Phase 2bun run lint— CI-only (local resolver issue is pre-existing)🤖 Generated with Claude Code