4.0 KiB
4.0 KiB
Exact Dependency Manifest
- Project: RentalDriveGo Web
- Recorded: 2026-06-25
- Authority:
package.jsonandpnpm-lock.yaml - Policy: Exact direct versions, frozen lockfile in CI, reviewed automated updates
Runtime and package manager
| Component | Exact version | Role |
|---|---|---|
| Node.js | 24.17.0 | Production and CI runtime |
| pnpm | 11.9.0 | Package manager |
Production dependencies
| Package | Exact version | Role |
|---|---|---|
next |
16.2.9 | SSR framework and App Router |
react |
19.2.7 | UI runtime |
react-dom |
19.2.7 | React DOM renderer |
zod |
4.4.3 | Runtime boundary schemas for later integrations |
@fontsource-variable/inter |
5.2.8 | Self-hosted Latin variable font |
@fontsource-variable/noto-sans-arabic |
5.2.10 | Self-hosted Arabic variable font |
Development dependencies
| Package | Exact version | Role |
|---|---|---|
typescript |
6.0.3 | Strict static type checking |
eslint |
9.39.4 | Lint engine |
@eslint/js |
9.39.4 | Core ESLint rules |
eslint-config-next |
16.2.9 | Next.js lint rules |
eslint-config-prettier |
10.1.8 | Formatting-rule conflict prevention |
typescript-eslint |
8.62.0 | TypeScript lint integration |
globals |
17.7.0 | Runtime global definitions |
prettier |
3.8.4 | Deterministic formatting |
vitest |
4.1.9 | Unit test runner |
@vitest/coverage-v8 |
4.1.9 | Unit coverage |
jsdom |
29.1.1 | DOM test environment |
@testing-library/react |
16.3.2 | React test utilities |
@testing-library/jest-dom |
6.9.1 | DOM assertions |
@testing-library/user-event |
14.6.1 | Interaction simulation |
@playwright/test |
1.61.1 | Browser and visual testing |
@axe-core/playwright |
4.12.1 | Automated browser accessibility checks |
@types/node |
24.10.9 | Node.js type declarations |
@types/react |
19.2.17 | React type declarations |
@types/react-dom |
19.2.3 | React DOM type declarations |
Supply-chain controls
pnpm-lock.yamllocks all resolved transitive versions and integrity hashes.- CI uses
pnpm install --frozen-lockfile. - The pnpm workspace enforces
minimumReleaseAge: 1440minutes for unreviewed new releases. - Native package build scripts are allowlisted rather than globally trusted.
postcssis overridden to8.5.15to remove the audited vulnerable transitive resolution while retaining framework compatibility.- Dependabot proposes weekly npm and GitHub Actions updates for review.
pnpm audit --audit-level lowreported no known vulnerabilities on 2026-06-25.
No dependency range in package.json is floating. The lockfile, rather than this narrative table, is the machine authority for the full transitive graph.