feat(eslint-config): use @eslintplugin/* packages

[gameroman]

Switching to more modern, smaller, alternative eslint plugins.
Also see https://github.com/eslint-plugin/eslint-plugins/blob/main/README.md

[netlify]

👷 Deploy request for cedarjs pending review.

Visit the deploys page to approve it

Name	Link
🔨 Latest commit	9ac0182

[nx-cloud]

🤖 Nx Cloud AI Fix

Ensure the fix-ci command is configured to always run in your CI pipeline to get automatic fixes in future runs. For more information, please see https://nx.dev/ci/features/self-healing-ci

---

View your CI Pipeline Execution ↗ for commit 9ac0182

Command	Status	Duration	Result
nx run-many -t build:pack --exclude create-ceda...	✅ Succeeded	1m 12s	View ↗
nx run-many -t build	✅ Succeeded	4m 6s	View ↗
nx run-many -t test --minWorkers=1 --maxWorkers=4	✅ Succeeded	4m 18s	View ↗
nx run-many -t test:types	✅ Succeeded	10s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-04-28 08:10:12 UTC

[greptile-apps]

Greptile Summary

This PR replaces eslint-plugin-react@7.37.5 and eslint-plugin-jsx-a11y@6.10.2 with aliased packages from the @eslintplugin npm scope (@eslintplugin/eslint-plugin-react@0.0.1 and @eslintplugin/eslint-plugin-jsx-a11y@0.0.3) using the npm: alias syntax, across both the root package.json and packages/eslint-config/package.json. The project overview doc (2026-03-26-cedarjs-project-overview.md) remains factually accurate — the eslint-config package description ("Flat config. TS+React+a11y+react-compiler+prettier") is unchanged by this swap.

Confidence Score: 3/5

Not safe to merge until the provenance and functional equivalence of the @eslintplugin/* packages are confirmed.

The prior review thread raised a substantive supply chain concern about the unverified @eslintplugin npm scope and pre-alpha (0.0.x) versions replacing widely-audited, high-download packages. That concern remains unaddressed in the PR, which keeps the confidence below the P1 ceiling of 4/5. The transitive dependency graph also changes significantly (axe-core, ast-types-flow, several string/array polyfills, and resolve@2.x are all dropped), making functional equivalence harder to confirm without testing.

packages/eslint-config/package.json and package.json — both pull in the unverified @eslintplugin/* packages.

Important Files Changed

Filename	Overview
packages/eslint-config/package.json	Replaces eslint-plugin-react@7.37.5 and eslint-plugin-jsx-a11y@6.10.2 with pre-alpha @eslintplugin/* alternatives via npm package aliasing; supply chain concern already flagged in prior thread.
package.json	Root devDependency for eslint-plugin-react also switched to npm:@eslintplugin/eslint-plugin-react@0.0.1 alias, consistent with the workspace package change.
yarn.lock	Lock file updated to resolve the aliased @eslintplugin/* packages; drops several transitive dependencies (axe-core, ast-types-flow, es-iterator-helpers, string.prototype., array.prototype., resolve@2.x) and adds @eslintplugin/jsx-ast-utils@0.0.0, @eslintplugin/resolve@0.0.0, emoji-regex-xs.

_{Reviews (2): Last reviewed commit: "update `@eslintplugin/eslint-plugin-jsx-..." | Re-trigger Greptile}