Skip to content

chore(deps): remove legacy packages and patch direct findings#742

Merged
meiiie merged 4 commits into
mainfrom
chore/remove-unused-dependencies
Jul 11, 2026
Merged

chore(deps): remove legacy packages and patch direct findings#742
meiiie merged 4 commits into
mainfrom
chore/remove-unused-dependencies

Conversation

@meiiie

@meiiie meiiie commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Description

Removes five unused direct packages plus uuid/types. The sole uuid call now uses the existing
renderer convention, globalThis.crypto.randomUUID().

Also raises Electron 39.2.7 -> 39.8.10 and Vitest 4.0.16 -> 4.1.10 to clear their direct audit
findings. Active @fix-webm-duration/fix and pixi-filters remain.

Motivation

Legacy icon/Jimp/PhantomJS/request trees and vulnerable direct versions inflated the install. The
lockfile moves from 1,001 to 772 entries, direct dev dependencies from 59 to 52, and current registry
audit results from 34 findings/3 critical to 15/0 critical.

Type of Change

  • Refactor / Code Cleanup

Related Issue(s)

None found.

Screenshots / Video

Not applicable; there is no UI change.

Testing Guide

  • npm ci --no-audit --no-fund — full postinstall/native rebuild passed
  • Electron runtime: 25 files/243 tests; uiohook-napi loaded at ABI 140
  • npx tsc --noEmit --noUnusedLocals false
  • focused Biome lint — passed
  • full Vitest — 96 files, 841 tests passed
  • renderer/main/preload build, CJS smoke, Windows directory package, packaged-binary and ASAR-addon
    probes — passed
  • npm audit --json — 15 findings remain; no Electron/Vitest finding and no critical finding

Strict typecheck retains the existing unused scalePreviewBorderRadius on main (covered by #737).
Verification was Windows x64; macOS/Linux packaging and interactive capture remain.

Risk

No production API/schema change; product Vite stays 5.4.21 and IDs remain UUID v4. Electron 39.8.10
closes known findings but 39 is EOL; a supported-major compatibility ladder remains required.

Checklist

  • I have performed a self-review of my code.
  • I have added any necessary screenshots or videos (not applicable).
  • I have linked related issue(s) and updated the changelog if applicable (none).

Summary by CodeRabbit

  • Chores

    • Updated the Electron development environment and testing tools.
    • Removed unused development packages.
  • Bug Fixes

    • Improved keyframe ID generation, maintaining duplicate-prevention and timing behavior.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 668c42e3-9a4f-4525-9d2a-b7d8e5b7334a

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Development dependencies are removed or upgraded, and timeline keyframe creation now uses the platform crypto API instead of the uuid package.

Changes

Tooling and keyframe identifiers

Layer / File(s) Summary
Development dependency updates
package.json
Pixi filters, Electron packaging, animation, media, and test tooling entries are removed or updated, including Electron and Vitest version bumps.
Platform-based keyframe IDs
src/components/video-editor/timeline/hooks/useTimelineSelection.ts
The hook removes the uuid import and generates keyframe IDs with globalThis.crypto.randomUUID() while preserving existing timing and state-update behavior.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main dependency cleanup and audit-fix update in the pull request.
Description check ✅ Passed The description matches the template with purpose, motivation, type, related issues, testing, and checklist details.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/remove-unused-dependencies

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@meiiie meiiie changed the title chore(deps): remove unused legacy packages chore(deps): remove legacy packages and patch direct findings Jul 10, 2026
@meiiie meiiie marked this pull request as ready for review July 11, 2026 03:49

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
package.json (1)

81-81: 🔒 Security & Privacy | 🔵 Trivial

Electron 39.8.10 is the latest 39.x patch, but 39.x is end-of-support. If this app uses custom protocols or PDF rendering paths, 39.8.10 also has a reported regression there, so plan a move to a supported Electron major rather than staying on 39.x.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 81, Update the Electron dependency from the
end-of-support 39.x line to a currently supported major, selecting a compatible
stable version and adjusting any affected custom protocol or PDF rendering code
and related tests as needed. Verify the application builds and runs correctly
with the new Electron version.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@package.json`:
- Line 81: Update the Electron dependency from the end-of-support 39.x line to a
currently supported major, selecting a compatible stable version and adjusting
any affected custom protocol or PDF rendering code and related tests as needed.
Verify the application builds and runs correctly with the new Electron version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 291dbeaa-f0d8-42c5-930f-876e797fbaa9

📥 Commits

Reviewing files that changed from the base of the PR and between 1ab9d68 and 6a16b4f.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • package.json
  • src/components/video-editor/timeline/hooks/useTimelineSelection.ts

@meiiie meiiie merged commit 4fdef86 into main Jul 11, 2026
3 checks passed
@meiiie meiiie deleted the chore/remove-unused-dependencies branch July 11, 2026 03:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant