Conversation

@vadimpiven (Owner)

No description provided.

@gemini-code-assist

Summary of Changes

Hello @vadimpiven, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request aims to enhance the project's security posture and reduce its overall dependency footprint by systematically removing several development dependencies identified as either heavy or potentially vulnerable. The changes involve a significant cleanup of dependency management configurations within package.json and pnpm-workspace.yaml, alongside the removal of associated tasks and tooling from mise.toml. This streamlining effort contributes to a more efficient and secure development environment.

Highlights

  • Dependency Removal: Removed several development dependencies, including @google/gemini-cli, hono, and renovate, from package.json and pnpm-workspace.yaml.
  • Tooling Streamlining: Eliminated pnpm-audit and renovate related tasks and their dependencies from the mise.toml configuration, simplifying the project's build and check processes.
  • Dependency Management Cleanup: Refactored pnpm specific configurations by removing pnpm.overrides and pnpm.onlyBuiltDependencies from package.json, and allowBuilds from pnpm-workspace.yaml. A new, more concise onlyBuiltDependencies section was introduced in pnpm-workspace.yaml.

@greptile-apps

greptile-apps bot commented Jan 23, 2026

Greptile Summary

Removed unused development dependencies (@google/gemini-cli, hono, renovate) and simplified pnpm configuration to reduce attack surface and dependency tree size.

  • Removed renovate package and its config validator from mise tasks, but .github/renovate.json still exists - the Renovate bot should still work via GitHub App
  • Removed pnpm audit check from mise tasks, but Trivy security scanning remains active for vulnerability detection
  • Updated undici from ^7.18.2 to ^7.19.0 and added override for versions <6.23.0, addressing known vulnerabilities
  • Simplified onlyBuiltDependencies list from 11 packages to 2 (electron, esbuild), removing unnecessary build-time dependencies
  • Removed pnpm overrides section from package.json (tar, hono, diff, lodash) since the dependencies requiring these overrides are now gone
  • Lockfile reduced by ~9000 lines, significantly decreasing installation time and disk space

Confidence Score: 4/5

  • Safe to merge with low risk - dependency cleanup reduces attack surface
  • The changes appropriately remove unused development dependencies and simplify configuration. Security scanning (Trivy) remains in place, and the undici update addresses known vulnerabilities. The main consideration is verifying that removed dependencies (gemini-cli, hono, renovate) were truly unused.
  • Verify that mise run --force fix passes per .cursorrules requirement before merging

Important Files Changed

Filename              Overview
package.json          Removed @google/gemini-cli, hono, and renovate dependencies; removed pnpm overrides and onlyBuiltDependencies config
pnpm-workspace.yaml   Removed @google/gemini-cli, hono, renovate from catalog; simplified onlyBuiltDependencies and overrides; updated undici version and override rule
mise.toml             Removed pnpm-audit and renovate validation tasks from check/fix workflows

@gemini-code-assist bot left a comment

Code Review

This pull request effectively removes several heavy and potentially vulnerable dependencies, including pnpm-audit, renovate, @google/gemini-cli, and hono. The associated tasks in mise.toml have been removed, and pnpm-specific configurations like onlyBuiltDependencies and overrides have been correctly relocated from package.json to pnpm-workspace.yaml. This refactoring improves maintainability and enhances the project's security posture, particularly with the explicit undici version override.

I am having trouble creating individual review comments. Click here to see my feedback.

pnpm-workspace.yaml (37-38)

Severity: high (security-high)

The addition of the overrides section, specifically undici@<6.23.0: ">=6.23.0", is a critical security improvement. This ensures that any transitive dependencies on older, potentially vulnerable versions of undici are automatically upgraded to a secure version, mitigating known risks.

package.json (30-52)

Severity: medium

The pnpm object, including overrides and onlyBuiltDependencies, has been removed from package.json. This configuration has been appropriately relocated to pnpm-workspace.yaml, centralizing pnpm-specific settings within the workspace configuration file. This improves the clarity and organization of dependency management.
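An override such as undici@<6.23.0: ">=6.23.0" only helps if the lockfile was actually regenerated with it, so a useful post-install check is to scan pnpm-lock.yaml for any resolved undici version still below the floor. The following check is an added example, not code from the project; the lockfile excerpt is constructed and the lockfile v9 key layout ("<name>@<version>:" under "packages:") is an assumption.

```python
import re

# Constructed excerpt of a pnpm-lock.yaml. The v9 layout is assumed:
# package keys sit under "packages:" as "<name>@<version>:" (quoted when
# the name is scoped). A stale undici@6.21.1 is left in on purpose to
# show what an override that did not take effect looks like.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'

packages:

  '@types/node@22.10.0':
    resolution: {integrity: sha512-CONSTRUCTED}

  undici@7.19.0:
    resolution: {integrity: sha512-CONSTRUCTED}
    engines: {node: '>=20.18.1'}

  undici@6.21.1:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:

  undici@7.19.0: {}
"""

# Matches a two-space-indented package key, quoted or not, e.g.
#   undici@7.19.0:            '@types/node@22.10.0':
PKG_KEY = re.compile(r"^  '?(?P<name>@?[^@'\s]+)@(?P<ver>[0-9][^':\s]*)'?:\s*$")


def parse_version(v):
    """Turn '6.23.0' into (6, 23, 0); pre-release/build tags are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def lock_versions(lock_text, name):
    """All resolved versions of `name` listed under the packages: section."""
    found, in_packages = set(), False
    for line in lock_text.splitlines():
        if line.strip() and not line.startswith(" "):   # top-level key
            in_packages = line.rstrip() == "packages:"
            continue
        m = PKG_KEY.match(line)
        if in_packages and m and m.group("name") == name:
            found.add(m.group("ver"))
    return sorted(found, key=parse_version)


def override_violations(lock_text, name, minimum):
    """Versions of `name` still below `minimum`: the override did not bite."""
    floor = parse_version(minimum)
    return [v for v in lock_versions(lock_text, name) if parse_version(v) < floor]
```

A non-empty result from override_violations means pnpm install was not re-run after the override was added, or the old version is pinned somewhere the override does not reach.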

@codecov

codecov bot commented Jan 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@vadimpiven vadimpiven merged commit 1d1deba into main Jan 23, 2026
18 checks passed
@vadimpiven vadimpiven deleted the fix/deps branch January 23, 2026 09:50