chore(preview-server): cleanup dependencies, move most to devDependencies

[hillac]

As previously discussed in #2371 many of the deps for preview-server aren't actually needed at runtime because they are bundled by next. This leads to hundreds of unnecessary packages being installed for end users of the preview-server. I've moved all the unneeded deps to devDeps.

• All front end imports get bundled, only packages imported in next actions need to be installed.
• @types packages are not needed for runtime

I built, packed, and installed it in another project and everything runs fine. I double checked with a loader and require tracer that all imported packages are installed.

In light of constant npm supply chain attacks, I think this is important.

I also think sharp and spamc could be removed. I can't see where sharp is being used, and next seems to get it's own version as a transitive dep anyway. spamc seems strange, it's not imported anywhere in the code (only reference to it is in an error message in send-to-spamd.ts), deleting it from node modules at runtime seems to have no impact on functionality of the preview server. It's a really old and obscure package. I haven't removed these two yet as I'm not certain.

---

Summary by cubic

Moved non-runtime packages in preview-server to devDependencies to shrink install size for consumers and lower supply-chain risk. No behavior change; build and runtime imports verified.

• Dependencies
  • Moved UI libraries, TypeScript types, and build tools to devDependencies; kept only runtime deps (Next, React/DOM, esbuild, Babel parser/traverse, ora, json5, log-symbols, source-map-js, punycode).
  • Updated @types/node to 22.14.1 and refreshed lockfile (detect-libc, semver).
  • Sharp and spamc left in devDependencies for now; not confirmed as needed at runtime.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 77bfeaf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

@hillac is attempting to deploy a commit to the resend Team on Vercel.

A member of the Team first needs to authorize it.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/resend/react-email/@react-email/preview-server@2473

commit: 77bfeaf

[cubic-dev-ai]

1 issue found across 2 files

Prompt for AI agents (all 1 issues)

Understand the root cause of the following 1 issues and fix them.


<file name="packages/preview-server/package.json">

<violation number="1" location="packages/preview-server/package.json:19">
json5 appears unused in preview-server; carrying it as a runtime dependency increases install size and supply-chain risk. Consider removing or moving to devDependencies if only needed for tooling.</violation>
</file>

---

Since this is your first cubic review, here's how it works:

• cubic automatically reviews your code and comments on bugs and improvements
• Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
• Ask questions if you need clarification on any suggestion

_{React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.}