Bump frontend deps (all prod, some dev)

[imnasnainaec]

Also dedup to avoid loading in @mui/x-date-pickers's MUIv7 peer deps.

Devin: https://app.devin.ai/review/sillsdev/TheCombine/pull/4274

This change is 

Summary by CodeRabbit

• Chores
  • Updated multiple frontend libraries to latest versions for improved stability and performance.
  • Refreshed license and attribution documentation.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR upgrades multiple frontend dependencies including axios, motion, i18next stack, and react-router in package.json, with corresponding license manifest updates. Additionally, the embedded @marsidev/react-turnstile documentation is refreshed with updated examples, badges, and new MIT license blocks for @mui packages.

Changes

Cohort / File(s)	Summary
Dependency Version Bumps package.json	Upgraded 9 dependencies: @marsidev/react-turnstile (1.4.1→1.5.0), axios (1.13.5→1.15.2), dayjs (1.11.19→1.11.20), i18next (25.7.3→25.10.10), i18next-browser-languagedetector (8.2.0→8.2.1), i18next-http-backend (3.0.2→3.0.6), motion (12.23.26→12.38.0), react-i18next (16.5.0→16.6.6), react-router (7.12.0→7.13.2).
License Manifest & Turnstile Docs docs/user_guide/assets/licenses/frontend_licenses.txt	Updated version records for 20+ dependencies (babel/runtime, axios, lodash, react-router, etc.); refreshed @marsidev/react-turnstile documentation with updated version badge, new npm→pnpm install command, rewritten features list, TypeScript form+imperative API example, and restructured sections; appended MIT license blocks for @mui/private-theming, @mui/styled-engine, @mui/system, @mui/types, @mui/utils (7.3.x/7.4.12).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Bump lodash from 4.17.21 to 4.17.23 #4104: Bumps lodash version in frontend licenses to match version in this PR's manifest update.
• Bump frontend production deps #4071: Overlapping frontend dependency updates and frontend_licenses.txt modifications affecting the same packages and files.

Suggested labels

dependencies, javascript, documentation

Suggested reviewers

• jasonleenaylor
• myieye

Poem

🐰✨ A hop and a bump, dependencies soar,
From axios to motion, and so many more,
The turnstile gleams bright with TypeScript in sight,
While licenses shimmer with @mui delight! 📜🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: bumping multiple frontend dependencies in package.json and related files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch frontend-prod-deps-2026-04

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.94%. Comparing base (6d00401) to head (c75fba6).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #4274   +/-   ##
=======================================
  Coverage   75.94%   75.94%           
=======================================
  Files         303      303           
  Lines       11352    11352           
  Branches     1403     1403           
=======================================
  Hits         8621     8621           
  Misses       2330     2330           
  Partials      401      401           

Flag	Coverage Δ
backend	87.23% <ø> (ø)
frontend	66.79% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

package.json (1)

76-76: Add a defensive guard for the private router.subscribe API before the react-router version bump.

The codebase relies on router.subscribe() in src/router/browserRouter.tsx:17 for analytics/page navigation. The developers explicitly documented that this is a private API (lines 14–16) and flagged it as needing verification with future react-router updates. With ~7.13.2 allowing minor patch updates, a router change could break app bootstrap. Wrap the subscribe call with a try-catch or feature detection to ensure the app remains stable even if the private API is removed or changed.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 76, Wrap the private router.subscribe() call in a
defensive guard that detects availability and handles failures: check that the
router object and router.subscribe are functions (or use typeof router.subscribe
=== "function") before calling, and surround the call with a try-catch to log
and swallow any errors so bootstrap won’t crash; update the subscribe usage in
the browserRouter (the function/module that calls router.subscribe) to use this
feature-detection + try-catch pattern and ensure any analytics callback
registration failure is safely no-oped.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/user_guide/assets/licenses/frontend_licenses.txt`:
- Around line 1063-1085: The project currently has mixed MUI majors—root
packages like `@mui/private-theming`, `@mui/styled-engine`, `@mui/system`, and
`@mui/utils` at v7.3.10 (pulled in by `@mui/x-date-pickers` v7.29.4) while
`@mui/material` remains at 6.5.0; inspect package.json and the lockfile for the
explicit dependency on `@mui/x-date-pickers` and decide whether to (a) upgrade
`@mui/material` to v7 to align with `@mui/x-date-pickers` v7, (b) downgrade
`@mui/x-date-pickers` to a v6 release to match `@mui/material`, or (c) accept dual
majors and document the trade-offs; then implement the chosen path (update
package.json, run yarn/npm install, and regenerate the lockfile) and, if keeping
mixed versions, add a note in docs mentioning potential theming/context risks
and why `@mui/x-date-pickers` v7 is required.

---

Nitpick comments:
In `@package.json`:
- Line 76: Wrap the private router.subscribe() call in a defensive guard that
detects availability and handles failures: check that the router object and
router.subscribe are functions (or use typeof router.subscribe === "function")
before calling, and surround the call with a try-catch to log and swallow any
errors so bootstrap won’t crash; update the subscribe usage in the browserRouter
(the function/module that calls router.subscribe) to use this feature-detection
+ try-catch pattern and ensure any analytics callback registration failure is
safely no-oped.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2ab45a71-9eec-46a2-ae1a-1cc330373c47

📥 Commits

Reviewing files that changed from the base of the PR and between 6d00401 and 612bd99.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• docs/user_guide/assets/licenses/frontend_licenses.txt
• package.json

[jasonleenaylor]

@jasonleenaylor reviewed 4 files and all commit messages, and made 1 comment.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on imnasnainaec).