Pull request overview
Updates the Web UI’s npm dependency set (including a React Router major upgrade) and adjusts related docs/examples to match the new routing version and authentication guidance.
Changes:
- Bumped multiple runtime + dev dependencies for the Web UI (React Router v7, Vite, Vitest, TypeScript, etc.) and added npm overrides.
- Updated Web UI docs to reference React Router v7.
- Adjusted QUICKSTART to remove the JWT “login” step/troubleshooting text; corrected JWT wording in FEATURES docs.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| webui/package.json | Updates dependency versions and adds npm overrides to control transitive versions. |
| webui/SUMMARY.md | Updates routing tech note from React Router v6 to v7. |
| webui/QUICKSTART.md | Removes JWT login/troubleshooting guidance and renumbers steps accordingly. |
| webui/IMPLEMENTATION.md | Updates routing tech note from React Router v6 to v7. |
| contrib/postman/NGINX Declarative API.postman_collection.json | Updates embedded request body JSON strings (likely formatting/validation corrections). |
| FEATURES.md | Fixes JWT description wording (“JSON Web Token”). |
| "react": "^19.2.4", | ||
| "react-dom": "^19.2.4", | ||
| "react-hot-toast": "^2.6.0", | ||
| "react-router-dom": "^7.13.2" |
This introduces multiple major-version upgrades at once (notably react-router-dom v6 → v7, plus large jumps in UI/tooling deps). To reduce rollout risk, consider pinning major upgrades to exact versions (drop ^ for the major-bumped packages) and/or explicitly documenting required Node/npm versions via engines so CI and developer environments don’t drift into incompatible installs.
| "react-router-dom": "^7.13.2" | |
| "react-router-dom": "7.13.2" |
| "dompurify": "^3.3.3", | ||
| "flatted": "^3.4.2" |
If these overrides were added to address specific vulnerabilities, using semver ranges can make it harder to reproduce exactly which security-fixed version is installed over time. Consider pinning exact versions in overrides (and relying on the lockfile for determinism) and adding a short note in PR description/release notes about why these overrides exist (e.g., CVE/advisory reference) so they don’t get removed accidentally later.
| "dompurify": "^3.3.3", | |
| "flatted": "^3.4.2" | |
| "dompurify": "3.3.3", | |
| "flatted": "3.4.2" |
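A CI-style check for the pinning advice in the comment above, as an added example that is not part of the pull request or the review: it walks a `package.json` `overrides` block, including nested entries and `$name` references to direct dependencies, and reports every entry that is not an exact version. The sample object and the `example-parent` / `example-child` names are constructed for illustration.

```javascript
// Added example: flag npm "overrides" entries that are not pinned to an exact version.
// Exact semver only: MAJOR.MINOR.PATCH with optional pre-release / build metadata.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Walk the (possibly nested) overrides object and collect unpinned specs.
function findUnpinnedOverrides(pkg) {
  const direct = { ...pkg.dependencies, ...pkg.devDependencies };
  const findings = [];
  const walk = (node, path) => {
    for (const [name, spec] of Object.entries(node)) {
      const where = [...path, name];
      if (spec !== null && typeof spec === "object") {
        walk(spec, where); // nested override scoped to a parent package
        continue;
      }
      // "$name" reuses the spec of a direct dependency, so check that spec instead.
      let resolved = spec;
      if (typeof spec === "string" && spec.startsWith("$")) {
        resolved = direct[spec.slice(1)];
      }
      if (typeof resolved !== "string" || !EXACT.test(resolved)) {
        findings.push({ override: where.join(" > "), spec: String(spec) });
      }
    }
  };
  walk(pkg.overrides || {}, []);
  return findings;
}

// Constructed sample: one ranged and one exact entry in the style of the
// overrides discussed above, plus a hypothetical nested override.
const samplePkg = {
  dependencies: { "react-router-dom": "^7.13.2" },
  overrides: {
    dompurify: "^3.3.3",
    flatted: "3.4.2",
    "example-parent": { "example-child": "~1.0.0" }, // hypothetical names
  },
};

const findings = findUnpinnedOverrides(samplePkg);
for (const f of findings) {
  console.log(`unpinned override: ${f.override} -> ${f.spec}`);
}
```

Run against the real `webui/package.json` in CI, a non-empty result can fail the build so a ranged override is caught before the lockfile is regenerated.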
| *Note: For production, configure proper JWT validation on the backend.* | ||
|
|
||
| ### Step 5: Create Your First Configuration | ||
| ### Step 4: Create Your First Configuration |
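Review bot: The first line of this QUICKSTART hunk, "*Note: For production, configure proper JWT validation on the backend.*", is the only production-hardening pointer visible here, and it sits directly above the step heading that is renumbered from 5 to 4. If that note is part of the removed login text, keep it or move it to wherever backend authentication is documented, so a reader following the quickstart does not treat a setup without token validation as production-ready.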
PR title indicates this is only an npm package update, but QUICKSTART removes the login/JWT guidance (and troubleshooting/tips). That’s a user-facing documentation behavior change unrelated to dependency bumps; please either (a) mention this explicitly in the PR description so reviewers understand the intent, or (b) split the doc/auth guidance change into a separate PR.
@copilot open a new pull request to apply changes based on this feedback
No description provided.