fix: Bump runtime and development dependencies #9870

Merged
asheshv merged 1 commit into master from worktree-bump-dependencies
Apr 24, 2026

@asheshv asheshv commented Apr 24, 2026

Summary

Consolidated dependency bump covering all open Dependabot PRs plus additional minor/patch updates discovered during audit.

Python (requirements.txt)

  • Authlib 1.6.9 → 1.7.0 (introduces joserfc transitive dep)
  • Flask-Security-Too 5.7.* → 5.8.* (py>3.9)
  • certifi 2026.2.25 → 2026.4.22
  • Flask-WTF 1.2.* → 1.3.*

Python test (web/regression/requirements.txt)

  • selenium 4.41.0 → 4.43.0
  • testscenarios 0.5.0 → 0.6.1
  • testtools 2.8.7 → 2.9.0

JavaScript web (web/package.json)

  • @mui/material ^7.3.7 → ^7.3.10, @mui/x-date-pickers ^8.27.2 → ^8.28.3, @mui/icons-material ^7.3.6 → ^7.3.10
  • dompurify ^3.3.3 → ^3.4.1 (security-relevant)
  • axios ^1.13.5 → ^1.15.2, react/react-dom ^19.2.3 → ^19.2.5
  • typescript ^5.9.2 → ^6.0.3, marked ^17.0.1 → ^18.0.2, react-checkbox-tree ^1.7.2 → ^2.0.1
  • eslint ^9.39.2 → ^9.39.4
  • ~60 more minor/patch bumps across build, test, and runtime deps

JavaScript runtime (runtime/package.json)

  • electron 41.2.0 → 41.3.0
  • axios ^1.15.0 → ^1.15.2, eslint ^10.2.0 → ^10.2.1, globals ^17.4.0 → ^17.5.0

Not included (need dedicated migration)

Supersedes these Dependabot PRs

#9856, #9855, #9862, #9860, #9859, #9845, #9844, #9853, #9851, #9849, #9850, #9840, #9861, #9858, #9857, #9841, #9788, #9765

Test plan

  • ESLint passes (web/ and runtime/)
  • 824/824 JS tests pass
  • Webpack dev bundle builds successfully
  • pip install clean for both requirements.txt files
  • Python regression
  • Feature tests

Python (requirements.txt):
- Authlib 1.6.9 -> 1.7.0
- Flask-Security-Too 5.7.* -> 5.8.* (py>3.9)
- certifi 2026.2.25 -> 2026.4.22
- Flask-WTF 1.2.* -> 1.3.*

Python test (web/regression/requirements.txt):
- selenium 4.41.0 -> 4.43.0
- testscenarios 0.5.0 -> 0.6.1
- testtools 2.8.7 -> 2.9.0

JavaScript web (web/package.json):
- @mui/material ^7.3.7 -> ^7.3.10
- @mui/x-date-pickers ^8.27.2 -> ^8.28.3
- @mui/icons-material ^7.3.6 -> ^7.3.10
- dompurify ^3.3.3 -> ^3.4.1
- axios ^1.13.5 -> ^1.15.2
- react ^19.2.3 -> ^19.2.5
- react-dom ^19.2.3 -> ^19.2.5
- typescript ^5.9.2 -> ^6.0.3
- marked ^17.0.1 -> ^18.0.2
- react-checkbox-tree ^1.7.2 -> ^2.0.1
- eslint ^9.39.2 -> ^9.39.4
- and ~60 more minor/patch bumps across build, test, and runtime deps

JavaScript runtime (runtime/package.json):
- electron 41.2.0 -> 41.3.0
- axios ^1.15.0 -> ^1.15.2
- eslint ^10.2.0 -> ^10.2.1
- globals ^17.4.0 -> ^17.5.0

coderabbitai Bot commented Apr 24, 2026

Walkthrough

Multiple dependency versions updated across Python and Node.js ecosystems. Updates include Authlib, certifi, Flask packages in requirements.txt; electron, eslint, globals, axios in runtime/package.json; extensive web framework and development tooling in web/package.json; and Selenium, testscenarios, testtools in regression tests.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Python Backend Dependencies: requirements.txt | Bumped Authlib (1.6.9→1.7.0), certifi (2026.2.25→2026.4.22), Flask-Security-Too (5.7.*→5.8.*), and Flask-WTF (1.2.*→1.3.*). |
| Node.js Runtime Dependencies: runtime/package.json | Updated electron (41.2.0→^41.3.0), eslint (^10.2.0→^10.2.1), globals (^17.4.0→^17.5.0), and axios (^1.15.0→^1.15.2). |
| Web Frontend Dependencies: web/package.json | Incremented versions across Babel, ESLint, Jest, webpack tooling, TypeScript, and build utilities in devDependencies; updated editor, date, MUI, TanStack, React component, and runtime utility packages in dependencies. |
| Regression Test Dependencies: web/regression/requirements.txt | Bumped Selenium (4.41.0→4.43.0), testscenarios (0.5.0→0.6.1), and testtools (2.8.7→2.9.0). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • PR #9834: Runtime dependency updates (electron, eslint, axios, globals) are refined continuations of version bumps introduced in that PR.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: consolidated dependency bumps across Python, JavaScript web, and JavaScript runtime environments. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
runtime/package.json (1)

16-16: Consider keeping Electron exact-pinned.

The previous spec was "electron": "41.2.0" (exact); this change switches it to a caret range "^41.3.0". For the desktop runtime shipped in DEB/RPM/installer packages, exact-pinning is generally safer so that reproducible builds don't silently pick up a new 41.x patch between CI and a release build. The other runtime deps are already using caret ranges, but Electron is the one that defines the shipped Chromium/Node ABI.

Optional pin
-    "electron": "^41.3.0",
+    "electron": "41.3.0",
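Review bot: The exact `41.3.0` on the `+` line pins only the manifest; the Electron version a release build installs is whatever `runtime/yarn.lock` resolves, and that file was excluded from this review by path filter. The pin should land together with a regenerated lockfile and an install step that refuses to re-resolve (`yarn install --frozen-lockfile` on Yarn 1, `yarn install --immutable` on Yarn 2+). The PR description also lists "electron 41.2.0 → 41.3.0" with no caret while the `-` line shows `^41.3.0`, so the description and the manifest should be brought into agreement whichever spec is kept.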
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@runtime/package.json` at line 16, The electron dependency in package.json was
changed from an exact pin to a caret range ("^41.3.0"); change the "electron"
entry back to an exact version (e.g., "41.3.0") to ensure reproducible builds,
then regenerate the lockfile by running your package manager (npm/yarn/pnpm
install) so the lockfile matches the exact pin; update any related packaging
scripts if they assume the range.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 819de4fc-93d3-4b3d-a957-6a1a28d48346

📥 Commits

Reviewing files that changed from the base of the PR and between 3294e74 and 900ae04.

⛔ Files ignored due to path filters (2)
  • runtime/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
  • web/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (4)
  • requirements.txt
  • runtime/package.json
  • web/package.json
  • web/regression/requirements.txt
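
The exact-pin recommendation in the review above can be enforced as a CI check. The following is an added example, not code from this pull request or its project: it flags a range spec on a must-pin package and confirms the lockfile resolves the pinned version. The `MUST_PIN` list, the function names, the sample inputs, and the Yarn v1 (classic) lockfile layout are assumptions.

```javascript
// Added example: CI guard for packages that must be exact-pinned.
// MUST_PIN is a hypothetical policy list; the parser assumes Yarn v1 lockfiles.
const MUST_PIN = ['electron'];

// An exact pin is a bare x.y.z version, optionally with a prerelease/build tag.
const EXACT = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/;

// Return the version the lockfile resolves for "name@spec", or null if absent.
function lockedVersion(lockText, name, spec) {
  const key = `${name}@${spec}`;
  const lines = lockText.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    // Entry headers are unindented, end with ":", and may list several keys.
    if (line.startsWith(' ') || !line.endsWith(':')) continue;
    const keys = line.slice(0, -1).split(',')
      .map((k) => k.trim().replace(/^"|"$/g, ''));
    if (!keys.includes(key)) continue;
    // The entry body is the run of indented lines that follows the header.
    for (let j = i + 1; j < lines.length && lines[j].startsWith(' '); j++) {
      const m = lines[j].match(/^\s+version\s+"([^"]+)"/);
      if (m) return m[1];
    }
  }
  return null;
}

// Return a list of findings; an empty list means the policy holds.
function auditPins(manifest, lockText) {
  const findings = [];
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  for (const name of MUST_PIN) {
    const spec = deps[name];
    if (spec === undefined) continue;
    if (!EXACT.test(spec)) {
      findings.push(`${name}: "${spec}" is a range, not an exact pin`);
      continue;
    }
    const locked = lockedVersion(lockText, name, spec);
    if (locked === null) findings.push(`${name}: no lockfile entry for ${name}@${spec}`);
    else if (locked !== spec) findings.push(`${name}: lockfile resolves ${locked}, manifest pins ${spec}`);
  }
  return findings;
}

// Constructed samples mirroring the two specs discussed in the review.
const SAMPLE_LOCK = 'electron@41.3.0:\n  version "41.3.0"\n';
console.log(auditPins({ devDependencies: { electron: '^41.3.0' } }, SAMPLE_LOCK));
console.log(auditPins({ devDependencies: { electron: '41.3.0' } }, SAMPLE_LOCK));
```
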

@asheshv asheshv merged commit b70d4c9 into master Apr 24, 2026
50 checks passed
@asheshv asheshv deleted the worktree-bump-dependencies branch April 24, 2026 08:58