chore: remove deprecated react-hot-loader

[rusackas]

User description

Summary

This PR removes the deprecated react-hot-loader package since React Refresh is already configured and working in the project via the SWC loader.

Changes:

• Removed react-hot-loader dependency from package.json
• Removed hot() wrapper from App.tsx
• Removed setHotLoaderConfig from preamble.ts
• Removed react-hot-loader/babel plugin from babel.config.js
• Removed react-hot-loader from webpack vendor bundle
• Cleaned up related comments

Before/After

Before: Project had both react-hot-loader (deprecated) and React Refresh configured
After: Only React Refresh is used for hot module replacement

Testing Instructions

1. Run npm run dev-server
2. Make changes to React components
3. Verify hot module replacement works correctly (components update without full page refresh)
4. Verify no console errors related to hot module replacement

✅ Tested locally: Dev server compiles successfully and HMR works as expected.

Additional Information

React Refresh has been the recommended HMR solution for React since React 17. The react-hot-loader package is deprecated and no longer maintained. This migration simplifies our development setup by removing unnecessary dependencies.

🤖 Generated with Claude Code

---

CodeAnt-AI Description

Remove deprecated react-hot-loader and add dependency-checker tool

What Changed

• Removed react-hot-loader and all references (package.json, package-lock, babel plugin, webpack vendor list, and hot() wrapper); development hot module replacement continues to work via React Refresh.
• Dev server no longer triggers deprecated react-hot-loader warnings and the dev vendor bundle no longer contains react-hot-loader, reducing the development bundle size.
• Added a new CLI script (scripts/check-dependencies.py) and an agent doc (AGENTS/dependency-checker.md) that scan the frontend codebase for unused or transitive npm dependencies and produce human-readable and JSON reports with keep/remove/investigate recommendations.

Impact

✅ No deprecated HMR warnings in dev server
✅ Smaller dev vendor bundle during development
✅ Easier detection of unused frontend dependencies

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[codeant-ai-for-open-source]

CodeAnt AI is reviewing your PR.

[codeant-ai-for-open-source]

Suggestion: Logic error: when other packages depend on this package the code marks the package as removable. If dependents is non-empty the package is required by other packages and should not be recommended for removal; change the recommendation to keep (or investigate) instead of remove. [logic error]

Severity Level: Minor ⚠️

Suggested change

	recommendation = 'remove' # Can be removed if available through dependents
	recommendation = 'keep' # Required by other packages; do not recommend removal automatically

Why it matters? ⭐

The current logic flips the intent: if other packages depend on this package (dependents is non-empty),
the package is required transitively and should not be auto-recommended for removal. Changing the
recommendation to 'keep' (or at least 'investigate') fixes a real logic bug that would otherwise
produce unsafe/incorrect removal suggestions.

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** scripts/check-dependencies.py
**Line:** 174:174
**Comment:**
	*Logic Error: Logic error: when other packages depend on this package the code marks the package as removable. If `dependents` is non-empty the package is required by other packages and should not be recommended for removal; change the recommendation to keep (or investigate) instead of remove.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

[codeant-ai-for-open-source]

Suggestion: Incorrect boolean for transitive removal: can_be_removed is set true when there are dependents, which is backwards — if other packages require this package it should not be marked removable. Use a flag that reflects whether there are no dependents. [logic error]

Severity Level: Minor ⚠️

Suggested change

	'can_be_removed': len(dependents) > 0
	'can_be_removed': len(dependents) == 0

Why it matters? ⭐

The boolean is inverted: can_be_removed should be true only when there are NO dependents. As written,
packages that are required by other packages are incorrectly flagged removable. Fixing this corrects
the transitive usage reporting and aligns the field with the actual semantics.

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** scripts/check-dependencies.py
**Line:** 190:190
**Comment:**
	*Logic Error: Incorrect boolean for transitive removal: `can_be_removed` is set true when there are dependents, which is backwards — if other packages require this package it should not be marked removable. Use a flag that reflects whether there are no dependents.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

[codeant-ai-for-open-source]

Nitpicks 🔍

🔒 No security issues identified

⚡ Recommended areas for review Questionable Logic When dependents are found in package-lock, analyze_dependency sets status 'transitive-only' and recommendation 'remove'. This is counterintuitive: if other packages depend on this package, removing it may break those dependents or conversely it may be safe to remove if it's provided transitively. This behavior should be documented or re-checked to ensure the recommendation is correct. Missing file handling Opening package.json and package-lock.json is done without checking existence or handling JSON decoding errors. If the provided --path is incorrect or files are missing/corrupt the script will raise an unhandled exception. Consider early checks and clearer error messages or safe fallbacks. Fragile config file reading The code opens all matching config files without try/except; unreadable files or directories (or binary/large files) could raise exceptions. Also glob patterns may match unexpected files. Consider guarding file reads and skipping non-regular files. Build / config residue Ensure all build-tooling and config (SWC/Babel/webpack) have been updated consistently to use React Refresh instead of react-hot-loader. Confirm there are no remaining references or plugins that assume react-hot-loader (imports, babel plugins, vendor bundles, or webpack aliases). Removed import audit The import for react-hot-loader was removed. Make sure there are no remaining references elsewhere in the codebase or build config (Babel, webpack, vendor lists). A quick search and CI build check should confirm there are no missing symbols. HMR behavior change Removing the react-hot-loader wrapper and exporting the raw App relies on React Refresh behavior. Verify that HMR preserves component state and update behavior across the app (particularly for any class components and legacy code paths that relied on react-hot-loader's advanced state-preservation behavior). Performance Issue The search_for_imports routine invokes ripgrep/grep once per pattern per source path per package. For large dependency lists this results in many separate subprocess calls and repeated scanning of the same directories, which is slow. Consider batching patterns into a single rg invocation or searching once per package and post-filtering results. Empty dev block The development-only conditional no longer executes any code and only contains a comment. This is a code smell (and can trigger linter warnings). Either remove the conditional entirely or make it do a minimal runtime check (e.g. verify HMR is available) so the intent is explicit.

[codeant-ai-for-open-source]

CodeAnt AI finished reviewing your PR.

[bito-code-review]

Code Review Agent Run #b0d8a2

Actionable Suggestions - 2

• scripts/check-dependencies.py - 2

  • Incomplete Import Detection · Line 43-49
  • Subprocess security and check argument issues · Line 71-74

Additional Suggestions - 2

• scripts/check-dependencies.py - 2

  • Missing License Header · Line 1-16
    New files in the Superset codebase must include the Apache Software Foundation license header. This script is missing the required header, which should be added at the top before the shebang line.
  • Missing Type Hint · Line 216-216
    The main function should have a return type annotation for consistency with type hint requirements in new Python code.
    Code suggestion

     @@ -216,1 +216,1 @@
    - def main():
    + def main() -> None:

Review Details

• Files reviewed - 5 · Commit Range: d7c0d9b..d7c0d9b

  • scripts/check-dependencies.py
  • superset-frontend/babel.config.js
  • superset-frontend/src/preamble.ts
  • superset-frontend/src/views/App.tsx
  • superset-frontend/webpack.config.js
• Files skipped - 3

  • AGENTS/dependency-checker.md - Reason: Filter setting
  • superset-frontend/package-lock.json - Reason: Filter setting
  • superset-frontend/package.json - Reason: Filter setting
• Tools

  • Eslint (Linter) - ✔︎ Successful
  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Default Agent You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

Incomplete Import Detection

The script misses dynamic imports like import('package'), which are common in the frontend for lazy loading. This could lead to false positives for unused dependencies.

Code suggestion

Check the AI-generated fix before applying

Suggested change

	patterns = [
	f"from ['\"]{{}}['\"]",
	f"require\\(['\"]{{}}['\"]",
	f"import.*['\"]{{}}['\"]",
	f"from ['\"]{{}}/.+['\"]", # Subpath imports
	f"require\\(['\"]{{}}/.+['\"]", # Subpath requires
	]
	patterns = [
	f"from ['\"]{{}}['\"]",
	f"require\\(['\"]{{}}['\"]",
	f"import.*['\"]{{}}['\"]",
	f"from ['\"]{{}}/.+['\"]", # Subpath imports
	f"require\\(['\"]{{}}/.+['\"]", # Subpath requires
	f"import\\(['\"]{{}}['\"]", # Dynamic imports
	f"import\\(['\"]{{}}/.+['\"]", # Dynamic subpath imports
	]

Code Review Run #b0d8a2

---

Should Bito avoid suggestions like this for future reviews? (Manage Rules)

• Yes, avoid them

[bito-code-review]

Subprocess security and check argument issues

Subprocess call to grep lacks explicit check argument (PLW1510) and has security concerns (S603, S607). Add check=False and use full path for executables.

Code suggestion

Check the AI-generated fix before applying

Suggested change

	result = subprocess.run(
	["grep", "-r", "-l", "-E", search_pattern, str(src_path)],
	capture_output=True,
	text=True
	result = subprocess.run(
	["grep", "-r", "-l", "-E", search_pattern, str(src_path)],
	capture_output=True,
	text=True,
	check=False,

Code Review Run #b0d8a2

---

Should Bito avoid suggestions like this for future reviews? (Manage Rules)

• Yes, avoid them