chore(deps): remove unused dependencies and harden CI supply chain

[waleedlatif1]

Summary

Two related efforts to reduce dependency surface and strengthen the CI supply chain. No runtime behavior change for end users; one signup-validation plugin is removed (details below).

Dependency cleanup

• Removed unused dependencies (verified zero imports across apps/ + packages/): papaparse, unified, @tanstack/react-query-devtools, and six unused Radix primitives (react-alert-dialog, react-radio-group, react-scroll-area, react-separator, react-toggle, react-visually-hidden).
• Consolidated jwt-decode → jose — jose was already a dependency and exposes decodeJwt, so the two ID-token decode sites now use it. Removes one library.
• Migrated react-window → @tanstack/react-virtual — the app already used @tanstack/react-virtual elsewhere; this drops the second, redundant virtualization library. Behavior preserved (overscan, scroll-to-index, dynamic measurement) across the terminal, structured-output, and code viewer.
• Removed better-auth-harmony and its gating env flag (SIGNUP_EMAIL_VALIDATION_ENABLED / isSignupEmailValidationEnabled), including the Helm value and test mock.

Supply-chain hardening

• SHA-pinned every GitHub Action to a full commit SHA with a # vX version comment (69 uses: lines across 10 workflows). Each SHA was resolved from the action's tag via the GitHub API.
• Pinned CI bun-version to 1.3.13 (the release job used latest).
• Raised minimumReleaseAge cooldown from 3 → 7 days in bunfig.toml.
• Added a non-blocking bun audit step in test-build.yml (informational until the existing advisory backlog is triaged, then it can become a required gate).
• Added a CODEOWNERS rule routing changes to dependency manifests (package.json, lockfile, bunfig.toml, .npmrc) to @simstudioai/deps.

Validation

• All removed packages: zero remaining references repo-wide.
• bun install --frozen-lockfile consistent; apps/sim typecheck has no source errors.
• Affected tests pass: OAuth connections + get-credentials (jose swap) 9/9, terminal (react-virtual) 22/22, auth + email-validation suites green.
• All 17 distinct action SHAs independently re-verified against the GitHub API; all workflow YAML parses.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Jun 17, 2026 9:43pm

[cursor]

PR Summary

Medium Risk
Medium: signup no longer blocks disposable emails via harmony (behavior change), plus broad dependency and virtualization library swaps in workflow UI; CI pinning and audit are low-risk hardening.

Overview
This PR shrinks the dependency tree and tightens CI supply-chain controls, with one user-facing signup change: disposable-email blocking via better-auth-harmony is removed along with SIGNUP_EMAIL_VALIDATION_ENABLED / Helm and env-flag wiring.

Dependencies: Drops unused packages (e.g. papaparse, unified, @tanstack/react-query-devtools, several unused Radix primitives, docs-only deps). Replaces jwt-decode with jose (decodeJwt) for OAuth ID-token display names. Replaces react-window with @tanstack/react-virtual in the terminal log list, structured output panel, and virtualized code viewer (scroll-to-match/index behavior preserved).

Auth: Removes the emailHarmony() plugin and related config/transpile; MX and other signup controls remain.

CI / repo policy: GitHub Actions uses: lines are pinned to full commit SHAs across workflows; release CI pins Bun to 1.3.13. bunfig.toml raises minimumReleaseAge to 7 days. test-build.yml adds a non-blocking bun audit step. CODEOWNERS routes package.json, lockfiles, bunfig.toml, and .npmrc to @simstudioai/deps.

Minor UX: Command palette moves New chat from static pages into a global action; Invite teammates uses a different icon.

^{Reviewed by Cursor Bugbot for commit 8f7b3b5. Configure here.}

[greptile-apps]

Greptile Summary

This PR removes a significant number of unused dependencies, migrates two virtualization call-sites from react-window to the already-present @tanstack/react-virtual, swaps jwt-decode for jose's decodeJwt, drops better-auth-harmony (and its env gate), and hardens the CI supply chain with SHA-pinned actions, a pinned Bun version, a non-blocking bun audit step, and a CODEOWNERS rule for dependency manifests.

• Dep cleanup: removes papaparse, unified, @tanstack/react-query-devtools, six unused Radix primitives, jwt-decode, react-window, better-auth-harmony, and their associated type stubs and env flags — all verified to have zero remaining imports.
• react-window → @tanstack/react-virtual: three virtualized components (terminal.tsx, structured-output.tsx, code.tsx) are re-implemented using useVirtualizer; dynamic row-height measurement in the code viewer is handled via virtualizer.measureElement refs instead of the previous useDynamicRowHeight/ResizeObserver approach.
• CI hardening: all 69 uses: entries across 10 workflows are SHA-pinned with a # vX comment; bun-version is pinned to 1.3.13; minimumReleaseAge raised from 3 → 7 days; a non-blocking bun audit step surfaces known CVEs informally until the backlog is triaged.

Confidence Score: 5/5

Safe to merge — all removed packages are verified zero-import, the react-virtual migration follows the library's documented patterns, and the jwt-decode → jose swap is drop-in with existing try/catch coverage.

Every dependency removal is backed by a zero-import audit. The three react-window → react-virtual migrations are structurally sound: fixed-height rows in terminal and structured-output use straightforward absolute positioning, and the code viewer correctly delegates dynamic wrap-mode measurement to virtualizer.measureElement refs. The jose decodeJwt swap is behaviorally identical and stays inside existing error handling. CI workflow changes are mechanical SHA substitutions with version comments. No auth, data, or correctness regressions were identified.

No files require special attention. The code.tsx virtualizer implementation (dynamic row heights via measureElement) is the most novel part of the change and would benefit from manual wrap-mode smoke testing.

Important Files Changed

Filename	Overview
apps/sim/components/emcn/components/code/code.tsx	Replaces react-window List with useVirtualizer; drops useDynamicRowHeight in favor of measureElement refs for wrap-mode height tracking; setRefs correctly assigns the same div as both containerRef and scrollRef.
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/terminal/terminal.tsx	Migrates TerminalLogsPane to useVirtualizer; removes manual listHeight/ResizeObserver (TanStack Virtual reads clientHeight from the scroll element directly); TerminalLogListRow no longer receives a react-window style prop.
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/terminal/components/output-panel/components/structured-output.tsx	Replaces react-window List with useVirtualizer; introduces setVirtualizedScrollRef to share the scroll container between the virtualizer and the container-height ResizeObserver; scroll-to-match uses virtualizer.scrollToIndex.
apps/sim/lib/auth/auth.ts	Removes emailHarmony plugin and isSignupEmailValidationEnabled gate; cleans up the comment describing the synthetic-user field set accordingly.
apps/sim/app/api/auth/oauth/connections/route.ts	Swaps jwtDecode (jwt-decode) for decodeJwt (jose); call is inside an existing try/catch so error handling is preserved.
.github/workflows/test-build.yml	SHA-pins all actions, pins bun-version to 1.3.13, and adds a non-blocking bun audit step with continue-on-error: true.
.github/CODEOWNERS	Adds @simstudioai/deps ownership for package.json, bun.lock, bunfig.toml, and .npmrc at all depths; bun.lock and **/bun.lock entries are redundant but harmless.
apps/sim/package.json	Removes papaparse, unified, better-auth-harmony, jwt-decode, react-window, @tanstack/react-query-devtools, six Radix primitives, and their type stubs.
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/search-modal/search-modal.tsx	Moves 'New chat' from the pages useMemo (which had no workspaceId dep) to the actions list (which now correctly includes workspaceId in its deps), fixing a latent stale-closure bug; changes Invite teammates icon from User to Send.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    subgraph Removed["Removed Dependencies"]
        A[react-window]
        B[jwt-decode]
        C[better-auth-harmony]
        D[papaparse and unified]
        E[6x Radix primitives]
    end

    subgraph Consolidated["Consolidated Into Existing Deps"]
        G["@tanstack/react-virtual\nalready present"]
        H["jose decodeJwt\nalready present"]
    end

    A -->|migrated to| G
    B -->|replaced by| H

    subgraph Virt["Virtualized Components"]
        V1["terminal.tsx\nfixed-height rows"]
        V2["structured-output.tsx\nfixed-height rows"]
        V3["code.tsx\ndynamic wrap-mode heights\nvia measureElement"]
    end

    G --> V1
    G --> V2
    G --> V3

    subgraph CI["CI Supply-Chain Hardening"]
        CI1["SHA-pin 69 action uses\nacross 10 workflows"]
        CI2["Pin bun-version 1.3.13"]
        CI3["bun audit step\nnon-blocking"]
        CI4["CODEOWNERS for manifests"]
        CI5["minimumReleaseAge 3d to 7d"]
    end

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    subgraph Removed["Removed Dependencies"]
        A[react-window]
        B[jwt-decode]
        C[better-auth-harmony]
        D[papaparse and unified]
        E[6x Radix primitives]
    end

    subgraph Consolidated["Consolidated Into Existing Deps"]
        G["@tanstack/react-virtual\nalready present"]
        H["jose decodeJwt\nalready present"]
    end

    A -->|migrated to| G
    B -->|replaced by| H

    subgraph Virt["Virtualized Components"]
        V1["terminal.tsx\nfixed-height rows"]
        V2["structured-output.tsx\nfixed-height rows"]
        V3["code.tsx\ndynamic wrap-mode heights\nvia measureElement"]
    end

    G --> V1
    G --> V2
    G --> V3

    subgraph CI["CI Supply-Chain Hardening"]
        CI1["SHA-pin 69 action uses\nacross 10 workflows"]
        CI2["Pin bun-version 1.3.13"]
        CI3["bun audit step\nnon-blocking"]
        CI4["CODEOWNERS for manifests"]
        CI5["minimumReleaseAge 3d to 7d"]
    end

Loading

_{Reviews (2): Last reviewed commit: "feat(search-modal): add Secrets to the p..." | Re-trigger Greptile}

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 8f7b3b5. Configure here.}