chore: consolidate dependency updates (#154, #155, #157, #158, #159, #160, #162, #163, #164, #165, #173) #175

Merged: Mtze merged 2 commits into main from feature/scorpio-dependency-update on Mar 6, 2026

@Mtze Mtze commented Mar 6, 2026

Description

Consolidates 11 open dependency update PRs into a single update to reduce noise and ensure all updates are tested together. Two of the updates are security fixes.

Root package (package.json):

| Package | Before | After | Notes |
| --- | --- | --- | --- |
| markdown-it | ^14.1.0 | ^14.1.1 | Security fix |
| @types/assert | ^1.5.10 | ^1.5.11 | |
| @types/webpack-env | ^1.18.5 | ^1.18.8 | |
| @vscode/test-web | ^0.0.62 | ^0.0.80 | |
| eslint | ^9.12.0 | ^9.39.3 | Requires flat config migration (see below) |

Webview package (webview/package.json):

| Package | Before | After | Notes |
| --- | --- | --- | --- |
| dompurify | ^3.1.7 | ^3.2.4 | Security fix |
| markdown-it | ^14.1.0 | ^14.1.1 | Security fix |
| rxjs | ~7.8.1 | ~7.8.2 | |
| bootstrap | ^5.3.3 | ^5.3.8 | |
| @vscode/markdown-it-katex | ^1.1.0 | ^1.1.2 | |
| @types/katex | ^0.16.7 | ^0.16.8 | |

ESLint flat config migration (eslint.config.js):

ESLint v9 dropped support for the legacy .eslintrc.json format and requires the new flat config format. The existing .eslintrc.json has been migrated to eslint.config.js. The deprecated @typescript-eslint/semi rule (removed in @typescript-eslint v8) was also dropped. The lint script in package.json was updated to remove the now-unnecessary --ext ts flag (flat config handles file targeting via files globs).

The extension builds successfully (webpack + Angular build) and lint passes with 0 errors.

Closes #154, #155, #157, #158, #159, #160, #162, #163, #164, #165, #173

Steps for Testing

  1. Check out this branch: git checkout feature/scorpio-dependency-update
  2. Install root dependencies: npm ci
  3. Install webview dependencies: cd webview && npm ci && cd ..
  4. Run the full build: npm run build
    • Expected: webpack and Angular builds complete with no errors
  5. Run the linter: npm run lint
    • Expected: 0 errors, 0 warnings (or only pre-existing warnings)
  6. Run the extension in the browser sandbox: npm run run-in-browser
    • Expected: Scorpio extension loads without errors in the browser-based VS Code instance
  7. Open an exercise in Scorpio (login, select a course and exercise, clone the repository)
    • Expected: Markdown rendering in the problem statement webview works correctly (validates markdown-it, dompurify, @vscode/markdown-it-katex)
  8. Verify submit and result views render correctly (validates bootstrap, rxjs)

Review Progress

Code Review

  • Review 1
  • Review 2

Manual Tests

  • Test 1
  • Test 2

Screenshots

N/A — no UI changes. This is a dependency-only update.


🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated project dependencies including UI frameworks, markup processing libraries, type definitions, and development tools to latest compatible versions.
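
An added example, not part of the PR or the project's code: a check that a manifest's semver ranges and the installed versions both sit at or above the versions this PR labels as security fixes. It assumes the fix first ships at the "After" floor from the tables above; the function names, the finding labels and the lockfile data are constructed for illustration.

```javascript
// Fixed versions taken from the PR tables (assumed to be the first fixed release).
const FIXED = { dompurify: "3.2.4", "markdown-it": "14.1.1" };

const parse = (v) => v.split(".").map(Number);

// Numeric three-part comparison: -1, 0 or 1.
function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version that a ^x.y.z, ~x.y.z or exact x.y.z range admits.
function rangeFloor(range) {
  const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[1];
}

// manifest: name -> range; resolved: name -> installed version (from a lockfile).
function audit(manifest, resolved) {
  const findings = [];
  for (const [name, fixed] of Object.entries(FIXED)) {
    if (!(name in manifest)) continue;
    const floor = rangeFloor(manifest[name]);
    // A floor below the fix means a fresh resolve may still pick an unfixed release.
    if (cmp(floor, fixed) < 0) {
      findings.push({ name, issue: "range-admits-unfixed", floor, fixed });
    }
    // The lockfile decides what is actually installed, whatever the range allows.
    if (resolved[name] && cmp(resolved[name], fixed) < 0) {
      findings.push({ name, issue: "installed-unfixed", installed: resolved[name], fixed });
    }
  }
  return findings;
}

// Constructed inputs mirroring the webview "Before" and "After" columns.
const before = { dompurify: "^3.1.7", "markdown-it": "^14.1.0", rxjs: "~7.8.1" };
const after = { dompurify: "^3.2.4", "markdown-it": "^14.1.1", rxjs: "~7.8.2" };
const staleLock = { dompurify: "3.1.7", "markdown-it": "14.1.1" };
const freshLock = { dompurify: "3.2.4", "markdown-it": "14.1.1" };

console.log(audit(before, staleLock));
console.log(audit(after, freshLock));
```

The "Before" range `^3.1.7` already permits 3.2.4, so raising the floor changes what a resolve is allowed to install, while the lockfile determines what `npm ci` actually installs.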

Mtze and others added 2 commits March 6, 2026 11:00
Automatically assigns the PR author as assignee when a PR is opened,
reopened, or marked ready for review.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Updates all dependencies from open renovate/dependabot PRs (#154, #155,
#157, #158, #159, #160, #162, #163, #164, #165, #173) into a single
consolidated update:

Root package (extension):
- markdown-it: ^14.1.0 → ^14.1.1 (security fix)
- @types/assert: ^1.5.10 → ^1.5.11
- @types/webpack-env: ^1.18.5 → ^1.18.8
- @vscode/test-web: ^0.0.62 → ^0.0.80
- eslint: ^9.12.0 → ^9.39.3

Webview package:
- dompurify: ^3.1.7 → ^3.2.4 (security fix)
- markdown-it: ^14.1.0 → ^14.1.1 (security fix)
- rxjs: ~7.8.1 → ~7.8.2
- bootstrap: ^5.3.3 → ^5.3.8
- @vscode/markdown-it-katex: ^1.1.0 → ^1.1.2
- @types/katex: ^0.16.7 → ^0.16.8

Also migrates ESLint config from legacy .eslintrc.json to the new flat
config format (eslint.config.js) required by ESLint v9, and removes the
deprecated @typescript-eslint/semi rule (removed in @typescript-eslint v8).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
coderabbitai bot commented Mar 6, 2026

Walkthrough

This pull request introduces a GitHub Actions workflow for automatic PR author assignment, adds a new ESLint configuration file for TypeScript linting, and updates multiple dependencies across the root and webview packages to newer versions.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| GitHub Actions Automation: .github/workflows/auto-assign.yml | New workflow that automatically assigns the PR author as the assignee when a PR is opened, reopened, or marked ready for review using the GitHub API. |
| ESLint Configuration: eslint.config.js | New ESLint configuration file for TypeScript that ignores declaration files (*.d.ts), enables the TypeScript ESLint plugin and parser, and configures rules for naming conventions, curly braces, equality checks, and literal throws. |
| Dependency Updates: package.json | Updated lint script to lint all files in src directory; bumped dependencies including markdown-it, and dev dependencies like @types/assert, @types/webpack-env, @vscode/test-web, and eslint to newer versions. |
| Webview Dependency Updates: webview/package.json | Version bumps for multiple dependencies including @vscode/markdown-it-katex, bootstrap, dompurify, markdown-it, rxjs, and @types/katex dev dependency. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With workflows set and configs clean,
The finest linting ever seen!
Dependencies hop to latest cheer,
Auto-assign brings joy right here!
A rabbit's delight, so tidy and bright! 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Out of Scope Changes check | ⚠️ Warning | The PR includes an unexpected auto-assign GitHub Actions workflow (.github/workflows/auto-assign.yml) not mentioned in any linked issues, representing an out-of-scope addition. | Remove .github/workflows/auto-assign.yml as it is unrelated to the dependency consolidation objective and should be addressed in a separate PR. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly and specifically summarizes the main changes: consolidating multiple dependency updates and indicating which issue numbers are being addressed. |
| Linked Issues check | ✅ Passed | The PR consolidates all listed dependency updates including dompurify v3.2.4 security fix from issue #154, with ESLint migration and all other package versions matching the objectives. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
.github/workflows/auto-assign.yml (1)

1-23: Well-structured workflow with appropriate permissions.

The workflow correctly:

  • Uses minimal pull-requests: write permission
  • Leverages actions/github-script@v7 for direct API access
  • Avoids unnecessary repository checkout

One consideration: This will also assign bot accounts (like Renovate or Dependabot) as assignees on their automated PRs. If this isn't desired, you could add a condition to skip bot users.

💡 Optional: Skip bot-generated PRs
     steps:
       - name: Auto assign PR author
         uses: actions/github-script@v7
         with:
           script: |
+            const author = context.payload.pull_request.user;
+            if (author.type === 'Bot') {
+              console.log('Skipping bot-generated PR');
+              return;
+            }
             await github.rest.issues.addAssignees({
               owner: context.repo.owner,
               repo: context.repo.repo,
               issue_number: context.issue.number,
-              assignees: [context.payload.pull_request.user.login]
+              assignees: [author.login]
             });
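Review bot: the early return under `if (author.type === 'Bot')` logs a fixed string, so a skipped run does not record which account was skipped; include `author.login` in the message. The check also relies on the payload's `type` field alone, so accounts that report `type` `User` (machine users, for example) are still assigned; say so in a comment if that is intended.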
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/auto-assign.yml around lines 1 - 23, The workflow
currently assigns the PR author unconditionally; update the script in the "Auto
assign PR author" step of the "auto-assign" job to skip bot-generated PRs by
checking the PR author identity (use context.payload.pull_request.user.type ===
'Bot' and/or context.payload.pull_request.user.login.endsWith('[bot]') and
return early if true) before calling github.rest.issues.addAssignees with
context.payload.pull_request.user.login.
eslint.config.js (1)

16-19: Consider updating ecmaVersion for modern TypeScript.

ecmaVersion: 6 (ES2015) is quite conservative. Modern TypeScript projects typically target ES2020+ to support features like optional chaining, nullish coalescing, and BigInt in the parser.

💡 Suggested update
     languageOptions: {
       parser: tsParser,
       parserOptions: {
-        ecmaVersion: 6,
+        ecmaVersion: "latest",
         sourceType: "module",
       },
     },
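Review bot: `ecmaVersion: "latest"` on the added line is an unpinned value that resolves to whatever the installed tooling supports, so lint behaviour can shift when the parser or ESLint is upgraded. Pin a specific year that matches the project's TypeScript target so results stay reproducible across dependency bumps.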
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@eslint.config.js` around lines 16 - 19, The ESLint config's parserOptions
currently sets ecmaVersion: 6 which prevents modern JS/TS syntax; update
parserOptions.ecmaVersion from 6 to a modern target (e.g., 2020 or 2022, or
"latest") so features like optional chaining, nullish coalescing and BigInt are
parsed correctly, and keep sourceType: "module" as-is; verify the
TypeScript/ESLint parser in use accepts the chosen ecmaVersion value.
📥 Commits

Reviewing files that changed from the base of the PR and between 35f3aeb and afa82d5.

⛔ Files ignored due to path filters (2)
  • package-lock.json is excluded by !**/package-lock.json
  • webview/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • .github/workflows/auto-assign.yml
  • eslint.config.js
  • package.json
  • webview/package.json

@Mtze Mtze merged commit efa5e14 into main Mar 6, 2026
8 checks passed
@Mtze Mtze deleted the feature/scorpio-dependency-update branch March 6, 2026 12:54