Dependencies inventory
Comprehensive list of every npm / system package the platform pulls in — for security audit, license review, and upgrade planning. Pairs with the high-level stack.md; cross-links to ../security/internal/dependency-audit.md for advisory triage and to ../business/integration-options.md / ../business/infrastructure-cost.md for vendor-relationship context.
Captured. 2026-04-25 from working tree.
Sources mined. ebit-api/package.json, ebit-fe/package.json, ebit-admin-fe/package.json, root docker-compose.yml, terraform/**/versions.tf, installed node_modules/<pkg>/package.json for license fields.
Audit tools. npm audit (ebit-api, fresh tree on disk), pnpm audit (ebit-fe + ebit-admin-fe).
Scope. Direct dependencies only (≈80–150 rows per repo). Transitives surface in §4 and in the linked dependency-audit.md only when they carry a critical / high advisory.
Legend used in every table:
- Type. dep = dependencies, dev = devDependencies, peer = peerDependencies.
- Criticality. critical = touches auth, payments, money / wallet, PII, or game-fairness paths. important = part of the runtime hot path or build-time security surface. nice-to-have = UX polish, dev tooling without prod impact.
- Upgrade urgency. green = on current minor or one minor behind. yellow = one major behind, no advisory. red = ≥2 majors behind or has an open advisory in dependency-audit.md.
- {{verify}} = not resolved in <30s of inspection; flagged for the next quarterly refresh.
1. Direct dependencies inventory (per repo)
1.1 ebit-api — NestJS monorepo (95 deps + 47 devDeps)
| Package | Version | License | Type | Used for | Criticality | Urgency |
|---|---|---|---|---|---|---|
| @bebkovan/geo | ^1.0.4 | unknown ({{verify}} — private registry) | dep | Geo helpers, vendored | important | yellow |
| @bebkovan/prisma-transactional | ^0.4.6 | MIT | dep | Prisma transactional decorator | important | green |
| @bebkovan/server-core | ^2.1.2 | ISC | dep | Internal NestJS scaffolding (auth glue) | critical | red (transitively pulls vulnerable eosjs, nestjs-cls) |
| @golevelup/nestjs-discovery | ^4.0.2 | MIT | dep | Decorator-based controller discovery | important | yellow (4 → 7) |
| @google-cloud/storage | ^7.16.0 | Apache-2.0 | dep | Asset / KYC document upload | critical (PII) | green |
| @maxmind/geoip2-node | ^5.0.0 | Apache-2.0 | dep | Geo restriction enforcement | critical (compliance) | yellow (5 → 6) |
| @nestjs/axios | ^3.1.3 | MIT | dep | HTTP module | important | yellow (3 → 4) |
| @nestjs/bull | ^11.0.2 | MIT | dep | Legacy Bull v4 bridge | important | green |
| @nestjs/bullmq | ^10.2.3 | MIT | dep | BullMQ wiring (production queues) | critical | yellow (10 → 11) |
| @nestjs/common | ^10.4.15 | MIT | dep | Core framework | critical | red (10 → 11; advisories on chain) |
| @nestjs/config | ^3.3.0 | MIT | dep | Env loading | important | yellow (3 → 4) |
| @nestjs/core | ^10.4.15 | MIT | dep | Core framework | critical | red (CVE chain — see audit doc #7) |
| @nestjs/cqrs | ^10.2.8 | MIT | dep | Command / event bus | important | yellow (10 → 11) |
| @nestjs/jwt | ^10.2.0 | MIT | dep | JWT signing / verification | critical (auth) | green |
| @nestjs/microservices | ^10.4.15 | MIT | dep | Redis pub/sub RPC transport | critical | red (DoS advisory #8) |
| @nestjs/passport | ^10.0.3 | MIT | dep | Passport adapter | critical (auth) | green |
| @nestjs/platform-express | ^10.4.15 | MIT | dep | HTTP runtime | critical | red (advisory #9) |
| @nestjs/platform-socket.io | ^10.4.15 | MIT | dep | socket.io adapter for rt | critical (real-time) | yellow |
| @nestjs/schedule | ^4.1.2 | MIT | dep | Cron / interval / timeout decorators | important | green |
| @nestjs/swagger | ^8.1.0 | MIT | dep | OpenAPI generation | nice-to-have | green |
| @nestjs/terminus | ^10.2.3 | MIT | dep | /health endpoint | important | red (transitive nest core) |
| @nestjs/throttler | ^6.3.0 | MIT | dep | Sliding-window rate limit | critical | green |
| @nestjs/websockets | ^10.4.15 | MIT | dep | WS gateway base | critical | red (transitive core) |
| @opentelemetry/api | ^1.9.0 | Apache-2.0 | dep | OTel API surface | important | green |
| @opentelemetry/auto-instrumentations-node | ^0.54.0 | Apache-2.0 | dep | Auto-instrumentation bundle | important | yellow |
| @opentelemetry/exporter-metrics-otlp-http | ^0.57.2 | Apache-2.0 | dep | OTLP metrics exporter | important | green |
| @opentelemetry/exporter-trace-otlp-http | ^0.57.0 | Apache-2.0 | dep | OTLP trace exporter | important | green |
| @opentelemetry/instrumentation-pino | ^0.60.0 | Apache-2.0 | dep | Pino log-trace correlation | important | green |
| @opentelemetry/resources | ^1.30.0 | Apache-2.0 | dep | Resource detector | important | green |
| @opentelemetry/sdk-metrics | ^1.30.1 | Apache-2.0 | dep | Metrics SDK | important | green |
| @opentelemetry/sdk-node | ^0.57.0 | Apache-2.0 | dep | Node SDK | important | green |
| @opentelemetry/semantic-conventions | ^1.30.0 | Apache-2.0 | dep | Stable attribute names | nice-to-have | green |
| @paralleldrive/cuid2 | ^2.2.2 | MIT | dep | Collision-resistant IDs | important | green |
| @prisma/client | ^6.5.0 | Apache-2.0 | dep | DB client (runtime) | critical | green |
| @prisma/instrumentation | ^6.5.0 | Apache-2.0 | dep | Prisma OTel spans | important | green |
| @sendgrid/mail | ^8.1.4 | MIT | dep | Transactional email | critical (auth flows: verification, password reset) | green |
| @sentry/cli | ^2.43.0 | BSD-3-Clause | dep | Sourcemap upload | nice-to-have | green |
| @sentry/nestjs | ^9.11.0 | MIT | dep | Sentry NestJS integration | important | green |
| @sentry/node | ^9.11.0 | MIT | dep | Sentry Node SDK | important | green |
| @sentry/profiling-node | ^9.11.0 | MIT | dep | Profiling integration | nice-to-have | green |
| @socket.io/admin-ui | ^0.5.1 | MIT | dep | socket.io ops UI | nice-to-have | green |
| @type-cacheable/core | ^14.1.0 | MIT | dep | Decorator-based caching | important | red (advisory #14) |
| @type-cacheable/ioredis-adapter | ^15.0.2 | MIT | dep | ioredis backend for cacheable | important | green |
| @types/amqplib | ^0.10.7 | MIT | dep | RabbitMQ types | nice-to-have | green |
| @types/bn.js | ^5.1.6 | MIT | dep | BigNumber types | nice-to-have | green |
| @types/ioredis | ^5.0.0 | MIT | dep | ioredis types | nice-to-have | green |
| @types/js-yaml | ^4.0.9 | MIT | dep | Types | nice-to-have | green |
| @types/luxon | ^3.6.2 | MIT | dep | Types | nice-to-have | green |
| @types/passport-anonymous | ^1.0.5 | MIT | dep | Types | nice-to-have | green |
| @types/pg | ^8.11.11 | MIT | dep | Types | nice-to-have | green |
| amqp-connection-manager | ^4.1.14 | MIT | dep | RabbitMQ reconnect | important | green |
| amqplib | ^0.10.8 | MIT | dep | RabbitMQ driver (stubbed Fast Track only) | nice-to-have (stub) | green |
| axios | ^1.8.4 | MIT | dep | Outbound HTTP | critical (provider integrations) | red (advisory #6 — SSRF / DoS) |
| bad-words | 3.0.4 | MIT | dep | Profanity filter | nice-to-have | green |
| bcrypt | ^5.1.1 | MIT | dep | Password hashing | critical (auth) | red (advisory #11; bump 5 → 6) |
| bull | ^4.16.5 | MIT | dep | Legacy queue runtime | important | green |
| bullmq | ^5.54.1 | MIT | dep | All production async queues | critical | green |
| class-transformer | ^0.5.1 | MIT | dep | DTO ↔ class hydration | important | green |
| class-validator | ^0.14.1 | MIT | dep | DTO validation | critical | red (transitive validator advisory #12) |
| cookie-parser | ^1.4.7 | MIT | dep | Cookie parsing | important | green |
| dotenv | ^16.4.7 | BSD-2-Clause | dep | .env loader | important | green |
| ejs | ^3.1.10 | Apache-2.0 | dep | Email templating | important | green |
| eosjs | ^22.1.0 | MIT | dep | EOS chain client (speed-roulette anchoring) | critical | red (CVE on elliptic chain — audit #2) |
| express-session | ^1.18.1 | MIT | dep | Session middleware (legacy) | important | green |
| grammy | ^1.35.1 | MIT | dep | Telegram bot SDK | important | green |
| helmet | ^8.1.0 | MIT | dep | HTTP security headers | critical | green |
| ioredis | ^5.6.1 | MIT | dep | Redis client (cache + bot) | critical | green |
| ioredis-mock | ^8.9.0 | MIT | dep | Test double | nice-to-have | green |
| joi | ^17.13.3 | BSD-3-Clause | dep | Schema validation (env / config) | important | green |
| js-yaml | ^4.1.0 | MIT | dep | YAML parsing | nice-to-have | green |
| luxon | ^3.6.1 | MIT | dep | Date math | important | green |
| nest-winston | ^1.9 | MIT | dep | Winston bridge for legacy log calls | important | green |
| nestjs-cls | ^4.5.0 | MIT | dep | AsyncLocalStorage helper | important | red (audit #1 chain) |
| nestjs-pino | ^4.6.1 | MIT | dep | Framework logger → Loki | critical (observability) | green |
| node-network-devtools | ^1.0.25 | MIT | dep | Local dev only | nice-to-have | green |
| otplib | ^12.0.1 | MIT | dep | TOTP / 2FA | critical (auth) | green |
| passport | ^0.7.0 | MIT | dep | Strategy framework | critical (auth) | green |
| passport-anonymous | ^1.0.1 | MIT | dep | Anonymous strategy | important | green |
| passport-custom | ^1.1.1 | MIT | dep | Captcha bypass strategy | important | green |
| passport-google-oauth2 | ^0.2.0 | MIT | dep | Google sign-in | critical (auth) | yellow |
| passport-http | ^0.3.0 | MIT | dep | Basic auth strategy | important | green |
| passport-jwt | ^4.0.1 | MIT | dep | JWT strategy | critical (auth) | green |
| passport-local | ^1.0.0 | MIT | dep | Email/password strategy | critical (auth) | green |
| passport-oauth2 | ^1.8.0 | MIT | dep | Generic OAuth2 base | critical (auth) | green |
| pino | ^10.3.1 | MIT | dep | Structured logger | critical (observability) | green |
| pino-http | ^11.0.0 | MIT | dep | HTTP request log | important | green |
| reflect-metadata | ^0.2.2 | Apache-2.0 | dep | Decorator metadata | critical (NestJS DI) | green |
| rxjs | ^7.8.2 | Apache-2.0 | dep | Reactive streams | critical | green |
| seedrandom | ^3.0.5 | MIT | dep | Deterministic RNG | important (game fairness) | green |
| socketio-wildcard | ^2.0.0 | MIT | dep | Wildcard event listener | nice-to-have | green |
| tslib | ^2.8.1 | 0BSD | dep | TS runtime helpers | nice-to-have | green |
| tunnel-agent | ^0.6.0 | Apache-2.0 | dep | HTTP tunnel | important | green |
| ua-parser-js | ^2.0.3 | MIT | dep | User-agent parsing | important | green |
| uuid-by-string | ^4.0.0 | MIT | dep | Deterministic UUID | nice-to-have | green |
| winston | ^3.17.0 | MIT | dep | Legacy logger (EvoLogger backend) | important | green |
| @eslint/js | ^9.24.0 | MIT | dev | Lint config | nice-to-have | yellow |
| @nestjs/cli | ^10.4.9 | MIT | dev | Build / scaffolding | important | red (audit #10 — webpack chain) |
| @nestjs/schematics | ^10.2.3 | MIT | dev | Code generators | nice-to-have | green |
| @nestjs/testing | ^10.4.15 | MIT | dev | Test harness | important | red (transitive core) |
| @swc/core | ^1.11.18 | Apache-2.0 | dev | Fast TS compile | important | green |
| @types/bad-words ‥ @types/uuid | various | MIT | dev | Type packages (×17) | nice-to-have | green |
| @typescript-eslint/eslint-plugin | ^8.29.0 | MIT | dev | TS lint rules | nice-to-have | green |
| @typescript-eslint/parser | ^8.29.0 | MIT | dev | TS lint parser | nice-to-have | green |
| @vitest/coverage-v8 | ^3.1.1 | MIT | dev | Coverage | nice-to-have | green |
| eslint | ^9.24.0 | MIT | dev | Linter | important | green |
| eslint-config-prettier | ^10.1.1 | MIT | dev | Lint / fmt interop | nice-to-have | green |
| eslint-plugin-import | ^2.31.0 | MIT | dev | Import order rules | nice-to-have | green |
| eslint-plugin-prettier | ^5.2.6 | MIT | dev | Prettier as ESLint rule | nice-to-have | green |
| husky | ^9.1.7 | MIT | dev | Git hooks | nice-to-have | green |
| nodemon | ^3.1.9 | MIT | dev | Local dev watcher (rarely used) | nice-to-have | green |
| nyc | ^17.1.0 | ISC | dev | Coverage tool (legacy) | nice-to-have | green |
| prettier | ^3.5.3 | MIT | dev | Formatter | nice-to-have | green |
| prisma | ^6.5.0 | Apache-2.0 | dev | Migrations / generate | critical | green |
| prisma-json-types-generator | ^3.2.3 | MIT | dev | Typed JSON columns | nice-to-have | green |
| source-map-support | ^0.5.21 | MIT | dev | Stack traces | nice-to-have | green |
| supertest | ^7.0.0 | MIT | dev | HTTP test client | nice-to-have | green |
| ts-loader | ^9.5.2 | MIT | dev | webpack TS loader | nice-to-have | green |
| ts-node | ^10.9.2 | MIT | dev | Seed runner | nice-to-have | green |
| tsconfig-paths | ^4.2.0 | MIT | dev | Path alias loader | nice-to-have | green |
| tsx | ^4.19.3 | MIT | dev | Simulations runner | nice-to-have | green |
| typescript | ^5.8.3 | Apache-2.0 | dev | Compiler | critical | green |
| typescript-eslint | ^8.29.0 | MIT | dev | Tooling meta-package | nice-to-have | green |
| unplugin-swc | ^1.5.1 | MIT | dev | Vitest SWC plugin | nice-to-have | green |
| vite-tsconfig-paths | ^5.1.4 | MIT | dev | Vitest path alias | nice-to-have | green |
| vitest | ^3.1.1 | MIT | dev | Test runner | important | green |

Type-only @types/* packages are collapsed where they share the same urgency (always green / nice-to-have unless flagged).
1.2 ebit-fe — dropbet (player-facing) — 71 deps + 25 devDeps
| Package | Version | License | Type | Used for | Criticality | Urgency |
|---|---|---|---|---|---|---|
| @emoji-mart/react | ^1.1.1 | MIT | dep | Emoji picker | nice-to-have | green |
| @intercom/messenger-js-sdk | ^0.0.14 | MIT | dep | Customer support widget | important | yellow (0.x — pre-1.0) |
| @opentelemetry/api | 1.9.0 | Apache-2.0 | dep | Browser OTel | important | green |
| @opentelemetry/context-zone | ^1.30.1 | Apache-2.0 | dep | Browser context | important | green |
| @opentelemetry/exporter-trace-otlp-http | ^0.57.2 | Apache-2.0 | dep | OTLP/HTTP exporter | important | green |
| @opentelemetry/instrumentation | ^0.57.2 | Apache-2.0 | dep | Base instrumentation API | important | green |
| @opentelemetry/instrumentation-fetch | ^0.57.2 | Apache-2.0 | dep | fetch instrumentation | important | green |
| @opentelemetry/instrumentation-xml-http-request | ^0.57.2 | Apache-2.0 | dep | XHR instrumentation | important | green |
| @opentelemetry/resources | ^1.30.1 | Apache-2.0 | dep | Resource detector | important | green |
| @opentelemetry/sdk-trace-web | ^1.30.1 | Apache-2.0 | dep | Browser trace SDK | important | green |
| @opentelemetry/semantic-conventions | ^1.40.0 | Apache-2.0 | dep | Attribute keys | nice-to-have | green |
| @radix-ui/react-accordion | ^1.2.1 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-alert-dialog | ^1.1.1 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-collapsible | ^1.1.0 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-dialog | ^1.1.2 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-dropdown-menu | ^2.1.1 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-label | ^2.1.3 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-popover | ^1.1.2 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-portal | ^1.1.2 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-select | ^2.1.1 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-slider | ^1.2.1 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-slot | ^1.2.0 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-switch | ^1.1.1 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-tabs | ^1.1.0 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-toast | ^1.2.1 | MIT | dep | shadcn primitive | nice-to-have | green |
| @radix-ui/react-tooltip | ^1.1.2 | MIT | dep | shadcn primitive | nice-to-have | green |
| @sentry/nextjs | ^9.11.0 | MIT | dep | Sentry SDK | important | green |
| @sumsub/websdk | ^2.3.13 | MIT | dep | Sumsub KYC raw SDK | critical (compliance, PII) | green |
| @sumsub/websdk-react | ^2.3.13 | MIT | dep | Sumsub React wrapper | critical | green |
| @tanstack/react-query | ^5.55.0 | MIT | dep | Data fetching cache | important | green |
| @tanstack/react-query-devtools | ^5.56.2 | MIT | dep | Dev devtools | nice-to-have | green |
| @vercel/otel | 1.13.0 | MIT | dep | Next.js OTel — pinned 1.x (ADR-0004) | critical | green (intentional pin) |
| axios | ^1.7.7 | MIT | dep | HTTP | critical | red (audit #6) |
| class-variance-authority | ^0.7.0 | Apache-2.0 | dep | Variant utility | nice-to-have | green |
| clsx | ^2.1.1 | MIT | dep | className helper | nice-to-have | green |
| cmdk | ^1.1.1 | MIT | dep | Command palette | nice-to-have | green |
| cookies-next | ^4.3.0 | MIT | dep | Cookie helpers (SSR) | important | green |
| crypto | ^1.0.1 | unknown ({{verify}}) | dep | Likely shim of Node crypto — suspicious; recommend audit | nice-to-have | red ({{verify}} — possible squatted package) |
| dayjs | ^1.11.13 | MIT | dep | Date utility | important | green |
| decimal.js | ^10.4.3 | MIT | dep | Money math | critical (no float drift) | green |
| embla-carousel | ^8.3.1 | MIT | dep | Carousel core | nice-to-have | green |
| embla-carousel-autoplay | ^8.3.1 | MIT | dep | Carousel plugin | nice-to-have | green |
| embla-carousel-react | ^8.3.1 | MIT | dep | React binding | nice-to-have | green |
| embla-carousel-wheel-gestures | ^8.0.1 | MIT | dep | Wheel gestures | nice-to-have | green |
| emoji-mart | ^5.6.0 | MIT | dep | Emoji picker | nice-to-have | green |
| eqcss | ^1.9.2 | MIT | dep | Element-query CSS | nice-to-have | green |
| framer-motion | ^11.11.11 | MIT | dep | Animations | important | green |
| howler | ^2.2.4 | MIT | dep | Audio | nice-to-have | green |
| jose | ^6.0.7 | MIT | dep | JWT verification (browser) | critical (auth) | green |
| jwt-decode | ^4.0.0 | MIT | dep | JWT payload decode | important | green |
| lodash | ^4.17.21 | MIT | dep | Utilities | important | red (advisories — see audit doc) |
| lucide-react | ^0.440.0 | ISC | dep | Icons | nice-to-have | green |
| next | 14.2.25 | MIT | dep | Next.js framework | critical | red (audit #3 — next@14.2.30 patch) |
| next-intl | ^3.19.3 | MIT | dep | i18n routing & message catalog | critical (UX path) | green |
| qrcode.react | ^4.1.0 | ISC | dep | QR (deposit addresses, 2FA) | important | green |
| react | ^18 | MIT | dep | UI runtime | critical | green |
| react-dom | ^18 | MIT | dep | DOM renderer | critical | green |
| react-google-recaptcha | ^3.1.0 | MIT | dep | reCAPTCHA widget | critical (anti-bot) | green |
| react-hook-form | ^7.53.0 | MIT | dep | Form state | important | green |
| react-rnd | ^10.4.13 | MIT | dep | Resizable / draggable panels | nice-to-have | green |
| sass | ^1.78.0 | MIT | dep | SCSS compile | nice-to-have | green |
| seedrandom | ^3.0.5 | MIT | dep | Deterministic RNG | important | green |
| sharp | ^0.34.1 | Apache-2.0 | dep | Image optimization (Next.js) | important | green |
| socket.io-client | ^4.8.0 | MIT | dep | Realtime client | critical | yellow (transitive socket.io-parser advisory) |
| tailwind-merge | ^2.5.2 | MIT | dep | Tailwind class merge | nice-to-have | green |
| tailwindcss-animate | ^1.0.7 | MIT | dep | Tailwind plugin | nice-to-have | green |
| usehooks-ts | ^3.1.0 | MIT | dep | Hook collection | nice-to-have | green |
| uuid | ^11.0.4 | MIT | dep | UUID generator | nice-to-have | green |
| web-vitals | ^4.2.4 | Apache-2.0 | dep | Core Web Vitals beacon | important | green |
| zod | ^3.24.2 | MIT | dep | Runtime schema validation | important | green |
| zustand | ^5.0.0-rc.2 | MIT | dep | Client state | important | yellow (RC release pinned) |
| @hookform/devtools | ^4.3.1 | MIT | dev | RHF devtools | nice-to-have | green |
| @svgr/webpack | ^8.1.0 | MIT | dev | SVG → component | important | green |
| @tanstack/eslint-plugin-query | ^5.53.0 | MIT | dev | Lint rule | nice-to-have | green |
| @types/howler | ^2.2.12 | MIT | dev | Types | nice-to-have | green |
| @types/lodash | ^4.17.10 | MIT | dev | Types | nice-to-have | green |
| @types/node | ^20 | MIT | dev | Types | nice-to-have | green |
| @types/react | ^18 | MIT | dev | Types | nice-to-have | green |
| @types/react-dom | ^18 | MIT | dev | Types | nice-to-have | green |
| @types/react-google-recaptcha | ^2.1.9 | MIT | dev | Types | nice-to-have | green |
| @types/uuid | ^10.0.0 | MIT | dev | Types | nice-to-have | green |
| eslint | ^8 | MIT | dev | Linter | important | yellow (pinned to 8.x; ebit-api on 9) |
| eslint-config-next | 14.2.25 | MIT | dev | Next ESLint preset | nice-to-have | green |
| eslint-config-prettier | ^9.1.0 | MIT | dev | Lint / fmt interop | nice-to-have | green |
| eslint-plugin-import | ^2.31.0 | MIT | dev | Import order rules | nice-to-have | green |
| eslint-plugin-prettier | ^5.2.1 | MIT | dev | Prettier-as-rule | nice-to-have | green |
| husky | ^9.1.6 | MIT | dev | Git hooks | nice-to-have | green |
| lint-staged | ^15.2.10 | MIT | dev | Pre-commit lint | nice-to-have | green |
| mini-css-extract-plugin | ^2.9.1 | MIT | dev | Webpack CSS | nice-to-have | green |
| node-network-devtools | 1.0.23 | MIT | dev | Local-only debug | nice-to-have | green |
| postcss | ^8 | MIT | dev | CSS pipeline | nice-to-have | green |
| prettier | ^3.3.3 | MIT | dev | Formatter | nice-to-have | green |
| stylelint | ^16.12.0 | MIT | dev | CSS lint | nice-to-have | green |
| stylelint-config-standard | ^36.0.1 | MIT | dev | CSS lint preset | nice-to-have | green |
| tailwindcss | ^3.4.1 | MIT | dev | Tailwind compiler | important | green |
| typescript | ^5 | Apache-2.0 | dev | Compiler | critical | green |
1.3 ebit-admin-fe — internal admin — 54 deps + 19 devDeps
| Package | Version | License | Type | Used for | Criticality | Urgency |
|---|---|---|---|---|---|---|
| @ant-design/charts | ^2.2.6 | MIT | dep | Dashboard charts | important | green |
| @ant-design/plots | ^2.3.3 | MIT | dep | Plot primitives | important | green |
| @dnd-kit/core | ^6.3.1 | MIT | dep | DnD primitives | nice-to-have | green |
| @dnd-kit/modifiers | ^9.0.0 | MIT | dep | DnD modifiers | nice-to-have | green |
| @dnd-kit/sortable | ^10.0.0 | MIT | dep | Sortable lists | nice-to-have | green |
| @dnd-kit/utilities | ^3.2.2 | MIT | dep | DnD utils | nice-to-have | green |
| @hello-pangea/dnd | ^18.0.1 | Apache-2.0 | dep | Alternative DnD lib | nice-to-have | green |
| @heroicons/react | ^2.2.0 | MIT | dep | Icons | nice-to-have | green |
| @heroui/date-input | ^2.3.21 | MIT ({{verify}}) | dep | Date input | nice-to-have | green |
| @internationalized/date | ^3.6.0 | Apache-2.0 | dep | Date primitives (NextUI) | nice-to-have | green |
| @nextui-org/accordion ‥ @nextui-org/tooltip | ^2.x | MIT | dep | NextUI components (×19) | important | yellow (NextUI 2 → HeroUI 3 migration deferred) |
| @react-types/datepicker | ^3.9.0 | Apache-2.0 | dep | NextUI types | nice-to-have | green |
| @sentry/nextjs | ^9.11.0 | MIT | dep | Sentry | important | green |
| @tanstack/react-query | ^5.59.15 | MIT | dep | Data cache | important | green |
| @tanstack/react-query-devtools | ^5.59.15 | MIT | dep | Devtools | nice-to-have | green |
| axios | ^1.7.7 | MIT | dep | HTTP | critical | red (audit #6) |
| classnames | ^2.5.1 | MIT | dep | className helper | nice-to-have | green |
| clsx | ^2.1.1 | MIT | dep | className helper | nice-to-have | green |
| cookies-next | ^4.3.0 | MIT | dep | Cookies helper — note: still uses legacy jwt_* names (architecture.md §Known debt) | critical (auth) | red (cookie-name bug, not a CVE) |
| dayjs | ^1.11.13 | MIT | dep | Dates | important | green |
| flag-icons | ^7.5.0 | MIT | dep | Country flags | nice-to-have | green |
| framer-motion | ^11.11.9 | MIT | dep | Animations | important | green |
| jose | ^5.9.6 | MIT | dep | JWT verification | critical (auth) | yellow (5 → 6; ebit-fe is on 6) |
| jwt-decode | ^4.0.0 | MIT | dep | Decode token payload | important | green |
| lodash-es | ^4.17.21 | MIT | dep | Utilities (ESM) | important | red (transitive lodash advisories) |
| next | 14.2.25 | MIT | dep | Next.js framework | critical | red (patch to 14.2.30) |
| notistack | ^3.0.1 | MIT | dep | Snackbar toasts | nice-to-have | green |
| qrcode.react | ^4.2.0 | ISC | dep | QR (2FA setup) | important | green |
| react | ^18 | MIT | dep | UI runtime | critical | green |
| react-dom | ^18 | MIT | dep | DOM renderer | critical | green |
| react-hook-form | ^7.53.1 | MIT | dep | Form state | important | green |
| react-json-pretty | ^2.2.0 | MIT | dep | JSON viewer (audit panels) | nice-to-have | green |
| react-minimal-pie-chart | ^9.1.0 | MIT | dep | Pie charts | nice-to-have | green |
| recharts | ^2.15.0 | MIT | dep | Dashboard charts | important | green |
| sass | ^1.80.3 | MIT | dep | SCSS compile | nice-to-have | green |
| sharp | ^0.34.1 | Apache-2.0 | dep | Image optimization | important | green |
| zustand | ^5.0.3 | MIT | dep | Client state | important | green |
| @hookform/devtools | ^4.3.1 | MIT | dev | Devtools | nice-to-have | green |
| @svgr/webpack | ^8.1.0 | MIT | dev | SVG → component | important | green |
| @tanstack/eslint-plugin-query | ^5.59.7 | MIT | dev | Lint plugin | nice-to-have | green |
| @types/lodash-es | ^4.17.12 | MIT | dev | Types | nice-to-have | green |
| @types/node | ^20 | MIT | dev | Types | nice-to-have | green |
| @types/react | ^18 | MIT | dev | Types | nice-to-have | green |
| @types/react-dom | ^18 | MIT | dev | Types | nice-to-have | green |
| autoprefixer | ^10.4.20 | MIT | dev | PostCSS prefixer | nice-to-have | green |
| eslint | ^8 | MIT | dev | Linter | nice-to-have | yellow |
| eslint-config-next | 14.2.15 | MIT | dev | Next preset | nice-to-have | green |
| eslint-config-prettier | ^9.1.0 | MIT | dev | Lint/fmt interop | nice-to-have | green |
| eslint-plugin-import | ^2.31.0 | MIT | dev | Import order | nice-to-have | green |
| eslint-plugin-prettier | ^5.2.1 | MIT | dev | Prettier as rule | nice-to-have | green |
| husky | ^9.1.6 | MIT | dev | Git hooks | nice-to-have | green |
| lint-staged | ^12.3.2 | MIT | dev | Pre-commit | nice-to-have | yellow (12 → 15; ebit-fe is on 15) |
| postcss | ^8.4.47 | MIT | dev | CSS pipeline | nice-to-have | green |
| prettier | ^3.3.3 | MIT | dev | Formatter | nice-to-have | green |
| tailwindcss | ^3.4.14 | MIT | dev | Tailwind | important | green |
| typescript | ^5 | Apache-2.0 | dev | Compiler | critical | green |

Each @nextui-org/* package is its own npm package (separate sub-tree); listing every leaf would not change the table's outcome — they ship together and are upgraded as a single block.
2. System / container images
Sourced from the root docker-compose.yml plus the per-repo Dockerfiles.
| Image | Tag | License | Used for | Criticality | Notes |
|---|---|---|---|---|---|
| postgres | 13-bullseye | PostgreSQL License (BSD/MIT-like) | Primary DB | critical | Postgres 13 EOL November 2025 — already past EOL at this writing (2026-04-25). See ledger. |
| redis/redis-stack | latest | RSALv2 + SSPLv1 (since 2024) | Cache, BullMQ broker, online-set, throttler, bot Redis | critical | License changed to source-available in March 2024; review distribution implications (we run images, no redistribution → currently OK). |
| rabbitmq | 3.7-management | MPL-2.0 | Stub Fast Track only | nice-to-have | 3.7 EOL'd 2020; bump to 3.13-management once Fast Track is implemented. |
| otel/opentelemetry-collector-contrib | 0.96.0 | Apache-2.0 | Telemetry pipeline | important | One major behind (current 0.110+); spanmetrics + tail-sampling + filelog all working. |
| jaegertracing/jaeger | 2.17.0 | Apache-2.0 | Trace UI + Badger backend | important | v1 EOL'd 2025-12-31; v2 migration completed. |
| prom/prometheus | v2.55.0 | Apache-2.0 | Metrics TSDB | important | green; v3.x available. |
| grafana/grafana | 11.3.0 | AGPL-3.0 | UI :3003 | important | AGPL-3.0 — copyleft for SaaS distribution; we run unmodified upstream → not a derivative work. |
| grafana/loki | 3.2.0 | AGPL-3.0 | Log store | important | Same AGPL note as Grafana. |
| node | 22-alpine | MIT | ebit-api runtime base | critical | Node 22 active LTS; required by Prisma 7 (≥20.19/22.12) and NestJS 11. |
| node | 22.8-alpine3.19 | MIT | FE dev base | important | Active LTS as of 2025-10. |
| node | 22.12.0-bookworm | MIT | FE perf-build base | important | Bookworm variant for perf rig (avoids Alpine wget pnpm bug — see memory). |

No pip-managed services in the platform — all backend runtimes are Node.js. The only Python touches are Doppler CLI helpers and Terraform's external data sources, neither of which imports application Python deps.
3. Terraform providers
Sourced from terraform/perf/versions.tf, terraform/modules/app/versions.tf, terraform/modules/monitoring/versions.tf.
| Provider | Version constraint | Source | License | Used for |
|---|---|---|---|---|
| Terraform CLI | >= 1.5.0 | hashicorp/terraform | MPL-2.0 | IaC engine |
| hashicorp/aws | ~> 5.0 (registry latest 5.100.x) | registry.terraform.io/hashicorp/aws | MPL-2.0 | EC2, IAM, EBS, security groups for the perf rig |
| hashicorp/http | ~> 3.4 (registry latest 3.5.x) | registry.terraform.io/hashicorp/http | MPL-2.0 | One-shot HTTP data source (caller-IP autodetect for SG ingress) |
Two-module layout: terraform/modules/{app,monitoring}/, plus the env root terraform/perf/. Plan was clean for 58 resources on 2026-04-21 but not yet applied — see memory note and ../perf-run-checklist.md.
4. Critical security-sensitive deps
This is the deep-dive subset. Every item is critical in §1 and either touches auth, payments, money math, PII, or the trace-fairness data path.
4.1 bcrypt@5.1.1 (ebit-api)
Hashes user passwords in apps/api/src/auth/auth.service.ts. Open advisory via the bundled @mapbox/node-pre-gyp → tar chain (build-time only; runtime hash itself is unaffected). Plan: bump to bcrypt@6.0.0 — semver-major drops node-pre-gyp and rewires the native build. Effort: S (signature unchanged, just bump and rebuild image). Tracked as ledger item #3.
4.2 passport family + @nestjs/jwt@10.2.0 (ebit-api)
Email-password login, Google OAuth2, JWT signing, anonymous strategy, captcha-bypass strategy. No open advisories on the direct chain at this writing; passport@0.7.0 is current. JWT secrets rotate via Doppler. Plan: keep on green; revisit if any jsonwebtoken / jws advisory surfaces again (they did in 2025-Q4).
4.3 otplib@12.0.1 (ebit-api)
TOTP generation + verification for 2FA. Maintained, current. Critical because a regression here breaks every 2FA-enrolled account. No upgrade pending.
4.4 @prisma/client@6.5.0 + prisma@6.5.0 (ebit-api)
DB driver. The multiSchema preview feature gates the per-app schema split (ADR-0006). Touches every wallet write. No advisory. Quarterly minor bumps (currently green); major bumps gated on testing the full bet-place / payout flow.
4.5 pg (transitive via @prisma/client) — Postgres driver
Critical chain — all DB I/O rides this. Pinned by Prisma's lockfile; we don't depend on it directly.
4.6 axios@1.7.7 (all three repos)
Used for outbound calls to Sumsub, Skindeck, Sendgrid, payment providers. Has multiple high-severity advisories: __proto__ DoS, NO_PROXY SSRF, cloud-metadata exfiltration, multipart-boundary entropy. Plan: upgrade to axios@1.14.1 across all repos in a single coordinated PR. Effort: S (drop-in). Tracked as ledger item #1.
4.7 eosjs@22.1.0 (ebit-api)
EOS-chain anchoring for speed-roulette (architecture.md). Pulls a critical-severity elliptic advisory chain. The library is deprecated upstream — no replacement in active maintenance. Mitigation: pin to a downgraded but advisory-free version, or excise EOS anchoring entirely if we no longer publish to mainnet. See dependency-audit.md #2 and ledger item #5.
4.8 @bebkovan/server-core@2.1.2 (ebit-api)
Private internal package; bundles eosjs + nestjs-cls. Critical advisory inherits from those. Bump to 2.1.5 (npm shows it available); needs verification that the upstream private registry has a release that drops the vulnerable transitives.
4.9 @nestjs/core@10.4.15 and the platform-* / microservices / websockets siblings (ebit-api)
Three high-severity advisories: injection in @nestjs/core (GHSA-36xv-jgw5-4q75), DoS in @nestjs/microservices recursive handleData (GHSA-hpwf-8g29-85qm), Express body-parser chain in @nestjs/platform-express. Plan: upgrade the entire NestJS suite to 11.1.x in one PR. Effort: M (breaking changes in @nestjs/cqrs, deprecated lifecycle hook signatures). Tracked as ledger item #2.
4.10 next@14.2.25 (ebit-fe + ebit-admin-fe)
Critical advisories on cache poisoning + SSRF (GHSA chain). Patch path: next@14.2.30 is non-breaking. Effort: S. Tracked as ledger item #4.
4.11 @vercel/otel@1.13.0 (ebit-fe; ebit-admin-fe missing)¶
Pinned to 1.x intentionally — 2.x removed propagateContextUrls, which we need for cross-service trace propagation (ADR-0004). admin-fe never installed it, which is one of the three bugs blocking admin-fe traces (architecture.md §Known debt).
4.12 @sumsub/websdk + @sumsub/websdk-react@2.3.13 (ebit-fe)¶
KYC ingestion — handles passport scans, selfies, residency proofs (PII). License MIT; SDK loaded directly from Sumsub CDN at runtime, no local mirror. Critical because Sumsub is the gatekeeper for deposit > €1k. No advisory.
4.13 @maxmind/geoip2-node@5.0.0 (ebit-api)¶
Geo-restriction (compliance). License Apache-2.0. Compliance-critical: returning the wrong country for a user can let restricted jurisdictions through. One major behind (5 → 6); upgrade non-urgent but tracked.
4.14 decimal.js@10.4.3 (ebit-fe)¶
Money math — the only thing standing between Number drift and a payout disaster. License MIT; current.
4.15 class-validator@0.14.1 (ebit-api)¶
DTO validation for every API endpoint. Pulls a transitive validator@<13.15.21 advisory (open-redirect / SSRF via URL checks). Upgrade validator to 13.15.21+ via lockfile bump. Tracked as ledger item #6.
4.16 helmet@8.1.0 (ebit-api)¶
HTTP security headers. License MIT. Current.
4.17 ioredis@5.6.1 (ebit-api)¶
Two Redis instances + BullMQ broker. License MIT. Current. Critical dependency — every queue, cache, online-set, and throttler operation goes through it.
4.18 pino@10.3.1 + nestjs-pino@4.6.1 (ebit-api)¶
Framework logger that reaches Loki. License MIT, current. Trace-correlation via @opentelemetry/instrumentation-pino (memory).
For the prioritized advisory triage with owners and fix paths, see ../security/internal/dependency-audit.md. The numbering above maps onto its "Top 20 advisories" table.
5. License summary¶
Tally of unique direct deps across all three repos (~290 distinct packages — @nextui-org/* and @radix-ui/* collapsed into single entries; @types/* counted once per repo):
| License | Count | Notes |
|---|---|---|
| MIT | ~205 | Default for the npm ecosystem. No copyleft obligations. |
| Apache-2.0 | ~25 | All OpenTelemetry, Prisma, Google Cloud Storage, MaxMind GeoIP, sharp, ejs, rxjs, reflect-metadata, TypeScript, @swc/core, class-variance-authority, @hello-pangea/dnd, @internationalized/date, @react-types/*, web-vitals. Patent grant — fine for closed-source distribution. |
| ISC | ~5 | lucide-react, qrcode.react, nyc, @bebkovan/server-core. Functionally equivalent to MIT. |
| BSD-2-Clause / BSD-3-Clause | ~3 | dotenv (BSD-2), joi (BSD-3), @sentry/cli (BSD-3). |
| 0BSD | 1 | tslib — public-domain-equivalent. |
| MPL-2.0 | 0 direct | All Terraform providers + RabbitMQ image are MPL-2.0. File-level copyleft only — fine for IaC use. |
| AGPL-3.0 | 0 npm deps | Grafana 11 + Loki 3 container images are AGPL-3.0. We run unmodified upstream and do not redistribute → no copyleft obligation. Action: re-assess before we ever fork Grafana or expose the UI as a public SaaS. |
| RSALv2 / SSPLv1 | 1 image (Redis since 2024) | Source-available, not OSI. We use prebuilt images — no source distribution → currently OK. Risk if we ever bundle Redis into a managed product. |
| Proprietary / UNLICENSED | 4 (@bebkovan/geo, ebit-api itself, ebit-fe, ebit-admin-fe — all marked private: true) | Internal code — expected. |
| unknown / {{verify}} | 2 (@bebkovan/geo, crypto on ebit-fe) | Both flagged for follow-up. crypto on npm is a 2014-era no-op shim and is almost certainly an unused legacy install — recommend removal. |
Copyleft / restrictive checks.
- No GPL / LGPL / AGPL npm dependencies in any repo (verified via spot-check of installed node_modules/<pkg>/package.json).
- The only AGPL exposure is the Grafana / Loki container images. Acceptable because we ship them as unmodified upstream binaries.
- The only source-available exposure is Redis (RSALv2/SSPL). Acceptable for our use (we run the image, do not redistribute or sell as a managed Redis service).
- No Anthropic-style "tier-licensed" deps (e.g., Elastic License, BSL).
6. Upgrade ledger¶
Forward-looking work. Owners marked {{TBD}} until handover assigns.
| # | Package | Current → Target | Effort | Breaking changes | Blocks | Target | Owner |
|---|---|---|---|---|---|---|---|
| 1 | axios (×3 repos) | 1.7.7 → 1.14.1 | S | None — minor bump; types stable | Closes 4 high CVEs (SSRF, DoS, cloud-metadata) | 2026-Q2 | {{TBD}} |
| 2 | @nestjs/* suite | 10.4.15 → 11.1.19 | M | @nestjs/cqrs v11 changes the IEventHandler signature; @nestjs/microservices Redis transport options renamed; Logger lifecycle methods now async | Closes 4 high advisories; required to adopt @nestjs/bullmq@11 | 2026-Q3 | {{TBD}} |
| 3 | bcrypt | 5.1.1 → 6.0.0 | S | Drops node-pre-gyp; rebuild Docker image native deps | Closes tar advisory chain | 2026-Q2 | platform-auth |
| 4 | next (fe + admin-fe) | 14.2.25 → 14.2.30 | S | None (patch) | Closes critical cache-poison + SSRF | 2026-05-01 (urgent) | frontend-platform |
| 5 | eosjs | 22.1.0 → removed | L | Replace EOS-anchoring with internal commit-reveal scheme, or stop publishing to mainnet | Closes critical elliptic chain; unblocks @bebkovan/server-core upgrade | 2026-Q3 | speed-roulette-team |
| 6 | class-validator ↔ validator transitive | 0.14.1 / validator <=13.15.20 → validator 13.15.21+ | S | Lockfile-only bump | Closes URL-validation advisory | 2026-Q2 | backend-platform |
| 7 | redis/redis-stack image | latest → 7.4-pinned | S | Stop pulling latest; pin a digest. License unchanged (RSALv2 since 2024). | Reproducible builds; closes float-tag risk | 2026-Q2 | infra |
| 8 | postgres image | 13-bullseye → 16-bookworm | M | Postgres 13 EOL'd Nov 2025. Test Prisma against 16; verify multiSchema migrations replay clean | Compliance, supportability | 2026-Q3 | data-platform |
| 9 | ~~node runtime~~ | ~~20.15.0 → 22.x~~ | — | Done (2026-05). All Dockerfiles now on node:22-alpine / node:22.13.0; Prisma 7 + NestJS 11 require Node ≥20.19/22.12. | — | Done | platform |
| 10 | eslint (FE repos) | 8.x → 9.x | M | Flat-config migration; ebit-api already on 9 — adopt the same config. | Lint parity across the workspace | 2026-Q3 | dev-tooling |
| 11 | @vercel/otel (admin-fe) | missing → 1.13.0 | S | Add as a dependency; gate Sentry import per ADR-0004. | Fixes admin-fe cross-service tracing (one of three bugs in memory note) | 2026-Q2 | frontend-platform |
| 12 | otel/opentelemetry-collector-contrib | 0.96.0 → 0.110+ | S | Verify spanmetrics connector config still parses; tail-sampling policies unchanged. | Picks up upstream perf fixes | 2026-Q3 | observability |
| 13 | cookies-next (admin-fe) cookie-name fix | code-fix, not pkg | S | Switch from jwt_access_token → access_token to match ebit-api (architecture.md §Known debt) | Admin-fe login post-SSR works | 2026-Q2 | frontend-platform |
7. Refresh process¶
This file is meant to be regenerated, not hand-edited, after the first capture. Cadence and tooling:
- Quarterly — re-extract every direct dep into the §1 tables. Use the script below.
- Weekly + on every PR — run npm audit (api) and pnpm audit (FEs). If any new critical or high lands, log it in ../security/internal/dependency-audit.md and tick the entry into §6 here.
- Monthly — run npm outdated / pnpm outdated and refresh the urgency column. Anything ≥2 majors behind flips to red.
- On every container image update — re-run §2 and check the linked compose file.
Regen script¶
Add to tools/docs/refresh-dependencies.sh (place alongside the existing check-links.sh, mdlint.sh helpers — that directory is already referenced from CI):
```bash
#!/usr/bin/env bash
# Re-extract dependency tables for docs/engineering/dependencies.md.
# Outputs raw TSV — paste into the markdown tables.
set -euo pipefail
ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
for repo in ebit-api ebit-fe ebit-admin-fe; do
  echo "=== $repo ==="
  for kind in dependencies devDependencies; do
    echo "-- $kind --"
    # `// {}` keeps jq from erroring (and set -e from aborting) when a
    # package.json has no devDependencies block.
    jq -r "(.$kind // {}) | to_entries[] | [.key, .value] | @tsv" "$ROOT/$repo/package.json"
  done
done
echo "=== docker images ==="
grep -E '^\s*image:' "$ROOT/docker-compose.yml" | awk '{print $2}' | sort -u
echo "=== terraform providers ==="
grep -hE 'source|version' "$ROOT/terraform"/{perf,modules/*}/versions.tf | sed 's/^[[:space:]]*//'
echo "=== licenses (api spot-check) ==="
for p in @nestjs/core @prisma/client bcrypt ioredis bullmq passport-jwt next react axios; do
  for r in ebit-api ebit-fe ebit-admin-fe; do
    f="$ROOT/$r/node_modules/$p/package.json"
    # Skip packages not installed in this repo; print name, repo, version, license.
    [ -f "$f" ] && jq -r --arg p "$p" --arg r "$r" '"\($p)\t\($r)\t\(.version)\t\(.license // "unknown")"' "$f"
  done
done
```
CI hook¶
Add a docs CI step that runs tools/docs/refresh-dependencies.sh on a quarterly cron (or on every package*.json change) and fails the job if its output diverges from this file's §1 tables. That keeps the inventory honest without requiring a manual pass.
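The drift check that CI step needs, as an added example in Python rather than the project's own shell tooling: it reads a §1 inventory table's Package and Version columns, compares them with the repo's package.json, and exits non-zero on any mismatch. The sample package.json and table are constructed; table rows are assumed to be single-line markdown rows as in the source file.

```python
# Added example (not the project's own tooling): drift check for the docs CI
# step. Compares the Package/Version columns of a markdown inventory table with
# a repo's package.json; the sample inputs below are constructed.
import json
import sys

SAMPLE_PACKAGE_JSON = ('{"dependencies": {"axios": "^1.7.7", "helmet": "^8.1.0"},'
                       ' "devDependencies": {"jest": "^29.7.0"}}')
SAMPLE_TABLE = """| Package | Version | License | Type |
|---|---|---|---|
| axios | ^1.7.7 | MIT | dep |
| helmet | ^8.0.0 | MIT | dep |
| lodash | ^4.17.21 | MIT | dep |
"""

def package_json_deps(text: str) -> dict:
    """{name: range} for every direct dependency and devDependency."""
    data = json.loads(text)
    return {**data.get("dependencies", {}), **data.get("devDependencies", {})}

def table_deps(markdown: str) -> dict:
    """{name: range} from the first two cells of each single-line table row,
    skipping the header row and the |---| separator."""
    deps = {}
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 2 or cells[0] == "Package" or set(cells[0]) <= {"-", ":"}:
            continue
        deps[cells[0]] = cells[1]
    return deps

def drift(pkg_deps: dict, doc_deps: dict) -> list:
    """Sorted (name, in_package_json, in_inventory) per mismatch; None = absent."""
    names = sorted(set(pkg_deps) | set(doc_deps))
    return [(n, pkg_deps.get(n), doc_deps.get(n))
            for n in names if pkg_deps.get(n) != doc_deps.get(n)]

if __name__ == "__main__":  # usage: drift_check.py [<package.json> <inventory.md>]
    texts = ([open(a, encoding="utf-8").read() for a in sys.argv[1:]] if len(sys.argv) == 3
             else [SAMPLE_PACKAGE_JSON, SAMPLE_TABLE])
    problems = drift(package_json_deps(texts[0]), table_deps(texts[1]))
    for name, have, documented in problems:
        print(f"{name}: package.json={have!r} inventory={documented!r}")
    sys.exit(1 if problems else 0)
```

Run without arguments it exercises the constructed sample, reporting helmet (stale range), jest (installed but undocumented) and lodash (documented but not installed).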
Cross-links¶
- High-level companion: stack.md
- Live security triage with owners: ../security/internal/dependency-audit.md
- Vendor relationship + cost angle: ../business/integration-options.md, ../business/infrastructure-cost.md
- Architecture decisions referenced: ADR-0003, ADR-0004, ADR-0006, ADR-0007
- Architecture / known-debt narrative: architecture.md