Security and dependency updates (Phase 1 & 2)

[yepzdk]

Summary

• Resolve 8 out of 17 security vulnerabilities (vite, ajv, js-yaml CVEs)
• Migrate ESLint v8 → v9 with flat config, eliminating the old dependency chain that caused 14 high-severity minimatch audit warnings
• Update React, Prettier, and other safe-to-update dependencies
• Remove unused CRA leftovers (Babel presets, .babelrc)

Vulnerability summary

	Before	After
High	14	9 (all minimatch in dev-only transitive deps)
Moderate	3	0
Total	17	9

The remaining 9 are minimatch ReDoS in transitive dependencies of ESLint plugins and Tailwind's sucrase — dev-only, not shipped to production. These will resolve when upstream packages release updates.

Changes

• Phase 1 — Safe fixes

  • npm audit fix — patched vite (3 CVEs), ajv (ReDoS), js-yaml (prototype pollution)
  • react / react-dom 19.0.0 → 19.2.4
  • proj4 updated to latest 2.x
  • Removed @babel/plugin-transform-optional-chaining, @babel/preset-env, @babel/preset-react, @tailwindcss/line-clamp
  • Deleted .babelrc
  • Updated browserslist database

• Phase 2 — ESLint v9 migration

  • New flat config: eslint.config.mjs
  • Removed: eslint-config-airbnb, @babel/eslint-parser, eslint-plugin-only-warn, eslint-plugin-cypress
  • Updated: prettier 2→3, eslint-config-prettier 8→10, eslint-plugin-react-hooks 4→7
  • Updated lint scripts (removed deprecated --ext flags)
  • Fixed no-empty-pattern in RoutesLoading.jsx

Follow-up issues

• Update build and styling tooling (Vite, Tailwind CSS) #70 — Update build and styling tooling (Vite, Tailwind CSS)
• Upgrade major dependencies (React Router, OpenLayers, FontAwesome) #71 — Upgrade major dependencies (React Router, OpenLayers, FontAwesome)

Test plan

• npm run build passes
• npm run lint:js passes (0 errors, 150 pre-existing warnings)
• Manual smoke test of the app in browser
• Verify Prettier check still works: docker run --rm --volume "$PWD:/work" tmknom/prettier:latest --check src

[rimi-itk]

I think we should discuss (again) how much detail we need in the changelog. This is way too detailed for my taste, but it may add value for others.

[yepzdk]

Condensed to a single line:

- Security and dependency updates (8 vulnerabilities fixed, ESLint v9, React/Prettier updated)

[rimi-itk]

This project uses Prettier to check and format the code (cf. https://github.com/itk-dev/aapodwalk?tab=readme-ov-file#check-and-apply-with-prettier). Therefore we don't need this ESlint config file (I don't understand why we have/had .eslintrc.json file).

We probably have to clean up the project.

[yepzdk]

Good point — Prettier handles formatting, but ESLint catches a different class of issues: unused variables, React hooks rules violations, accessibility problems, and import ordering. They complement each other rather than overlap.

Rather than removing ESLint, I've integrated it properly:

• Added eslint-check / eslint-fix commands to the README (under Linting, between Prettier and Markdownlint)
• Added eslint-check to the CI matrix in pr.yml so it runs on every PR

Currently: 0 errors, 150 pre-existing warnings — so CI will pass. The warnings can be cleaned up incrementally over time.

[rimi-itk]

Are we sure that we can safely remove this?

[yepzdk]

Yes — these Babel packages (@babel/plugin-transform-optional-chaining, @babel/preset-env, @babel/preset-react) are safe to remove:

• The project uses Vite + @vitejs/plugin-react + esbuild for all transpilation — Babel is not in the build pipeline
• JSX transformation and optional chaining are handled natively by esbuild
• No .babelrc or Babel config existed (it was already removed in a prior commit — these were leftover CRA dependencies)
• npm run build passes without them

[yepzdk]

Thank you for your comments @rimi-itk, i have tried to update accordingly.

[rimi-itk]

A check is failing: https://github.com/itk-dev/aapodwalk/actions/runs/22565478868/job/65360616377?pr=72. Can we resolve the reported issue?