
February 22: The ESLint Rabbit Hole

A marathon session: 12 pull requests merged (1 feature, 2 refactors, 8 maintenance, 1 dependency update).

Developer Journal

The ESLint upgrade turned into a rabbit hole. Someone changed a 9 to a 10 in a version number and suddenly there's a cascade of new linter rules, breaking changes, and refactoring — which means regression testing. Hard to explain to leadership why you need half a day just to get back to where you already were. But deprecation warnings are intolerable, and this is the kind of maintenance work that compounds if you ignore it.

[Screenshot: GitHub PR list showing 2 open Dependabot PRs for ESLint and react-hooks upgrades]

[Screenshot: Terminal showing ESLint 10 migration research report with plugin compatibility table and recommended path]

Had to stop Claude from plowing ahead and redirect it to fix the linter issues first. Explored @eslint-react/eslint-plugin as a plan B. Shared screenshots of the linter output — not magic, but progress. A friend's reaction: "Fixing issues, making new issues?" Pretty much.

[Screenshot: Terminal showing ESLint 10 migration status update posted to issue #347 with upstream blocker details]

[Screenshot: Terminal showing 96 new @eslint-react warnings breakdown and eslint config update to disable noisy rule]

[Screenshot: Terminal showing clean lint results, 0 errors, 26 warnings after eliminating noisy rules, all 51 tests pass]

[Screenshot: Terminal showing final ESLint 9 to 10 upgrade state, 0 errors, 0 warnings, 51 tests pass]

The stance: this is my project and I set the process. Using a tool means following its standards, not cherry-picking the convenient parts.

Highlights

#429 hash refresh tokens with SHA-256 before storage

SHA-256 hash refresh tokens before storing in MongoDB to prevent token replay if the database is compromised. Raw tokens are only held in memory and returned to the client — the DB never sees them. Also cleans up stale issue references in the development roadmap.

  - Refresh tokens were stored as plaintext Base64 in MongoDB
  - If the database is compromised, an attacker could replay tokens to maintain persistent access
  - OWASP recommends SHA-256 (not BCrypt) for ...

What Changed

Features (1)

  • #429 hash refresh tokens with SHA-256 before storage

Refactoring (2)

  • #426 replace eslint-plugin-react with @eslint-react
  • #430 reduce redundant MAST model types (25 → 21)

Maintenance (8)

  • #412 bump httpx from 0.27.0 to 0.28.1
  • #413 bump pytest from 7.4.3 to 9.0.2
  • #414 bump eslint-plugin-react-hooks from 5.2.0 to 7.0.1
  • #415 bump uvicorn from 0.24.0 to 0.41.0
  • #416 bump fastapi from 0.128.4 to 0.129.0
  • #421 bump BCrypt.Net-Next from 4.0.3 to 4.1.0
  • #428 upgrade ESLint from 9 to 10
  • #431 remove dead DTO types from backend and frontend

Dependencies (1 update: upgrade pytest-asyncio)

Issues

Opened:

  • #433 — Add CI coverage thresholds — starting with Python

Closed:

  • #3 — Processing job queue system
  • #252 — Add API Documentation (OpenAPI/Swagger)
  • #257 — Set up MCP Servers
  • #262 — Refresh Tokens Stored in Plaintext
  • #273 — Require PR Approving Reviews on Branch Protection
  • #274 — Add Test Coverage — Frontend & Processing Engine
  • #281 — No Network Isolation Between Services
  • #282 — Missing CSRF Protection
  • #347 — chore: migrate eslint 9 → 10

13 commits across 12 pull requests. Next: February 23, 2026 — add Python CI coverage threshold at 50%, add Python tests for statistics, utils, and filter..., add enhancement and detection tests, bump coverage...