Skip to content

Staged dependency bumps (split from #160) #164

Description

@delabrcd

Problem

Split out from #160 (which delivered the CI-hygiene parts). The runtime/dev dependencies are a major or
several minors behind and should be bumped in risk tiers via the operator's staging/update path — each
its own PR through the 5-job gate + ember-staging before :latest moves. This is not a drive-by;
it needs per-dep verification on a no-rollback prod.

Proposal (tiers)

  • Low-risk, now: newest next 14.2.x (security patches; stay on 14.2 — avoid the 15.x App Router
    changes), @prisma/client+prisma 5.x in lockstep, vitest 2.x, tsx/tailwind/postcss/autoprefixer.
  • Needs verification: playwrightimage-coupled (mcr.microsoft.com/playwright:vX-noble appears
    ~4× in app/Dockerfile); bump the npm package and the base-image tag together, then verify a real
    scrape against a live NG account (do NOT scrape from CI — standards §4). recharts 2.x — visual-regression
    risk; verify via the screenshot harness.
  • Defer (major migrations): React 19, Next 15, ESLint 9 (flat-config — bundle with extending the
    typescript-eslint ruleset repo-wide beyond src/lib/**).

Cross-check each against the WUD+Trivy stack (cve.delabc.xyz) / docs/updates-audit.md first.

Acceptance criteria

  • Each tier lands as its own PR, green through all 5 CI jobs, verified on staging before release.
  • playwright bump verified against a real account (flagged for operator); base image + npm in lockstep.

Pointers

  • app/package.json; app/Dockerfile (playwright base tag); docs/updates-audit.md

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:ciCI / build / releasearea:opsDeploy / backup / operationspriority:lowSomeday: speculative, heavy, optional, or long-termtech-debtRefactor / cleanup / debt paydown (no behavior change)

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions