chore(deps): consolidate 16 dependabot PRs — eslint v10, vitest v4, cspell v9, and ecosystem updates

[katriendg]

Summary

Consolidate all 16 open dependabot PRs (#271–#294) into a single integration branch. The updates span four ecosystems (NPM, Python, Rust, GitHub Actions) and three NPM scopes (root, docs/_server, docs/assets/js), with several major version bumps requiring manual intervention for breaking changes.

Motivation

Dependabot PRs have accumulated and share overlapping lock file scopes, making individual merges prone to conflicts. Batching them into a single branch reduces churn, ensures cross-dependency compatibility, and allows breaking changes to be addressed holistically.

Scope of Work

ESLint v10 Migration

• Upgrade eslint from v9 to v10 across all three NPM scopes
• Add @eslint/js as an explicit devDependency (decoupled from eslint v10 bundle)
• Verify flat config (eslint.config.js) requires no structural changes
• Minimum Node.js raised to ^20.19.0 || ^22.13.0 || >=24

Vitest v4 and Vite 8

• Upgrade vitest to 4.x and @vitest/coverage-v8 to 4.x in docs/_server and docs/assets/js
• Adapt docs/assets/js/vitest.config.js for three breaking changes:
  • Reporter 'basic' renamed to 'default'
  • poolOptions.threads flattened to top-level maxThreads/minThreads
  • experimentalVmThreads removed
• Migrate docs/_server/vitest.config.js and docs/_server/vitest.integration.config.js from deprecated poolOptions.forks to top-level maxWorkers

cspell v9

• Upgrade cspell from v8 to v9 in root scope
• Minimum Node raised to 20

Python Dependency Updates

• Update root requirements.txt: python-hcl2 4.3.0→7.x, checkov 3.2.0→3.2.510+
• Update src/500-application/506-ros2-connector/services/requirements.txt: opencv-python 4.10→4.13, psutil 6→7.x, pytest 8→9, pytest-cov 5→7

Rust Security Patches

• Apply rustls-webpki patch (TLS certificate verification fix) in 502-rust-http-connector
• Apply tar security fix in 507-ai-inference

Other NPM Updates

• Bump markdownlint-cli to 0.48.x (root)
• Bump happy-dom to 20.x (docs/_server and docs/assets/js)
• Upgrade ajv-formats v2→v3 in docs/_server (enforces timezone in date-time format)
• Upgrade express-rate-limit v6→v8 in docs/_server

GitHub Actions

• Update azure/login action hash in cluster-test-terraform.yml

Known Post-merge Risks

These regressions surfaced during a prior integration attempt and should be validated:

• js-yaml v4 override in docs/_server/package.json can break gray-matter (requires ^3.13.1) — do not add overrides for js-yaml
• uuid may be lost as a transitive dependency after lock file regeneration — add as explicit dependency in docs/_server
• parseStepsFromMarkdown in docs/_server/services/learning-path-manifest.js needs a regex pattern for bold-title format (- [ ] [**Kata: ...**](../katas/...))
• CPU performance test in docs/_server/tests/performance/file-watch.test.js may be flaky in container environments — widen tolerance if needed
• Boundary assertions in docs/_server/tests/integration/learning-path-selections.test.js should use toBeGreaterThanOrEqual not toBeGreaterThan
• Progress endpoint test in docs/_server/tests/integration/progress-endpoint.test.js must match current API response format ({ progressData: [...] })

Merge Strategy

1. Merge in risk-prioritized sequence: security patches first, then isolated changes, then scope-grouped NPM updates
2. Resolve lock file conflicts using delete-and-reinstall strategy within each NPM scope
3. Address breaking changes with manual fix commits after each major version merge

Validation Checklist

• npm install && npm run lint passes at root
• cd docs/_server && npm install && npm run lint && npm test passes
• cd docs/assets/js && npm install && npm run lint && npm test passes
• npm run mdlint passes at root
• npm run cspell passes at root
• pip install -r requirements.txt succeeds
• Rust crates build successfully

Related PRs

#271, #272, #273, #274, #275, #276, #277, #278, #279, #280, #282, #284, #285, #286, #293, #294

[katriendg]

This was closed by PR #297