61 lines
4.0 KiB
Markdown
61 lines
4.0 KiB
Markdown
# Exact Dependency Manifest
|
|
|
|
- **Project:** RentalDriveGo Web
|
|
- **Recorded:** 2026-06-25
|
|
- **Authority:** `package.json` and `pnpm-lock.yaml`
|
|
- **Policy:** Exact direct versions, frozen lockfile in CI, reviewed automated updates
|
|
|
|
## Runtime and package manager
|
|
|
|
| Component | Exact version | Role |
|
|
| --------- | ------------: | ------------------------- |
|
|
| Node.js | 24.17.0 | Production and CI runtime |
|
|
| pnpm | 11.9.0 | Package manager |
|
|
|
|
## Production dependencies
|
|
|
|
| Package | Exact version | Role |
|
|
| --------------------------------------- | ------------: | ----------------------------------------------- |
|
|
| `next` | 16.2.9 | SSR framework and App Router |
|
|
| `react` | 19.2.7 | UI runtime |
|
|
| `react-dom` | 19.2.7 | React DOM renderer |
|
|
| `zod` | 4.4.3 | Runtime boundary schemas for later integrations |
|
|
| `@fontsource-variable/inter` | 5.2.8 | Self-hosted Latin variable font |
|
|
| `@fontsource-variable/noto-sans-arabic` | 5.2.10 | Self-hosted Arabic variable font |
|
|
|
|
## Development dependencies
|
|
|
|
| Package | Exact version | Role |
|
|
| ----------------------------- | ------------: | -------------------------------------- |
|
|
| `typescript` | 6.0.3 | Strict static type checking |
|
|
| `eslint` | 9.39.4 | Lint engine |
|
|
| `@eslint/js` | 9.39.4 | Core ESLint rules |
|
|
| `eslint-config-next` | 16.2.9 | Next.js lint rules |
|
|
| `eslint-config-prettier` | 10.1.8 | Formatting-rule conflict prevention |
|
|
| `typescript-eslint` | 8.62.0 | TypeScript lint integration |
|
|
| `globals` | 17.7.0 | Runtime global definitions |
|
|
| `prettier` | 3.8.4 | Deterministic formatting |
|
|
| `vitest` | 4.1.9 | Unit test runner |
|
|
| `@vitest/coverage-v8` | 4.1.9 | Unit coverage |
|
|
| `jsdom` | 29.1.1 | DOM test environment |
|
|
| `@testing-library/react` | 16.3.2 | React test utilities |
|
|
| `@testing-library/jest-dom` | 6.9.1 | DOM assertions |
|
|
| `@testing-library/user-event` | 14.6.1 | Interaction simulation |
|
|
| `@playwright/test` | 1.61.1 | Browser and visual testing |
|
|
| `@axe-core/playwright` | 4.12.1 | Automated browser accessibility checks |
|
|
| `@types/node` | 24.10.9 | Node.js type declarations |
|
|
| `@types/react` | 19.2.17 | React type declarations |
|
|
| `@types/react-dom` | 19.2.3 | React DOM type declarations |
|
|
|
|
## Supply-chain controls
|
|
|
|
- `pnpm-lock.yaml` locks all resolved transitive versions and integrity hashes.
|
|
- CI uses `pnpm install --frozen-lockfile`.
|
|
- The pnpm workspace enforces `minimumReleaseAge: 1440` minutes for unreviewed new releases.
|
|
- Native package build scripts are allowlisted rather than globally trusted.
|
|
- `postcss` is overridden to `8.5.15` to remove the audited vulnerable transitive resolution while retaining framework compatibility.
|
|
- Dependabot proposes weekly npm and GitHub Actions updates for review.
|
|
- `pnpm audit --audit-level low` reported no known vulnerabilities on 2026-06-25.
|
|
|
|
No dependency range in `package.json` is floating. The lockfile, rather than this narrative table, is the machine authority for the full transitive graph.
|