Dependencies Inventory

From package.json:

{
  "name": "dashboard",
  "version": "1.0.0",
  "scripts": { "start": "node server.js" },
  "dependencies": {
    "crypto-js":       "^4.2.0",
    "dotenv":          "^16.4.5",
    "express":         "^4.17.1",
    "express-session": "^1.17.3",
    "jsonwebtoken":    "^9.0.2",
    "moment":          "^2.29.1",
    "node-cron":       "^3.0.3",
    "path":            "^0.12.7",
    "request":         "^2.88.2",
    "sync-mysql":      "^3.0.1"
  }
}

No devDependencies. No test framework. No bundler.

Notes per dependency

| Dependency | Version | Status / risk |
|---|---|---|
| crypto-js | ^4.2.0 | Used elsewhere in the platform for AES encryption of tokens. Not yet observed in this repo's code (grep crypto-js returns 0 hits) — probably inherited from a copy-paste of someli-api's package.json. May be unused; verify and remove. |
| dotenv | ^16.4.5 | Standard. |
| express | ^4.17.1 | Express 4. Sibling repos use ^4.19.x or ^4.21.x — this one is at the older 4.17.1. Not vulnerable per se, but consider aligning. |
| express-session | ^1.17.3 | Used in server.js for a session cookie. The session is configured but never read by the routes — likely vestigial. Remove if not needed. |
| jsonwebtoken | ^9.0.2 | Not observed in repo code (grep jsonwebtoken returns 0 hits). Probably inherited from copy-paste. May be unused; verify and remove. |
| moment | ^2.29.1 | Heavily used in routes/index.js for date parsing. Note: moment is in maintenance mode; if rewriting, prefer date-fns or luxon. |
| node-cron | ^3.0.3 | Not observed in repo code (grep cron returns 0 hits in this repo). The services/job_*.js files don't use cron — they're plain helper modules. Probably unused. |
| path | ^0.12.7 | Spurious dependency. path is a built-in Node module, and require('path') always resolves to the built-in; pulling it from npm only fetches an unmaintained third-party clone that is never loaded. Remove. |
| request | ^2.88.2 | Deprecated (request is officially deprecated since Feb 2020). Not observed in repo code — probably copy-paste residue. Verify and remove. |
| sync-mysql | ^3.0.1 | The blocking MySQL driver used everywhere. As elsewhere in the platform, this is a performance / liveness liability. |

Five of the ten dependencies are not actually used by this repo's code (crypto-js, jsonwebtoken, node-cron, path, request) — they are residue of copy-pasting someli-api's package.json. Pruning them would remove a small attack surface (especially path and request).

Hard gaps

  • No cors. The production sibling (someli-api/dashboard/server.js) has it; this standalone server.js does not. If anyone tries to run this on its own port and call it from a browser on a different origin, the requests will be blocked for lack of CORS headers.
  • No body-parser / express.json() middleware. All endpoints are GET, so this is fine for current use — but if a POST handler is ever added, it will receive an empty body.
  • No logging library. console.log only.