Dependencies Inventory
package.json declares 78 runtime dependencies and 1 dev dependency (nodemon). No bundler. No tests.
Notable runtime dependencies
AWS / cloud
| Package | Version | Use |
|---|---|---|
| aws-sdk | ^2.1659.0 | v2 SDK — used throughout for S3. Note: AWS has marked v2 maintenance mode; v3 (@aws-sdk/*) is the path forward. The repo already has v3 for Bedrock — split usage. |
| @aws-sdk/client-bedrock | ^3.614.0 | Bedrock model management |
| @aws-sdk/client-bedrock-runtime | ^3.635.0 | Bedrock model invocation (Claude / Llama / Nova) |
| googleapis | ^140.0.1 | Google Cloud APIs |
Web / HTTP
| Package | Version | Use |
|---|---|---|
| express | ^4.19.2 | HTTP server |
| express-fileupload | ^1.5.1 | File upload middleware |
| express-session | ^1.18.0 | Session middleware (used; secret is hardcoded — see security.md) |
| express-validator | ^7.1.0 | Used in middlewares/validation.js |
| body-parser | ^1.20.2 | Body parsing |
| cors | ^2.8.5 | CORS (wildcard configured) |
| axios | ^1.7.2 | HTTP client |
| node-fetch | ^2.6.7 | Fetch (older v2; not the ESM v3) |
| fetch | ^1.1.0 | Spurious — unmaintained, not the standard fetch polyfill. Likely unused; verify. |
| request | ^2.88.2 | Deprecated (since Feb 2020). Used in some legacy handlers; replace with axios. |
Database
| Package | Version | Use |
|---|---|---|
| mysql | ^2.18.1 | Callback driver — used by modules/dbDriver/lib/mysql.js |
| mysql2 | ^3.11.0 | Promise driver — used directly by handlers |
| sync-mysql | ^3.0.1 | Blocking driver — used in some helpers |
Auth / crypto
| Package | Version | Use |
|---|---|---|
| jsonwebtoken | ^9.0.2 | Bearer JWT in methods.js |
| bcryptjs | ^2.4.3 | Password hashing |
| crypto | ^1.0.1 | Spurious — crypto is a built-in Node module; the npm package of that name is an empty squatter. Remove. |
| crypto-js | ^4.2.0 | AES encrypt/decrypt for the encrypted-token format (in helper/tokenGenerator.js) |
| passport | ^0.7.0 | Declared, but require("./middlewares/passport") is commented out in server.js. Likely unused; verify. |
| passport-facebook | ^3.0.0 | Same — declared, not used. |
| passport-github2 | ^0.1.12 | Same. |
| passport-google-oauth20 | ^2.0.0 | Same. |
| passport-linkedin-oauth2 | ^2.0.0 | Same. |
| @superfaceai/passport-twitter-oauth2 | ^1.2.4 | Same. |
| twitter | ^1.7.1 | Spurious for admin — Twitter client. Maybe handler residue from someli-api. |
| twitter-api-v2 | ^1.17.2 | Same. |
| oauth-1.0a | ^2.2.6 | Twitter OAuth 1.0a helper. Same. |
| abort-controller, node-abort-controller | various | Polyfills; required for some older Node/Bedrock SDK combos. |
Payments
| Package | Version | Use |
|---|---|---|
| stripe | ^16.2.0 | Stripe SDK; used in some legacy admin handlers |
| @paddle/paddle-node-sdk | ^1.4.1 | Paddle SDK |
AI / NLP
| Package | Version | Use |
|---|---|---|
| openai | ^4.52.7 | OpenAI SDK |
| natural | ^8.0.1 | NLP toolkit (tokenisation, stemming) |
| Package | Version | Use |
|---|---|---|
| sharp | ^0.32.1 | Image manipulation; older version (someli-api uses ^0.33.5) |
| canvas | ^3.1.0 | Server-side canvas |
| konva | ^9.3.14 | Server-side Konva (Polotno's underlying lib) |
| polotno-node | ^2.9.30 | Polotno server SDK |
| image-size | ^1.1.1 | Image dimension probing |
| images | ^3.2.4 | Image manipulation (alternate to sharp) |
| s3-image-size | ^0.1.3 | Image dimensions from S3 |
| puppeteer | ^22.13.1 | Headless Chrome — for PDF/image generation |
| puppeteer-core | ^22.13.1 | Same |
| ffmpeg-static | ^5.2.0 | FFmpeg binary |
| ffprobe-static | ^3.1.0 | ffprobe binary |
| fluent-ffmpeg | ^2.1.3 | FFmpeg wrapper |
| streamifier | ^0.1.1 | Buffer → stream |
Email / messaging
| Package | Version | Use |
|---|---|---|
| @sendgrid/mail | ^8.1.3 | SendGrid |
| slack | ^11.0.2 | Slack notifications |
| expo-server-sdk | ^3.10.0 | Expo push notifications — likely unused in admin |
PDF / parsing
| Package | Version | Use |
|---|---|---|
| pdf-extract | ^1.0.11 | PDF text extraction |
| pdf.js-extract | ^0.2.1 | Same (different lib); both present — pick one |
| cheerio | ^1.0.0-rc.12 | jQuery-like HTML parsing |
| xml2js | ^0.6.2 | XML parsing |
| node-xlsx | ^0.24.0 | XLSX parsing |
| convert-excel-to-json | ^1.7.0 | XLSX → JSON |
| feedsub | ^0.7.8 | RSS feed subscriber |
Utilities
| Package | Version | Use |
|---|---|---|
| moment | ^2.30.1 | Date handling (in maintenance mode) |
| uuid | ^10.0.0 | UUIDs |
| color-convert | ^2.0.1 | Color space conversion |
| unsplash-js | ^7.0.19 | Unsplash API |
| node-cron | ^3.0.3 | Cron scheduling (declared; no scheduled jobs in this repo — verify) |
| node-schedule | ^2.1.1 | Alternate cron scheduler |
| socket.io | ^4.7.5 | WebSockets (set up in server.js, no handlers in this repo) |
| async | ^3.2.5 | Async iteration helpers |
| path | ^0.12.7 | Spurious (built-in Node module shadowed). Remove. |
| http | ^0.0.1-security | Spurious (built-in Node module shadowed). Remove. |
| https (implied via std lib) | n/a | OK |
| fs | ^0.0.1-security | Spurious (built-in Node module shadowed). Remove. |
| stream | ^0.0.3 | Spurious (built-in Node module shadowed). Remove. |
| url | ^0.11.3 | Spurious (built-in Node module shadowed). Remove. |
Issues summary
- Many spurious built-in shadows (path, http, fs, stream, url, crypto) — these are squatter packages. Remove all.
- request is deprecated — migrate to axios.
- fetch@1.1.0 is an old unmaintained package; not the standard polyfill. Verify usage; remove if unused.
- Passport + Twitter + Expo deps appear unused (Passport is explicitly commented out in server.js). Audit with `grep -r "passport\|twitter\|expo-server"` to confirm and remove.
- aws-sdk v2 + v3 split — long-term plan should migrate everything to v3.
- sharp is at 0.32.1, but someli-api is at 0.33.5. Align.
- Both pdf-extract and pdf.js-extract are declared. Pick one.

A reasonable cleanup pass could remove ~20-25 deps without changing behaviour. Quick wins for security posture (smaller transitive tree, fewer CVEs to track).