Files
Rental-operations-platform/docs/DEPENDENCY_MANIFEST_v1.0.md
2026-06-25 19:06:59 -04:00

4.0 KiB

Exact Dependency Manifest

  • Project: RentalDriveGo Web
  • Recorded: 2026-06-25
  • Authority: package.json and pnpm-lock.yaml
  • Policy: Exact direct versions, frozen lockfile in CI, reviewed automated updates

Runtime and package manager

Component Exact version Role
Node.js 24.17.0 Production and CI runtime
pnpm 11.9.0 Package manager

Production dependencies

Package Exact version Role
next 16.2.9 SSR framework and App Router
react 19.2.7 UI runtime
react-dom 19.2.7 React DOM renderer
zod 4.4.3 Runtime boundary schemas for later integrations
@fontsource-variable/inter 5.2.8 Self-hosted Latin variable font
@fontsource-variable/noto-sans-arabic 5.2.10 Self-hosted Arabic variable font

Development dependencies

Package Exact version Role
typescript 6.0.3 Strict static type checking
eslint 9.39.4 Lint engine
@eslint/js 9.39.4 Core ESLint rules
eslint-config-next 16.2.9 Next.js lint rules
eslint-config-prettier 10.1.8 Formatting-rule conflict prevention
typescript-eslint 8.62.0 TypeScript lint integration
globals 17.7.0 Runtime global definitions
prettier 3.8.4 Deterministic formatting
vitest 4.1.9 Unit test runner
@vitest/coverage-v8 4.1.9 Unit coverage
jsdom 29.1.1 DOM test environment
@testing-library/react 16.3.2 React test utilities
@testing-library/jest-dom 6.9.1 DOM assertions
@testing-library/user-event 14.6.1 Interaction simulation
@playwright/test 1.61.1 Browser and visual testing
@axe-core/playwright 4.12.1 Automated browser accessibility checks
@types/node 24.10.9 Node.js type declarations
@types/react 19.2.17 React type declarations
@types/react-dom 19.2.3 React DOM type declarations

Supply-chain controls

  • pnpm-lock.yaml locks all resolved transitive versions and integrity hashes.
  • CI uses pnpm install --frozen-lockfile.
  • The pnpm workspace enforces minimumReleaseAge: 1440 minutes for unreviewed new releases.
  • Native package build scripts are allowlisted rather than globally trusted.
  • postcss is overridden to 8.5.15 to remove the audited vulnerable transitive resolution while retaining framework compatibility.
  • Dependabot proposes weekly npm and GitHub Actions updates for review.
  • pnpm audit --audit-level low reported no known vulnerabilities on 2026-06-25.

No dependency range in package.json is floating. The lockfile, rather than this narrative table, is the machine authority for the full transitive graph.