# Dependencies Inventory
Status: Audit v0.1 (2026-05-09).
## At a glance
| Project | Production deps | Dev deps | Source |
|---|---|---|---|
| Root (someli-platform) | 91 | 7 | jq '.dependencies \| length' package.json / jq '.devDependencies \| length' package.json |
| Polotno editor (polotno-editor) | 26 | 2 | Same on polotno-editor/package.json |
| Total | 117 production | 9 dev | Sum |
Built-bundle output sizes (verified 2026-05-09 via stat -c%s polotno-bundle.*):
| Artifact | Bytes | Approximate |
|---|---|---|
| polotno-bundle.js (root of repo) | 221,172 | ~216 KB |
| polotno-bundle.css (root of repo) | 9,697 | ~9.5 KB |
Note: the dev/production split in package.json does not mean "optional vs required" in this codebase. Build-time tooling (webpack, babel-eslint, @nuxtjs/dotenv, @nuxtjs/style-resources) sits in devDependencies, but a Nuxt 2 deployment runs the build at deploy time, so those packages are installed wherever the build runs and are in scope for this audit. Conversely, the 91 production deps are mostly real runtime libraries, with a handful of server-only and accidental entries called out below.
## Lockfile state
| Lockfile | Lines | Source |
|---|---|---|
| yarn.lock | 11,423 | wc -l yarn.lock |
| package-lock.json | 22,271 | wc -l package-lock.json |
| polotno-editor/yarn.lock | 4,154 | wc -l polotno-editor/yarn.lock |
Finding [WC-DEP-1] (Severity: Low–Medium): Both yarn.lock and package-lock.json are committed at the repo root. The codebase uses yarn (per Jenkinsfile, project conventions), so the npm lockfile is unnecessary at best and a drift hazard at worst: the two files can pin different transitive versions, so anyone installing with npm runs a dependency tree that was never audited or tested under yarn. Recommendation: delete package-lock.json, add it to .gitignore, and install in CI with yarn install --frozen-lockfile so the committed yarn.lock is authoritative. Phase 0a (this week).
## Root project — production dependencies (alphabetical)
Pinned versions are from package.json:14-106.
## Framework & Vue ecosystem
| Package | Version | Notes |
|---|---|---|
| vue | 2.7.16 | EOL 2023-12-31. See architecture-overview.md §8. |
| vue-template-compiler | ^2.7.10 | Tied to Vue 2 |
| vue-server-renderer | ^2.7.10 | Unused at runtime (ssr: false); transitively required by Nuxt 2 |
| nuxt | 2.18.1 | EOL 2024-06-30 |
| vuex | 3.6.2 | Vue 2 generation; runs in non-strict mode |
| bootstrap-vue | ^2.22.0 | Targets Bootstrap 4; loaded with { css: false } (Bootstrap 5 from CDN) |
## React (for Polotno)
| Package | Version | Notes |
|---|---|---|
| react | ^18.3.1 | Only used by the Polotno bundle in the main app; pulled into root deps because some npm-installed components also need it |
| react-dom | ^18.3.1 | Same |
| react-filepond | ^7.1.2 | FilePond's React wrapper (the Vue wrapper is also installed) |
| react-highlight-within-textarea | 3.2.2 | Same pattern: a React lib in a Vue codebase |
| react-sortablejs | 6.1.1 | Pinned; force-resolved via resolutions and overrides in package.json:117-121 |
| react-toastify | 8.0.0 | React toast lib alongside vue-snotify and vue-toastification |
| mobx | 6.13.5 | Polotno store backbone |
| mobx-react-lite | ^4.0.7 | Same |
| mobx-state-tree | ^6.0.0 | Same |
| draft-js | ^0.11.7 | Rich-text editing in editor pages |
## State & API
| Package | Version | Notes |
|---|---|---|
| @nuxtjs/auth | ^4.9.1 | Auth strategy module; pulled in via nuxt.config.js |
| cookie-universal-nuxt | ^2.2.2 | Cookie handling |
| @nuxtjs/gtm | ^2.4.0 | Google Tag Manager |
| @nuxtjs/pwa | ^3.3.5 | PWA + service worker (workbox) |
| lodash | ^4.17.21 | Used heavily; the full library is imported in some files (defeats tree-shaking) |
| nanoid | ^5.0.7 | ID generation |
| localforage | ^1.10.0 | Storage abstraction (little use in the main app; Polotno uses it) |
| js-cookie | ^3.0.5 | Second cookie lib (alongside cookie-universal-nuxt); likely vestigial |
| dotenv | ^16.4.5 | Loaded via the @nuxtjs/dotenv build module |
## UI components & widgets
| Package | Version | Notes |
|---|---|---|
| bootstrap | 5.2.0 | npm-installed; also loaded from CDN in nuxt.config.js → head.link |
| @fortawesome/fontawesome-free | ^6.5.2 | npm-installed; also loaded from CDN |
| @fullcalendar/core and 5 plugins | ~6.1.14 / ^6.1.14 | Content planner calendar |
| @blueprintjs/popover2 | 2.1.11 | BlueprintJS popover (used inside Polotno UI) |
| chart.js | 3.8.0 | Dashboard charts |
| vue-chartjs | 4.0.0 | Vue wrapper for chart.js |
| konva | 9.3.16 | Canvas drawing primitives (Polotno dep) |
| vue-color | ^2.8.1 | Color picker |
| vue-emoji-picker | ^1.0.3 | Emoji picker |
| vue-burger-menu | ^2.0.5 | Mobile menu |
| vue-masonry-wall | ^0.3.2 | Image grid |
| vue-no-ssr | ^1.1.1 | SSR escape hatch |
| vue-niege | ^0.1.1 | Snowfall effect ("niege" = neige; loaded via plugins/snowfall.js) |
| vue-password-strength-meter | ^1.7.2 | + zxcvbn ^4.4.2 |
| vue-select | ^3.20.3 | Combobox/select |
| vue-country-code | ^1.1.3 | Country dial-code picker |
| vue-ctk-date-time-picker | 2.5.0 | Date/time picker |
| vue2-timepicker | ^1.1.6 | Second time picker |
| flatpickr | ^4.6.13 | Third date picker |
| @zaichaopan/emoji-picker | ^0.1.7 | Second emoji picker (alongside vue-emoji-picker) |
| vuebar | ^0.0.20 | Custom scrollbar; pre-1.0 version |
| @tinymce/tinymce-vue | ^3.2.8 | Rich-text editor; the TinyMCE Cloud script requires an API key (self-hosted TinyMCE does not); see security.md |
| qrcode | ^1.5.3 | QR code generation |
| plyr | ^3.8.4 | Video player |
Finding [WC-DEP-2] (Severity: Medium): Visible library duplication in the dependency tree:
- 2 emoji pickers: vue-emoji-picker, @zaichaopan/emoji-picker
- 3 date/time pickers: vue-ctk-date-time-picker, vue2-timepicker, flatpickr
- 3 toast libraries: vue-snotify, vue-toastification, react-toastify
- 2 cookie libraries: cookie-universal-nuxt, js-cookie
- 2 sortable libraries: sortablejs, react-sortablejs
- 2 FilePond wrappers: vue-filepond, react-filepond
Each duplicate set ships its own code to the client (not quantified in this audit; webpack-bundle-analyzer gives per-package sizes), doubles the patch surface for the same feature, and makes behaviour inconsistent across pages. Consolidation is a Phase 1 effort.
## Filepond (file uploads)
| Package | Version |
|---|---|
| filepond | 4.31.4 |
| vue-filepond | 6.0.3 |
| react-filepond | ^7.1.2 |
| filepond-plugin-file-metadata | ^1.0.8 |
| filepond-plugin-file-validate-size | ^2.2.8 |
| filepond-plugin-file-validate-type | ^1.2.9 |
| filepond-plugin-image-exif-orientation | ^1.0.11 |
| filepond-plugin-image-preview | ^4.6.12 |
| filepond-plugin-image-transform | ^3.8.7 |
| filepond-plugin-image-validate-size | ^1.2.7 |
Note: the validate-size and validate-type plugins run in the browser and are trivially bypassed by posting to the upload endpoint directly; the server must enforce its own size and content-type limits regardless of these plugins.
## Date / time
| Package | Version | Notes |
|---|---|---|
| moment | ^2.30.1 | Moment is a "deprecated/legacy" project per its maintainers (https://momentjs.com/docs/#/-project-status/). New code should use date-fns or native Intl. |
| moment-timezone | 0.5.46 | Same status |
| vue-moment | ^4.1.0 | Vue filter for moment |
## Billing / payments
| Package | Version | Notes |
|---|---|---|
| stripe | 16.12.0 | Server-side Stripe SDK (Node) in a frontend-only package. The SDK only works with a secret key, so any client-side import implies that key is shipped to the browser. Confirm with grep -rn "from 'stripe'\|require('stripe'" pages components layouts plugins store middleware |
| @stripe/stripe-js | 4.9.0 | Client-side Stripe.js wrapper (publishable key only; this is the one the browser should use) |
| @paddle/paddle-js | ^1.3.2 | Paddle billing |
Finding [WC-DEP-3] (Severity: High, pending verification): stripe (the server-side Node SDK) is in the production deps of a frontend package. The SDK is initialised with a secret key; if any client-side code imports it, the browser build carries the server code path and whatever value STRIPE_SECRET_KEY resolves to at build time, which is a full credential leak. [VERIFY-DEP-1]: grep for from 'stripe' or require('stripe') in client source (pages, components, layouts, plugins, store, middleware). If it is only used from api/ server middleware, record that and keep it; if unused, remove it.
## Email / external services
| Package | Version | Notes |
|---|---|---|
| @sendgrid/mail | 8.1.4 | Server-side SendGrid SDK in a frontend package (needs a SendGrid API key). Likely consumed only from api/ server middleware; verify it isn't bundled into the client. |
| aws-sdk | 2.1691.0 | Massive (~80 MB unpacked). AWS SDK for JavaScript v2 reached end of support on 2025-09-08 and no longer receives security fixes; the modular v3 SDK should be preferred. Frontend-side use of the v2 SDK is generally a mistake anyway. [VERIFY-DEP-2]: which AWS services does the frontend use? Likely just S3 uploads, which ~3 MB of v3 modules would cover. Also establish which credentials the browser uses for those uploads: long-lived IAM keys in client code are a leak regardless of SDK version; server-issued presigned URLs or STS temporary credentials avoid shipping any key. |
| bcryptjs | ^2.4.3 | Password hashing in a browser package. [VERIFY-DEP-3]: find the usage site. Hashing on the client is rarely correct: if the server stores or compares the client-supplied hash as-is, that hash is the password (anyone who captures it can replay it), so the server must still hash server-side with its own salt and cost. |
| passport | ^0.7.0, passport-twitter ^1.0.4 | Server-side OAuth. Used by api/twitter-middleware.js. Should not bundle into the client. |
| express | 4.21.1 | Used by Nuxt server middleware (api/index.js). |
## Other
| Package | Version | Notes |
|---|---|---|
| @types/sortablejs | 1 | Stray TS-types package in a JS project; vestigial |
| core-js | 3.38.1 | Polyfills |
| css-loader | ^5.2.7 | Webpack loader (build-time; belongs with webpack in devDependencies) |
| glob | 9.3.5 | File globbing; only useful in Node code paths |
| jquery | 3 | Bootstrap 5 itself no longer depends on jQuery; it is required by the theme templates and slick-carousel (CDN-loaded) |
| rsvp | ^4.8.5 | Promise library that predates native Promises; used in middleware/sociallink.js, replaceable with native Promise |
| sass | 1.70.0, sass-loader ^10.4.1 | SCSS preprocessing |
| sortablejs | 1.15.3 | Drag-drop |
## Twitter / Passport (server-side helpers)
passport, passport-twitter and express are pulled in for the Nuxt server middleware that handles Twitter OAuth (api/twitter-middleware.js). They should not be in the client bundle. Tree-shaking is not what keeps them out: serverMiddleware files are not part of the client webpack entry, so these packages only reach the browser build if something under pages/, components/, layouts/, plugins/, store/ or middleware/ imports them. [VERIFY-DEP-4]: confirm with webpack-bundle-analyzer on the client build.
## Dev dependencies (root)
| Package | Version | Notes |
|---|---|---|
| @nuxtjs/device | 2.1.0 | Device detection |
| @nuxtjs/dotenv | ^1.4.2 | Loads .env |
| @nuxtjs/style-resources | ^1.2.1 | SCSS variables import |
| babel-eslint | ^10.1.0 | ESLint parser for JS |
| vue-loader | ^15.9.8 | Webpack loader for .vue |
| webpack | ^4.46.0 | Webpack 4, unsupported (Webpack 5 has been stable since 2020) |
| webpack-cli | ^3.3.12 | Same generation |
Finding [WC-DEP-4] (Severity: Medium): Webpack 4 is unsupported. Nuxt 2 is pinned to Webpack 4, so moving to Webpack 5 means moving to Nuxt 3; this finding is part of the framework EOL story rather than a standalone upgrade.
## Polotno editor — production dependencies
| Package | Version | Notes |
|---|---|---|
| polotno | ^2.10.11 | Design SDK; license key hardcoded in polotno-editor/index.js:14 |
| react | ^18.3.1 | |
| react-dom | ^18.3.1 | |
| mobx | ^6.3.0 | |
| mobx-react-lite | ^4.0.7 | |
| mobx-state-tree | ^6.0.0 | |
| @blueprintjs/core | ^5.10.5 | UI primitives |
| @blueprintjs/icons | ^5.10.0 | |
| @blueprintjs/popover2 | ^2.1.7 | |
| @meronex/icons | ^4.0.0 | |
| axios | ^1.7.2 | The main app uses @nuxtjs/axios, which is built on axios; this is a separate copy |
| draft-js | ^0.11.7 | |
| filepond | ^4.31.1 + 4 plugins | Separate copy from the main app |
| qrcode | ^1.5.3 | |
| react-filepond | ^7.1.2 | |
| react-highlight-within-textarea | ^3.2.1 | |
| react-toastify | ^10.0.5 | Different major from the main app's 8.0.0 |
| localforage | ^1.10.0 | |
| lodash | ^4.17.21 | |
| parcel | ^2.12.0 | Build tool (listed under production deps) |
| npm | ^10.8.1 | Bundling npm itself as a dep; almost certainly accidental |
| install | ^0.13.0 | install is a tiny npm package whose only purpose is to install other packages; very likely accidentally added |
Finding [WC-DEP-5] (Severity: Medium): polotno-editor/package.json includes npm@^10.8.1 and install@^0.13.0 as production dependencies. Both are almost certainly mistakes — npm is the package manager itself, and install is a now-unmaintained 12-line shim package. Recommendation: remove both. Phase 0a.
Finding [WC-DEP-6] (Severity: Medium): react-toastify exists at v8 in main app and v10 in Polotno (different versions). Each is bundled separately because the bundles don't share a module graph. Bundle weight cost.
## Vulnerability surface
A full yarn audit was not run as part of this audit (output would need to be inspected and is environment-dependent). [VERIFY-DEP-5]: run yarn audit --groups dependencies against the root and against polotno-editor/, capture critical/high counts, and append them to this doc.
The known-stale package set already provides a strong signal:
- vue@2.7.16: Vue 2 EOL; CVE patches are no longer issued.
- nuxt@2.18.1: same, Nuxt 2 EOL.
- webpack@^4.46.0: Webpack 4 unsupported.
- bootstrap-vue@^2.22.0: last released Apr 2022; targets Bootstrap 4.
- bootstrap@5.2.0: older 5.x point release; current is 5.3.x.
- bootstrap from CDN is loaded as 5.0.2, 5.2.0-beta1, and 5.0.2 again in nuxt.config.js → head: three CDN loads of two distinct versions, alongside the npm-installed 5.2.0.
- react-toastify@8.0.0: current is v10.x; 8 is from 2021.
- chart.js@3.8.0: current is v4.4.x; 3.x is in maintenance.
- react-highlight-within-textarea@3.2.2: last released Jan 2023.
- vue-niege@^0.1.1: pre-1.0; effectively unmaintained.
- vuebar@^0.0.20: pre-1.0; last published 2018.
## Automated dependency-update pipeline
| Tool | Wired? | Source |
|---|---|---|
| Dependabot | Not configured | No .github/dependabot.yml |
| Renovate | Not configured | No renovate.json / .renovaterc |
| Snyk | Not visible from repo | No .snyk config |
| yarn audit in CI | Not run | Inspect .github/workflows/dev_app.yml |
Finding [WC-DEP-7] (Severity: High): There is no automated dependency-update mechanism. Combined with the EOL framework stack, this means CVE patches are only applied manually. Setting up Dependabot or Renovate is a Phase 0 (this month) task; even if the framework can't be upgraded immediately, point upgrades for transitive vulnerabilities should be automated.
## Recommendations summary
| Priority | Action | Effort |
|---|---|---|
| Phase 0a | Delete package-lock.json, add to .gitignore | <1h |
| Phase 0a | Remove npm and install from polotno-editor/package.json | <1h |
| Phase 0a | Verify and remove unused server-side packages from frontend bundle (stripe Node SDK, @sendgrid/mail, passport* if not needed) | 4h |
| Phase 0 | Set up Dependabot or Renovate with security-only auto-PRs | 1d |
| Phase 0 | Run yarn audit and triage high/critical | 1d |
| Phase 0 | Migrate aws-sdk v2 → v3 modules (S3 only, ~80% bundle savings on this dep) | 2d |
| Phase 1 | Consolidate library duplicates (emoji, date pickers, toast libs, sortable, filepond wrappers) | 1–2 weeks |
| Phase 1 | Replace moment with date-fns or native Intl | 1 week |
| Phase 2 | Vue 2 / Nuxt 2 → Vue 3 / Nuxt 3 migration | Multi-month, see enterprise-readiness.md |
[VERIFY-DEP-1]–[VERIFY-DEP-5] are tracked in ./verify-markers.md.