# Dependency Baseline

## Purpose

This document records the active dependency baseline for the project after upgrading runtime and tooling packages.

## Active Applications

The active applications are:

- `frontend/`
- `backend/`

Both active applications use npm lockfiles:

- `frontend/package-lock.json`
- `backend/package-lock.json`

The root production scripts use npm commands. Do not add Yarn lockfiles back to the active apps unless the package-manager decision is explicitly changed.

## Frontend Baseline

The frontend dependency baseline has been updated to current stable npm versions for the active Vite app.

Key tooling/runtime updates:

- React 19
- Vite 8
- TypeScript 6
- Tailwind 4 with `@tailwindcss/postcss`
- Vitest 4
- ESLint 10
- `@vitejs/plugin-react`
- Playwright for frontend smoke tests

Verification:

- `npm run lint` passes.
- `npm run test` passes.
- `npm run test:e2e` passes when a local browser install is available.
- `npm run build` passes and runs typecheck before Vite.
- `npm audit --audit-level=low` reports 0 vulnerabilities.
- `npm outdated` reports no outdated stable dependencies.

## Backend Baseline

The backend dependency baseline has been updated to current stable npm versions for the active Express app.

Key tooling/runtime updates:

- Express 5
- bcrypt 6
- helmet 8
- jsonwebtoken 9
- Sequelize 6.37
- ESLint 10 flat config
- `eslint-plugin-import-x` for unresolved import checks with ESLint 10

The backend uses an npm `overrides` entry for `uuid` so transitive dependency trees resolve to the patched stable line.

Verification:

- `npm audit --audit-level=low` reports 0 vulnerabilities.
- `npm outdated` reports only `json2csv@6.0.0-alpha.2` above the installed stable `5.0.7`; prerelease packages are not part of the stable baseline.
- `npm run lint` still fails on existing generated/template code debt. The ESLint 10 `.eslintignore` warning is resolved, and the remaining lint failures should be fixed as backend cleanup instead of hidden with broad ignores.

## Reference Frontend

`ref-frontend/` is a temporary reference artifact, not the active runtime frontend. Keep it frozen until integration work no longer needs it, then delete it.
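
One way to confirm that the backend `overrides` entry for `uuid` (see Backend Baseline) actually took effect is to scan the lockfile for every installed copy of the package and flag any below a floor version. This is an added example, not the project's own code; the function names, the sample lockfile, and the floor `9.0.0` are constructed placeholders, since this document does not state the patched version.

```javascript
// Added example: list every copy of a package in an npm lockfile
// (lockfileVersion 2/3 "packages" map) that sits below a floor version.

// Parse "MAJOR.MINOR.PATCH"; prerelease tags are rejected so an alpha/beta
// build never counts as satisfying a stable floor.
function parseStable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? m.slice(1).map(Number) : null;
}

function atLeast(version, floor) {
  const v = parseStable(version);
  const f = parseStable(floor);
  if (!f) throw new Error(`invalid floor version: ${floor}`);
  if (!v) return false; // prerelease or malformed: not in the stable baseline
  for (let i = 0; i < 3; i++) {
    if (v[i] !== f[i]) return v[i] > f[i];
  }
  return true;
}

// Returns [{ path, version }] for each copy of `name` below `floor`.
// Matches top-level and nested installs, but not "@scope/<name>".
function findBelowFloor(lock, name, floor) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => !atLeast(meta.version, floor))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile; package names and versions are illustrative.
// For a real check, pass JSON.parse of backend/package-lock.json instead.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "backend" },
    "node_modules/uuid": { version: "9.0.1" },
    "node_modules/some-lib/node_modules/uuid": { version: "3.4.0" },
    "node_modules/other-lib/node_modules/uuid": { version: "9.1.0-beta.1" },
    "node_modules/not-uuid": { version: "1.0.0" },
  },
};

console.log(findBelowFloor(sampleLock, "uuid", "9.0.0"));
```

An empty result means every resolved copy is on or above the floor; any entry returned names the nested install path that the override did not cover.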