Commit 7644074
Fix security vulnerabilities, resolve deprecation warnings, and upgrade to ESLint v10 (#35)
* Fix npm security vulnerabilities and deprecation warnings
Resolved all security vulnerabilities and updated deprecated packages
to eliminate warnings during npm install.
Security vulnerabilities fixed (npm audit):
- ajv: ReDoS vulnerability with $data option (moderate)
- brace-expansion: Regular Expression Denial of Service (low)
- cross-spawn: Regular Expression Denial of Service (high)
- semver: Regular Expression Denial of Service (high)
Deprecation warnings resolved:
- Removed @types/glob stub package (glob provides its own types)
- Updated glob from ^8.0.1 to ^11.0.0 (resolved security warnings)
- Updated rimraf from ^3.0.2 to ^6.0.0 (no longer deprecated)
- Updated @typescript-eslint/eslint-plugin from ^5.4.0 to ^8.0.0
- Updated @typescript-eslint/parser from ^5.4.0 to ^8.0.0
Result:
- 0 security vulnerabilities (down from 4)
- All tests passing
- All linting checks passing
- Compatible with existing CI/CD workflows
* Update all devDependencies to latest versions
Updated all development dependencies to their latest compatible versions:
Major updates:
- @types/node: ^17.0.31 → ^25.5.0 (latest Node types)
- @types/vscode: ^1.67.0 → ^1.110.0 (latest VS Code API types)
- eslint-config-prettier: ^8.3.0 → ^10.1.8
- eslint-plugin-import: ^2.25.3 → ^2.32.0
- glob: ^11.0.0 → ^13.0.6 (latest glob)
- prettier: ^2.6.2 → ^3.8.1 (Prettier 3)
- webpack-cli: ^4.9.2 → ^7.0.2
Minor/Patch updates:
- @types/js-yaml: ^4.0.5 → ^4.0.9
- @typescript-eslint/eslint-plugin: ^8.0.0 → ^8.57.2
- @typescript-eslint/parser: ^8.0.0 → ^8.57.2
- jest: ^30.2.0 → ^30.3.0
- rimraf: ^6.0.0 → ^6.1.3
- ts-loader: ^9.3.0 → ^9.5.4
- webpack: ^5.105.0 → ^5.105.4
Notes:
- TypeScript kept at ^5.9.3 (latest 5.x) as TypeScript 6.x is not yet
supported by @typescript-eslint packages
- ESLint kept at ^8.57.1 as v9+ requires config file migration
- All tests passing
- All linting passing
- Production build working
* Migrate ESLint from v8 to v9 with flat config
Upgraded ESLint to v9.39.4 and migrated configuration from the legacy
.eslintrc.json format to the new flat config format (eslint.config.mjs).
Changes:
- Updated eslint from ^8.57.1 to ^9.17.0
- Created eslint.config.mjs with flat config format
- Removed .eslintrc.json (legacy format)
- Removed .eslintignore (now using ignores in config)
- Migrated all existing rules and settings to flat config
- Used .mjs extension to avoid module type warnings
Config migration details:
- Converted extends/plugins to ES module imports
- Moved ignorePatterns to top-level ignores property
- Converted env/globals to languageOptions.globals
- Maintained all existing rules and settings
- Added prettier config as final config object
Result:
- All linting passing
- All tests passing
- Production build working
- No ESLint warnings
* Upgrade ESLint to v10
Updated ESLint from v9.39.4 to v10.1.0 (latest).
ESLint 10 is fully compatible with the existing flat config format
and all plugins continue to work as expected.
Note: eslint-plugin-import shows a peer dependency warning as it
doesn't officially declare support for ESLint 10 yet, but it works
correctly without issues.
Result:
- ESLint v10.1.0 installed
- All linting passing
- All tests passing
- Production build working
- 0 vulnerabilities
* Replace eslint-plugin-import with eslint-plugin-import-x
Switched from eslint-plugin-import to eslint-plugin-import-x to resolve
ESLint 10 peer dependency warning.
eslint-plugin-import-x is a maintained fork of eslint-plugin-import with
full ESLint 10 support and is a drop-in replacement.
Changes:
- Replaced eslint-plugin-import@2.32.0 with eslint-plugin-import-x@4.16.2
- Updated import in eslint.config.mjs
- All existing rules continue to work identically
Result:
- No peer dependency warnings
- All linting passing
- All tests passing
- Production build working
- 0 vulnerabilities
* Replace npm-run-all with npm-run-all2 to fix url.parse() deprecation
Replaced npm-run-all@4.1.5 (last updated 2018) with npm-run-all2@8.0.4,
a maintained fork that resolves the DEP0169 deprecation warning.
The deprecation warning was caused by old dependencies in npm-run-all:
- hosted-git-info@2.8.9 (using url.parse())
- normalize-package-data@2.5.0 (using url.parse())
npm-run-all2 is fully API compatible and uses updated dependencies that
use the WHATWG URL API instead of the deprecated url.parse().
Changes:
- Replaced npm-run-all@4.1.5 with npm-run-all2@8.0.4
- Removed 119 outdated transitive dependencies
- All scripts (run-s, run-p) work identically
Result:
- No DEP0169 deprecation warning
- All scripts working
- All tests passing
- Production build working
- 0 vulnerabilities
- 111 fewer packages in node_modules
* Update all transitive dependencies to latest allowed versions
Ran npm update to update all transitive dependencies to the most recent
versions allowed by their semver ranges.
This update:
- Changed 388 packages
- Added 68 packages
- Removed 73 packages
Most updates were patches and minor version bumps within allowed ranges,
bringing in bug fixes and performance improvements from dependencies like:
- webpack ecosystem packages
- jest ecosystem packages
- babel ecosystem packages
- various TypeScript type definitions
Remaining deprecation warnings for old glob@7/10 and inflight@1.0.6 are
from deep transitive dependencies in the jest/babel ecosystem
(test-exclude -> glob@7.2.3 -> inflight@1.0.6). These cannot be resolved
without updates from upstream packages.
Result:
- All tests passing
- All linting passing
- Production build working
- 0 vulnerabilities
* Add yarn.lock to .gitignore to prevent accidental yarn usage
This project uses npm as the package manager (package-lock.json).
Added yarn.lock to .gitignore to prevent it from being accidentally
created and committed if someone runs 'yarn install' by mistake.
Note: If yarn install is run, it will show warnings about package-lock.json
and the 'vscode' engine. These warnings are unavoidable in an npm-based
project and should be ignored. Use 'npm install' instead.
* Use overrides/resolutions to force glob@13 throughout dependency tree
Added npm overrides and yarn resolutions to force all instances of glob
to use version 13.0.6, eliminating deprecation warnings from jest's
transitive dependencies.
This resolves warnings about:
- glob@10.5.0 (used by jest internals)
- glob@7.2.3 (used by test-exclude)
- inflight@1.0.6 (dependency of old glob versions)
The overrides field works for npm, while resolutions field works for yarn.
Both package managers now install glob@13.0.6 consistently throughout the
dependency tree, and inflight is completely eliminated since glob@13 no
longer depends on it.
Changes:
- Added "overrides" field to package.json (for npm)
- Added "resolutions" field to package.json (for yarn)
- Removed 40 outdated packages from dependency tree
Result:
- No glob deprecation warnings in npm or yarn
- No inflight deprecation warnings
- All tests passing
- All builds working
- 0 vulnerabilities
* Revert yarn.lock addition to .gitignore
Removing yarn.lock from .gitignore as it should be tracked when present.
* Revert "Use overrides/resolutions to force glob@13 throughout dependency tree"
This reverts commit 26b46ec.
* Regenerate package-lock.json after rebase on main and ignore .specstory in prettier
* Add comment to .prettierignore explaining .specstory exclusion

1 parent 50262fd, commit 7644074
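The commit message above reports the four `npm audit` findings (two high, one moderate, one low) and a final "0 vulnerabilities" result that was checked by hand. The block below is an added example, not code from the commit or the project, showing how a CI job can enforce that result on every build: it parses the JSON that `npm audit --json` prints, blocks on findings at or above a chosen severity, keeps an explicit allow list for accepted risk, and cross-checks the summary counts against the per-package entries so a truncated or edited report cannot pass as clean. The sample report is constructed to mirror the four findings listed in the message; advisory IDs, URLs and vulnerable version ranges are omitted rather than invented, and `gateAudit`, `summarize`, and the option names are this example's own.

```javascript
// Added example (not code from the commit or the project): a CI gate over the
// JSON that `npm audit --json` prints, so the "0 vulnerabilities" result in the
// commit message is enforced on every build instead of checked by hand.
// The report below is CONSTRUCTED to mirror the four findings the commit lists;
// advisory IDs, URLs and vulnerable ranges are omitted rather than invented.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the `auditReportVersion: 2` shape npm 7+ emits:
// one entry per vulnerable package, plus summary counts in metadata.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    ajv: {
      name: "ajv", severity: "moderate", isDirect: false, fixAvailable: true,
      via: [{ title: "ReDoS vulnerability with $data option", severity: "moderate" }],
      effects: [], nodes: ["node_modules/ajv"],
    },
    "brace-expansion": {
      name: "brace-expansion", severity: "low", isDirect: false, fixAvailable: true,
      via: [{ title: "Regular Expression Denial of Service", severity: "low" }],
      effects: [], nodes: ["node_modules/brace-expansion"],
    },
    "cross-spawn": {
      name: "cross-spawn", severity: "high", isDirect: false, fixAvailable: true,
      via: [{ title: "Regular Expression Denial of Service", severity: "high" }],
      effects: [], nodes: ["node_modules/cross-spawn"],
    },
    semver: {
      name: "semver", severity: "high", isDirect: false, fixAvailable: true,
      via: [{ title: "Regular Expression Denial of Service", severity: "high" }],
      effects: [], nodes: ["node_modules/semver"],
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 1, high: 2, critical: 0, total: 4 },
  },
};

// What `npm audit --json` reports once everything is fixed (constructed).
const CLEAN_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {},
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 0, total: 0 } },
};

// Decide whether a report should fail the build.
//   failOn: lowest severity that blocks ("high" blocks high and critical).
//   allow:  package names whose findings are accepted risk; they are reported
//           under `allowed` instead of `blocking` but never silently dropped.
function gateAudit(report, { failOn = "high", allow = [] } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity level: ${failOn}`);

  const entries = Object.entries(report.vulnerabilities ?? {});
  const blocking = [];
  const allowed = [];
  for (const [key, v] of entries) {
    // An unrecognised severity string is treated as critical, not ignored.
    const rank = SEVERITY_RANK[v.severity] ?? SEVERITY_RANK.critical;
    if (rank < threshold) continue;
    const name = v.name ?? key;
    const finding = {
      name,
      severity: v.severity,
      fixAvailable: Boolean(v.fixAvailable),
      // `via` mixes advisory objects and plain package names (transitive causes).
      titles: (v.via ?? []).filter((x) => typeof x === "object").map((x) => x.title),
    };
    (allow.includes(name) ? allowed : blocking).push(finding);
  }

  // Cross-check the summary against the per-package entries. A report whose
  // metadata says 0 while entries exist (or the reverse) has been truncated or
  // edited, and must not pass as clean.
  const declared = report.metadata?.vulnerabilities?.total;
  const consistent = declared === undefined || declared === entries.length;

  return { ok: consistent && blocking.length === 0, consistent, blocking, allowed };
}

// One-line-per-finding summary for CI logs.
function summarize(result) {
  const lines = [];
  for (const f of result.blocking) lines.push(`BLOCK ${f.severity} ${f.name}: ${f.titles.join("; ")}`);
  for (const f of result.allowed) lines.push(`ALLOW ${f.severity} ${f.name}: ${f.titles.join("; ")}`);
  if (!result.consistent) lines.push("ERROR metadata total disagrees with vulnerability entries");
  lines.push(result.ok ? "audit gate: pass" : "audit gate: FAIL");
  return lines.join("\n");
}

console.log(summarize(gateAudit(SAMPLE_AUDIT, { failOn: "high" })));
```

In a pipeline, run `npm audit --json > audit.json`, parse the file, and exit non-zero when `gateAudit(...).ok` is false. The allow list is the only sanctioned way to pass with an open finding, which keeps accepted risk visible in the config rather than in someone's memory.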
File tree
6 files changed, +4310 -14272 lines changed (2 files deleted)
(Diff of first file: original lines 2-4 unchanged, lines 5-7 added; the diff text itself is not present on the page.)
(Diff of second file: lines 1-82 added; the diff text itself is not present on the page.)
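The "overrides/resolutions" step in the commit message above pins glob to 13.0.6 so that the nested glob@7.2.3 and glob@10.5.0 copies under jest, and with them inflight@1.0.6, disappear from the tree. An override that is declared but not actually honored looks identical in package.json, so the check a practitioner wants is against the lockfile. The block below is an added example, not code from the commit or the project: it walks the `packages` map of a lockfileVersion 3 `package-lock.json`, reports every installed copy of an overridden package whose version differs from the pin, and flags any package that was supposed to be eliminated. The two lockfiles are constructed fragments that mirror the tree the message describes (only the glob and inflight versions are taken from the message; the paths under jest are illustrative), and `checkOverrides`, `installedCopies`, and `packageName` are this example's own names.

```javascript
// Added example (not code from the commit or the project): verify that an npm
// "overrides" pin was really applied everywhere in package-lock.json, and that a
// package the override was meant to remove (inflight) no longer appears.
// Both lockfiles below are CONSTRUCTED lockfileVersion 3 fragments that mirror
// the tree the commit message describes; only the glob and inflight versions
// come from the message, the nesting paths are illustrative.

// The override the commit added (and later reverted): an exact pin.
const OVERRIDES = { glob: "13.0.6" };

// Before the override: nested copies of glob@7 and glob@10 under jest's
// dependencies keep the deprecated inflight package in the tree.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { glob: "^13.0.6", jest: "^30.3.0" } },
    "node_modules/glob": { version: "13.0.6" },
    "node_modules/inflight": { version: "1.0.6" },
    "node_modules/test-exclude/node_modules/glob": { version: "7.2.3" },
    "node_modules/@jest/reporters/node_modules/glob": { version: "10.5.0" },
  },
};

// After the override: a single hoisted glob@13.0.6 and no inflight.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { glob: "^13.0.6", jest: "^30.3.0" } },
    "node_modules/glob": { version: "13.0.6" },
  },
};

// Package name of a lockfile path: everything after the last "node_modules/".
// Works for scoped packages ("node_modules/@types/node" -> "@types/node") and
// for nested copies ("node_modules/@jest/reporters/node_modules/glob" -> "glob").
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Every installed copy of `name`, with its lockfile path and version.
function installedCopies(lock, name) {
  const copies = [];
  for (const [p, entry] of Object.entries(lock.packages ?? {})) {
    if (p !== "" && packageName(p) === name) copies.push({ path: p, version: entry.version });
  }
  return copies;
}

// overrides: { name: exactVersion }. Only exact pins are compared here; an
// override written as a range would need a semver matcher (assumption).
// banned: names that must not appear anywhere in the tree.
function checkOverrides(lock, overrides, banned = []) {
  const violations = [];
  const unused = [];
  for (const [name, pinned] of Object.entries(overrides)) {
    const copies = installedCopies(lock, name);
    if (copies.length === 0) unused.push(name); // stale override, worth a warning
    for (const c of copies) {
      if (c.version !== pinned) {
        violations.push({ name, path: c.path, version: c.version, expected: pinned });
      }
    }
  }
  const bannedFound = banned.flatMap((name) => installedCopies(lock, name).map((c) => c.path));
  return {
    ok: violations.length === 0 && bannedFound.length === 0,
    violations,
    bannedFound,
    unused,
  };
}

console.log(JSON.stringify(checkOverrides(LOCK_BEFORE, OVERRIDES, ["inflight"]), null, 2));
console.log(JSON.stringify(checkOverrides(LOCK_AFTER, OVERRIDES, ["inflight"]), null, 2));
```

Run it against the real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` and the `overrides` object from package.json; a non-empty `violations` list means npm kept a nested copy despite the pin, and a non-empty `bannedFound` list means the deprecated package is still being installed.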