
Modernize runtime tooling and upgrade dependencies #131

Merged
rendall merged 16 commits into master from phase01-modernization
Mar 2, 2026
@rendall rendall commented Mar 2, 2026

Phase 01 modernizes the runtime/tooling baseline and upgrades dependencies in isolated slices, while explicitly avoiding product behavior changes.

Scope (Phase 01)

  • Align Node + CI baseline.
  • Upgrade dependency/tooling units iteratively.
  • Resolve ts-jest deprecation path.
  • Document decisions, audit deltas, and deferred items.

What Changed

  • Set Node baseline to 22.22.0 in .nvmrc.
  • Updated CI to Node 22 in netlify-api-test.yml.
  • Upgraded GitHub Actions usage to current majors:
      • actions/checkout@v4
      • actions/setup-node@v4
      • github/codeql-action/*@v3
  • Resolved ts-jest deprecation by moving isolatedModules into tsconfig.frontend.json and making Jest-compatible TS config adjustments.
  • Dependency loop upgrades (isolated commits):
      • netlify-cli -> ^24.0.1
      • @babel/core / presets upgrades
      • @sendgrid/mail -> ^8.1.6 (modern axios transitively)
      • webpack-dev-server -> ^5.2.3
      • jsonwebtoken patch uplift
      • mongodb lockfile uplift to 5.9.2 within existing range
  • Updated phase docs/checklist to reflect:
      • QC decisions
      • Integration/sanity pass outcome
      • Execution notes
      • Residual risk/defer rationale
      • Completed checklist status

Key Decision Notes

  • Latest Node LTS was attempted first (v24.14.0) but failed locally with Exec format error.
  • Applied approved fallback policy and selected Node 22.x.
  • Attempted mongodb major upgrade to 6.x caused backend behavioral regressions (multiple PUT paths returning 500 in backend tests), so it was deferred to preserve Phase 01’s no-runtime-behavior-change boundary.

Validation

  • yarn lint -> pass
  • yarn test:backend (with generated test .env) -> pass
  • yarn test:frontend -> known pre-existing locale/ICU assertion failures remain; no new failure class introduced by Phase 01 changes

Audit Delta (yarn audit --json)

  • Baseline: low=53, moderate=90, high=107, critical=42
  • Current: low=46, moderate=81, high=94, critical=42

Deferred / Follow-up

  • Remaining high/critical advisories are predominantly in dev/test/optional tooling paths and larger dependency-family migrations.

  • Runtime-impacting major migration (mongodb 6.x) deferred due to observed behavior regressions.

  • Proposed next step: Phase 1.5 to target deferred tooling/security families in controlled slices.

  • Establish governance

  • docs: refine phase-01 checklist and loop decisions

  • chore: align node baseline and ci actions

  • chore(test): move isolatedModules to tsconfig

  • fix(test): set verbatimModuleSyntax false for jest

  • chore(deps): upgrade netlify-cli to 24

  • chore(deps): upgrade babel core and presets

  • chore(deps): upgrade sendgrid mail to v8

  • chore(deps): upgrade webpack dev server to v5

  • chore(deps): bump jsonwebtoken patch release

  • chore(deps): refresh mongodb lockfile to 5.9.2

  • docs: finalize phase-01 checklist and implementation notes

  • docs: clarify phase-01 validation baseline

@rendall rendall merged commit 838fa21 into master Mar 2, 2026
5 checks passed
@rendall rendall deleted the phase01-modernization branch March 2, 2026 14:09
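
The audit delta quoted in the PR description can be computed mechanically and used as a regression gate. This is an added example, not code from this repository: it assumes Yarn 1.x, whose `yarn audit --json` prints newline-delimited JSON ending in an `auditSummary` record. The sample lines are constructed; they carry the counts from the description, and `info: 0` and `example-pkg` are placeholders.

```javascript
// Added example. Assumes Yarn 1.x NDJSON output from `yarn audit --json`.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Return the severity counts from the `auditSummary` record of one audit run.
function parseAuditSummary(ndjson) {
  for (const line of ndjson.split(/\r?\n/)) {
    const text = line.trim();
    if (!text.startsWith("{")) continue; // blank lines, warnings, progress noise
    let record;
    try {
      record = JSON.parse(text);
    } catch {
      continue; // truncated or interleaved line
    }
    const vulns = record.type === "auditSummary" && record.data && record.data.vulnerabilities;
    if (vulns) {
      return Object.fromEntries(SEVERITIES.map((s) => [s, Number(vulns[s] || 0)]));
    }
  }
  throw new Error("no auditSummary record: audit output missing or truncated");
}

// Per-severity change between two runs, plus the severities that got worse.
function auditDelta(baselineText, currentText) {
  const before = parseAuditSummary(baselineText);
  const after = parseAuditSummary(currentText);
  const delta = Object.fromEntries(SEVERITIES.map((s) => [s, after[s] - before[s]]));
  return { before, after, delta, regressions: SEVERITIES.filter((s) => delta[s] > 0) };
}

// Constructed sample lines; the counts are the ones quoted in the PR description.
const summaryLine = (v) => JSON.stringify({ type: "auditSummary", data: { vulnerabilities: v } });
const BASELINE = [
  "yarn audit v1.x (constructed banner line, not JSON)",
  JSON.stringify({ type: "auditAdvisory", data: { advisory: { module_name: "example-pkg", severity: "high" } } }),
  summaryLine({ info: 0, low: 53, moderate: 90, high: 107, critical: 42 }),
].join("\n");
const CURRENT = summaryLine({ info: 0, low: 46, moderate: 81, high: 94, critical: 42 });

const result = auditDelta(BASELINE, CURRENT);
console.log(result.delta, "regressions:", result.regressions);
```

In CI, save the audit output from the base branch and from the PR branch, pass both file contents to `auditDelta`, and fail the job when `regressions` is non-empty.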