chore(nx): dedupe npm packages, move common dependencies to root [WPB-20913]

[aweiss-dev]

WPB-20913 [Web] Secure & Time-limited Public Links

Pull Request

Summary

This pull request primarily focuses on cleaning up and updating dependencies across multiple packages in the monorepo. It removes several unused or redundant dependencies, upgrades some packages to newer versions, and makes minor improvements to test files for consistency. The changes help streamline the codebase, reduce unnecessary package bloat, and ensure more up-to-date tooling.

---

Security Checklist (required)

• External inputs are validated & sanitized on client and/or server where applicable.
• API responses are validated; unexpected shapes are handled safely (fallbacks or errors).
• No unsafe HTML is rendered; if unavoidable, sanitization is applied and documented where it happens.
• Injection risks (XSS/SQL/command) are prevented via safe APIs and/or escaping.

Accessibility (required)

• I have read and this PR upholds our Accessibility Best Practices.

Standards Acknowledgement (required)

• I have read and this PR upholds our Coding Standards and Tech Radar Choices.

---

Screenshots or demo (if the user interface changed)

Notes for reviewers

• Trade-offs:
• Follow-ups (linked issues):
• Linked PRs (e.g. web-packages):

[Copilot]

Pull request overview

This pull request aims to deduplicate and consolidate npm packages across the monorepo by moving common dependencies to the root package.json and removing them from individual library packages (core, config, api-client, webapp, server). Additionally, it updates several package versions and makes minor improvements to test files by properly managing fake timers.

Changes:

• Moved common dependencies (axios, commons, dotenv, fs-extra, http-status-codes, logdown, long, tslib, uuid, zod) to the root package.json
• Removed duplicate dependencies from library packages (core, config, api-client, server, webapp)
• Updated several package versions across devDependencies
• Fixed test timer management in MLS and E2E identity service tests

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
package.json	Moved common dependencies to root and updated versions for prettier, dotenv, axios, zod, uuid and others
libraries/core/package.json	Removed dependencies now hoisted to root (axios, commons, logdown, long, uuid, zod, http-status-codes, fake-indexeddb, nock, types/tough-cookie)
libraries/config/package.json	Removed all dependencies now hoisted to root (dotenv, dotenv-extended, fs-extra, logdown, tslib)
libraries/api-client/package.json	Removed dependencies now hoisted to root and updated AWS SDK, ws versions
apps/webapp/package.json	Removed hoisted dependencies and updated babel-core, dexie, removed lint-staged
apps/server/package.json	Removed all hoisted dependencies (commons, dotenv, dotenv-extended, fs-extra, http-status-codes, logdown, tslib)
libraries/core/src/messagingProtocols/mls/MLSService/MLSService.test.ts	Added afterEach hook to restore real timers
libraries/core/src/messagingProtocols/mls/E2EIdentityService/E2EIServiceExternal.test.ts	Improved test by moving jest.useFakeTimers() after service initialization and removing timer-related assertions
libraries/core/src/conversation/SubconversationService/SubconversationService.test.ts	Fixed timer management by moving jest.useFakeTimers() after service creation and wrapping async calls with Promise.all

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 45.31%. Comparing base (6ffe7b4) to head (7eae47f).
⚠️ Report is 1 commits behind head on dev.

Additional details and impacted files

@@            Coverage Diff             @@
##              dev   #20114      +/-   ##
==========================================
- Coverage   45.32%   45.31%   -0.01%     
==========================================
  Files        1623     1623              
  Lines       39804    39804              
  Branches     8201     8201              
==========================================
- Hits        18041    18039       -2     
- Misses      19877    19878       +1     
- Partials     1886     1887       +1     

Flag	Coverage Δ
app_webapp	43.46% <ø> (-0.01%)	⬇️
lib_api_client	50.39% <ø> (ø)
lib_core	58.90% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🔗 Download Full Report Artifact

🧪 Playwright Test Summary

• ✅ Passed: 107
• ❌ Failed: 10
• ⏭ Skipped: 12
• 🔁 Flaky: 6
• 📊 Total: 135
• ⏱ Total Runtime: 596.4s (~ 9 min 56 sec)

specs/AccountSettingsSpecs/accountSettings.spec.ts (❌ 1 failed, ⚠️ 0 flaky)

• ❌ account settings > I should not be able to change email of user managed by SCIM (tags: TC-60, regression)

specs/AppLock/AppLock.spec.ts (❌ 1 failed, ⚠️ 1 flaky)

• ❌ AppLock > Web: App should not lock if I switch back to webapp tab in time (during inactivity timeout) (tags: TC-2752, TC-2753, regression)
• ⚠️ AppLock > I should not be able to switch off app lock if it is enforced for the team (tags: TC-2770, TC-2767, regression)

specs/ArchiveSpecs/archive.spec.ts (❌ 0 failed, ⚠️ 1 flaky)

• ⚠️ Accessibility > I want to archive the 1on1 conversation from conversation details (tags: TC-105, regression)

specs/Authentication/authentication.spec.ts (❌ 1 failed, ⚠️ 1 flaky)

• ❌ Authentication > Make sure user does not see data of user of previous sessions on same browser (tags: TC-1311, regression)
• ⚠️ Authentication > Verify current browser is set as temporary device (tags: TC-3460, regression)

specs/Block/block.spec.ts (❌ 0 failed, ⚠️ 1 flaky)

• ⚠️ Block: User A and User B are NOT in the same team > I want to cancel blocking a 1:1 conversation from conversation list (tags: TC-137, regression)

specs/CriticalFlow/Cells/editMultipartMessage-TC-8786.spec.ts (❌ 1 failed, ⚠️ 0 flaky)

• ❌ Edit multipart message in a group conversation (tags: crit-flow-cells, regression, TC-8786)

specs/CriticalFlow/Cells/replyingToMultipartMessage-TC-8787.spec.ts (❌ 1 failed, ⚠️ 0 flaky)

• ❌ Replying to multipart message in a group conversation (tags: crit-flow-cells, regression, TC-8787)

specs/CriticalFlow/Cells/uploadingFileInGroupConversation.spec.ts (❌ 1 failed, ⚠️ 0 flaky)

• ❌ Uploading an file in a group conversation (tags: crit-flow-cells, regression)

specs/CriticalFlow/conversationManagement-TC-8636.spec.ts (❌ 0 failed, ⚠️ 1 flaky)

• ⚠️ Conversation Management (tags: TC-8636, crit-flow-web)

specs/CriticalFlow/oneOnOneCall-TC-8754.spec.ts (❌ 1 failed, ⚠️ 0 flaky)

• ❌ 1:1 Video call with device switch and screenshare (tags: TC-8754, crit-flow-web)

specs/CriticalFlow/personalAccountLifecycle-TC-8638.spec.ts (❌ 1 failed, ⚠️ 0 flaky)

• ❌ Personal Account Lifecycle (tags: TC-8638, crit-flow-web)

specs/Edit/edit.spec.ts (❌ 0 failed, ⚠️ 1 flaky)

• ⚠️ Edit > I can see the changed message was edited from another user (tags: TC-692, regression)

specs/LoginSpecs/login.spec.ts (❌ 1 failed, ⚠️ 0 flaky)

• ❌ Verify you can sign in by email (tags: TC-3461, regression)

specs/RegressionSpecs/block-messages.spec.ts (❌ 1 failed, ⚠️ 0 flaky)

• ❌ Block specs (tags: TC-141, regression)

[Copilot]

Pull request overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud