Skip to content

Modernize all dependencies#43

Merged
DavidLiedle merged 7 commits into
mainfrom
dep-modernize
Apr 16, 2026
Merged

Modernize all dependencies#43
DavidLiedle merged 7 commits into
mainfrom
dep-modernize

Conversation

@DavidLiedle
Copy link
Copy Markdown
Contributor

@DavidLiedle DavidLiedle commented Apr 16, 2026

Summary

Multi-phase dependency modernization across the whole stack. Each phase was validated with a build + Electron launch before committing, so any phase can be cherry-picked or reverted independently.

Phase Change
1 Minors/patches: rollup, typescript 5.9, postcss, autoprefixer, svelte tooling plugins, tslib, @tsconfig/svelte + actions/checkout@v4 → v6
2 @rollup/plugin-commonjs 25 → 28, @rollup/plugin-node-resolve 15 → 16
3 Electron 28 → 38 (and eventually 41, see Phase 6), electron-builder 24 → 26, dropped unused electron-is-dev dep
4 Tailwind 3 → 4 via official @tailwindcss/upgrade tool — CSS-first config, @tailwindcss/postcss, @tailwindcss/cli added; autoprefixer dropped
5 Svelte 4 → 5, svelte-check 3 → 4, svelte-preprocess 5 → 6 (legacy mode — no runes conversion forced); fixed one preexisting TS error in ResourceCard.svelte surfaced by svelte-check
6 Audit fixes: @rollup/plugin-terser 0.4 → 1.0, Electron 38 → 41, transitive svgo/yaml bumps; README Node min 14 → 20

Result: npm audit reports 0 vulnerabilities (down from 24). Build, launch, and npm run dist (DMG + ZIP) all pass.

Notable non-upgrades

  • TypeScript 6 is latest stable but breaks svelte-preprocess 5 in Svelte 4's toolchain. Deferred — safe to try again now that Svelte 5 is in place, but out of scope here.
  • electron-is-dev 3 is ESM-only. The dep was only used in a commented-out devtools toggle, so it was removed entirely rather than adding a dynamic import. The comment now references !app.isPackaged, the zero-dep equivalent.

Files of note

  • tailwind.config.js deleted — Tailwind 4 is CSS-first. Theme now lives in src/global.css and src/app.css via @theme.
  • main.js lost its electron-is-dev require.
  • No build config changes in package.json.

Test plan

  • npm install clean
  • npm run build succeeds
  • npm run electron launches the app
  • npx svelte-check has 0 errors
  • npm audit reports 0 vulnerabilities
  • npm run dist produces a working .dmg and .zip (arm64 mac)
  • Visual regression pass on the UI (cards, dark mode toggle, search) — reviewer check, since Tailwind 4 is a real migration

🤖 Generated with Claude Code

DavidLiedle and others added 7 commits April 16, 2026 08:44
@DavidLiedle @claude
chore(deps): bump minors and GitHub Actions
71902c2 
Within-major bumps to rollup, typescript (5.9.3), tslib, postcss,
autoprefixer, @tsconfig/svelte, @rollup/plugin-typescript,
rollup-plugin-css-only, rollup-plugin-svelte, plus actions/checkout v4→v6.

TypeScript 6 is latest stable but breaks svelte-preprocess 5; deferring
the TS 6 bump until after the Svelte 5 migration in a later phase.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@DavidLiedle @claude
chore(deps): rollup plugin majors
647cb47 
@rollup/plugin-commonjs 25 → 28 and @rollup/plugin-node-resolve 15 → 16.

Default behavior changes (strictRequires=true, NODE_ENV export conditions)
are fine for this codebase — only svelte is bundled through these plugins
and it doesn't rely on CJS wrap semantics.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@DavidLiedle @claude
chore(deps): electron ecosystem update
6795752 
electron 28 → 38 and electron-builder 24 → 26. No API surface used
(ipcMain.handle, contextBridge, BrowserWindow, shell.openExternal, Menu)
has breaking changes in this range.

Dropped electron-is-dev entirely — the only reference was a commented-out
devtools toggle. Swapped the comment to !app.isPackaged so re-enabling
doesn't need the dep. Avoids the v3 ESM/CJS interop issue.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@DavidLiedle @claude
chore(deps): tailwind v4 migration
4147f02 
Ran the official @tailwindcss/upgrade tool:
- tailwindcss 3.4 → 4.2
- @tailwind directives → @import 'tailwindcss'
- theme colors, animations, and keyframes moved to @theme block in CSS
- tailwind.config.js removed (config now CSS-first)
- postcss plugin replaced with @tailwindcss/postcss
- autoprefixer dropped (v4 handles vendor prefixing via Lightning CSS)
- utility renames applied by the tool (shadow-sm → shadow-xs,
  outline-none → outline-hidden)

Tailwind v4 split the CLI into @tailwindcss/cli; added it so the existing
build:css script continues to resolve the tailwindcss binary.

Dark mode config preserved via @custom-variant (class-based, as before).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@DavidLiedle @claude
feat(deps): svelte 5 migration
5695d10 
svelte 4 → 5, svelte-check 3 → 4, svelte-preprocess 5 → 6.

The 4 component files build and run cleanly in Svelte 5's legacy mode,
so the migration tool's runes conversion was not forced — per Svelte's
guidance, legacy Svelte 4 code continues to work in v5.

Fixed one svelte-check error surfaced by the newer type definitions:
currentTarget.style access in ResourceCard.svelte needed an
HTMLImageElement cast. The error predated this bump but was hidden
because svelte-check wasn't in the build script.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@DavidLiedle @claude
chore(deps): finalize — audit fixes, electron 41, Node 20 min
78733c0 
- @rollup/plugin-terser 0.4 → 1.0 to drop vulnerable serialize-javascript
- npm audit fix resolved transitive svgo and yaml advisories
- electron 38 → 41 closes the last high-severity advisory (offscreen
  paint UAF and related). No impact on our API surface — verified with
  a build, launch, and full electron-builder dist pass (dmg + zip).
- README Node minimum bumped v14 → v20 (electron-builder and Node 22
  baseline in the ecosystem make v14 non-viable).

npm audit now reports zero vulnerabilities.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@DavidLiedle @claude
fix: use mount() for Svelte 5 entry
439d44c 
Svelte 5 removed the new Component({ target }) instantiation API; the
compat shim doesn't cover bare new App() without going through
svelte/legacy's createClassComponent. Switching the entry to the
supported mount() from 'svelte' fixes an effect_orphan runtime error
that left the window blank.

Caught via devtools after the Phase 5 migration. The build, svelte-check,
and Electron launch all succeeded — only the renderer-initialization
path threw.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@DavidLiedle DavidLiedle merged commit 4a21748 into main Apr 16, 2026
@DavidLiedle DavidLiedle deleted the dep-modernize branch April 16, 2026 15:13
DavidLiedle added a commit that referenced this pull request Apr 16, 2026
@DavidLiedle @claude
chore: bump to v2.0.0
6e17b6a 
Reflects the Svelte 5 + Tailwind 4 + Electron 41 stack from PR #43.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DavidLiedle