
studio/frontend: drop unused next dependency#5438

Merged
danielhanchen merged 1 commit into
mainfrom
studio/drop-unused-next-dep
May 15, 2026

Conversation


@danielhanchen danielhanchen commented May 15, 2026

Member

Summary

  • Removes next from studio/frontend/package.json (and its transitive subtree from package-lock.json).
  • The Studio frontend is a Vite SPA wrapped by Tauri for desktop and served by FastAPI StaticFiles in web mode. The Next.js package was an unused dependency.
  • Net change: 1 insertion, 798 deletions. The lockfile shrinkage is the Next.js subtree being pruned, broken down below.

What got removed from the lockfile (42 packages, all Next.js transitives)

Category                       | Count | Notes
Next.js framework + env        | 2     | next, @next/env
@next/swc-* platform binaries  | 8     | Next's SWC compiler, one per OS/arch
Next.js runtime helpers        | 3     | @swc/helpers, client-only, styled-jsx (Next-only CSS-in-JS)
sharp + @img/sharp-* + libvips | 25    | Optional dep of next/image for server-side image optimization (10 sharp binaries + 13 libvips binaries + @img/colour + sharp's nested semver)
postcss (top-level)            | 2     | Pulled by Next's built-in CSS pipeline; includes its nested nanoid. Tailwind v4 via @tailwindcss/vite runs its own pipeline and does not need top-level postcss.

31 of the 42 entries are just per-platform native binary wrappers, which is why the diff looks bigger than the actual surface change.

About the lone +1

The single inserted line is npm resyncing the root-package dep map in package-lock.json to match what package.json already declares:

- "@tanstack/react-router": "^1.159.10",
+ "@tanstack/react-router": "1.169.2",
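
Review bot: the new root dep-map spec is the literal "1.169.2", which only stays consistent because package.json itself pins the literal and repeats it in overrides; the test plan below exercises npm install only, so it is worth also running npm ci on the new lockfile, since npm ci is the command that refuses to install when the lockfile root entry and package.json disagree, and it is the one CI and the Tauri beforeBuildCommand path are most likely to depend on.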

package.json already pins this to "1.169.2" (and also lists it in overrides). The lockfile's root dep map was stale at "^1.159.10", while the installed entry node_modules/@tanstack/react-router was already on 1.169.2. npm install corrected the spec string to match. Installed version is identical before and after; no runtime behavior change.

Why this is safe

  • src/ has zero from "next/..." imports. The only next-prefixed import is next-themes, which is a separate package whose peer deps are just react and react-dom.
  • src/ also has zero from "sharp", from "postcss", or from "styled-jsx" imports.
  • No next.config.{js,ts,mjs} exists.
  • package.json scripts are vite, tsc -b && vite build, eslint, vite preview, tsc -b, biome check. None invoke next start, next dev, or next build.
  • vite.config.ts uses @vitejs/plugin-react and @tailwindcss/vite. No Next plugin.
  • components.json (shadcn) has "rsc": false, confirming this is not a Next/RSC project.
  • Reverse-dependency scan of package-lock.json shows only the root package listed next as a dep. Nothing transitive needed it.
  • Tauri side: tauri.conf.json points frontendDist at ../frontend/dist (Vite's output) and devUrl at port 5173 (Vite's default). beforeDevCommand and beforeBuildCommand shell out to npm run dev / npm run build, both of which are Vite scripts. Cargo.toml has no Next bindings.
  • Backend serves the built dist/ via app.mount("/assets", StaticFiles(...)) and a catch-all serve_frontend route in studio/backend/main.py. The Next.js Node server was never instantiated at runtime.

Related security note

This also clears the noise from SCA scanners flagging the lockfile under CVE-2026-44578 (Next.js SSRF via WebSocket upgrade, fixed in 15.5.16 and 16.2.5). The vulnerable code path is only reachable when the Next.js Node server is actually serving requests, which is not the case in Studio, but the dependency entry kept the warning live.

Test plan

  • npm install succeeds, node_modules/next no longer present, node_modules/next-themes preserved.
  • npm run build (tsc -b && vite build) completes with exit 0, dist/ produced.
  • CSS output intact: dist/assets/index-*.css (356K) and dist/assets/data-recipes-*.css (16K) emitted by Tailwind v4.
  • Full dev install on a Linux x86_64 box: ./install.sh --local --no-torch runs end to end with exit 0, all 10 setup steps green, llama.cpp prebuilt installed.
  • unsloth studio -H 127.0.0.1 boots, default admin account is created, server reports Application startup complete and Frontend loaded from .../studio/frontend/dist.
  • Live HTTP probes against the running server:
    • GET / returns 200 text/html
    • GET /assets/index-Cv0kvyjR.js returns 200, 3,628,414 bytes (main bundle, byte-for-byte match with dist/)
    • GET /assets/index-mOHsBWzF.css returns 200, 363,441 bytes (Tailwind v4 output)
    • All other JS chunks referenced in the live index.html return 200
    • GET /api/health returns 200 {"status":"healthy"}
  • importlib.util.find_spec("next") and find_spec("next_themes") both return None in the installed venv (Python side is untouched, as expected).
  • CI: studio-frontend-ci green.
  • Tauri desktop build green on release-desktop workflow if triggered.

The frontend is a Vite SPA wrapped by Tauri and served by FastAPI's
StaticFiles in web mode. Nothing in src imports from next/, no
next.config exists, and no script invokes the Next.js server. The
package was dead weight in node_modules and was being flagged by
SCA scanners under CVE-2026-44578 (Next.js SSRF via WebSocket
upgrade) despite the vulnerable code path never being reachable.

next-themes is unrelated and stays; its only peers are react and
react-dom.

Verified with npm install + npm run build (tsc -b && vite build),
clean exit, dist/ produced as before.

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request removes the next dependency and its associated transitive packages from the frontend project. A review comment identified an inconsistency where @tanstack/react-router was updated in the lockfile but not in the project's manifest, and suggested reverting this change to maintain consistency.

"@streamdown/mermaid": "1.0.2",
"@tailwindcss/vite": "^4.2.2",
"@tanstack/react-router": "^1.159.10",
"@tanstack/react-router": "1.169.2",

Contributor


medium

The update to @tanstack/react-router in package-lock.json (from ^1.159.10 to 1.169.2) is inconsistent with package.json, which was not updated in this pull request. This results in the lockfile being out of sync with the project manifest. Additionally, this change appears unrelated to the primary goal of removing the next dependency.

If this upgrade was intentional, please update package.json to match. Otherwise, please revert this change to maintain consistency and keep the PR focused.

Suggested change
"@tanstack/react-router": "1.169.2",
"@tanstack/react-router": "^1.159.10",
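
Review bot: this suggestion reverts the lockfile root entry to "^1.159.10" without first checking package.json, which (per the PR description and the author's reply) already carries the literal "1.169.2" pin; applying it would recreate the manifest/lockfile mismatch that npm ci rejects, so the manifest, not the lockfile, is the reference here and the suggested change should not be applied.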

Member Author


This review is reversed. package.json already pins "@tanstack/react-router": "1.169.2" (literal, no caret) on main; the previous commit bbd0ba0 introduced that pin. The lockfile's root dep-map at line 36 was stale at "^1.159.10" while node_modules/@tanstack/react-router was already resolving to 1.169.2. npm install resynced the spec string to match the manifest, which is the correct direction.

Reverting to ^1.159.10 would re-introduce the manifest/lockfile drift and break npm ci.

Evidence (git output, this PR's tree):

package.json line 44 (main and this branch, unchanged):
    "@tanstack/react-router": "1.169.2",

package.json line 87 (overrides block, unchanged):
    "@tanstack/react-router": "1.169.2",

package-lock.json line 36 BEFORE this PR:
    "@tanstack/react-router": "^1.159.10",   # stale, did not match manifest

package-lock.json line 36 AFTER this PR:
    "@tanstack/react-router": "1.169.2",     # now matches manifest

node_modules/@tanstack/react-router (installed version):
    1.169.2  -- same before and after this PR

git --no-pager diff main...studio/drop-unused-next-dep -- studio/frontend/package.json shows the only change to package.json in this PR is the removed next entry. No tanstack lines were touched in the manifest.

Security clearance for the installed versions, given GHSA-g7cv-rxg3-hmpx (Mini Shai-Hulud, May 11 2026):

Package                | Installed | Compromised versions | Status
@tanstack/react-router | 1.169.2   | 1.169.5, 1.169.8     | clean (precedes both)
@tanstack/router-core  | 1.169.2   | 1.169.5, 1.169.8     | clean (precedes both)
@tanstack/history      | 1.161.6   | 1.161.9, 1.161.12    | clean (precedes both)

npm audit on the new lockfile reports zero tanstack vulnerabilities. GHSA-9m65-766c-r333 only affects @tanstack/start-server-core, which this project does not use.

Leaving the lockfile resync in.
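
The three checks argued in prose across this thread (the reverse-dependency scan under "Why this is safe", the manifest/lockfile drift behind the lone +1 and the author's reply above, and the compromised-version table for GHSA-g7cv-rxg3-hmpx) can be scripted directly against package-lock.json. The block below is an added example and is not code from this PR or from the Unsloth repository. It works on a lockfile object constructed inline in lockfileVersion 3 shape: the next version (16.2.0) and the specs for next, next-themes and their transitives are placeholders, since the thread does not state them, while the @tanstack versions and the advisory list are copied from the tables in this thread. The function names (reverseDependents, prunedByRemoving, manifestLockDrift, auditAdvisory) are the example's own.

```javascript
// Added example (not the PR's or the project's code): lockfile checks a reviewer
// would run before dropping a dependency. LOCK and MANIFEST are constructed for
// the example; next/next-themes versions and specs are placeholders.
const MANIFEST = {
  dependencies: { "@tanstack/react-router": "1.169.2", next: "^16.2.0", "next-themes": "^0.4.0" },
};
const LOCK = {
  lockfileVersion: 3,
  packages: {
    // Root entry with the stale "^1.159.10" spec that the PR's single +1 line corrects.
    "": { dependencies: { "@tanstack/react-router": "^1.159.10", next: "^16.2.0", "next-themes": "^0.4.0" } },
    "node_modules/next": { version: "16.2.0", dependencies: { "@next/env": "16.2.0", "styled-jsx": "5.1.6" },
      optionalDependencies: { sharp: "^0.34.0" } },
    "node_modules/@next/env": { version: "16.2.0" },
    "node_modules/styled-jsx": { version: "5.1.6", peerDependencies: { react: ">= 16.8.0" } },
    "node_modules/sharp": { version: "0.34.1", optional: true },
    "node_modules/next-themes": { version: "0.4.6", peerDependencies: { react: "^18 || ^19", "react-dom": "^18 || ^19" } },
    "node_modules/@tanstack/react-router": { version: "1.169.2",
      dependencies: { "@tanstack/router-core": "1.169.2", "@tanstack/history": "1.161.6" } },
    "node_modules/@tanstack/router-core": { version: "1.169.2" },
    "node_modules/@tanstack/history": { version: "1.161.6" },
  },
};
// Versions the thread lists as compromised under GHSA-g7cv-rxg3-hmpx.
const ADVISORY = {
  "@tanstack/react-router": ["1.169.5", "1.169.8"],
  "@tanstack/router-core": ["1.169.5", "1.169.8"],
  "@tanstack/history": ["1.161.9", "1.161.12"],
};
const DEP_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies"];
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// "node_modules/a/node_modules/@s/b" -> "@s/b"; "" -> "(root)".
function pathToName(lockPath) {
  if (lockPath === "") return "(root)";
  return lockPath.slice(lockPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Node-style resolution inside the lockfile: look under fromPath first, then
// walk up one node_modules level at a time; null means not installed (unmet peer).
function resolveDep(lock, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base === "" ? "" : base + "/") + "node_modules/" + dep;
    if (has(lock.packages, candidate)) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Every lockfile entry that declares `target` in any dependency field.
function reverseDependents(lock, target) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    for (const field of DEP_FIELDS) {
      if (entry[field] && has(entry[field], target)) {
        out.push({ dependent: pathToName(path), field, spec: entry[field][target] });
      }
    }
  }
  return out;
}

// Packages unreachable from the root once `removed` leaves its dep map:
// the subtree npm install will prune from node_modules.
function prunedByRemoving(lock, removed) {
  const reachable = new Set();
  const stack = [""];
  while (stack.length) {
    const path = stack.pop();
    if (reachable.has(path)) continue;
    reachable.add(path);
    for (const field of DEP_FIELDS) {
      for (const dep of Object.keys(lock.packages[path][field] || {})) {
        if (path === "" && dep === removed) continue;
        const depPath = resolveDep(lock, path, dep);
        if (depPath !== null) stack.push(depPath);
      }
    }
  }
  return Object.keys(lock.packages).filter((p) => !reachable.has(p)).map(pathToName).sort();
}

// Spec strings where package.json and the lockfile root entry disagree;
// npm ci refuses to install while this list is non-empty.
function manifestLockDrift(manifest, lock) {
  const rootDeps = lock.packages[""].dependencies || {};
  return Object.entries(manifest.dependencies || {})
    .filter(([name, spec]) => rootDeps[name] !== spec)
    .map(([name, spec]) => ({ name, manifest: spec, lock: has(rootDeps, name) ? rootDeps[name] : null }));
}

// Numeric x.y.z comparison; prerelease tags are ignored (enough for plain releases).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Installed versions of advisory packages: COMPROMISED if listed, "precedes"
// if older than every listed version, otherwise flagged for manual review.
function auditAdvisory(lock, advisory) {
  const rows = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = pathToName(path);
    if (path === "" || !has(advisory, name)) continue;
    const bad = advisory[name];
    const status = bad.includes(entry.version) ? "COMPROMISED"
      : bad.every((v) => compareVersions(entry.version, v) < 0) ? "clean (precedes all listed)"
      : "unlisted (verify manually)";
    rows.push({ name, installed: entry.version, status });
  }
  return rows;
}

console.log("reverse deps of next:", reverseDependents(LOCK, "next"));
console.log("pruned by removing next:", prunedByRemoving(LOCK, "next"));
console.log("manifest/lock drift:", manifestLockDrift(MANIFEST, LOCK));
console.log("advisory audit:", auditAdvisory(LOCK, ADVISORY));
```

To run it against a real tree, replace LOCK and MANIFEST with require("./package-lock.json") and require("./package.json"). A reverseDependents result containing only "(root)" for the package being dropped is the condition under which removal is safe from the lockfile's point of view, and an empty manifestLockDrift list is the condition under which npm ci accepts the tree. The version comparison ignores prerelease tags, which suffices for the plain releases in the advisory but not for a general semver audit; npm audit remains the authoritative check.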

@danielhanchen danielhanchen merged commit 30f6280 into main May 15, 2026
39 of 42 checks passed
@danielhanchen danielhanchen deleted the studio/drop-unused-next-dep branch May 15, 2026 10:53