Land dependency modernization stack: security bumps, TS6+Vite8, lazy catalogs, MUI 9, dep-shedding

[devin-ai-integration]

Summary

This PR now carries the entire 5-PR modernization stack (the children #165/#164/#163/#167 were merged downward into this branch):

• Security/minor bumps — wrangler 4.98.0 (4.99.0 has a wrangler dev assets-404 regression), npm audit = 0 vulnerabilities
• Toolchain majors (chore: upgrade toolchain majors (TypeScript 6, Vite 8, svgr 5, tsconfig-paths 6) #165) — TypeScript 6.0, Vite 8 (rolldown), vite-plugin-svgr 5, vite-tsconfig-paths 6, tsconfig ES2022, src/css.d.ts for TS6 side-effect CSS imports
• Perf (perf: lazy-load term catalogs + vendor code splitting (8.2 MB → ~1.0 MB initial JS) #164) — term catalogs lazy-loaded via dynamic import() + function-form manualChunks (rolldown-compatible): initial JS 8,221 kB → ~1.0 MB (1,883 → ~319 kB gzip)
• MUI 9 (chore: upgrade MUI to v9.1.0 #163) — @mui/material/@mui/icons-material 9.1.0; HelpOutlineOutlined icon preserves the original glyph
• Dep-shedding (Shed legacy deps: flatpickr/react-select → native+MUI, auto-animate 0.9 #167) — flatpickr/react-flatpickr → native <input type="time">, react-select → MUI Autocomplete (fzf fuzzy search preserved via filterOptions), auto-animate 0.9, README note that preact/@preact/signals are Schedule-X peers

Merge-resolution note: the old react-select options/firstLoad state workaround (and its async-catalog re-sync fixes) was removed entirely — the MUI Autocomplete derives options={courses} from the catalog on every render, so it handles async catalog loading without extra state; the search placeholder shows "Loading courses..." while the term catalog chunk loads.

npm run verify and npm audit (0 vulns) pass; all CI checks green.

Link to Devin session: https://app.devin.ai/sessions/3b5cf4353db148c09b27d04099b86357
Requested by: @rchalamala

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	caltech-dev	015eb5e	Commit Preview URL Branch Preview URL	Jun 11 2026, 11:21 PM

[devin-ai-integration]

Test Results

Ran the production build (vite 7.3.5) served by npx wrangler dev (wrangler 4.98.0) locally and exercised the core scheduling flow end-to-end; also confirmed the vite dev server.

Deviations from the original request (intentional):

• wrangler pinned to 4.98.0, not 4.99.0 — 4.99.0 (released 2026-06-09) has a regression where wrangler dev 404s all static assets (bisected: 4.90/4.95/4.98 serve dist/ fine; 4.99.0 404s even with a bare --assets ./dist). 4.98.0 already clears all undici/ws/miniflare advisories.
• temporal-polyfill stays 0.3.0, not 0.3.2 — @schedule-x/calendar@4.6.0 pins exact peer temporal-polyfill@"0.3.0"; 0.3.2 fails npm install with ERESOLVE. No advisory affects 0.3.0.

Results:

• It should serve the working app via wrangler dev 4.98.0 (production build, vite 7.3.5) — passed
• It should add a course and render it on the weekly calendar (exercises temporal-polyfill/Schedule-X at runtime) — passed; console clean
• It should serve the app via vite 7.3.5 dev server (npm start) — passed

Search results (wrangler dev :8787)	Course added to calendar

Shell evidence

• npm run verify (oxlint + prettier check + tsc + vite build): passes
• npm audit: found 0 vulnerabilities
• npx wrangler dev → HTTP 200 on /; npm start → HTTP 200 on :3000

Devin session: https://app.devin.ai/sessions/44f717e165344a86812f49b427651bc6

[devin-ai-integration]

Devin Review found 2 new potential issues.

[devin-ai-integration]

📝 Info: New css.d.ts declaration covers all CSS imports needed by the project

The new src/css.d.ts file declares *.css as a module. This is likely needed because Vite 8 (or TypeScript 6) changed how CSS imports are typed. The project imports CSS in four places (src/index.tsx, src/Planner.tsx × 3), all as side-effect-only imports (import "./foo.css"). The broad declare module "*.css" declaration covers all of these. This is a standard pattern for Vite projects.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Acknowledged — informational only. The declare module "*.css" shim covers the project's four side-effect CSS imports under the TypeScript 6 / Vite 8 toolchain from commit e6c7bf1, and npm run verify (tsc included) passes. No action needed.

[devin-ai-integration]

Devin Review found 6 new potential issues.

[devin-ai-integration]

📝 Info: Fzf instance recreated on every render in WorkspaceSearch

The Fzf instance at src/Workspace.tsx:428-430 is created on every render of WorkspaceSearch, rebuilding its index over the full course list each time. This includes during every keystroke in the Autocomplete input. While functionally correct (each render gets a fresh fzf matching the current courses), wrapping it in useMemo(() => new Fzf(courses, {...}), [courses]) would avoid redundant index construction, especially since the courses array only changes when the catalog loads or the term switches.

(Refers to lines 428-430)

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Acknowledged — correct that useMemo(() => new Fzf(courses, ...), [courses]) would avoid rebuilding the index per keystroke. Functionally fine today; noted as a possible perf follow-up rather than expanding this PR further.

[devin-ai-integration]

🚩 Async loading guards silently discard user interactions during catalog load

All state-modifying callbacks (addCourse, removeCourse, toggleCourse, toggleSectionLock, setCourses, nextArrangement, prevArrangement, updateAvailableTimes) now early-return when !catalogReady (e.g. src/useAppState.ts:144-146). This means if a user has courses from localStorage and interacts with them (toggling, locking, changing sections, navigating arrangements) before the async loadCourseIndex resolves, all those actions are silently ignored with no feedback. The WorkspaceSearch shows "Loading courses..." as placeholder, but the existing workspace entries appear fully interactive. Consider disabling the controls or showing a loading indicator over the workspace during the async load window.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Valid observation, but the window is narrow: the catalog chunk is a single local dynamic import (~135 kB gzip, cached after first load), so catalogReady flips within tens of ms in practice, and the search input already shows a "Loading courses..." placeholder. The guards exist to prevent corrupting persisted workspaces against an empty index, which is the worse failure mode. Leaving as-is for this PR; a loading overlay on the workspace list could be a follow-up if the gap proves noticeable.

[devin-ai-integration]

📝 Info: useLayoutEffect used for async side effect is unusual but intentional

The useLayoutEffect at src/useAppState.ts:69-89 is used to kick off an async loadCourseIndex() call. Typically useLayoutEffect is reserved for synchronous DOM measurement/mutation. However, the intent here is to synchronously check the cache (getCachedCourseIndex) and set indexedCourses before paint when navigating between terms, so the calendar doesn't flash stale data. The async promise resolution happens after paint regardless. This is a valid pattern — the synchronous cache path benefits from useLayoutEffect while the async fallback is harmless. The cleanup function correctly cancels stale loads via the cancelled flag.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

📝 Info: Module-level courseIndexCache is a process-global singleton

The courseIndexCache at src/courseData.ts:21 is a module-level mutable object that persists across the entire application lifetime. This is fine for a client-side SPA, but if this module were ever imported in an SSR context, the cache would be shared across requests. Given this is a Vite + Cloudflare Workers (wrangler) project, verify that this module is only used on the client side. Currently it appears to be client-only based on the usage in useAppState.ts (a React hook), so this is safe.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Devin Review found 4 new potential issues.

[devin-ai-integration]

📝 Info: SectionDropdown value lookup is redundant but necessary for MUI Autocomplete referential identity

The value computation at lines 215-222 uses sections.find(...) to look up the section object by number, even though sections[course.sectionId!] would directly return it. This is intentional: MUI Autocomplete requires the value to be referentially identical to one of the options array elements. Since find searches the same sections array used as options, it guarantees the correct reference. The ?? null fallback handles the unlikely case where findIndex returns -1.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

📝 Info: loadCourseIndex does not cache empty results for unknown terms

When loadCourseIndex is called with an unknown term (no matching loader), it returns {} without caching the result (src/courseData.ts:33-34). This means each call for an unknown term creates a new Promise and returns a new {} object. In the current code, useLayoutEffect only calls loadCourseIndex once per realPath change, so this isn't a performance issue. However, repeated navigation to an invalid term would repeatedly invoke the function. This is minor since there's no actual I/O for unknown terms.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🚩 Wrangler version pinned without caret, unlike other dependencies

In package.json, wrangler changed from ^4.49.1 (allows minor/patch updates) to 4.98.0 (exact version). All other dependencies use ^ ranges. This inconsistency might be intentional (to pin a known-good version) but could lead to the project falling behind on wrangler patches. Worth confirming this was deliberate.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Deliberate: wrangler 4.99.0 (latest at time of writing) has a regression where wrangler dev returns 404 for all static assets (bisected — 4.98.0 and earlier work). The exact pin prevents ^ from pulling in the broken version; it can be relaxed back to ^ once a fixed wrangler release ships.

[devin-ai-integration]

E2E test results — combined stack branch

Built this branch locally and served the production bundle via npx wrangler dev (wrangler 4.98.0), exercising the merge-resolution hot spots in the browser. All 4 tests passed.

Tests (4/4 passed)

• Lazy catalog + MUI Autocomplete search (lazy-load × dep-shedding merge): passed. No IndexedTotal* chunk in initial load; IndexedTotalFA2026-27-*.js fetched on demand. fzf fuzzy search returns matches; selecting "Ae/APh/CE/ME 101 a - Fluid Mechanics" adds it to the workspace and renders MWF 10:00 events on the Schedule-X calendar.
• Native time inputs (flatpickr removal): passed. Monday start is a native <input type="time">; setting 11:00 AM + Unlock All correctly excludes the MWF 10:00 section.
• On-demand catalog for /wi2026: passed. IndexedTotalWI2025-26-*.js fetched on navigation; WI courses searchable.
• Regression — workspace persistence: passed. Fluid Mechanics (9 units) restored from localStorage after reload.

Also at branch head: npm run verify passes, npm audit = 0 vulnerabilities, CI 6/6 green (incl. react-doctor).

T1: fzf search (fa2027)	T1: course added, calendar events

Preexisting bug found (NOT from this stack)

After unlocking a course and narrowing then re-widening the time window, "No arrangements found :(" persists and the section can't be re-selected. Root cause: src/parseTimes.ts builds section intervals on a 2018 reference date while src/appContext.ts availableTimes use 2025 reference dates, and src/scheduler.ts:87-88 compares absolute getTime() values — the window check always fails once the scheduler runs. Reproduced identically on a local build of main (came in with #160), so it predates this PR. Worth a follow-up fix.

This branch	main (same behavior)

Notes

• Initial "No options" for "cs 124" was a false alarm — CS 124 isn't offered in the fa2027 catalog; search works correctly.
• wrangler is pinned to exactly 4.98.0 because 4.99.0/4.100.0 404 on assets under local wrangler dev.

Tested by Devin

[devin-ai-integration]

Devin Review found 2 new potential issues.

[devin-ai-integration]

📝 Info: loadCourseIndex has benign duplicate-call race but no deduplication

In src/courseData.ts:27-38, if loadCourseIndex is called concurrently for the same term (e.g., via React strict mode double-effects), both calls will miss the cache and independently call loader(). Both will resolve to the same module.default and both write it to the cache. This is harmless since the data is identical, but a pending-promise cache (storing the promise itself) would avoid the duplicate network/parse work. The useLayoutEffect in src/useAppState.ts:69-89 has a proper cancelled flag that handles this scenario correctly on the consumer side.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Acknowledged — the duplicate-call race is benign (same module record resolves for both callers; dynamic import() is deduped by the module loader, so there's no double network/parse in practice). A pending-promise cache would be a fine micro-optimization but isn't needed. Leaving as-is.

[devin-ai-integration]

📝 Info: SectionDropdown.onChange directly mutates course.sectionId before calling addCourse

At src/Workspace.tsx:201, course.sectionId is mutated in-place (a direct state mutation) before state.addCourse(course) is called. This is a pre-existing pattern (existed before this PR), not introduced by the migration. It works because addCourse subsequently triggers a state update that persists the change. However, if addCourse returns early (e.g., due to the catalogReady guard), the mutation would persist on the object without a corresponding React state update, which could cause subtle inconsistencies. In practice this shouldn't happen since sections are only shown when courses are loaded.

(Refers to lines 200-208)

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Acknowledged — pre-existing mutation pattern, not introduced by this PR. As noted, SectionDropdown only renders for courses already resolved from the catalog, so the catalogReady early-return path is effectively unreachable here. Leaving as-is; an immutable-update refactor could be a separate cleanup.