SK-2868 dependency upgrades (#702)

[skyflow-bharti]

• SK-2868 dependency upgrades## WHY

Dependencies in skyflow-js had accumulated significant version debt — several runtime
packages were multiple major versions behind (framebus v4→v6, inject-stylesheet v2→v7,
jwt-decode v3→v4 EOL, mime v3→v4), two production dependencies (jquery,
jquery-mask-plugin) had zero import references anywhere in the source tree, and the
test infrastructure was frozen at Jest 27 / jsdom 16. Running npm audit against the old
lockfile flagged multiple vulnerabilities including two CRITICAL findings in
handlebars (JS Injection + Prototype Pollution, pulled in transitively by Jest 27) and
HIGH ReDoS findings in cross-spawn and semver (pulled in by ESLint 7).

GOAL

Bring all dependencies to their current supported versions within the 14-day cooling
period policy, eliminate the two unused production packages (jquery, jquery-mask-plugin)
along with their types, migrate all source call sites to the breaking APIs introduced by
framebus v6, inject-stylesheet v7, and jwt-decode v4, fix all test suite failures
caused by Jest 27→30 / jsdom 16→26 breaking changes, and restore the framebus singleton
pattern that was inadvertently lost in the class-based v6 API.

---

Changes

Production runtime (dependencies)

Package	Before	After	Published	Days old	Note
framebus	4.0.5	6.0.5	2026-01-23	151	v4→v6 breaking: singleton → class; see source changes
inject-stylesheet	2.0.0	7.0.2	2026-06-06	17	New injectWithAllowlist API
mime	3.0.0	4.1.0	2025-09-23	273
core-js	3.44.0	3.49.0	2026-03-23	92
lodash	4.17.21	4.18.1	2026-03-23	92
jwt-decode	3.1.2	^4.0.0	2023-06-01	1,118	v3 EOL; named export replaces default
jquery	3.7.1	—	—	—	Removed — zero production imports
jquery-mask-plugin	1.14.16	—	—	—	Removed — zero production imports

Dev tooling — upgraded

Package	Before	After	Published	Days old
typescript	4.9.5	6.0.3	2026-04-23	61
jest + jest-environment-jsdom	27.5.1 / —	30.4.2 / ^30.4.1	2026-05-23	31
@types/jest	27.5.2	30.0.0	2025-06-23	365
@typescript-eslint/eslint-plugin	4.33.0	7.18.0	2024-07-29	694
@typescript-eslint/parser	4.33.0	7.18.0	2024-07-29	694
eslint	7.32.0	8.57.1	2024-09-07	654
eslint-config-airbnb-base	14.2.1	15.0.0	2021-06-23	1,826
eslint-config-airbnb-typescript	14.0.2	18.0.0	2024-06-23	365
@babel/* (6 packages)	7.27.x–7.28.x	7.29.7	2026-06-12	11
babel-loader	9.2.1	10.1.1	2026-04-23	61
compression-webpack-plugin	8.0.1	12.0.0	2026-04-23	61
fork-ts-checker-webpack-plugin	6.5.3	9.1.0	2025-06-23	365
html-webpack-plugin	5.6.3	5.6.7	2026-02-17	126
node-polyfill-webpack-plugin	2.0.1	4.1.0	2024-06-23	365
webpack	5.100.2	5.107.2	2026-06-01	22
webpack-bundle-analyzer	4.10.2	5.3.0	2026-03-23	92
webpack-cli	4.10.0	7.0.3	2026-06-18	5
webpack-dev-server	4.15.2	5.2.4	2026-05-23	31
webpack-manifest-plugin	4.1.1	6.0.1	2025-11-23	212
webpack-merge	5.10.0	6.0.1	2022-07-01	1,452
@types/mime	3.0.4	4.0.0	2024-06-23	365
@types/node	14.18.63	25.9.1	2026-05-24	30
@types/jquery-mask-plugin	1.14.6	—	—	Removed

ESLint 8, not 9/10: eslint-config-airbnb-base and eslint-config-airbnb-typescript
cap their peer dependency at ESLint 8 — no published version of either supports ESLint 9+.
ESLint 9+ also drops .eslintrc.json in favour of flat config, which requires a
dedicated migration. ESLint 8.57.1 is the correct landing point; it resolves the
cross-spawn and semver CVEs present in ESLint 7 without forcing a config rewrite.
Tracked separately.

@typescript-eslint v7, not v8: v8 requires ESLint ≥9. v7.18.0 is the latest
version compatible with ESLint 8 and will advance alongside the ESLint 9 migration.

Source changes

framebus v4 → v6 — singleton consolidation (src/libs/bus.ts + 16 files)

v4 exported a singleton instance; v6 exports the Framebus class. All 16 consuming files
were updated to new Framebus(), which created 17 independent window.message listeners
and silently broke Bus.teardown(). Fixed by exporting a single shared instance
(framebusInstance) from src/libs/bus.ts and replacing every
import Framebus / new Framebus() pair across the codebase with
import { framebusInstance as bus }, restoring the v4 singleton behaviour.

Also fixed a pre-existing bug in Bus.teardown() where listener.handler was referenced
instead of the stored key listener.callback, meaning teardown never removed any listeners.

jwt-decode v3 → v4 (src/utils/jwt-utils/index.ts)

Replaced the default import with the named jwtDecode export introduced in v4.

inject-stylesheet v2 → v7 (src/core/internal/frame-element-init.ts, composable-frame-element-init.ts)

Updated call sites to the new injectWithAllowlist API.

Test infrastructure

Custom jsdom environment (tests/custom-environment.js) (new)

jsdom 20+ makes window.location non-configurable; Object.defineProperty on it throws.
Added a custom JSDOMEnvironment subclass that intercepts location redefinitions and
redirects them to history.pushState.

Framebus mock (tests/__mocks__/framebus.js) (rewritten + relocated)

Rewrote the manual mock for the v6 class API: exports a constructable Framebus function
with static emit/on/off/target mock methods. A Proxy forwards every instance
property lookup back to the class so that jest.spyOn(bus, 'emit') installed on the class
is automatically visible to all source-code instances. Moved from repo-root __mocks__/
into tests/__mocks__/ alongside all other test helpers; updated jest.config.json
moduleNameMapper accordingly.

Jest 30 — removed matchers (across all test files)

Replaced all matchers removed in Jest 29/30: toBeCalled → toHaveBeenCalled,
toBeCalledWith → toHaveBeenCalledWith, toBeCalledTimes → toHaveBeenCalledTimes,
toThrowError → toThrow.

jsdom 26 — non-configurable window (tests/core/internal/*, tests/index-internal.test.js)

jest.spyOn(global, 'window', 'get') throws in jsdom 20+ because window is
non-configurable. Replaced all such patterns with direct property assignment —
window.name = '...', window.history.pushState({}, '', '/?ENCODED'),
window.parent.postMessage = jest.fn() — with save/restore in beforeEach/afterEach.

iframe-form.test.js

Changed targetSpy.mockReturnValue(...) to mockImplementation(opts => { bus.origin = opts?.origin; ... })
so bus.origin is set as a side effect of bus.target({origin}), matching the v4
behaviour that IFrameFormElement relies on for its focus-event origin guard.

threeds.test.js

Replaced the hardcoded jsdom 16 user-agent string with navigator.userAgent to stay
version-agnostic.

---

[github-actions]

✅ Gitleaks Findings: No secrets detected. Safe to proceed!

[github-actions]

✅ Gitleaks Findings: No secrets detected. Safe to proceed!

[github-actions]

Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging.

[github-actions]

Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging.

[github-actions]

✅ Gitleaks Findings: No secrets detected. Safe to proceed!

[github-actions]

✅ Gitleaks Findings: No secrets detected. Safe to proceed!

[github-actions]

Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging.

[github-actions]

Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging.