update deps and remove unused deps #2006

Merged
ahmetskilinc merged 1 commit into staging from 08-25-update_deps_and_remove_unused_deps
Aug 25, 2025
@ahmetskilinc ahmetskilinc commented Aug 25, 2025

Package Dependency Updates

Description

This PR updates several package dependencies across the project:

  • Updated @elevenlabs/react from 0.1.5 to 0.5.1 in mail app
  • Added @elevenlabs/elevenlabs-js 2.12.2 to server app
  • Removed unused dependencies: deepmerge, dexie, emblor, and react-markdown
  • Added sanitize-html 2.16.0 to mail app
  • Removed elevenlabs 1.59.0 from server (replaced with newer @elevenlabs/elevenlabs-js)
  • Updated PNPM package manager from 10.12.1 to 10.15.0
  • Updated Node types from 22.15.29 to 24.3.0
  • Updated various dev dependencies including prettier, dotenv-cli, and tsx
  • Updated Zod from 3.25.42 to 4.1.1
  • Updated wrangler catalog version from 4.28.1 to 4.32.0

Summary by CodeRabbit

  • Security
    • Safer message rendering via HTML sanitization.
  • Improvements
    • Updated voice/AI integration for increased reliability and compatibility.
    • General stability and performance enhancements across the app.
  • Chores
    • Upgraded core libraries, developer tooling, and package manager to latest versions.

coderabbitai bot commented Aug 25, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Dependency updates across mail, server, and workspace: ElevenLabs packages swapped/updated, Markdown rendering replaced with HTML sanitization in mail, zod major bump at root, and wrangler catalog bumped. No source code or exported API changes shown.

Changes

| Cohort / File(s) | Summary of changes |
| --- | --- |
| Mail app deps: apps/mail/package.json | Bumped @elevenlabs/react 0.1.5 → 0.5.1; removed deepmerge, dexie, emblor, react-markdown; added sanitize-html. |
| Server ElevenLabs SDK: apps/server/package.json | Replaced elevenlabs@1.59.0 with @elevenlabs/elevenlabs-js@2.12.2. |
| Workspace/tooling versions: package.json, pnpm-workspace.yaml | Updated packageManager to pnpm@10.15.0; bumped dev tools (@types/node, dotenv-cli, prettier, prettier-plugin-tailwindcss, tsx, turbo); upgraded zod 3.x → 4.1.1; catalog bump wrangler ^4.28.1 → ^4.32.0. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

Suggested labels

high priority

Suggested reviewers

  • BlankParticle
  • nizzyabi
  • MrgSub

Poem

New libs dock, old deps depart 🚀
Mail sanitizes, markdown’s now art
Server speaks Eleven with a fresher start
Zod v4 nods with stricter chart
Workspace hums—wrangler plays its part
Ship it fast, iterate smart ✨

Contributor Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

@ahmetskilinc ahmetskilinc marked this pull request as ready for review August 25, 2025 14:31
@coderabbitai coderabbitai bot added the High Priority High Priority Work label Aug 25, 2025

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 5 files

React with 👍 or 👎 to teach cubic. You can also tag @cubic-dev-ai to give feedback, ask questions, or re-run the review.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)
pnpm-workspace.yaml (2)

7-7: Critical: catalog still pins zod v3 while root moved to v4—this will fork your type system.

If you ship both Zod 3 and Zod 4, you’ll get incompatible ZodError shapes and subtle runtime/type mismatches. Align the catalog to Zod 4 and have all packages consume it via catalog:.

Apply:

-  zod: ^3.25.42
+  zod: ^4.1.1
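
Review bot: `+  zod: ^4.1.1` is a caret range, and pnpm-lock.yaml was excluded from this review by the `!**/pnpm-lock.yaml` path filter, so nothing checked here shows which zod version actually resolves. After changing the catalog entry, inspect the lockfile and confirm that only one zod major remains before merging.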

Then, in all packages using "zod": "catalog:", run a workspace upgrade to ensure a single version is resolved.


18-18: Unify Node types via catalog to prevent cross-project drift.

Catalog has @types/node at ^22.15.21, while root devDeps moved to 24.3.0. Pick one (recommend 24.3.0) and propagate via catalog.

Apply:

-  '@types/node': ^22.15.21
+  '@types/node': ^24.3.0
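
Review bot: `+  '@types/node': ^24.3.0` raises the type definitions by two majors, and nothing in this comment states which Node runtime the apps run on. Type definitions newer than the runtime let code compile against APIs that are absent at run time, so confirm the target runtime before taking 24.x into the catalog.
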
apps/server/package.json (2)

93-93: Pin @types/node via catalog to match workspace policy.

Local pin ^22.9.0 diverges from workspace catalog intent. Use catalog: and let pnpm resolve one version across apps.

Apply:

-    "@types/node": "^22.9.0",
+    "@types/node": "catalog:",
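
Review bot: `"@types/node": "catalog:"` resolves to whatever pnpm-workspace.yaml lists, which this review reports as ^22.15.21. Applied without the catalog bump to ^24.3.0, the server stays on 22.x types while root devDeps are on 24.3.0, so land the two changes together.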

81-81: Sanitize once, consistently.

Server now depends on sanitize-html. Ensure a single, shared sanitizer policy (allowed tags/attributes, URL schemes) is used across server handlers to avoid inconsistent XSS surfaces. Centralize in src/lib/sanitize.ts and reuse.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d918210 and 6465106.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • apps/mail/package.json (2 hunks)
  • apps/server/package.json (1 hunks)
  • package.json (2 hunks)
  • pnpm-workspace.yaml (1 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
**/package.json

📄 CodeRabbit inference engine (AGENT.md)

Workspace packages use catalog versioning for shared dependencies

Files:

  • apps/server/package.json
  • apps/mail/package.json
  • package.json
pnpm-workspace.yaml

📄 CodeRabbit inference engine (AGENT.md)

Monorepo managed with pnpm workspaces

Files:

  • pnpm-workspace.yaml
🧠 Learnings (2)
📚 Learning: 2025-08-10T08:25:22.063Z
Learnt from: CR
PR: Mail-0/Zero#0
File: AGENT.md:0-0
Timestamp: 2025-08-10T08:25:22.063Z
Learning: Applies to **/package.json : Workspace packages use catalog versioning for shared dependencies

Applied to files:

  • pnpm-workspace.yaml
📚 Learning: 2025-08-10T08:25:22.063Z
Learnt from: CR
PR: Mail-0/Zero#0
File: AGENT.md:0-0
Timestamp: 2025-08-10T08:25:22.063Z
Learning: Use `pnpm go` for quick development startup

Applied to files:

  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: cubic · AI code reviewer
🔇 Additional comments (5)
pnpm-workspace.yaml (1)

14-14: Confirm Wrangler v4.32.0 CLI flag compatibility

I’ve verified that Wrangler is correctly bumped to ^4.32.0 in your workspace and that both apps reference it via "wrangler": "catalog:". The only custom flag usage I found is in apps/server/package.json:

  • Line 6: dev script uses --experimental-vectorize-bind-to-prod
  • Line 7: deploy script (wrangler deploy)
  • Line 8: types script (wrangler types --env local)
  • apps/mail has no experimental flags

Next steps before liftoff:

  • Run wrangler dev --help (with v4.32.0 installed) or review the 4.32.0 release notes to confirm that --experimental-vectorize-bind-to-prod (and any other flags you lean on) are still supported and behave identically.
  • If any flags have been renamed, removed, or had their defaults tweaked, update your scripts accordingly.

Once you’ve validated the flag behavior, we can confidently approve this bump.

apps/server/package.json (1)

35-35: All clear — no legacy ElevenLabs imports detected.
A full-repo ripgrep scan shows zero references to either the old elevenlabs package or the new @elevenlabs/elevenlabs-js SDK.

• ✔️ No legacy imports to replace
• ✔️ No new SDK imports in code
• 📦 The dependency lives in apps/server/package.json but isn’t yet consumed

Next steps (if applicable):
• If you’ve already migrated your ElevenLabs calls, double-check your import paths.
• If you intend to use the new SDK, centralize its client instantiation in a helper module.
• Otherwise, this dependency is currently unused and safe to merge (or remove).

apps/mail/package.json (2)

1-146: No stray imports detected — deepmerge, dexie, emblor, and react-markdown fully removed

I audited every JS/TS file under apps/mail (including all subdirectories) and found zero import or require statements for those packages. All clear—no runtime breakage or lockfile bloat incoming.


23-23: Confirm @elevenlabs/react 0.5.1 API Surfaces

I couldn’t locate a public changelog for v0.5.1—docs still show up through v0.4.x—so it’s safest to manually validate the components/hooks you’re using. In your apps/mail code, you currently import and consume:

  • useConversation (in providers/voice-provider.tsx)
  • VoiceProvider / useVoice wrapper around useConversation
  • Any downstream calls like conversation.startSession, conversation.sendMessage, etc.

Please:

  • Check that useConversation still exists and its return value keys (startSession, sendMessage, status flags) are unchanged.
  • Verify any props or config options you pass to startSession haven’t been renamed or retyped.
  • Run your TypeScript build and smoke-test voice flows to catch missing or renamed APIs.

Once you’ve confirmed there are no breaking changes, we can drop a focused migration patch if needed.

package.json (1)

43-53: Ensure dependencies are installed and re-run the smoke tests

It looks like the CI sandbox didn’t have your node_modules, so prettier, turbo, and tsc weren’t found—giving us no real signal about whether those bumps broke anything. Let’s get the environment bootstrapped and then re-run the checks:

• Run pnpm install at the repo root to populate node_modules.
• Re-run the format check: pnpm run check:format
• Re-run the linter: pnpm run lint
• Re-run the full type-check: pnpm -r exec tsc --noEmit

Once you have those outputs, we can confidently verify that the @types/node, dotenv-cli, Prettier, Tailwind plugin, tsx, and turbo upgrades didn’t introduce any subtle issues.
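
The version drift this review flags (catalog zod at ^3.25.42 while root moved to 4.1.1, and @types/node declared at three different ranges) can be checked mechanically. The following is an added example, not code from the Mail-0/Zero repository or from CodeRabbit: the manifests are constructed, `findLocalPins` and `findSplitMajors` are hypothetical names, and only pnpm's default catalog is handled.

```javascript
// Constructed sample: the versions are the ones quoted in the review above; which
// manifest section holds each, and mail's "catalog:" reference for zod, are assumed.
const catalog = { zod: '^3.25.42', '@types/node': '^22.15.21', wrangler: '^4.32.0' };
const manifests = {
  'package.json': { dependencies: { zod: '4.1.1' }, devDependencies: { '@types/node': '24.3.0' } },
  'apps/server/package.json': { devDependencies: { '@types/node': '^22.9.0', wrangler: 'catalog:' } },
  'apps/mail/package.json': { dependencies: { zod: 'catalog:' }, devDependencies: { wrangler: 'catalog:' } },
};

const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Major version of a simple range ("^4.1.1", "~3.2.0", "24.3.0"); null if it has no digits.
function majorOf(range) {
  const m = /\d+/.exec(range);
  return m ? Number(m[0]) : null;
}

// Yields [file, name, declaredRange] for every dependency entry in every manifest.
function* entries(manifests) {
  for (const [file, manifest] of Object.entries(manifests))
    for (const section of SECTIONS)
      for (const [name, range] of Object.entries(manifest[section] ?? {}))
        yield [file, name, range];
}

// Dependencies the catalog covers but a manifest pins locally instead of using "catalog:".
function findLocalPins(catalog, manifests) {
  const findings = [];
  for (const [file, name, range] of entries(manifests)) {
    if (!Object.hasOwn(catalog, name) || range.startsWith('catalog:')) continue;
    findings.push({ file, name, local: range, catalog: catalog[name],
                    majorDiffers: majorOf(range) !== majorOf(catalog[name]) });
  }
  return findings;
}

// Packages that would resolve to more than one major across the workspace,
// after substituting the catalog range for each "catalog:" reference.
function findSplitMajors(catalog, manifests) {
  const majors = new Map();
  for (const [, name, range] of entries(manifests)) {
    const effective = range.startsWith('catalog:') ? catalog[name] : range;
    if (typeof effective !== 'string') continue; // "catalog:" with no catalog entry
    if (!majors.has(name)) majors.set(name, new Set());
    majors.get(name).add(majorOf(effective));
  }
  return [...majors].filter(([, s]) => s.size > 1)
    .map(([name, s]) => ({ name, majors: [...s].sort((a, b) => a - b) }));
}
```

On the constructed data, `findSplitMajors` reports zod and @types/node as split across two majors, and `findLocalPins` lists the three entries that bypass the catalog.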

@ahmetskilinc ahmetskilinc force-pushed the 08-25-update_deps_and_remove_unused_deps branch from 6465106 to d336895 August 25, 2025 18:50
@ahmetskilinc ahmetskilinc merged commit 906a02c into staging Aug 25, 2025
5 of 6 checks passed
@ahmetskilinc ahmetskilinc deleted the 08-25-update_deps_and_remove_unused_deps branch August 25, 2025 18:53