Modernize web app: Vite + React 18, Python 3.11 runtime

[feruzm]

Why

The web app was an ejected CRA 1.x (webpack 3 / babel 6 / node-sass 4) built on the EOL node:8 / Debian-stretch / Python 3.5 base. That base is what blocked the remaining security updates after the dependency bundle (#43): the build-toolchain alerts (webpack/babel/loader-utils/handlebars-in-webpack/…), the two build-breaking Dependabot PRs, and the Python deps whose patched releases dropped 3.5. This migration clears that whole class and gets us off archived base images.

Frontend

• Vite 5 + @vitejs/plugin-react replaces the ejected webpack/babel config (config/, scripts/ removed). Build output stays in react_app/build, so app.py serves it unchanged.
• React 16.5 → 18.3 (createRoot).
• react-router 4 → 6 (Routes/element). A small withRouter shim reconstructs the v4-style history/location props the class components use, so the screens didn't need rewriting.
• react-intl 2 → 6. FormattedHTMLMessage and FormattedRelative were removed upstream — small compat shims preserve the existing behaviour.
• react-redux 5 → 8; dropped connected-react-router.
• node-sass 4 → dart-sass, react-html-parser → html-react-parser, remarkable 1 → 2, typeface-roboto → @fontsource/roboto, axios 0.18 → 1.x, immutable 3 → 4.
• Tests migrated jest → vitest (+ a render smoke test); snapshots regenerated (also fixes the long-stale steemit.com linkify fixture).

Backend / runtime

• Dockerfile-web is now multi-stage: node:20 builds the SPA, python:3.11-slim runs Flask/gunicorn (image ~155 MB).
• requirements.txt bumped to a modern, fully-patched set (Flask 3, Werkzeug 3, requests 2.32, urllib3 2.2, certifi 2024.x, …) — this is what lets the Python Dependabot PRs (Bump jinja2 from 2.10.1 to 2.11.3 #16 Bump flask-cors from 3.0.6 to 3.0.9 #18 Bump urllib3 from 1.24.2 to 1.26.5 #23 Bump certifi from 2018.8.24 to 2022.12.7 #38) resolve.
• Replaced the unmaintained xonfig (crashes on Python 3.10+) with a tiny stdlib configparser reader (appconfig.py) — same get_option API and config-file behaviour (incl. ast.literal_eval typing and __ENV__ overrides).

Verification (all on this PR's code)

• yarn build (Vite, node:20) ✅
• vitest run ✅ 16/16 (unit + render smoke)
• Full multi-stage Docker image builds ✅
• Runtime smoke: container boots gunicorn, GET / serves the SPA, /api-docs (SPA fallback) + hashed JS asset + favicon all return 200 ✅
• app.py imports on Python 3.11 with typed config values ✅

Notes for review

• Bundle is ~187 kB gzip (react-intl v6 is the bulk). Functional parity was the goal; route-level code-splitting is an easy follow-up if we want it smaller.
• This finishes the security cleanup started in Bump dependencies to patched versions (security bundle) #43: with this merged, the remaining build-tool alerts and the node-sass/react-dev-utils/Python Dependabot PRs (Bump react-dev-utils from 5.0.3 to 11.0.4 in /react_app #15 Bump node-sass from 4.12.0 to 7.0.0 in /react_app #28 Bump jinja2 from 2.10.1 to 2.11.3 #16 Bump flask-cors from 3.0.6 to 3.0.9 #18 Bump urllib3 from 1.24.2 to 1.26.5 #23 Bump certifi from 2018.8.24 to 2022.12.7 #38) are addressed.
• I couldn't exercise the live /api/* flow (needs redis + the search backend) or click through in a real browser; a quick look on staging/preview before deploy is worth it.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: aae8ed328f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep the counter's config dependency available

After this dependency list drops xonfig, the counter image is broken: Dockerfile-counter still installs this same requirements.txt and runs counter/main.py, which imports from xonfig import get_option. Any deployment that starts the counter container will exit with ModuleNotFoundError before it can update doc_count in Redis.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Parse env overrides without dropping underscored sections

In environments that override config via variables such as __ENV__ESEARCH_API_URL, this split stores the value under section ESEARCH and option API_URL, but app.py reads get_option('ESEARCH_API', 'URL') and the sample config defines [ESEARCH_API]. Those production API URL/token/timeout overrides are therefore ignored and the app falls back to file config.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Preserve sanitizing when parsing highlighted snippets

For search results containing escaped user text like <img src=x> in a marked title/body, markedHtml() strips tags before its final he.decode, so decoding can reintroduce real tags after sanitization. The previous ReactHtmlParser transform removed every parsed tag except <mark>, but these new parse(...) calls render whatever tags are reintroduced, allowing untrusted snippets to inject unexpected DOM into result links.

Useful? React with 👍 / 👎.