chore(deps): bump @vitejs/plugin-react 4.7.0 to 5.2.0 (replaces #16)

[saagpatel]

What

Bump @vitejs/plugin-react from 4.7.0 to 5.2.0 in package.json + pnpm-lock.yaml.

Why

Supersedes #16 — blocked by branch-name governance. Re-created on a codex-compliant branch per docs/SECURITY.md.

Major version bump (v4 → v5), but our usage surface is vanilla: vite.config.ts:12 is a bare plugins: [react()] with no babel options, no include/exclude, no jsxImportSource override. The project already satisfies every v5 requirement:

v5 requirement	Current state
Vite ≥ 5	Vite 7.3.1
React 18 or 19	React 19.1
Node ≥ 20	CI pins Node 20 everywhere
Standard "react-jsx" transform	tsconfig.json uses "jsx": "react-jsx"

Wave 4 (remainder, pre-Wave 5) of the audit remediation plan.

How

Single package.json line change (^4.6.0 → ^5.2.0), pnpm install to re-resolve.

Testing

• Commands run: pnpm install, pnpm build, pnpm test, pnpm typecheck
• Results:
  • pnpm install resolved cleanly to @vitejs/plugin-react 5.2.0; only dep that moved (per pnpm's devDependencies diff output)
  • pnpm build → 638ms, dist/ shape identical (same entry points, same chunk names/sizes)
  • pnpm test → 127/127 pass
  • pnpm typecheck → clean

Performance impact

• Bundle delta: none (chunk sizes identical — verified via build output)
• Build time delta: negligible (<50ms variance)
• Lighthouse delta: none expected
• API latency delta: none
• DB query delta: none

Risk / Notes

• No behavioral change to HMR, Fast Refresh, or production bundle
• The peer-dep warning @commitlint/cz-commitlint → inquirer is pre-existing and unrelated
• Close build(deps): bump @vitejs/plugin-react from 4.7.0 to 5.2.0 #16 after merge

Screenshots (UI only)

• N/A (no UI changes; build/test pass end-to-end)

Lockfile rationale (if lockfile changed)

• pnpm-lock.yaml regenerated for the dep bump. 90 insertions / 53 deletions reflects only plugin-react's own resolution + a handful of its internal transitive updates; no other top-level deps moved.

🤖 Generated with Claude Code