Files
Rental-operations-platform/docs/DEPENDENCY_MANIFEST_v1.0.md
2026-06-25 19:06:59 -04:00

61 lines
4.0 KiB
Markdown

# Exact Dependency Manifest
- **Project:** RentalDriveGo Web
- **Recorded:** 2026-06-25
- **Authority:** `package.json` and `pnpm-lock.yaml`
- **Policy:** Exact direct versions, frozen lockfile in CI, reviewed automated updates
## Runtime and package manager
| Component | Exact version | Role |
| --------- | ------------: | ------------------------- |
| Node.js | 24.17.0 | Production and CI runtime |
| pnpm | 11.9.0 | Package manager |
## Production dependencies
| Package | Exact version | Role |
| --------------------------------------- | ------------: | ----------------------------------------------- |
| `next` | 16.2.9 | SSR framework and App Router |
| `react` | 19.2.7 | UI runtime |
| `react-dom` | 19.2.7 | React DOM renderer |
| `zod` | 4.4.3 | Runtime boundary schemas for later integrations |
| `@fontsource-variable/inter` | 5.2.8 | Self-hosted Latin variable font |
| `@fontsource-variable/noto-sans-arabic` | 5.2.10 | Self-hosted Arabic variable font |
## Development dependencies
| Package | Exact version | Role |
| ----------------------------- | ------------: | -------------------------------------- |
| `typescript` | 6.0.3 | Strict static type checking |
| `eslint` | 9.39.4 | Lint engine |
| `@eslint/js` | 9.39.4 | Core ESLint rules |
| `eslint-config-next` | 16.2.9 | Next.js lint rules |
| `eslint-config-prettier` | 10.1.8 | Formatting-rule conflict prevention |
| `typescript-eslint` | 8.62.0 | TypeScript lint integration |
| `globals` | 17.7.0 | Runtime global definitions |
| `prettier` | 3.8.4 | Deterministic formatting |
| `vitest` | 4.1.9 | Unit test runner |
| `@vitest/coverage-v8` | 4.1.9 | Unit coverage |
| `jsdom` | 29.1.1 | DOM test environment |
| `@testing-library/react` | 16.3.2 | React test utilities |
| `@testing-library/jest-dom` | 6.9.1 | DOM assertions |
| `@testing-library/user-event` | 14.6.1 | Interaction simulation |
| `@playwright/test` | 1.61.1 | Browser and visual testing |
| `@axe-core/playwright` | 4.12.1 | Automated browser accessibility checks |
| `@types/node` | 24.10.9 | Node.js type declarations |
| `@types/react` | 19.2.17 | React type declarations |
| `@types/react-dom` | 19.2.3 | React DOM type declarations |
## Supply-chain controls
- `pnpm-lock.yaml` locks all resolved transitive versions and integrity hashes.
- CI uses `pnpm install --frozen-lockfile`.
- The pnpm workspace enforces `minimumReleaseAge: 1440` minutes for unreviewed new releases.
- Native package build scripts are allowlisted rather than globally trusted.
- `postcss` is overridden to `8.5.15` to remove the audited vulnerable transitive resolution while retaining framework compatibility.
- Dependabot proposes weekly npm and GitHub Actions updates for review.
- `pnpm audit --audit-level low` reported no known vulnerabilities on 2026-06-25.
No dependency range in `package.json` is floating. The lockfile, rather than this narrative table, is the machine authority for the full transitive graph.