chore(deps): cleanups and updates

[mandarini]

Description

Follow-up dependency cleanup that was intentionally deferred from the pnpm migration (#2368) to keep that PR scope-focused. Batches five cohesive items: replacing a sabotaged package, removing dead deps, normalizing version placeholders, an EOL ESLint upgrade with a flat-config migration, and an Expo SDK bump that lets us drop a pnpm workaround.

What changed?

1. Replace faker with @faker-js/faker

The original faker package was sabotaged by its maintainer in January 2022 and is unmaintained. Swapped for the community fork @faker-js/faker (v10.4). The only consumer is packages/core/auth-js/test/lib/utils.ts, which needed three API renames:

• import faker from 'faker' to import { faker } from '@faker-js/faker'
• faker.random.alphaNumeric(N) to faker.string.alphanumeric(N) (3 call sites)
• faker.image.imageUrl() to faker.image.url() (1 call site)

@types/faker is also removed since @faker-js/faker ships its own types.

2. Remove unused webpack-cli

Zero consumers in the repo: no webpack.config.*, no scripts invoke webpack, no source imports. Leftover from before the Nx + tsdown + vite migration.

3. Normalize version placeholders to 0.0.0-automated

auth-js and storage-js had "version": "0.0.0" in both package.json and src/lib/version.ts, while the other four core packages used "0.0.0-automated". Cosmetic only since nx release overwrites both at publish time, but it affects the X-Client-Info header value in pkg.pr.new preview builds.

4. Upgrade ESLint 8 to 10 and migrate to flat config

ESLint 8 reached EOL in October 2024. Bumps and a flat-config migration:

• eslint: ^8.57.1 to ^10.0.1
• @typescript-eslint/eslint-plugin and parser: ^7.18.0 to ^8.21.0 (v7 only supports ESLint 8)
• Added typescript-eslint, @eslint/js, globals to support the new flat configs
• Removed eslint-plugin-node (abandoned since 2020; eslint-plugin-n already present)
• Migrated three legacy configs to flat format: /.eslintrc.json to eslint.config.mjs, packages/core/auth-js/.eslintrc.json to eslint.config.mjs, and packages/core/realtime-js/.eslintrc to eslint.config.mjs (the last also drops the deprecated babel-eslint parser)
• Updated nx.json so the linting named input picks up eslint.config.mjs for cache invalidation

nx lint is not wired into CI in this PR. Lint targets exist for auth-js and realtime-js via @nx/eslint/plugin auto-detection, but invoking them surfaces a pile of latent rule violations that would need their own triage pass. Enabling lint in CI and clearing the violations is a follow-up.

5. Bump Expo SDK 53 to 54 and remove the pnpm transformIgnorePatterns workaround

The pnpm migration added a regex lookahead in packages/core/supabase-js/test/integration/expo/package.json to handle pnpm's .pnpm/ directory layout in Jest. Newer jest-expo versions (Expo SDK 54+) are pnpm-aware out of the box, so the workaround is gone:

- "node_modules/(?!(\\.pnpm/.+/node_modules/)?(isows|@supabase|@supabase/realtime-js|@react-native|react-native|expo-modules-core|expo)/)"
+ "node_modules/(?!(isows|@supabase|@react-native|react-native|expo-modules-core|expo)/)"

Pin bumps for expo, expo-router, all expo-* modules, react/react-dom/react-native, jest-expo, react-test-renderer, eslint-config-expo, and related react-native ecosystem deps.

Why was this change needed?

Reduces the attack surface (sabotaged faker, EOL eslint@8), drops dead code (webpack-cli), and modernizes the ESLint config so a future CI lint pass can be enabled without first migrating off legacy config formats. Removes a workaround that newer Expo no longer requires.

[pkg-pr-new]

Open in StackBlitz

@supabase/auth-js

npm i https://pkg.pr.new/@supabase/auth-js@2371

@supabase/functions-js

npm i https://pkg.pr.new/@supabase/functions-js@2371

@supabase/postgrest-js

npm i https://pkg.pr.new/@supabase/postgrest-js@2371

@supabase/realtime-js

npm i https://pkg.pr.new/@supabase/realtime-js@2371

@supabase/storage-js

npm i https://pkg.pr.new/@supabase/storage-js@2371

@supabase/supabase-js

npm i https://pkg.pr.new/@supabase/supabase-js@2371

commit: fffa311