Plan: Sequence dependency upgrade PRs

[pamelafox]

There are 6 open dependency-upgrade PRs; 1 is obsolete (#2715), 2 are superseded by cleaner alternatives (#2900, #2921), and 3 should be merged in order: #2960 (React 19) → #2946 (MSAL minor) → #2162 (Fluent UI v8 patch). The failing PRs should be closed. A future MSAL v5 upgrade should be planned as a separate effort after these land.

Phase 0: Close stale/superseded PRs

1. Close PR Bump azure-ai-documentintelligence from 1.0.0b4 to 1.0.2 #2715 (azure-ai-documentintelligence 1.0.0b4 → 1.0.2) — already applied to main; the package is at 1.0.2 in app/backend/requirements.txt.
2. Close PR Bump react-dom and @types/react-dom in /app/frontend #2900 (react-dom + React 19 + Fluent UI combined) — superseded by PR Upgrade React from 18 to 19 #2960, which takes a cleaner, minimal approach and passes all CI. Leave a comment explaining Upgrade React from 18 to 19 #2960 is the replacement.
3. Close PR Bump @azure/msal-browser from 4.16.0 to 5.0.2 in /app/frontend #2921 (@azure/msal-browser v5 major) — CI failing, requires breaking-change code migration across auth files, and is superseded by PR Bump @azure/msal-react from 3.0.16 to 5.0.3 in /app/frontend #2946's safer minor-version approach. Leave a comment noting future msal-browser v5 work should be tracked in a dedicated issue.

Phase 1: Merge PR #2960 — React 18 → 19 (all CI green)

• Why first: This is the largest foundational change. All 26/26 CI checks pass. It touches app/frontend/package.json, app/frontend/package-lock.json, app/frontend/.npmrc, and 3 component files for JSX type import fixes.
• Key approach: Adds legacy-peer-deps=true to .npmrc to accommodate Fluent UI v8's React 18 peer dep declaration — a pragmatic workaround until the Fluent UI v9 migration (tracked in issue Migrate from @fluentui/react (v8) to @fluentui/react-components (v9) #2961).
• After merge: PRs Bump @azure/msal-react from 3.0.16 to 5.0.3 in /app/frontend #2946 and Bump @fluentui/react from 8.112.5 to 8.121.11 in /app/frontend #2162 will have merge conflicts in package.json / package-lock.json and need rebasing.

Phase 2: Rebase & merge PR #2946 — MSAL minor bump (all CI green)

• Why second: Independent of React 19 at the code level, but will conflict on lockfile after Upgrade React from 18 to 19 #2960 merges. Currently passes CI (22/22 checks).
• What it does: Bumps @azure/msal-react 3.0.16 → 3.0.25 and @azure/msal-browser 4.16.0 → 4.28.1 (transitive). These are minor/patch bumps within the same major versions — no code changes needed.
• Action needed: Rebase onto main (post-Upgrade React from 18 to 19 #2960), regenerate package-lock.json, verify CI passes.

Phase 3: Rebase & merge PR #2162 — Fluent UI v8 patch bump

• Why third: Lowest priority (very stale, open since Nov 2024), purely patch-level fixes within @fluentui/react v8 (8.112.5 → 8.121.11). No CI ran on it.
• Risk: Low — same major version, release notes show only minor bugfixes (SwatchColorPicker, DatePicker aria-required, SuggestionItem alignment).
• Action needed: Rebase onto main (post-Upgrade React from 18 to 19 #2960 and Bump @azure/msal-react from 3.0.16 to 5.0.3 in /app/frontend #2946), regenerate package-lock.json, verify CI passes. The target version (8.121.11) may be outdated by now — consider having Dependabot open a fresh PR for the latest v8.x instead.

Phase 4: Future work (not in these PRs)

• MSAL Browser v5 + MSAL React v4 migration: PR Bump @azure/msal-browser from 4.16.0 to 5.0.2 in /app/frontend #2921 showed this requires non-trivial code changes across app/frontend/src/index.tsx, app/frontend/src/authConfig.ts, and app/frontend/src/components/LoginButton/LoginButton.tsx — refactored event types, renamed config options, removed deprecated APIs. This should be a dedicated branch with manual migration work, not a Dependabot auto-upgrade.
• Fluent UI v8 → v9 migration: Tracked in issue Migrate from @fluentui/react (v8) to @fluentui/react-components (v9) #2961. This is a separate large effort involving component API changes across the entire frontend.

Verification

• After each merge, confirm all CI checks pass on main.
• After Phase 1 (Upgrade React from 18 to 19 #2960), manually verify the app starts (npm run dev + quart run) and basic chat functionality works with React 19.
• After Phase 2 (Bump @azure/msal-react from 3.0.16 to 5.0.3 in /app/frontend #2946), verify login/auth flows still work (if auth is enabled in the environment).
• After Phase 3 (Bump @fluentui/react from 8.112.5 to 8.121.11 in /app/frontend #2162), verify Fluent UI components render correctly (no visual regressions in settings panels, buttons, callouts).

Rationale

• Chose to close Bump react-dom and @types/react-dom in /app/frontend #2900 in favor of Upgrade React from 18 to 19 #2960: Upgrade React from 18 to 19 #2960 is a minimal, focused React 19 upgrade that passes CI, while Bump react-dom and @types/react-dom in /app/frontend #2900 combined too many upgrades (React + Fluent UI) and fails CI.
• Chose to close Bump @azure/msal-browser from 4.16.0 to 5.0.2 in /app/frontend #2921 in favor of Bump @azure/msal-react from 3.0.16 to 5.0.3 in /app/frontend #2946: MSAL Browser v5 is a major version with many breaking changes that need manual migration; Bump @azure/msal-react from 3.0.16 to 5.0.3 in /app/frontend #2946's minor-version bump is safe and sufficient for now.
• Chose to close Bump azure-ai-documentintelligence from 1.0.0b4 to 1.0.2 #2715: The upgrade is already applied to main — the PR is a no-op.
• Ordered React 19 (Upgrade React from 18 to 19 #2960) first because it's the most foundational change and all other frontend PRs will need to rebase against it anyway.