
chore: update all NPM deps and migrate configs #447

Merged
dkotter merged 11 commits into WordPress:develop from justlevine:chore/all-package-deps
Apr 22, 2026

@justlevine
Contributor

@justlevine justlevine commented Apr 19, 2026

What?

Closes

This PR updates all NPM deps to their latest compatible versions. Specifically:

  • @wordpress/eslint-plugin v25 and eslint v10.
    • As a result, the eslint config is now a flatConfig at eslint.config.mjs and several existing issues have been remediated.
  • @wordpress/env to v11
    • As a result, there are now separate .wp-env.json and .wp-env.test.json files.
    • The .wp-env.test.json is used for both phpunit and e2e, and negates the need of the old playwright script.
  • @wordpress/route and @wordpress/theme are pinned at nonconflicting versions to work around the bug in @wordpress/build.

As a result:

  • npm run test:e2e:env:start and npm run test:e2e:env:stop => npm run wp-env:test <wp-env command>

Why?

This was the fastest way to detangle the bug in @wordpress/build that was introduced in #340 (comment).

Turns out the old version of @wordpress/scripts wasn't even reading our eslintrc.cjs file (only *.js), and because the required fixes were all cosmetic too.

Closes

How?

Use of AI Tools

  • GLM-5.1 in opencode to migrate the eslint config to v10 and to remediate the (now-working) npm run lint:js results.
  • GPT-5.4 (thinking: high) in opencode to debug the failing licence-check CI

Testing Instructions

  1. run nvm use && npm install && npm run build and ensure build passes successfully.
  2. run npm run wp-env destroy and npm run wp-env start and ensure the new environment builds, and can be visited at localhost:8888. Ensure the built admin screen is visible.
  3. run npm run wp-env:test start -- --xdebug=coverage and ensure the test environment builds, and then npm run test:php && npm run test:e2e and ensure tests are running on the test environment.

Screenshots or screencast

Before After

Changelog Entry

Added - New feature.
Changed - Existing functionality.
Deprecated - Soon-to-be removed feature.
Removed - Feature.
Fixed - Bug fix.
Security - Vulnerability.
Development Update - Development related updates.

@jeffpaul not sure what you want here mate. Would more broadly suggest we adopt conventional commits and start squash-merging PRs because as-is the commit-history of this repo is hell.


@github-actions

github-actions Bot commented Apr 19, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: justlevine <justlevine@git.wordpress.org>
Co-authored-by: dkotter <dkotter@git.wordpress.org>
Co-authored-by: jeffpaul <jeffpaul@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@codecov

codecov Bot commented Apr 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.90%. Comparing base (43d3bde) to head (90df684).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files
@@            Coverage Diff             @@
##             develop     #447   +/-   ##
==========================================
  Coverage      66.90%   66.90%           
  Complexity       907      907           
==========================================
  Files             59       59           
  Lines           4699     4699           
==========================================
  Hits            3144     3144           
  Misses          1555     1555           
Flag Coverage Δ
unit 66.90% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


@justlevine
Contributor Author

justlevine commented Apr 19, 2026

Not sure the deal with this dependency-review workflow but both those are coming from @wordpress/* deps, not our own.

 npm ls  argparse uri-js
ai@ /home/justl/work/sites/wptest/repos/ai
├─┬ @wordpress/env@11.4.0
│ ├─┬ @wp-playground/cli@3.1.20
│ │ └─┬ ajv@8.12.0
│ │   └── uri-js@4.4.1
│ └─┬ js-yaml@3.14.2
│   └── argparse@1.0.10
└─┬ @wordpress/scripts@32.0.0
  ├─┬ @wordpress/eslint-plugin@25.0.0
  │ └─┬ eslint@9.39.4
  │   ├─┬ @eslint/eslintrc@3.3.5
  │   │ ├─┬ ajv@6.14.0
  │   │ │ └── uri-js@4.4.1 deduped
  │   │ └─┬ js-yaml@4.1.1
  │   │   └── argparse@2.0.1
  │   └─┬ ajv@6.14.0
  │     └── uri-js@4.4.1 deduped
  ├─┬ eslint@10.2.1
  │ └─┬ ajv@6.14.0
  │   └── uri-js@4.4.1 deduped
  ├─┬ markdownlint-cli@0.31.1
  │ ├─┬ js-yaml@4.1.1
  │ │ └── argparse@2.0.1
  │ └─┬ markdownlint@0.25.1
  │   └─┬ markdown-it@12.3.2
  │     └── argparse@2.0.1
  ├─┬ npm-package-json-lint@6.4.0
  │ ├─┬ ajv@6.14.0
  │ │ └── uri-js@4.4.1 deduped
  │ └─┬ cosmiconfig@8.3.6
  │   └─┬ js-yaml@4.1.1
  │     └── argparse@2.0.1
  ├─┬ stylelint@16.26.1
  │ └─┬ cosmiconfig@9.0.1
  │   └─┬ js-yaml@4.1.1
  │     └── argparse@2.0.1
  └─┬ url-loader@4.1.1
    └─┬ schema-utils@3.3.0
      └─┬ ajv@6.14.0
        └── uri-js@4.4.1 deduped

@justlevine justlevine requested review from dkotter and jeffpaul April 19, 2026 22:42
@justlevine
Contributor Author

@jeffpaul @dkotter I ran out of time, if you really want me to slice this up into individual PRs I can.

@justlevine justlevine force-pushed the chore/all-package-deps branch from 397b34d to 995b166 Compare April 20, 2026 15:53
@jeffpaul jeffpaul added this to the 0.8.0 milestone Apr 20, 2026
@jeffpaul jeffpaul moved this to Needs review in WordPress AI Planning & Roadmap Apr 20, 2026
@justlevine justlevine force-pushed the chore/all-package-deps branch from 995b166 to d8b85c1 Compare April 20, 2026 18:31
@justlevine
Contributor Author

Not sure the deal with this dependency-review workflow but both those are coming from @wordpress/* deps, not our own.

@jeffpaul
Member

We would need to update https://github.com/WordPress/ai/blob/develop/.github/dependency-review-config.yml to explicitly include BSD-2-Clause AND BSD-2-Clause-Views. Unfortunately the Gutenberg repo doesn't make their check reusable nor its base list of approved licenses, so we're trying to mirror that with our config file (because then at least other WPORG repos could make use of our config file; some argument that it would be better in the wordpress/.github repo).

@justlevine
Contributor Author

We would need to update https://github.com/WordPress/ai/blob/develop/.github/dependency-review-config.yml to explicitly include BSD-2-Clause AND BSD-2-Clause-Views

@jeffpaul I tried that in b9d7c2f but it didn't help, also the actual package is a plain old BSD-2-Clause so not even sure what it's complaining about.


I'm trying to debug now with some local agents, but if you have any other suggestions from experience with the 10up prior art lmk 🙇

@jeffpaul
Member

Perhaps garycourt/uri-js#87 is causing an issue here, maybe try ALSO adding a line for the BSD-2-Clause-Views on its own alongside the AND variant as well?

@justlevine
Contributor Author

justlevine commented Apr 21, 2026

GPT-5.4 agrees with you:

The package metadata you can see is still BSD-2-Clause, and your package-lock.json agrees. The important detail is that the upstream LICENSE text includes the extra “views and conclusions…” clause, which scanners often classify as BSD-2-Clause-Views rather than plain BSD-2-Clause; that is why GitHub can surface the package as BSD-2-Clause AND BSD-2-Clause-Views even though npm shows the simpler label.

And regarding why BSD-2-Clause AND BSD-2-Clause-Views didn't work:

The fix is to add BSD-2-Clause-Views as its own entry in .github/dependency-review-config.yml. actions/dependency-review-action does not match allow-licenses against the full expression string; it strips out entries containing AND/OR and then checks whether each component of the dependency’s SPDX expression is individually allowed.

I didn't do any further sleuthing because between the GH issue you linked and the change it recommended that I applied in 8028690, CI is now passing 🚀
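
An added sketch, not part of the comment above and not the source of actions/dependency-review-action, modelling the matching behaviour the comment describes: compound allow-list entries are dropped and every identifier in the detected expression must be allowed on its own. The function names and both sample allow lists are constructed for illustration.

```javascript
// Simplified model of the matching described above; not the action's source.

// Split an SPDX expression into licence identifiers, dropping operators and
// parentheses. "WITH <exception>" clauses are out of scope for this sketch.
function spdxComponents(expression) {
  return expression
    .replace(/[()]/g, ' ')
    .split(/\s+(?:AND|OR)\s+/)
    .map((id) => id.trim())
    .filter(Boolean);
}

// Compound allow-list entries are discarded, so only single identifiers
// can ever match a component.
function usableAllowList(allowLicenses) {
  return allowLicenses.filter((entry) => !/\s(?:AND|OR)\s/.test(entry));
}

// Per the description, every component must be allowed individually.
function checkLicense(expression, allowLicenses) {
  const allowed = new Set(usableAllowList(allowLicenses));
  const denied = spdxComponents(expression).filter((id) => !allowed.has(id));
  return { ok: denied.length === 0, denied };
}

// Constructed inputs mirroring the thread.
const detected = 'BSD-2-Clause AND BSD-2-Clause-Views';
const compoundEntry = ['BSD-2-Clause', 'BSD-2-Clause AND BSD-2-Clause-Views'];
const separateEntry = ['BSD-2-Clause', 'BSD-2-Clause-Views'];

console.log(checkLicense(detected, compoundEntry)); // compound entry is ignored
console.log(checkLicense(detected, separateEntry)); // each component matches
```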

dkotter previously approved these changes Apr 21, 2026
@dkotter
Collaborator

dkotter commented Apr 22, 2026

Ugh, sorry @justlevine. I merged develop in here and fixed merge conflicts, hoping to get this merged in. But now getting CI failures when it runs npm run build: sass --embedded is unavailable in pure JS mode. Not seeing that locally so not sure. Tried re-installing node dependencies a few different times with different node/npm versions but nothing seemed to work.

Hoping it's something minor that you can see that just needs the package lock refreshed to clear things out.

@dkotter
Collaborator

dkotter commented Apr 22, 2026

@justlevine Okay, think I got this figured out. I had to regenerate the package-lock.json file to fix merge conflicts and I didn't delete the node_modules directory first. In doing some research, seems there's a known issue in that scenario where npm won't properly include optional dependencies in the lock file. Deleted node_modules and package-lock.json and ran npm install again and committed the new lock file and that seemed to clear things out.
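
An added example, not from this thread or from npm, of a check for the failure described in the comment above: a package-lock.json that declares optional dependencies it never locks. It assumes lockfileVersion 2 or 3 (a `packages` map keyed by install path); the function names and the package names in the sample are hypothetical.

```javascript
// Report optional dependencies that a lockfile declares but never locks.
// `lock` is a parsed package-lock.json (lockfileVersion 2 or 3).
function findMissingOptionalDeps(lock) {
  const packages = lock.packages || {};
  const missing = [];
  for (const [path, entry] of Object.entries(packages)) {
    for (const name of Object.keys(entry.optionalDependencies || {})) {
      if (!resolves(packages, path, name)) {
        missing.push({ dependent: path || '(root)', name });
      }
    }
  }
  return missing;
}

// Node resolution walks up from the dependent's own node_modules to the
// root, so every ancestor install location has to be checked.
function resolves(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (candidate in packages) return true;
    if (base === '') return false;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Constructed lockfile: generated on macOS with a stale node_modules, so the
// Linux binary that CI needs was never written to the lock.
const brokenLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', devDependencies: { 'example-native': '1.0.0' } },
    'node_modules/example-native': {
      version: '1.0.0',
      optionalDependencies: {
        'example-native-linux-x64': '1.0.0',
        'example-native-darwin-arm64': '1.0.0',
      },
    },
    'node_modules/example-native-darwin-arm64': { version: '1.0.0', optional: true },
  },
};

console.log(findMissingOptionalDeps(brokenLock));
```

To run it on a real project, pass the result of JSON.parse on the contents of package-lock.json; a non-empty result in CI is a signal to regenerate the lock from a clean tree.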

@justlevine
Contributor Author

(Recommending we squash-merge this 😅 )

@dkotter dkotter merged commit ae75c40 into WordPress:develop Apr 22, 2026
18 checks passed
@github-project-automation github-project-automation Bot moved this from Needs review to Done in WordPress AI Planning & Roadmap Apr 22, 2026
@justlevine justlevine deleted the chore/all-package-deps branch April 22, 2026 16:47