
chore(deps): audit and clean up dependencies #4529

Closed

waleedlatif1 wants to merge 1 commit into staging from waleedlatif1/audit-deps


Conversation

@waleedlatif1
Collaborator

Summary

  • Removed unused deps: chalk, chart.js, dotenv, encoding, entities, thread-stream, uuid, @opentelemetry/exporter-jaeger, critters, marked, redis, soap
  • Replaced soap with a hand-rolled Workday SOAP client (XXE-safe XML parser, WS-Security UsernameToken)
  • Migrated marked to a unified/remark/rehype pipeline for inbox response rendering
  • Bumped zustand v5, @react-email/*, biome 2.4.14
  • Aligned all @aws-sdk/* packages to 3.1032.0 (exact pins)
  • Moved concurrently to root, type-only deps to devDependencies
  • Removed duplicate drizzle-orm/postgres overrides

Type of Change

  • Chore / dependency cleanup

Testing

Tested manually — type-check and lint pass across the monorepo.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel Bot commented May 9, 2026

The latest updates on your projects.

Project: docs. Deployment: Ready. Actions: Preview, Comment. Updated (UTC): May 9, 2026 5:28am

@cursor

cursor Bot commented May 9, 2026

PR Summary

Medium Risk
Broad removal of !important and class reordering across global/styles could subtly change UI precedence/layout. Runtime logic changes are minor (optional chaining and explicit parseInt(..., 10)), but touch multiple API routes and workflow execution paths.

Overview
Primarily a consistency/safety cleanup across the monorepo.

Docs and app styling is adjusted by removing widespread !important overrides and reordering Tailwind class strings for consistency, which may change CSS specificity/override behavior in some edge cases.

Backend/UI logic is lightly hardened by switching many null checks to optional chaining (e.g., session?.user, sub?.stripeSubscriptionId) and standardizing numeric parsing to Number.parseInt(..., 10) across API routes, tools, and resize/positioning hooks; several tests are reformatted without behavior changes.

Reviewed by Cursor Bugbot for commit 1944ad7.

Comment thread apps/sim/app/(landing)/components/features/features.tsx Outdated
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.


Comment thread apps/sim/app/_styles/globals.css Outdated
animation-duration: 0.01ms;
animation-iteration-count: 1;
transition-duration: 0.01ms;
scroll-behavior: auto;


Reduced-motion accessibility rule ineffective without !important

High Severity

The prefers-reduced-motion block uses the universal selector * which has zero specificity (0,0,0). Without !important, any class-based animation rule (specificity ≥ 0,1,0) overrides it. This makes the accessibility rule ineffective against every animation in the file — .landing-loop-animated-dash, .loading-dot, .loading-placeholder::placeholder, .status-indicator.streaming::before, and others — as well as any inline animation styles set by JavaScript. The WCAG 2.3.3 technique (C39) explicitly requires !important for this pattern to work.


Comment thread apps/docs/app/global.css Outdated
padding-right: 0 !important;
margin-right: 0 !important;
padding-right: 0;
margin-right: 0;


Scroll-lock layout shift prevention defeated without !important

Medium Severity

The comment explicitly states the purpose is to "Prevent modals/dialogs from shifting layout via scroll-lock compensation." Scroll-lock libraries (used by Radix UI / Fumadocs search dialog) add inline padding-right styles to the body. Inline styles have specificity (1,0,0,0) and always beat regular CSS declarations. Without !important, these padding-right: 0 and margin-right: 0 rules cannot override inline styles, so the layout shift they were designed to prevent will now occur when dialogs open.


@greptile-apps
Contributor

greptile-apps Bot commented May 9, 2026

Greptile Summary

Large dependency audit that removes ~12 unused packages, aligns all @aws-sdk/* to 3.1032.0, upgrades Zustand to v5, and replaces two notable dependencies with hand-rolled alternatives.

  • soap → hand-rolled SOAP client (apps/sim/tools/workday/soap.ts): builds WS-Security UsernameToken envelopes directly, replaces WSDL fetch with a static endpoint map, and adds a custom XML parser that ignores DOCTYPE/entity expansion (XXE-safe). The API surface is preserved so existing call sites are unchanged.
  • marked → unified/remark/rehype pipeline (apps/sim/lib/mothership/inbox/response.ts): renderEmailHtml is now async, the shared processor instance is stateless between calls, and remarkRehype defaults block raw-HTML pass-through.
  • Biome 2.4.14 auto-removed many !important declarations from globals.css and added the radix argument to parseInt calls across the stores.

Confidence Score: 3/5

The dependency cleanup is mostly clean, but the biome-driven removal of !important from React Flow class selectors in globals.css introduces a likely visual regression that would surface in production.

The Workday SOAP replacement is well-structured and SSRF-safe, with the only gaps being dead code and a missing encodeURIComponent on the tenant path segment. The bigger concern is globals.css: .react-flow__selection and .react-flow__nodesselection are single-class overrides that share identical specificity with React Flow's injected stylesheet. Next.js injects third-party CSS after globals.css, so without !important these brand-color and pointer-events overrides will silently revert to library defaults in every environment.

apps/sim/app/_styles/globals.css (the .react-flow__selection and .react-flow__nodesselection-rect overrides that lost !important) and apps/sim/tools/workday/soap.ts (dead service field and un-encoded tenant in URL).

Important Files Changed

Filename / Overview

apps/sim/tools/workday/soap.ts: Replaces the soap npm dependency with a hand-rolled SOAP client (hand-built XML envelope, custom XML parser, WS-Security UsernameToken). Core logic is sound and the SSRF guard is preserved, but WD_OPERATIONS.service is unused dead code, attribute key names are not escaped in serializeAttributes, and the tenant URL segment is not encodeURIComponent-encoded.

apps/sim/lib/mothership/inbox/response.ts: Migrates Markdown rendering from marked to a unified/remark/rehype pipeline. remarkRehype safely discards raw HTML by default and stripRawHtml provides belt-and-suspenders pre-filtering. The module-level unified processor instance is stateless between invocations so concurrent calls are safe.

apps/sim/app/_styles/globals.css: Removes !important from React Flow class-level overrides (.react-flow__selection, .react-flow__nodesselection-rect, .react-flow__nodesselection) — these share identical specificity with React Flow's own injected styles and will likely regress to the library defaults in production.

apps/sim/package.json: Removes unused deps (soap, marked, chalk, chart.js, dotenv, redis, uuid, etc.), aligns all @aws-sdk/* packages to 3.1032.0 exact pins, upgrades zustand to v5, adds unified/remark pipeline, and moves type-only deps to devDependencies.

apps/sim/next.config.ts: Removes pino, pino-pretty, and thread-stream from serverExternalPackages; these were transitive-only dependencies so the removal is safe.

package.json: Upgrades @biomejs/biome from 2.0.0-beta.5 to 2.4.14 and moves concurrently to the root devDependencies.

Reviews (1): Last reviewed commit: "fix(ui): restore leading spaces in condi..."

Comment thread apps/sim/app/_styles/globals.css Outdated
Comment on lines +147 to +157
*/
.react-flow__selection {
background: rgba(51, 180, 255, 0.08) !important;
border: 1px solid var(--brand-secondary) !important;
background: rgba(51, 180, 255, 0.08);
border: 1px solid var(--brand-secondary);
}

.react-flow__nodesselection-rect,
.react-flow__nodesselection {
background: transparent !important;
border: none !important;
pointer-events: none !important;
background: transparent;
border: none;
pointer-events: none;
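Review bot: dropping `!important` from `.react-flow__selection` and from `.react-flow__nodesselection-rect, .react-flow__nodesselection` leaves each rule tied at specificity (0,1,0) with React Flow's own selectors, so the outcome depends purely on stylesheet order. If the lint rule is the motivation, raise specificity instead of removing precedence, for example by nesting the overrides under a wrapper class (`.workflow-canvas .react-flow__selection`) or by importing the library stylesheet into a lower `@layer`, and verify the rendered selection box and `pointer-events: none` behaviour against the injected library CSS before merging.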
Contributor


P1 !important removal from React Flow class selectors may regress selection visuals

.react-flow__selection and .react-flow__nodesselection-rect/.react-flow__nodesselection share the same CSS specificity (0,1,0) as React Flow's own internal stylesheet. Without !important, whichever rule appears later in the final style sheet wins. Next.js injects third-party library CSS after global styles, so React Flow's default background (rgba(0, 89, 220, 0.08)) and transparent/no-border values will silently override the brand-colored and pointer-events overrides added here. The original !important declarations were necessary to win the specificity battle; removing them for lint compliance reverts these visual customisations.

Rule Used: Avoid editing the globals.css file unless absolute...

Learned From
simstudioai/sim#367
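The three CSS findings in this thread (the `*` reduced-motion rule losing to class rules, the `body` scroll-lock rule losing to inline styles, and the same-specificity React Flow tie) all come down to how the cascade orders declarations. The following is an added example, not code from the simstudioai/sim repository: a small model of the cascade for author-origin declarations that reproduces each finding with and without `!important`. The selector grammar is deliberately minimal (`*`, `#id`, `.class`, `:pseudo`, `::pseudo-element`, `tag`, joined by combinators); attribute selectors and `:is()`/`:where()` are not handled, and the `15px` inline padding is a constructed value standing in for whatever a scroll-lock library writes.

```typescript
// Added example (not project code): minimal CSS cascade model.
type Specificity = [number, number, number]; // (ids, classes, types)

export function specificity(selector: string): Specificity {
  const spec: Specificity = [0, 0, 0];
  // Split on descendant/child/sibling combinators, then tokenize each compound selector.
  for (const compound of selector.split(/[\s>+~]+/).filter(Boolean)) {
    const tokens = compound.match(/::?[a-z-]+|#[\w-]+|\.[\w-]+|\*|[a-z][\w-]*/gi) ?? [];
    for (const t of tokens) {
      if (t === '*') continue;                // universal selector contributes nothing
      if (t.startsWith('#')) spec[0]++;
      else if (t.startsWith('::')) spec[2]++; // pseudo-elements count like type selectors
      else if (t.startsWith('.') || t.startsWith(':')) spec[1]++;
      else spec[2]++;
    }
  }
  return spec;
}

export interface Declaration {
  value: string;
  selector?: string;   // omitted => inline style="" on the element
  important?: boolean;
  order: number;       // position in the final stylesheet; later wins ties
}

// Sort key for author-origin declarations of one property on one element:
// !important first, then inline beats any selector, then specificity, then source order.
function cascadeKey(d: Declaration): number[] {
  const inline = d.selector === undefined;
  const [a, b, c]: Specificity = d.selector === undefined ? [0, 0, 0] : specificity(d.selector);
  return [d.important ? 1 : 0, inline ? 1 : 0, a, b, c, d.order];
}

export function winner(decls: Declaration[]): Declaration {
  return decls.reduce((best, d) => {
    const x = cascadeKey(d);
    const y = cascadeKey(best);
    for (let i = 0; i < x.length; i++) {
      if (x[i] !== y[i]) return x[i] > y[i] ? d : best;
    }
    return best;
  });
}

// Scenario 1: prefers-reduced-motion rule on `*` versus a class animation rule
// that appears earlier in the sheet (animation-duration).
export function reducedMotionDuration(withImportant: boolean): string {
  return winner([
    { selector: '.loading-dot', value: '1s', order: 10 },
    { selector: '*', value: '0.01ms', important: withImportant, order: 20 },
  ]).value;
}

// Scenario 2: body padding-right from the sheet versus an inline style written
// by a scroll-lock library when a dialog opens (15px is a constructed value).
export function scrollLockPadding(withImportant: boolean): string {
  return winner([
    { selector: 'body', value: '0', important: withImportant, order: 5 },
    { value: '15px', order: 100 },
  ]).value;
}

// Scenario 3: two same-specificity class rules, the project's first and the
// library's injected later; without !important the later one wins.
export function selectionBackground(withImportant: boolean): string {
  return winner([
    { selector: '.react-flow__selection', value: 'rgba(51, 180, 255, 0.08)', important: withImportant, order: 1 },
    { selector: '.react-flow__selection', value: 'rgba(0, 89, 220, 0.08)', order: 2 },
  ]).value;
}
```

The model treats all declarations as author-origin, which is the case for both globals.css and a library stylesheet bundled by Next.js; user-agent and user origins, transitions and animations, and cascade layers are outside its scope. It is enough to show that for scenarios 1 and 2 no amount of reordering the sheet helps, because specificity (scenario 1) and inline precedence (scenario 2) are compared before source order, whereas scenario 3 could alternatively be fixed by raising specificity.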

Comment on lines +113 to +128
const WD_OPERATIONS = {
Get_Workers: { service: 'humanResources', soapAction: 'Get_Workers' },
Get_Organizations: { service: 'humanResources', soapAction: 'Get_Organizations' },
Put_Applicant: { service: 'recruiting', soapAction: 'Put_Applicant' },
Hire_Employee: { service: 'staffing', soapAction: 'Hire_Employee' },
Change_Job: { service: 'staffing', soapAction: 'Change_Job' },
Terminate_Employee: { service: 'staffing', soapAction: 'Terminate_Employee' },
Change_Personal_Information: {
service: 'humanResources',
soapAction: 'Change_Personal_Information',
},
Put_Onboarding_Plan_Assignment: {
service: 'humanResources',
soapAction: 'Put_Onboarding_Plan_Assignment',
},
} as const satisfies Record<string, { service: WorkdayServiceKey; soapAction: string }>
Contributor


P2 Dead service field in WD_OPERATIONS may mislead future maintainers

Each entry in WD_OPERATIONS carries a service field (e.g. 'recruiting' for Put_Applicant, 'staffing' for Hire_Employee), but callOperation — and the bind helper in createWorkdaySoapClient — never reads it. The endpoint is determined solely by the service argument passed to createWorkdaySoapClient at call time. A developer reading this table could reasonably assume these fields drive per-operation routing; instead they are silently ignored. If a caller ever creates a single client and calls an operation from a different service, the request will silently hit the wrong Workday endpoint and likely return a SOAP fault with no clear explanation.

Comment on lines +191 to +198
function serializeAttributes(attrs?: Record<string, string>): string {
if (!attrs) return ''
let out = ''
for (const [k, v] of Object.entries(attrs)) {
if (v === undefined || v === null) continue
out += ` ${k}="${escapeXml(String(v))}"`
}
return out
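Review bot: the parameter type `Record<string, string>` makes the `if (v === undefined || v === null) continue` guard unreachable by the types, while the runtime check implies callers do pass optional values; widen the signature to `Record<string, string | null | undefined>` so the intent is explicit and the compiler can check call sites. In the same loop, validate `k` against an XML Name pattern (e.g. `/^[A-Za-z_][\w.:-]*$/`) and throw on a mismatch, since `escapeXml` protects only the value and an escaped name would still not be a valid attribute name.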
Contributor


P2 Attribute key names are not XML-escaped in serializeAttributes

The value of each attribute is passed through escapeXml, but the key k is emitted verbatim. Currently all attribute keys originate from hardcoded JS object literals (e.g. { 'wd:type': idType }), so there is no real exposure today. However, if any future caller passes a key containing ", >, or whitespace — or if args objects ever include user-derived keys — the resulting SOAP envelope would be malformed XML that the Workday endpoint would reject with an opaque parse error rather than a clear validation message.

const svc = WORKDAY_SERVICES[service]
const baseUrl = (validation.sanitized ?? tenantUrl).replace(/\/$/, '')
return `${baseUrl}/ccx/service/${tenant}/${svc.name}/${svc.version}?wsdl`
return `${baseUrl}/ccx/service/${tenant}/${svc.name}/${svc.version}`
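Review bot: `replace(/\/$/, '')` strips only one trailing slash from the sanitized tenant URL, so a configured `https://host//` still produces a `//ccx/...` path; `/\/+$/` handles the general case. Beyond the tenant encoding already raised, `svc.name` and `svc.version` come from the static WORKDAY_SERVICES table and need no encoding, so the tenant segment is the only caller-influenced part of this path.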
Contributor


P2 The tenant value is interpolated directly into the URL path without encodeURIComponent. A tenant string containing /, ?, or # would alter the URL structure and silently send the SOAP request to an unintended path on the Workday host. While Workday tenant identifiers are normally alphanumeric, a defensive URL-encode here is low cost.

Suggested change
return `${baseUrl}/ccx/service/${tenant}/${svc.name}/${svc.version}`
return `${baseUrl}/ccx/service/${encodeURIComponent(tenant)}/${svc.name}/${svc.version}`
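The two P2 findings on soap.ts (unescaped attribute names in serializeAttributes, and the un-encoded tenant path segment) share the same fix pattern: validate or encode the one caller-influenced piece, and leave the static pieces alone. The following is an added example, not the PR's apps/sim/tools/workday/soap.ts: hardened forms of both helpers with a comparison that shows what a hostile tenant string does to the naive interpolation. The function names, the single WORKDAY_SERVICES entry and the `https://tenant.example.invalid` base URL are assumptions modelled on the thread, not values from the project.

```typescript
// Added example (not project code): hardened attribute serializer and endpoint builder.

// Simplified XML Name production (ASCII subset): must start with a letter or '_',
// then letters, digits, '_', '.', ':' or '-'. Whitespace, quotes and '<' '>' are rejected.
const XML_NAME = /^[A-Za-z_][A-Za-z0-9_.:-]*$/;

const XML_ESCAPES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;',
};

export function escapeXml(text: string): string {
  return text.replace(/[&<>"']/g, (c) => XML_ESCAPES[c]);
}

// Values are escaped; names are validated, because an escaped name is still
// not a valid XML name and would yield a malformed envelope.
export function serializeAttributes(
  attrs?: Record<string, string | number | null | undefined>,
): string {
  if (!attrs) return '';
  let out = '';
  for (const [name, value] of Object.entries(attrs)) {
    if (value === undefined || value === null) continue;
    if (!XML_NAME.test(name)) {
      throw new Error(`invalid XML attribute name: ${JSON.stringify(name)}`);
    }
    out += ` ${name}="${escapeXml(String(value))}"`;
  }
  return out;
}

interface WorkdayService { name: string; version: string }

// Constructed entry for the example; the real table lives in soap.ts.
const WORKDAY_SERVICES: Record<string, WorkdayService> = {
  humanResources: { name: 'Human_Resources', version: 'v44.0' },
};

// The tenant is a single path segment and the only caller-influenced part of
// the path, so it is percent-encoded; name and version come from the static table.
export function buildServiceUrl(tenantUrl: string, tenant: string, service: string): string {
  const svc = WORKDAY_SERVICES[service];
  if (!svc) throw new Error(`unknown Workday service: ${service}`);
  const baseUrl = tenantUrl.replace(/\/+$/, ''); // strip any number of trailing slashes
  return `${baseUrl}/ccx/service/${encodeURIComponent(tenant)}/${svc.name}/${svc.version}`;
}

// Naive interpolation versus the encoded form, for a tenant string that
// contains path and query characters.
export function tenantUrlComparison(tenant: string): { naive: string; encoded: string } {
  const base = 'https://tenant.example.invalid'; // constructed, not a real host
  const svc = WORKDAY_SERVICES.humanResources;
  return {
    naive: `${base}/ccx/service/${tenant}/${svc.name}/${svc.version}`,
    encoded: buildServiceUrl(`${base}/`, tenant, 'humanResources'),
  };
}
```

With `tenantUrlComparison('acme/../other?wsdl')` the naive URL contains a literal `/acme/../other?wsdl/` segment, which a URL parser will normalise and split into a different path and a query string, while the encoded URL keeps the whole value as one opaque segment (`acme%2F..%2Fother%3Fwsdl`) that the Workday host will simply not match to a tenant. Rejecting bad attribute names with an exception, rather than escaping them, turns an opaque parse error from the remote endpoint into a local, actionable failure.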

- Remove unused: chalk, chart.js, dotenv, encoding, entities, thread-stream, uuid, @opentelemetry/exporter-jaeger, critters, marked, redis, soap
- Replace soap with hand-rolled Workday SOAP client
- Migrate marked to unified pipeline for inbox responses
- Bump zustand v5, @react-email/*
- Align all @aws-sdk/* to 3.1032.0
- Move type-only deps to devDependencies
- Remove duplicate drizzle-orm/postgres overrides
@waleedlatif1
Collaborator Author

Closing in favor of a tighter PR — scope is much smaller now (just the dep cleanup + soap rewrite + marked migration).

@waleedlatif1 waleedlatif1 deleted the waleedlatif1/audit-deps branch May 9, 2026 22:05