# Dependencies Inventory
Reference for every npm package declared in package.json. For each: version, purpose, code-usage count (as of this audit), status, and follow-up actions where applicable.

[VERIFY] markers indicate places where the codebase does not give the answer and the team needs to confirm. Each is also tracked in verify-markers.md.
## 1. At a Glance
| Metric | Value |
|---|---|
| Direct dependencies | 94 |
| Dev dependencies | 1 (nodemon) |
| Native-binary deps | 5 (sharp, polotno-node, puppeteer, ffmpeg-static, ffprobe-static) |
| Built-in shadows | 6 (fs, http, path, stream, url, crypto) |
| Zero-usage / removable | 20 immediate (14 zero-ref + 6 built-in shadows from §6) |
| Deprecated (in maintenance / EOL) | 3 (request, sync-mysql, sync-request) |
| Light-usage (1–2 refs) | 28 |
| Heavily-used (10+ refs) | 14 |
### Status legend (used throughout)
| Symbol | Meaning |
|---|---|
| ✅ | Active, used, healthy |
| ⚠ | Light usage (1–2 refs) — verify whether load-bearing |
| ❌ | Zero refs in code — candidate for removal |
| 🔥 | Deprecated upstream / package is EOL — replace |
| 🪞 | Built-in module shadowed by a placeholder npm package |
| 🔐 | Has security finding (hardcoded key, missing CVE check, etc.) |
| 🪨 | Native-binary dep — architecture portability matters |
## 2. Direct Dependencies (91)

Sorted by usage count (heaviest at the top). The "Used" column is grep-counted across the codebase excluding node_modules, .yarn, doc, .git.
| Used | Status | Package | Version | Purpose |
|---|---|---|---|---|
| 134 | ✅ | node-cron | ^3.0.3 | Cron-style scheduling for the worker fleet (every job_*.js uses this) |
| 127 | ✅ 🔥 | sync-mysql | ^3.0.1 | Synchronous MySQL driver — deprecated antipattern; blocks the event loop. Consolidate to mysql2/promise per enterprise-readiness §5.4 |
| 88 | ✅ | aws-sdk | ^2.1659.0 | AWS SDK v2 (S3, Bedrock, Secrets Manager). v2 is in maintenance-only mode; v3 is modular. Migration is a Tier-4 consolidation candidate (~70–100 MB tree size) |
| 52 | ✅ | mysql2 | ^3.11.0 | Async MySQL driver (mysql2 direct: 16 files; mysql2/promise: 36 files). The recommended consolidation target |
| 52 | ✅ 🔐 🪨 | polotno-node | ^2.12.19 | Headless rendering of Polotno designs (Chromium-based). Hardcoded API key in 49 files. No instance pooling — 22 leak sites. See media-processing.md and Integration #16 |
| 44 | ✅ | axios | ^1.9.0 | HTTP client. Recommended consolidation target for the multiple HTTP libraries in use |
| 37 | ✅ | moment | ^2.30.1 | Date library. Note: moment is in maintenance mode upstream. Long-term replacement: date-fns or luxon. Not urgent |
| 36 | ✅ 🪨 | sharp | ^0.34.5 | Image resize / JPEG / thumbnailing. Modern version with ARM64 support. See media-processing.md |
| 24 | ✅ 🔥 | request | ^2.88.2 | HTTP client — deprecated since 2020. No security patches. Migrate to axios |
| 21 | ✅ | @sendgrid/mail | ^8.1.3 | Transactional email |
| 20 | ✅ | slack | ^11.0.2 | Slack bot SDK. Used alongside @slack/webhook. Hardcoded token concern — see Integration #11 |
| 20 | ✅ | uuid | ^10.0.0 | UUID generation |
| 13 | ✅ 🪞 | fs | ^0.0.1-security | Node built-in shadow. Listed in package.json by mistake; require('fs') always resolves to the built-in. Safe to remove |
| 12 | ✅ | @aws-sdk/client-bedrock-runtime | ^3.635.0 | Bedrock LLM inference (Llama / Claude / Nova) |
| 11 | ✅ 🪞 | path | ^0.12.7 | Node built-in shadow. Safe to remove from package.json |
| 10 | ✅ | dotenv | ^16.4.5 | Loads .env files. Used by conf.js and dashboard/conf.js |
| 10 | ✅ | openai | ^4.52.7 | OpenAI SDK (GPT-4o-mini and others) |
| 9 | ✅ | express | ^4.19.2 | The HTTP server framework |
| 7 | ✅ | jsonwebtoken | ^9.0.2 | JWT signing / verification |
| 7 | ✅ | node-xlsx | ^0.24.0 | Excel parser. Tier-4 consolidation candidate — xlsx (3 refs) is also used; pick one |
| 7 | ✅ 🔥 | sync-request | ^6.1.0 | Deprecated synchronous HTTP. Same antipattern as sync-mysql. Migrate to axios |
| 6 | ✅ | @google/generative-ai | ^0.24.1 | Gemini SDK (browser + node) |
| 5 | ✅ | lodash | ^4.17.21 | Utility library |
| 4 | ✅ | cheerio | ^1.0.0-rc.12 | jQuery-like HTML parser for web scraping |
| 4 | ✅ | color-convert | ^2.0.1 | Color-format conversions for design rendering |
| 4 | ✅ 🪞 | crypto | ^1.0.1 | Node built-in shadow. The npm package called crypto is an old polyfill; require('crypto') resolves to the built-in. Safe to remove |
| 4 | ✅ | csv-parse | ^5.6.0 | CSV parser. Tier-4 consolidation candidate — papaparse (1 ref) is also used |
| 4 | ✅ | rss-parser | ^3.13.0 | RSS feed parsing |
| 4 | ✅ 🪞 | stream | ^0.0.3 | Node built-in shadow. Safe to remove |
| 3 | ✅ | node-fetch | ^2.6.7 | Fetch polyfill. Tier-4 consolidation candidate — consolidate into axios |
| 3 | ✅ | node-schedule | ^2.1.1 | Cron-style scheduler (alternative to node-cron). Possible consolidation candidate |
| 3 | ✅ | @paddle/paddle-node-sdk | ^1.4.1 | Paddle billing SDK |
| 3 | ✅ | passport | ^0.7.0 | Authentication middleware framework |
| 3 | ✅ | socket.io | ^4.7.5 | Real-time WebSocket server |
| 3 | ✅ | stripe | ^16.2.0 | Stripe billing SDK (still active; "legacy" label is misleading — see Integration #9) |
| 3 | ✅ | xlsx | ^0.18.5 | Excel parser. Pair with node-xlsx decision |
| 2 | ✅ | @aws-sdk/client-bedrock-agent-runtime | ^3.774.0 | Bedrock agent runtime — used for the agent-style RAG path |
| 2 | ✅ | @aws-sdk/client-s3 | ^3.744.0 | AWS SDK v3 S3 client. Used alongside the heavier v2 aws-sdk. Migration target |
| 2 | ✅ | bcryptjs | ^2.4.3 | Pure-JS password hashing. Good choice (vs native bcrypt) for ARM/portability |
| 2 | ✅ | body-parser | ^1.20.2 | Request-body parsing middleware (note: bundled into Express 4.16+ but still imported separately here) |
| 2 | ✅ | cors | ^2.8.5 | CORS middleware. Currently configured open — see security.md |
| 2 | ✅ | crypto-js | ^4.2.0 | AES encryption used by the custom token-encryption layer (helper/tokenGenerator.js) |
| 2 | ✅ | express-session | ^1.18.0 | Session middleware (with hardcoded secret — see security.md) |
| 2 | ✅ | @google-cloud/vertexai | ^1.10.0 | Vertex AI SDK for Cloud RAG |
| 2 | ✅ | mammoth | ^1.9.0 | DOCX parser for the in-memory RAG pipeline |
| 2 | ✅ | oauth-1.0a | ^2.2.6 | OAuth 1.0a signing for Twitter |
| 2 | ✅ | pdf-parse | ^1.1.1 | PDF text extraction. Tier-4 consolidation candidate — pdf.js-extract (2 refs) does the same job |
| 2 | ✅ | pdf.js-extract | ^0.2.1 | PDF text extraction (alternate). Consolidate with pdf-parse |
| 2 | ✅ 🪨 | puppeteer | ^24.16.2 | Headless Chromium for web scraping (and indirectly via polotno-node) |
| 2 | ✅ | twitter | ^1.7.1 | Twitter API client. Tier-4 consolidation candidate — twitter-api-v2 (1 ref) is the modern replacement; twitter is unmaintained |
| 1 | ⚠ | chardet | ^2.1.0 | Character-encoding detection for CSV/Excel imports |
| 1 | ⚠ | express-fileupload | ^1.5.1 | Multipart-upload middleware |
| 1 | ⚠ | express-validator | ^7.1.0 | Request validation. Currently used in only one validator (registerVal) — see security.md §Input Validation |
| 1 | ⚠ | feedsub | ^0.7.8 | RSS-feed subscription helper. Pair with rss-parser decision |
| 1 | ⚠ 🪨 | ffmpeg-static | ^5.2.0 | Bundled FFmpeg binary. ARM64 supported |
| 1 | ⚠ 🪨 | ffprobe-static | ^3.1.0 | Bundled FFprobe binary. ARM64 supported |
| 1 | ⚠ | fluent-ffmpeg | ^2.1.3 | FFmpeg wrapper |
| 1 | ⚠ | @google-cloud/storage | ^7.16.0 | GCS SDK |
| 1 | ⚠ | @google/genai | ^0.10.0 | Google Generative AI SDK (separate from @google/generative-ai). Two AI SDKs from Google — verify both are needed |
| 1 | ⚠ 🪞 | http | ^0.0.1-security | Node built-in shadow. Safe to remove |
| 1 | ⚠ | iconv-lite | ^0.6.3 | Character-encoding conversion |
| 1 | ⚠ | json2csv | ^6.0.0-alpha.2 | JSON-to-CSV export. Note: alpha version pinned |
| 1 | ⚠ | mysql | ^2.18.1 | Original MySQL callback driver. One reference — should be removed once that one caller migrates to mysql2/promise |
| 1 | ⚠ | natural | ^8.1.0 | NLP toolkit, used for TF-IDF in the in-memory RAG implementation |
| 1 | ⚠ | papaparse | ^5.5.2 | CSV parser. Consolidate with csv-parse |
| 1 | ⚠ | passport-facebook | ^3.0.0 | Facebook OAuth strategy |
| 1 | ⚠ | passport-github2 | ^0.1.12 | GitHub OAuth strategy |
| 1 | ⚠ | passport-google-oauth20 | ^2.0.0 | Google OAuth strategy |
| 1 | ⚠ | passport-linkedin-oauth2 | ^2.0.0 | LinkedIn OAuth strategy |
| 1 | ⚠ | passport-tiktok-auth | ^1.0.9 | TikTok OAuth strategy |
| 1 | ⚠ | @slack/webhook | ^7.0.7 | Slack incoming-webhook client. Pair with slack decision |
| 1 | ⚠ | streamifier | ^0.1.1 | Buffer-to-stream wrapper |
| 1 | ⚠ | @superfaceai/passport-twitter-oauth2 | ^1.2.4 | Twitter OAuth 2.0 strategy |
| 1 | ⚠ | twitter-api-v2 | ^1.17.2 | Twitter API v2 client. Modern replacement for twitter |
| 1 | ⚠ | unsplash-js | ^7.0.19 | Unsplash stock images. Marked "disabled" in Integration-inventory.md — verify |
| 1 | ⚠ 🪞 | url | ^0.11.3 | Node built-in shadow. Safe to remove |
| 1 | ⚠ | winston | ^3.17.0 | Structured logger — declared but barely used. See logging-observability.md. Should be wired in or removed |
| 1 | ⚠ | xml2js | ^0.6.2 | XML parser |
| 0 | ❌ | abort-controller | ^3.0.0 | AbortController polyfill — Node 15+ has it built-in. Remove |
| 0 | ❌ | async | ^3.2.5 | Async utility lib — zero call sites. Remove |
| 0 | ❌ | @aws-sdk/client-bedrock | ^3.614.0 | Bedrock management API (vs runtime / agent-runtime which are used). Remove |
| 0 | ❌ | convert-excel-to-json | ^1.7.0 | Excel parser — covered by xlsx and node-xlsx. Remove |
| 0 | ❌ | csv | ^6.4.1 | CSV parser — covered by csv-parse and papaparse. Remove |
| 0 | ❌ | expo-server-sdk | ^3.10.0 | Expo mobile-push SDK — no Expo / push code anywhere. Remove |
| 0 | ❌ | fetch | ^1.1.0 | Old polyfill — covered by node-fetch and axios. Remove |
| 0 | ❌ | googleapis | ^140.0.1 | Generic Google APIs client — codebase uses the specific @google-cloud/* and @google/* SDKs. ~50–80 MB tree — biggest single removable. Remove |
| 0 | ❌ 🔐 | helmet | ^8.1.0 | Security headers — declared but never app.use()d. Either wire in (recommended per security.md) or remove |
| 0 | ❌ | images | ^3.2.4 | Already-confirmed unused; lacks ARM64 binary. Recommended for removal (still in package.json as of audit) |
| 0 | ❌ | image-size | ^1.1.1 | Image-dimensions reader — zero call sites. Remove |
| 0 | ❌ | konva | ^9.3.14 | Canvas library — likely a peer-dep of Polotno; verify before removing |
| 0 | ❌ | node-abort-controller | ^3.1.1 | Same as abort-controller. Remove |
| 0 | ❌ | pdf-extract | ^1.0.11 | Third PDF parser (after pdf-parse and pdf.js-extract). Remove |
| 0 | ❌ 🪨 | puppeteer-core | ^22.13.1 | Bundled inside puppeteer. Remove |
| 0 | ❌ | s3-image-size | ^0.1.3 | S3 image-size reader — zero call sites. Remove |
[VERIFY] `konva` peer-dependency status — is `konva` a true peer-dep of `polotno-node` (in which case it's installed transitively and the top-level entry is redundant), or does the top-level entry pin a specific version that polotno-node needs? Run `yarn why konva` to confirm before removing.
## 3. Dev Dependencies

| Package | Version | Purpose |
|---|---|---|
| nodemon | ^3.1.4 | Hot-reload for npm run dev |
## 4. Native-Binary Dependencies

These ship architecture-specific binaries. Relevant for ARM/Graviton portability — see the prior architecture-portability discussion.

| Package | ARM64 | Status |
|---|---|---|
| sharp | ✅ Auto-selects at install | Modern version, no action needed |
| ffmpeg-static | ✅ ARM64 binary in package | No action needed |
| ffprobe-static | ✅ ARM64 in bin/linux/arm64/ | No action needed |
| puppeteer | ✅ Chromium has ARM64 builds | No action needed |
| polotno-node | ✅ Inherits from puppeteer | Verify on actual hardware (highest-risk dep) |
| images | ❌ No linux-arm64 binding | Already on the removal list (zero refs) |
## 5. Built-in Shadows (Safe to Remove)
These are Node.js core modules that are also listed as npm packages by mistake. The npm packages with these names are placeholders that get installed but never executed — require('fs') always resolves to the built-in.
Removing them is purely cosmetic / disk-space savings. Runtime behavior is unaffected.
## 6. Removable Right Now (Tier 1 + Tier 2)

A single batch removal of confirmed dead deps:

```shell
yarn remove \
  abort-controller node-abort-controller \
  async \
  @aws-sdk/client-bedrock \
  convert-excel-to-json \
  csv \
  expo-server-sdk \
  fetch \
  googleapis \
  images \
  image-size \
  s3-image-size \
  pdf-extract \
  puppeteer-core \
  fs http path stream url crypto
```
Total: 20 packages. Estimated node_modules saving: ~80–180 MB (the bulk from googleapis ~50–80 MB and the deduped puppeteer-core ~10 MB).
konva and helmet are listed as zero-refs but require a decision before removal (verify peer-dep status; wire helmet in or drop it).
## 7. Consolidation Targets (Tier 4 — Longer Term)
Multiple packages doing the same job. Removal here requires migrating call sites.
| Replace | With | Effort | Why |
|---|---|---|---|
| request (24 uses) | axios (44 uses already) | Medium | request deprecated since 2020; no security patches |
| sync-request (7 uses) + async handlers | axios | Medium | Sync HTTP blocks the event loop |
| pdf-parse (2) or pdf.js-extract (2) | One of them | Low | Two PDF parsers, same job |
| node-xlsx (7) or xlsx (3) | One of them | Low–Medium | Two Excel parsers |
| csv-parse (4) or papaparse (1) | One of them | Low | Two CSV parsers |
| twitter (2) | twitter-api-v2 (1) | Low | twitter package on npm is unmaintained |
| node-fetch (3) | axios | Low | One HTTP library is enough |
| aws-sdk v2 (88 uses) | @aws-sdk/client-* v3 | High | Largest single dep; ~70–100 MB tree; v2 is in maintenance-only mode |
| slack (20) | @slack/webhook (1) | Medium | slack is broader / older; if you only post to a webhook, @slack/webhook is leaner |
| mysql (1) + sync-mysql (127) + mysql2 (53) | mysql2/promise only | High — architectural | Already flagged in §5.4 readiness doc |
| node-cron (134) + node-schedule (3) | One of them | Low | Two schedulers, same job |
| @google/genai (1) + @google/generative-ai (6) | One of them | Low | Two Google AI SDKs — verify both are needed |
| feedsub (1) + rss-parser (4) | One of them | Low | Two RSS-handling libraries |
| body-parser (2) | Use Express 4.16+ built-in express.json() and express.urlencoded() | Low | Bundled into Express; separate import is unnecessary |
| passport-twitter-oauth2 (1) + twitter-api-v2 (1) + oauth-1.0a (2) | Pick the right Twitter approach | Low | Three different Twitter integrations is one too many |
## 8. Deprecated / EOL Packages
These need replacement before they become security incidents:
| Package | Status | Replacement |
|---|---|---|
| request | Deprecated 2020. No security patches | axios |
| sync-request | Built on request. Same dead-end | axios (async) |
| sync-mysql | Architectural antipattern (blocks event loop). Sparse maintenance | mysql2/promise |
| moment | In maintenance mode (not deprecated, but "consider alternatives" per maintainers) | date-fns or luxon (long-term) |
| body-parser (as separate import) | Bundled into Express 4.16+ | express.json() / express.urlencoded() |
| twitter (npm package) | Unmaintained for years | twitter-api-v2 |
## 9. Security Posture (Per-Package)

### Hardcoded credentials
| Package | Issue |
|---|---|
| polotno-node | API key 'FXZvloSJvAe09-bdR9iC' hardcoded in 49 files. See Integration #16, security.md |
| slack / @slack/webhook | Bot token xoxb-... and channel ID C05TS9AHBH6 hardcoded. See Integration #11 |
| express-session | Session secret hardcoded in server.js. See security.md |
### CVE / vulnerability scanning

[VERIFY] Has `yarn audit` been run recently? Capture the current open advisories (count and severity), and add to this doc. Any High or Critical advisories should be addressed before the SOC 2 Type I audit per enterprise-readiness §5.7.

[VERIFY] Is Dependabot or Snyk enabled? If not, this is a Phase 0 item per enterprise-readiness §6.1. Configure in `.github/dependabot.yml` or via Snyk integration.
### Supply-chain hygiene

[VERIFY] Is `npm audit signatures` (or equivalent) part of CI? This validates package signatures against the npm registry. With ~91 direct deps and a much larger transitive tree, supply-chain attacks via npm have become a recurring industry incident (event-stream, ua-parser-js, debug/chalk attacks). Adopting signature verification is cheap and high-value.
## 10. License Inventory

[VERIFY] Generate a license report. Run a tool like `license-checker` or `license-report` to produce a per-package license breakdown. Expected output: dominant MIT (most JavaScript packages), with some Apache 2.0, BSD variants, ISC. Anything GPL / AGPL / proprietary should be flagged. This is required for SOC 2 / enterprise procurement vendor-questionnaire responses.

Update this section once the report is run.
| License | Approximate count |
|---|---|
| MIT | TBD |
| Apache-2.0 | TBD |
| BSD-2-Clause / BSD-3-Clause | TBD |
| ISC | TBD |
| Other (non-permissive) | TBD — should be 0 |
## 11. Bundle / Install Size Baseline

[VERIFY] Capture the current install size baseline so future cleanup wins can be measured.

Current rough estimate from earlier discussion: ~1.5 GB total. Heaviest contributors: googleapis (~50–80 MB, removable), aws-sdk v2 (~70–100 MB, consolidation), puppeteer + Chromium (~150 MB), polotno-node (small package + Chromium dep).

Update this section after any major removal / consolidation so the team can see progress.
## 12. Update / Audit Cadence

[VERIFY] What is the team's update cadence? Recommended:

- Weekly: Dependabot patch / minor PRs auto-created; merged after CI passes.
- Monthly: `yarn outdated` review; pick 5–10 bumps to action.
- Quarterly: major-version review; pick targets for the next quarter.
- Ad-hoc: any High / Critical CVE alert is treated as an incident.

Document the actual policy (or commit to one) and reference it here.
## 13. Action Punchlist

Concrete, ordered list of dependency-related work derived from this audit:
| # | Action | Effort | Reference |
|---|---|---|---|
| 1 | Run the Tier-1 + built-in-shadows removal (yarn remove ... from §6) | 30 min | This doc §6 |
| 2 | Decide helmet: wire in or remove | 1 hr | security.md |
| 3 | Decide konva: verify peer-dep, then keep or remove | 30 min | This doc §2 |
| 4 | Run yarn audit and document open CVEs | 30 min | §9 |
| 5 | Run license-checker and document license mix | 30 min | §10 |
| 6 | Capture node_modules size baseline | 10 min | §11 |
| 7 | Configure Dependabot / Snyk in CI | 1 hr | §9 |
| 8 | Migrate request → axios (24 callers) | 1–2 days | §7 |
| 9 | Migrate sync-request → axios async (7 callers) | 1–2 days | §7 |
| 10 | Decide PDF / CSV / Excel / Twitter / RSS / scheduler consolidation pairs | 1 day each | §7 |
| 11 | Plan aws-sdk v2 → v3 migration (88 callers) | weeks — separate ticket | §7 |
| 12 | Eliminate sync-mysql (127 callers) — architectural | months | enterprise-readiness §5.4 |
Items 1–7 are quick wins. 8–10 are tactical migrations. 11–12 are strategic projects.
## 14. Maintenance Discipline

When adding a new dependency, the recommended hygiene checklist is:

- Justify it. Can the standard library or an existing dep cover this? Adding a dep for a 30-line problem is rarely net-positive.
- Check the license. GPL / AGPL is typically off-limits for proprietary platforms.
- Check maintenance. Last release > 12 months ago? Open-issue count growing? Any recent advisories?
- Pin the version with a caret (`^x.y.z`) and lock it in `yarn.lock`.
- Update this doc. Add the row to §2; if it's a consolidation candidate, add to §7.

When removing a dependency:

- Confirm zero references via grep (handle dynamic `require(varName)` carefully — search for variable assignments too).
- Run `yarn install --check-files` after removal.
- Smoke-test the affected paths.
- Update this doc — remove the row from §2.
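The reference counting behind the "Used" column in §2 and the "confirm zero references" step above can be scripted so that the two pitfalls a plain grep has are handled: a subpath import such as `mysql2/promise` must count toward `mysql2`, and a dynamic `require(variable)` cannot be attributed to any package and has to be listed for manual inspection. The example below is added here and is not the audit's own grep; it runs over constructed source snippets (`sampleFiles`) and a constructed subset of declared dependencies (`declared`), both of which are assumptions standing in for the real tree and package.json.

```javascript
// Added example (not the audit's grep): count references to each declared dependency
// across source text, attributing subpath imports ('mysql2/promise') to the parent
// package, and flag dynamic require(variable) calls that a literal grep would miss.

// Constructed source snippets standing in for project files (file names are assumptions).
const sampleFiles = {
  'job_a.js': "const cron = require('node-cron');\nconst db = require('mysql2/promise');\n",
  'job_b.js': "const cron = require('node-cron');\nconst mysql = require('mysql2');\n",
  'worker.js': "import axios from 'axios';\nconst name = process.env.DRIVER;\nconst drv = require(name);\n",
};

// Constructed subset of package.json dependency names.
const declared = ['node-cron', 'mysql2', 'axios', 'async'];

// require('x') or require("x/sub") with a string-literal argument.
const STATIC_REQUIRE = /require\(\s*['"]([^'"]+)['"]\s*\)/g;
// import ... from 'x', import 'x', export ... from 'x' (one statement per line).
const ESM_IMPORT = /^\s*(?:import|export)\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]/gm;
// Any require(...) whose first argument is not a string literal.
const DYNAMIC_REQUIRE = /require\((?!\s*['"])[^)]+\)/g;

// Map a module specifier to the package that owns it: 'mysql2/promise' -> 'mysql2',
// '@aws-sdk/client-s3/dist/x' -> '@aws-sdk/client-s3'. Relative and absolute paths -> null.
function packageOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// counts: refs per declared package; zeroRefs: removal candidates;
// dynamic: require() calls that need a human to trace the variable.
function countReferences(files, declaredDeps) {
  const counts = Object.fromEntries(declaredDeps.map((d) => [d, 0]));
  const dynamic = [];
  for (const [file, text] of Object.entries(files)) {
    for (const re of [STATIC_REQUIRE, ESM_IMPORT]) {
      for (const m of text.matchAll(re)) {
        const pkg = packageOf(m[1]);
        if (pkg !== null && Object.prototype.hasOwnProperty.call(counts, pkg)) counts[pkg] += 1;
      }
    }
    for (const m of text.matchAll(DYNAMIC_REQUIRE)) dynamic.push({ file, call: m[0] });
  }
  const zeroRefs = declaredDeps.filter((d) => counts[d] === 0);
  return { counts, zeroRefs, dynamic };
}

const report = countReferences(sampleFiles, declared);
console.table(report.counts);
console.log('zero-ref candidates:', report.zeroRefs);
console.log('dynamic requires to inspect by hand:', report.dynamic);
```

A package that shows zero references but also appears near a dynamic require (here `async` and `worker.js`) should not be removed until the variable feeding that `require()` has been traced, which is exactly the caveat in the removal checklist.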
## 15. Related

- Integration Inventory — packages organized by external service rather than by package
- Enterprise Readiness §5.4 — strategic consolidation recommendations
- Security — secrets handling, input validation, dependency-scanning posture
- Logging & Observability — `winston` is declared but unused
- VERIFY Markers — index of the `[VERIFY]` items above and elsewhere