Merge branch 'chore/ui-vite-eslint9-cve-fixes' into 'master'

chore(ui): migrate to Vite, ESLint 9, and fix npm CVEs

Closes #320, #315, #288, #287, #236, #235, and #229

See merge request postgres-ai/database-lab!1122

Author: NikolayS

ui/.gitlab-ci.yml

@@ -11,7 +11,7 @@ include:
 
 .ui_cache: &ui_cache
   image:
-    name: node:21.1.0-alpine
+    name: node:22-alpine
     pull_policy: if-not-present
   cache: &cache
     key: "$CI_COMMIT_REF_SLUG"
@@ -26,7 +26,7 @@ check-code-style:
   stage: test
   before_script:
     - corepack enable
-    - corepack prepare pnpm@8.9.2 --activate
+    - corepack prepare pnpm@8.15.9 --activate
     - export PNPM_HOME=/usr/local/bin
     - pnpm config set store-dir /builds/postgres-ai/database-lab/.pnpm-store/
 
@@ -63,7 +63,7 @@ semgrep-sast:
 e2e-ce-ui-test:
   <<: *ui_checks
   image:
-    name: node:21.1.0
+    name: node:22
     pull_policy: if-not-present
   stage: integration-test
   variables:
@@ -72,10 +72,7 @@ e2e-ce-ui-test:
     - apt update
     - apt install -y curl libgtk2.0-0 libgtk-3-0 libgbm-dev libnotify-dev libgconf-2-4 libnss3 libxss1 libasound2 libxtst6 xauth xvfb
     - npm install -g wait-on
-    - npm install -g pnpm
-    - pnpm config set verify-store-integrity false
-    # TODO: Set up caching.
-    #- pnpm config set store-dir /builds/postgres-ai/database-lab/.pnpm-store/
+    - npm install -g pnpm@8.15.9
   script:
     - pnpm --dir ui/ --filter @postgres.ai/ce install
     - pnpm --dir ui/ --filter @postgres.ai/ce build

ui/README.md

@@ -22,26 +22,29 @@ For example, cloning a 10 TiB PostgreSQL database can take less than 2 seconds.
 
 At the repository root, you can run commands for all packages or individual packages:
 
-- `<npm command> -ws` – run the specified command on all packages.
-- `<npm command> -w <package-name>` – run the specified command on a single package.
+- `pnpm --filter <package-name> <command>` – run the specified command on a single package.
 
 #### Examples
-- `npm ci -ws` – install all dependencies.
-- `npm run build -ws` – build all packages.
-- `npm run start -w @postgres.ai/ce` – run the Community Edition UI locally in development mode.
+- `pnpm install` – install all dependencies.
+- `pnpm --filter @postgres.ai/ce build` – build the Community Edition UI.
+- `pnpm --filter @postgres.ai/ce start` – run the Community Edition UI locally in development mode.
 
 _Important note: do not run or build the `@postgres.ai/shared` package directly; it is a dependency._
 
 ### How to start the Community Edition UI
 - `cd ui`
-- `npm ci -ws` – install dependencies for all packages (run once).
-- `npm run start -w @postgres.ai/ce` – start the development server.
+- `pnpm install` – install dependencies for all packages (run once).
+- `pnpm --filter @postgres.ai/ce start` – start the development server.
+
+The dev server proxies `/api` and `/ws` to `http://localhost:446` by default.
+Set the `VITE_DEV_PROXY_TARGET` environment variable to override the proxy target, for example:
+`VITE_DEV_PROXY_TARGET=https://demo.dblab.dev:446 pnpm --filter @postgres.ai/ce start`
 
 ### How to build the Community Edition UI
 
 - `cd ui`
-- `npm ci -ws` – install dependencies for all packages (run once).
-- `npm run build -w @postgres.ai/ce` – build the Community Edition UI.
+- `pnpm install` – install dependencies for all packages (run once).
+- `pnpm --filter @postgres.ai/ce build` – build the Community Edition UI.
 
 ### CI pipelines for UI code
 
@@ -58,7 +61,7 @@ Vulnerabilities, CVEs, and security issues can be reported on GitLab or GitHub t
 #### Package Issues
 Ways to resolve (in descending order of preference):
 1. Update the package – search npm for a newer version, as the vulnerability may already be fixed.
-2. If the vulnerability is in a sub-package, use [npm-force-resolutions](https://www.npmjs.com/package/npm-force-resolutions) to override it. Use this technique with caution—it may break the project during build or at runtime. Perform a full end-to-end test afterward.
+2. If the vulnerability is in a sub-package, use [`pnpm.overrides`](https://pnpm.io/package_json#pnpmoverrides) in the root `package.json` to pin the transitive dependency to a patched version. Use this technique with caution—it may break the project during build or at runtime. Perform a full end-to-end test afterward.
 3. Fork the package and include it locally in this repository.
 4. If the issue is a false positive vulnerability, ignore it using your SAST tool's ignore directives. **This should be the last resort; apply other solutions first.**