chore(deps): consolidate 16 dependabot PRs with eslint v10, vitest v4, and cspell v9 #296

@katriendg

Summary

Consolidate all 16 open dependabot PRs (#271–#294) into a single integration branch, covering dependency updates across NPM, Python, Rust, and GitHub Actions. Manual fix commits are needed to address breaking changes from eslint v10, vitest v4, and post-merge regressions from dependency resolution conflicts.

Scope

ESLint v10 Migration

  • Upgrade eslint from v9 to v10 across all three NPM scopes (root, docs/_server, docs/assets/js)
  • Add @eslint/js as an explicit devDependency in root package.json (decoupled from eslint v10 bundle)
  • No structural changes needed to eslint.config.js
  • Minimum Node.js raised to ^20.19.0 || ^22.13.0 || >=24

Vitest v4 and Vite 8

  • Upgrade vitest to 4.x and @vitest/coverage-v8 to 4.x in docs/_server and docs/assets/js
  • Adapt docs/assets/js/vitest.config.js for three breaking changes:
    • Reporter 'basic' renamed to 'default'
    • poolOptions.threads flattened to top-level maxThreads/minThreads
    • experimentalVmThreads removed
  • Migrate docs/_server/vitest.config.js and docs/_server/vitest.integration.config.js from deprecated poolOptions.forks to top-level maxWorkers

cspell v9

  • Upgrade cspell from v8 to v9 in root scope
  • Minimum Node raised to 20

Python Dependency Updates

  • Update root requirements.txt: python-hcl2 4.3.0→7.3.1, checkov 3.2.0→3.2.510
  • Update src/500-application/506-ros2-connector/services/requirements.txt with 7 package bumps including opencv-python 4.10→4.13, psutil 6→7.2, pytest 8→9, pytest-cov 5→7

Rust Security Patches

  • Apply rustls-webpki 0.103.7→0.103.10 (TLS certificate verification fix) in 502-rust-http-connector
  • Apply tar 0.4.44→0.4.45 (security fix) in 507-ai-inference

Other Updates

  • Bump markdownlint-cli 0.47.0→0.48.0 (root)
  • Bump happy-dom to 20.8.4 (docs/_server and docs/assets/js)
  • Upgrade ajv-formats v2→v3.0.1 in docs/_server (enforces timezone in date-time format)
  • Upgrade express-rate-limit v6→v8.3.1 in docs/_server
  • Update azure/login action hash in cluster-test-terraform.yml

Post-merge Fixes Required

  • Remove erroneous "overrides": { "js-yaml": "^4.1.0" } from docs/_server/package.json (breaks gray-matter frontmatter parsing)
  • Add uuid as a direct dependency in docs/_server/package.json (lost after lock file regeneration)
  • Add bold-title regex pattern to parseStepsFromMarkdown in docs/_server/services/learning-path-manifest.js for learning path kata references
  • Fix flaky CPU performance test in docs/_server/tests/performance/file-watch.test.js (widen tolerance from 1.2x to 2x)
  • Correct 9 boundary assertions in docs/_server/tests/integration/learning-path-selections.test.js (change toBeGreaterThan to toBeGreaterThanOrEqual)
  • Update response format expectations in docs/_server/tests/integration/progress-endpoint.test.js to match current API format

Merge Strategy

  1. Merge all 16 dependabot PRs in risk-prioritized sequence using an integration branch based on origin/main
  2. Security patches (Rust) and isolated changes first
  3. Scope-grouped NPM updates with sequential merging within shared lock file scopes
  4. Lock file conflicts resolved using delete-and-reinstall strategy

Validation Checklist

  • npm install && npm run lint passes at root
  • cd docs/_server && npm install && npm run lint && npm test passes
  • cd docs/assets/js && npm install && npm run lint && npm test passes
  • npm run mdlint passes at root
  • npm run cspell passes at root
  • pip install -r requirements.txt succeeds

Related PRs

#271, #272, #273, #274, #275, #276, #277, #278, #279, #280, #282, #284, #285, #286, #293, #294
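
An added example, not code from this repository or from the issue author: a minimum-version gate that could run after the integration merge to confirm the two Rust security patches listed above are still present in a `Cargo.lock`. The function names and the sample lock file are constructed for illustration; the version floors are the patched versions named in the issue, and each connector's lock file would be checked separately.

```javascript
// Version floors taken from the issue: rustls-webpki 0.103.10, tar 0.4.45.
const FLOORS = new Map([['rustls-webpki', '0.103.10'], ['tar', '0.4.45']]);

// Constructed sample lock file: one crate patched, one still on the old version.
const SAMPLE_LOCK = `
version = 4

[[package]]
name = "rustls-webpki"
version = "0.103.10"

[[package]]
name = "tar"
version = "0.4.44"

[[package]]
name = "serde"
version = "1.0.0"
`;

// Parse the [[package]] tables of a Cargo.lock into {name, version} pairs.
function parseLock(text) {
  return text.split('[[package]]').slice(1).map((block) => ({
    name: (block.match(/^name = "([^"]+)"/m) || [])[1],
    version: (block.match(/^version = "([^"]+)"/m) || [])[1],
  })).filter((p) => p.name && p.version);
}

// Numeric comparison of dotted versions. A plain string comparison would rank
// "0.103.7" above "0.103.10". Pre-release and build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Report every locked copy of a watched crate that is below its floor.
// A crate can be locked at more than one version, so all copies are checked.
function findUnpatched(lockText, floors = FLOORS) {
  return parseLock(lockText)
    .filter((p) => floors.has(p.name) && compareVersions(p.version, floors.get(p.name)) < 0)
    .map((p) => `${p.name} ${p.version} < ${floors.get(p.name)}`);
}

console.log(findUnpatched(SAMPLE_LOCK));
```

In CI the lock file text would be read from disk and a non-empty result would fail the job.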
