Summary
Bump webpack, Babel, and other stale JS dependencies (~4 years out of date); consider migrating to Vite/Rollup/esbuild
Environment
- Product/Service: FeatureSET-Display — Build system
- File: package.json, package-lock.json
- Current pinned versions: webpack 5.70, Babel 7.17, axios 0.26
Problem Description
package.json pins webpack 5.70, Babel 7.17, and axios 0.26 — all approximately 4 years old. Outdated toolchain versions mean missed security patches, incompatibility with modern Node.js, and slower builds compared to current alternatives. @babel/transform-runtime adds overhead that is unnecessary when targeting modern browsers (evergreen, ESM-native).
Expected Behavior
- All JS build dependencies are on current stable versions.
- Build times are comparable to or faster than current baseline.
- No known CVEs in any dependency.
- package-lock.json reflects the updated dependency tree.
Actual Behavior
Dependencies are ~4 years stale. axios 0.26 carries an unpatched CVE (also tracked in issue 2c).
Impact
Medium — Security hygiene and developer experience. Stale toolchain blocks adoption of modern JS features and may conflict with newer Node.js versions.
Additional Context
Replacing webpack with Vite or esbuild can give an order-of-magnitude build speed improvement. This change pairs naturally with issue 3b (Emscripten build flag cleanup) — both touch the build system and are good to land together. Once the toolchain is updated, 3c (test system) and 3d (CI) build on a clean base.
Tasks
- @babel/transform-runtime if targeting modern (evergreen) browsers
- package-lock.json after all dependency changes
- npm run build and npm run build-es6 still produce correct output
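
One way to check the "package-lock.json reflects the updated dependency tree" criterion, as an added example that is not code from this project: it compares each range declared in package.json with the version recorded in a lockfileVersion 2/3 lockfile, and shows why a caret range on a 0.x release such as axios 0.26 never moves to a newer minor by itself. The sample manifests, the patch-level versions, the "^1.0.0" target and all function names are constructed for illustration.

```javascript
// Added example. All manifests below are constructed; only the three pins
// (webpack 5.70, Babel 7.17, axios 0.26) come from the issue text.
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
};
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
// npm caret rule: the upper bound bumps the left-most non-zero component,
// so ^0.26.0 means >=0.26.0 <0.27.0 while ^5.70.0 means >=5.70.0 <6.0.0.
const caretCeiling = ([maj, min, pat]) =>
  maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];

// Handles exact, ^x.y.z and ~x.y.z only (simplification); null = unsupported.
function satisfies(version, range) {
  const v = parse(version);
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(range);
  if (!v || !m) return null;
  const base = parse(m[2]);
  if (m[1] === "") return cmp(v, base) === 0;
  const ceil = m[1] === "^" ? caretCeiling(base) : [base[0], base[1] + 1, 0];
  return cmp(v, base) >= 0 && cmp(v, ceil) < 0;
}

// Compare declared ranges with a lockfileVersion 2/3 "packages" map.
function checkLock(pkg, lock) {
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages?.[`node_modules/${name}`];
    const ok = entry ? satisfies(entry.version, range) : false;
    if (!entry) problems.push(`${name}: missing from lockfile`);
    else if (ok === null) problems.push(`${name}: range ${range} not handled`);
    else if (!ok) problems.push(`${name}: locked ${entry.version} outside ${range}`);
  }
  return problems;
}

const lock = { lockfileVersion: 3, packages: {
  "": {},
  "node_modules/axios": { version: "0.26.1" },
  "node_modules/webpack": { version: "5.70.0" },
  "node_modules/@babel/core": { version: "7.17.5" },
} };
const stale = { dependencies: { axios: "^0.26.0" },
  devDependencies: { webpack: "^5.70.0", "@babel/core": "^7.17.0" } };
// Hypothetical bump of axios only; "^1.0.0" is a placeholder target.
const bumped = { ...stale, dependencies: { axios: "^1.0.0" } };
console.log(checkLock(stale, lock), checkLock(bumped, lock));
```

A non-empty result after editing package.json means the lockfile was not regenerated, which is the condition a CI step would fail on.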