# Exact Dependency Manifest - **Project:** RentalDriveGo Web - **Recorded:** 2026-06-25 - **Authority:** `package.json` and `pnpm-lock.yaml` - **Policy:** Exact direct versions, frozen lockfile in CI, reviewed automated updates ## Runtime and package manager | Component | Exact version | Role | | --------- | ------------: | ------------------------- | | Node.js | 24.17.0 | Production and CI runtime | | pnpm | 11.9.0 | Package manager | ## Production dependencies | Package | Exact version | Role | | --------------------------------------- | ------------: | ----------------------------------------------- | | `next` | 16.2.9 | SSR framework and App Router | | `react` | 19.2.7 | UI runtime | | `react-dom` | 19.2.7 | React DOM renderer | | `zod` | 4.4.3 | Runtime boundary schemas for later integrations | | `@fontsource-variable/inter` | 5.2.8 | Self-hosted Latin variable font | | `@fontsource-variable/noto-sans-arabic` | 5.2.10 | Self-hosted Arabic variable font | ## Development dependencies | Package | Exact version | Role | | ----------------------------- | ------------: | -------------------------------------- | | `typescript` | 6.0.3 | Strict static type checking | | `eslint` | 9.39.4 | Lint engine | | `@eslint/js` | 9.39.4 | Core ESLint rules | | `eslint-config-next` | 16.2.9 | Next.js lint rules | | `eslint-config-prettier` | 10.1.8 | Formatting-rule conflict prevention | | `typescript-eslint` | 8.62.0 | TypeScript lint integration | | `globals` | 17.7.0 | Runtime global definitions | | `prettier` | 3.8.4 | Deterministic formatting | | `vitest` | 4.1.9 | Unit test runner | | `@vitest/coverage-v8` | 4.1.9 | Unit coverage | | `jsdom` | 29.1.1 | DOM test environment | | `@testing-library/react` | 16.3.2 | React test utilities | | `@testing-library/jest-dom` | 6.9.1 | DOM assertions | | `@testing-library/user-event` | 14.6.1 | Interaction simulation | | `@playwright/test` | 1.61.1 | Browser and visual testing | | `@axe-core/playwright` | 4.12.1 | Automated browser accessibility checks | | `@types/node` | 24.10.9 | Node.js type declarations | | `@types/react` | 19.2.17 | React type declarations | | `@types/react-dom` | 19.2.3 | React DOM type declarations | ## Supply-chain controls - `pnpm-lock.yaml` locks all resolved transitive versions and integrity hashes. - CI uses `pnpm install --frozen-lockfile`. - The pnpm workspace enforces `minimumReleaseAge: 1440` minutes for unreviewed new releases. - Native package build scripts are allowlisted rather than globally trusted. - `postcss` is overridden to `8.5.15` to remove the audited vulnerable transitive resolution while retaining framework compatibility. - Dependabot proposes weekly npm and GitHub Actions updates for review. - `pnpm audit --audit-level low` reported no known vulnerabilities on 2026-06-25. No dependency range in `package.json` is floating. The lockfile, rather than this narrative table, is the machine authority for the full transitive graph.