General Feedback

Cross-cutting engineering-hygiene observations beyond the per-repo security findings — observability, and a full dependency inventory with live-verified version-currency & critical-update guidance.

Scope: 13 repositories
Dependencies assessed: 61 notable (of full inventory below)
Versions verified: endoflife.date · npm · Packagist · OSV — 2026-06-01

Observability & error monitoring — partial, with two live blind spots

Only two surfaces capture errors. Two of the actively-shipping products — the modern mobile app and the partner API — have no error or crash reporting at all, so production failures there are invisible unless a user complains. This maps to the audit's A09: Logging & Monitoring Failures, and is why the target architecture puts Sentry + CloudWatch/X-Ray across every service.

| Surface | Tool | Status | Notes |
|---|---|---|---|
| alist-portal (Laravel backend) | sentry/sentry-laravel | Wired up | Registered in app/Exceptions/Handler.php; DSN from env. Error-only — no performance tracing (traces_sample_rate unset), release tracking commented out. Confirm SENTRY_DSN is set in prod & events are arriving. |
| a-list-ios (native Swift) | Firebase Crashlytics 10.4.0 | Wired up | GoogleService-Info.plist + init in AppDelegate.swift. Crash reporting only. |
| alist-partner (Laravel 11 API · active) | | None | No Sentry despite the portal having it — the API has zero error visibility. |
| alist-android (Expo/RN · active) | | None | The modern mobile app has no crash reporting (no Sentry/Crashlytics) and no analytics. |
| alist-vendors · alist-website · creators-website · alist-cms | | None | No client-side error monitoring on any web frontend. |
| Legacy (a-list-demo, alist-v2, …) | Sentry (demo, inherited) | N/A | Frozen forks — not relevant to production monitoring. |

Recommendation: standardize on one error-monitoring stack (Sentry covers backend + web + React Native + iOS/Android from one vendor) and wire it into every active surface — priority: alist-android and alist-partner first. Verify the existing portal DSN is live, then add performance tracing and release/version tagging so regressions are attributable to a deploy.

Third-party tools & services

External services the codebase integrates with — what each is for, where it's used, and whether you'll likely want an account / read access for the audit (vs. just being aware it exists). Verified from manifests, config and the live site (2026-06-01).

Priority access to request from the CEO: AWS (console + IAM read), Cloudflare, Bitbucket (workspace admin), Stripe, Firebase, Sentry, Google Analytics, monday.com, Intercom, Hotjar, Apple App Store Connect & Google Play Console. These cover money, customer PII, infrastructure, source control and analytics — the high-value surfaces.

Customer & communications

| Service | Purpose | Used in | For audit | Note |
|---|---|---|---|---|
| Intercom | Support chat & customer messaging | iOS, Android, web portal, website | Request access | Holds customer PII & conversations. A live Intercom access token was committed (iOS) and bundled (Android) — rotate. |
| Gmail / Google Workspace (SMTP) | Transactional email | portal (MAIL_HOST=smtp.gmail.com) | Request access | Mail is sent via Gmail SMTP. The demo fork committed a Gmail SMTP password — rotate the mailbox credential. |

Payments

| Service | Purpose | Used in | For audit | Note |
|---|---|---|---|---|
| Stripe | Payments & subscriptions | portal, iOS, vendors | Request access | Financial data. Secret/whsec keys were committed; PHP SDK is several majors behind (^10 vs 20). |

Identity, auth & SMS

| Service | Purpose | Used in | For audit | Note |
|---|---|---|---|---|
| Twilio | Phone OTP / SMS (Verify) | partner (+ portal OTP flow) | Request access | Backs phone-OTP login. Account SID/token were committed — rotate. Tied to the OTP security findings. |
| Google Sign-In (OAuth) | Social login | iOS, Android, portal | Be aware | Google OAuth client; one client_secret + refresh token were committed in portal/demo. |
| Google reCAPTCHA | Bot / form protection | alist-v2 (client recaptcha) | Be aware | Used on some forms; verify site keys and that validation is server-side. |

Push & mobile platform

| Service | Purpose | Used in | For audit | Note |
|---|---|---|---|---|
| Firebase | Push (FCM), Crashlytics, Analytics | iOS, Android, portal | Request access | A Firebase Admin service-account private key was committed in portal — can push to all users. Console access needed to audit projects & rotate. |
| Apple APNS | iOS push certificates/keys | iOS | Be aware | An APNS .p8 auth key was committed at the iOS repo root — revoke in the Apple Developer portal. |
| Apple App Store Connect | iOS app distribution & signing | iOS | Request access | Needed to review releases, signing identities, TestFlight. |
| Google Play Console | Android distribution | Android (Expo) | Request access | Needed to review releases, signing, data-safety declarations. |
| Expo / EAS | Mobile build & OTA updates | Android (Expo SDK 54) | Request access | Build pipeline + over-the-air updates. eas.json points production at the dev API. |

CRM, ops & realtime

| Service | Purpose | Used in | For audit | Note |
|---|---|---|---|---|
| monday.com | CRM / lead capture / work management | portal, partner, vendors, creators | Request access | Holds leads/PII. Its API token was committed AND inlined into the creators-website browser bundle — rotate & move server-side. |
| Slack | Ops notifications (incoming webhooks) | portal, partner | Be aware | Hardcoded webhook URLs committed and reused across repos — rotate via Slack app config. |
| Pusher | Realtime channels (broadcast) | portal | Request access | App keys/secret in config. Console access to review channels/keys. |
| Self-hosted socket.io / laravel-echo-server | Realtime (self-managed) | portal | Be aware | Runs with wildcard CORS and a leaked Redis endpoint — infra concern, not a SaaS account. |

Analytics & marketing (web)

| Service | Purpose | Used in | For audit | Note |
|---|---|---|---|---|
| Google Analytics 4 | Web analytics | website / marketing (G-2H13HZMS8G) | Request access | Read access to GA4 to review traffic & events; ties into the SEO tab. |
| Google Tag Manager | Tag management | website | Request access | Controls which trackers load; review container & consent. |
| Meta (Facebook) Pixel | Ad conversion tracking | website, marketing | Be aware | Loaded on the site; review for consent/privacy compliance. |
| Hotjar | Session recording & heatmaps | website | Request access | Session recordings can capture PII — review retention & access. |

Maps & location

| Service | Purpose | Used in | For audit | Note |
|---|---|---|---|---|
| Google Maps Platform / Geocoding | Venue maps & geocoding | portal, iOS, Android, website | Request access | API key + billing. Check key restrictions (HTTP referrer / bundle) and usage. |

Monitoring

| Service | Purpose | Used in | For audit | Note |
|---|---|---|---|---|
| Sentry | Error monitoring | portal (only) | Request access | Confirm the prod DSN is set and events arrive; not wired into partner API or the mobile app (see Observability). |

Infrastructure & platform

| Service | Purpose | Used in | For audit | Note |
|---|---|---|---|---|
| AWS | S3 (file storage), ElastiCache (Redis) | portal / backend | Request access | Read/console + IAM access to see what runs where, storage buckets, and the cache. Central to any infra audit. |
| Cloudflare | DNS, CDN, WAF, robots.txt | alist.ae | Request access | Controls DNS, edge caching, security headers and the (auto-default) robots.txt flagged in the SEO tab. |
| Bitbucket (Atlassian) | Source control & CI pipelines | all repos | Request access | Workspace admin to review pipelines, branch protection, and rotate the committed app password that unlocks every repo. |
| Strapi (self-hosted CMS) | Website content | website, alist-cms | Be aware | Self-hosted on dev-strapi.alist.ae, ~18 months unpatched — infra to inventory, not a SaaS account. |
| Legacy cPanel hosting | Where older apps may still run | a-list-demo / legacy | Request access | Confirm which hosts are live; the 2020 fork's committed secrets are only a risk if a host is still serving. |

Dependency currency & critical updates

Declared versions compared against current stable, End-of-Life status and known CVEs (verified live against endoflife.date, npm, Packagist and OSV on 2026-06-01). Verdict = whether an update is urgent.

Critical — update now: 9
High — update soon: 19
Moderate — routine: 23
Current: 10

What actually matters — ranked

PHP / Laravel
Mobile (iOS · Expo/RN)

Full version comparison

Verdict | Repo | Package | Declared | Latest | EOL | CVE / risk | Action
critical a-list-demo php (runtime) ^7.2 8.4.21 (8.5 GA) 2020-11-30 (EOL) Runtime past EOL — unpatched engine CVEs accumulate PHP 7.2 EOL 2020-11-30 — 5.5 years unsupported, no security patches. LEGACY/retiring: do not leave internet-facing; isolate or decommission now.
critical a-list-demo laravel/framework ^6.2 6.20.45 (branch); 12.61.0 current 2022-09-06 (security ended 2022-01-25) CVE-2024-52301, CVE-2025-27515 + older 6.x advisories (GHSA-66hf-2p6w-jqfw, GHSA-pfg4-p438-p874) Laravel 6 EOL 2022-09-06, security ended 2022-01-25. Unpatchable in-branch beyond 6.20.45. LEGACY/retiring — accelerate decommission; if it must run, isolate behind auth/VPN.
critical a-list-demo guzzlehttp/guzzle ^6.5 7.10.6 6.x abandoned CVE-2022-31090/31091 (SSRF+cookie), GHSA-25mq-v84q-4j7r, GHSA-f2wf-25xc-69c9, GHSA-w248-ffj2-4v5q Guzzle 6.x is EOL (last 6.5.8) and carries 5 advisories. Cannot patch without moving to 7.x, which Laravel 6 may not support. Retire repo or upgrade stack.
critical a-list-demo barryvdh/laravel-dompdf (dompdf 0.8.x) ^0.8.6 3.1.2 (dompdf 3.0) 0.8.x abandoned 8+ advisories incl. GHSA-3cw5-7cxw-v5qg, GHSA-pf6p-25r2-fx45, GHSA-x752-qjv4-c4hc (RCE/SSRF-class) dompdf 0.8.6 has a large CVE cluster including RCE/SSRF-class issues. LEGACY/retiring — high-value target if PDF input is user-influenced. Decommission or upgrade to dompdf 3.x.
critical alist-android react-native 0.81.4 0.85.3 EOL 2026-02-11 (0.81 line) No known CVE (OSV clean at 0.81.4); risk is unsupported runtime Upgrade to a supported RN line (0.83/0.84/0.85). 0.81 is past upstream EOL — no more patches. Top mobile priority.
critical alist-cms strapi 4.14.4 5.47.0 v4 to v5; CVE-2026-27886 unauth admin takeover unpatched in v4. Top priority.
critical alist-v2 php (runtime) ^8.0.2 8.4.21 (8.5 GA) 2023-11-26 (EOL) Runtime past EOL — unpatched engine CVEs PHP 8.0 EOL 2023-11-26 — no security patches. LEGACY/retiring: move to 8.2+ if kept, else isolate/decommission.
critical alist-v2 laravel/framework ^9.2 9.52.21 (branch); 12.61.0 current 2024-02-06 (security ended 2023-08-08) CVE-2024-52301 (HIGH, fix 9.52.17), CVE-2025-27515 (fix 9.52.18) Laravel 9 EOL 2024-02-06, security ended 2023-08-08. Carries unpatched-in-old-lock CVE-2024-52301 (HIGH) + CVE-2025-27515. LEGACY/retiring — accelerate decommission or jump to 11/12.
critical alist-vendors+website+v2 axios 1.11.0 1.16.1 Bump to 1.16.1; MITM CVSS 9.4 up to 1.15.0.
high a-list-demo doctrine/dbal ^2.10 4.4.3 (2.13.9 final 2.x) 2.x unmaintained DBAL 2.x unmaintained. Tied to Laravel 6; resolve as part of repo retirement rather than in-place.
high a-list-demo sentry/sentry-laravel ^1.9 4.25.1 1.x unmaintained Sentry SDK 3 majors behind; 1.x unmaintained. Low security risk but no fixes/telemetry features. Address with retirement.
high a-list-ios Firebase (Crashlytics/Analytics/Messaging) 10.4.0 12.14.0 n/a (10.x superseded by 11.x/12.x) No specific verified CVE; two majors of fixes missed Two major versions behind. App is slated for retirement — freeze unless a security/SDK-deprecation forces a bump; do not invest in a full upgrade.
high a-list-ios Intercom (iOS) 14.0.6 19.6.1 n/a Five majors behind. Retirement-bound app — freeze; only bump if Intercom drops backend support for v14.
high a-list-ios Siren 6.1.3 6.1.3 Upstream latest (May 2024) Supply-chain: security audit flagged a PERSONAL FORK in use Version matches upstream, but verify the build pulls official ArtSabintsev/Siren, not the flagged personal fork. Replace provenance regardless of retirement.
high alist-android expo ^54.0.7 56.0.8 SDK 54 (Sep 2025) ~2 behind; edge of Expo's ~3-SDK support window Bump Expo SDK 54 -> 56 in lockstep with the RN upgrade; coordinate the two so the toolchains stay compatible.
high alist-android react-native-render-html ^6.3.4 6.3.4 Unmaintained (latest release Feb 2022) None known; risk is abandonment On latest but library is effectively dead — plan migration (e.g. native rendering / alternative) before it blocks the RN/React upgrade.
high alist-cms mysql 2.18.1 2.18.1 Replace unmaintained mysql with mysql2.
high alist-cms node 16-20 22 LTS Pin Node 22 LTS; 16/18/20 all EOL.
high alist-partner laravel/framework ^11.31 11.54.0 (branch EOL); 12.61.0 current 2026-03-12 (security ended 2025-09-03) CVE-2024-52301 fixed in 11.31.0; CVE-2025-27515 fixed in 11.44.1 — verify lock >= 11.44.1 Same as portal: constraint already past the CVE fixes; ensure lockfile updated to 11.54.0. Branch unsupported — schedule 11->12 upgrade.
high alist-portal laravel/framework ^11.0 11.54.0 (branch EOL); 12.61.0 current 2026-03-12 (security ended 2025-09-03) CVE-2024-52301 (HIGH), CVE-2025-27515 (MOD) — fixed in 11.31.0/11.44.1 Branch EOL 2026-03-12, security ended 2025-09-03. Run composer update (caret resolves to patched 11.54.0) to clear the two CVEs, then plan 11->12 migration within months.
high alist-portal (npm) vue-router ^3.0.1 4.x v3 EOL (Vue 2 line) Vue Router 3 targets Vue 2 (EOL). EOL/abandoned major; modernize with the portal frontend migration to Vue 3 + Router 4.
high alist-portal (npm) socket.io-client ^2.5.0 4.x 2.x EOL socket.io 2.x advisory class (DoS/parser) socket.io-client 2.x is EOL and has known advisories in the 2.x server/client line. Upgrade to 4.x in coordination with the server.
high alist-v2 moment 2.29.3 2.30.1 Deprecated; retire or dayjs.
high alist-v2 laravel/sanctum ^2.14.1 4.3.2 2.x tied to Laravel <=9 Sanctum 2 majors behind (2.x supported only up to Laravel 9). Upgrade in lockstep with the Laravel 9->11/12 migration.
high alist-vendors next 15.3.3 15.5.18 Patch to 15.5.18; CVE-2026-44575/45109 middleware bypass.
high alist-website node-sass 9.0.0 9.0.0 Drop deprecated node-sass; sass present.
high alist-website vue-template-compiler 2.7.14 2.7.16 Remove; Vue2 pkg in a Vue3 app.
high creators+tryalist react-scripts 5.0.1 5.0.1 Migrate off deprecated CRA to Vite.
moderate a-list-ios GoogleSignIn (iOS) 7.1.0 9.1.0 n/a Two majors behind; auth-relevant. Retirement-bound — freeze unless Google enforces a minimum SDK.
moderate a-list-ios Charts 4.1.0 5.1.0 n/a One major behind. Retirement-bound — freeze.
moderate a-list-ios AppAuth 1.7.6 2.0.0 n/a One major behind; auth library. Retirement-bound — freeze unless an OAuth provider requires it.
moderate a-list-ios Alamofire / Kingfisher / SDWebImage / lottie-ios 5.6.4 / 7.7.0 / 5.15.0 / 4.1.2 5.12.0 / 8.9.0 / 5.21.7 / 4.6.0 n/a None verified at declared versions All behind (Kingfisher a full major). Retirement-bound app — freeze; no bulk upgrade warranted.
moderate alist-android react-native-webview 13.15.0 13.16.1 n/a None returned by OSV at 13.15.0 Patch-level behind; bump during the SDK upgrade. Re-check advisories post-upgrade (webview is a recurrent CVE surface).
moderate alist-android @intercom/intercom-react-native ^9.1.1 10.2.0 n/a None returned by OSV at 9.1.1 One major behind; upgrade to 10.x during the SDK bump (newer native Intercom SDK + RN 0.8x compatibility).
moderate alist-android react-native-reanimated ~4.1.0 4.4.0 n/a Minor behind within v4; will move naturally with the Expo SDK upgrade.
moderate alist-portal stripe/stripe-php ^10.12 20.2.0 10.x superseded 10 majors behind. Functional via pinned API version, but missing security hardening and newer API features. Plan a staged SDK upgrade; test webhook/signature handling.
moderate alist-portal intervention/image ^2.5 4.1.2 (2.7.2 final 2.x) 2.x unmaintained 2.x unmaintained (final 2.7.2). v3/v4 are a rewrite with API changes — plan a migration; low immediate security risk.
moderate alist-portal spatie/laravel-permission ^6.7 8.0.0 6.x superseded 2 majors behind but 6.x still works on Laravel 11. Upgrade to 7/8 when moving to Laravel 12.
moderate alist-portal barryvdh/laravel-dompdf 3.0.0 3.1.2 supported On dompdf 3.x (good). Pinned exact 3.0.0 — bump to ^3.1.2 for patch fixes.
moderate alist-portal predis/predis ^1.1 3.4.2 1.x EOL 2 majors behind; 1.x EOL. Upgrade to predis 2/3 or switch to phpredis. Low direct security risk.
moderate alist-portal doctrine/dbal ^3.0 4.4.3 3.x maintained On maintained 3.x (3.10.5). Move to 4.x with the Laravel 12 / PHP 8.2+ upgrade. No urgent CVE.
moderate alist-portal (npm) stripe (stripe-js) ^12.5.0 current major (~7.x stripe-js / SDK reorg) superseded Stripe JS pinned to an old major. Update alongside stripe-php SDK refresh and test Elements/checkout flows.
moderate alist-v2 pusher-js 7.1.0-beta 8.5.0 Old beta; retire or 8.x.
moderate alist-v2 vue 3.2.31 3.5.35 Legacy; note only.
moderate alist-v2 guzzlehttp/guzzle ^7.2 7.10.6 7.x supported CVE-2022-31090/31091 fixed in 7.4.5 — ensure lock past it On supported 7.x; ^7.2 resolves forward. composer update to 7.10.6 to pick up SSRF/cookie fixes that landed in 7.4.5.
moderate alist-v2 spatie/laravel-permission ^5.5 8.0.0 5.x superseded 3 majors behind; 5.x functional but unmaintained. Upgrade with the framework migration.
moderate alist-vendor-portal vue-vite stack various apexcharts 4.x Legacy prototype; assess-only.
moderate alist-website vue-cli-service 5.0.0 5.0.9 Patch 5.0.9; plan Vite.
moderate alist-website vue 3.2.13 3.5.35 Raise floor to 3.5.
moderate creators+tryalist react 18.3.1 19.2.6 Upgrade to 19 with Vite.
moderate creators+tryalist typescript 4.9.5 5.x Upgrade to TS 5.x.
current alist-android react 19.1.0 19.2.6 supported On current major; routine patch bump only.
current alist-android @react-native-google-signin/google-signin ^16.1.2 16.1.2 supported On latest; no action.
current alist-android @tanstack/react-query ^5.90.2 5.100.14 supported Same major, minor behind; routine bump.
current alist-portal php (runtime) ^8.2 8.4.21 (8.5 GA) 2026-12-31 8.2 supported through 2026-12-31. Bump composer constraint toward 8.3/8.4 before year-end to stay on a security-supported line.
current alist-portal sentry/sentry-laravel ^4.1 4.25.1 supported On the current 4.x major. Routine composer update to 4.25.1.
current alist-portal laravel/passport ^13.0 13.7.5 supported On current major; composer update to 13.7.5. Security-relevant (OAuth) — keep patched.
current alist-portal maatwebsite/excel 3.1.58 3.1.69 supported Same 3.1 line, a few patches behind. Routine composer update; check underlying phpspreadsheet for advisories.
current alist-vendors react 19.0.0 19.2.6 Routine patch; clean.
current alist-vendors sharp 0.34.4 0.34.5 Routine patch; clean.
current alist-vendors d3 7.9.0 7.9.0 No action; clean.

Confidence: rows were live-verified where the registry/EOL API responded; a few fall back to known advisories. CVE column lists verified IDs or the risk class — not every transitive advisory is enumerated. Legacy repos (a-list-demo, alist-v2, alist-vendor-portal) are slated for retirement; their fixes are "decommission or isolate," not "patch in place."
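
The "verify lock >= 11.44.1" and "ensure lock past it" actions in the table depend on the version recorded in composer.lock, not on the caret constraint in composer.json. The following is an added example, not part of the audit's own tooling, that checks a lockfile against the fix versions quoted in the rows above; the function names and the sample lock contents are constructed for illustration and are not the repos' real lockfiles.

```python
import json
import re

# Fix floors copied from the comparison table above:
# package -> major branch -> [(advisory, first fixed version)].
FIX_FLOORS = {
    "laravel/framework": {
        9: [("CVE-2024-52301", "9.52.17"), ("CVE-2025-27515", "9.52.18")],
        11: [("CVE-2024-52301", "11.31.0"), ("CVE-2025-27515", "11.44.1")],
    },
    "guzzlehttp/guzzle": {
        7: [("CVE-2022-31090/31091", "7.4.5")],
    },
}


def parse_version(text):
    """Return (major, minor, patch) for 'v11.9.2' or '7.4.5', else None (e.g. 'dev-main')."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def audit_lock(lock_text):
    """List (package, installed, advisory, fixed_in) for every floor the lock misses."""
    lock = json.loads(lock_text)
    installed = {
        pkg["name"]: pkg["version"]
        for pkg in lock.get("packages", []) + lock.get("packages-dev", [])
    }
    findings = []
    for name, branches in FIX_FLOORS.items():
        raw = installed.get(name)
        if raw is None:
            continue  # package is not locked in this repo
        version = parse_version(raw)
        if version is None:
            # Branch aliases such as dev-main cannot be compared; surface them.
            findings.append((name, raw, "unverifiable version", None))
            continue
        if version[0] not in branches:
            # No floor recorded for this major: report it instead of passing silently.
            findings.append((name, raw, "branch not covered by table", None))
            continue
        for advisory, fixed in branches[version[0]]:
            if version < parse_version(fixed):
                findings.append((name, raw, advisory, fixed))
    return findings


# Constructed sample: a lock that satisfies "^11.0" yet predates both fixes.
STALE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.9.2"},
        {"name": "guzzlehttp/guzzle", "version": "7.8.1"},
    ],
    "packages-dev": [],
})

# Constructed sample: the same constraint after `composer update`.
UPDATED_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.54.0"},
        {"name": "guzzlehttp/guzzle", "version": "7.10.6"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for label, lock in (("stale", STALE_LOCK), ("updated", UPDATED_LOCK)):
        results = audit_lock(lock)
        print(label, "->", results if results else "at or above every listed fix")
```

Run it against each repo's real composer.lock in CI so a constraint that merely permits the patched release is not mistaken for having it installed.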

Full dependency inventory

Every direct dependency declared in each repo's manifests (composer.json / package.json / Podfile.lock). Transitive lockfile packages are excluded.

alist-portal — 36 direct deps php ^8.2
composer
barryvdh/laravel-dompdf@3.0.0 doctrine/dbal@^3.0 geocoder-php/google-maps-provider@^4.7 giggsey/libphonenumber-for-php@^8.13 google/apiclient@^2.18 guzzlehttp/guzzle@^7.2.0 hashids/hashids@^4.0 intervention/image@^2.5 jdavidbakr/mail-tracker@^7.0 laravel/framework@^11.0 laravel/passport@^13.0 laravel/slack-notification-channel@^3.4 laravel/tinker@^2.5 laravel/ui@^4.0 lcobucci/jwt@^5.0 league/flysystem-aws-s3-v3@3.0 maatwebsite/excel@3.1.58 orangehill/iseed@^3.0 php-http/guzzle7-adapter@* php-http/message@^1.16 php-http/message-factory@^1.1 predis/predis@^1.1 pusher/pusher-php-server@* rap2hpoutre/laravel-log-viewer@^2.2 sentry/sentry-laravel@^4.1 spatie/laravel-permission@^6.7 stevebauman/location@^7.4 stripe/stripe-php@^10.12 yajra/laravel-datatables-oracle@^11
npm
@vue-stripe/vue-stripe@^4.5.0 chartist-plugin-axistitle@0.0.7 socket.io-client@^2.5.0 stripe@^12.5.0 sweetalert2@^10.16.9 vue-router@^3.0.1 vuex@^4.1.0
alist-partner — 6 direct deps php ^8.2
composer
laravel/framework@^11.31 laravel/passport@^13.0 laravel/slack-notification-channel@^3.6 laravel/tinker@^2.9 twilio/sdk@^8.7 vinkla/hashids@^12.0
a-list-ios — 38 direct deps
cocoapods
Alamofire@5.6.4 AppAuth@1.7.6 BSImagePicker@3.3.1 BottomPopup@0.7.0 Charts@4.1.0 Cosmos@23.0.0 DropDown@2.3.13 FSCalendar@2.8.4 Firebase@10.4.0 FirebaseAnalytics@10.4.0 FirebaseCore@10.4.0 FirebaseCoreInternal@10.4.0 FirebaseCrashlytics@10.4.0 FirebaseInstallations@10.4.0 FirebaseMessaging@10.4.0 GTMAppAuth@4.1.1 GTMSessionFetcher@3.5.0 GoogleAppMeasurement@10.4.0 GoogleDataTransport@9.2.1 GoogleSignIn@7.1.0 GoogleUtilities@7.11.0 IQKeyboardManagerSwift@7.0.3 ImageCropper@0.1.5.1 InkPageIndicator@2.0.5 Intercom@14.0.6 Kingfisher@7.7.0 ParallaxHeader@3.0.0 PhoneNumberKit@3.7.11 PromisesObjC@2.1.1 SDWebImage@5.15.0 SKPhotoBrowser@7.1.0 SVPinView@1.0.11 Siren@6.1.3 SkeletonView@1.30.4 SwiftAlgorithms@1.0.0 SwiftMessages@10.0.1 lottie-ios@4.1.2 nanopb@2.30909.0
alist-android — 61 direct deps
npm
@expo/metro-runtime@~6.1.2 @expo/vector-icons@^15.0.2 @gorhom/bottom-sheet@^5.1.8 @intercom/intercom-react-native@^9.1.1 @quidone/react-native-wheel-picker@^1.6.1 @react-native-async-storage/async-storage@^2.2.0 @react-native-google-signin/google-signin@^16.1.2 @react-native-picker/picker@2.11.1 @react-native/virtualized-lists@^0.72.8 @react-navigation/bottom-tabs@^7.3.10 @react-navigation/elements@^2.3.8 @react-navigation/native@^7.1.6 @shopify/flash-list@^2.2.0 @tanstack/react-query@^5.90.2 @tanstack/react-query-devtools@^5.90.2 @tanstack/react-query-persist-client@^5.90.12 country-flag-icons@^1.5.20 expo@^54.0.7 expo-av@~16.0.7 expo-blur@~15.0.7 expo-clipboard@~8.0.7 expo-constants@~18.0.9 expo-dev-client@~6.0.16 expo-device@~8.0.8 expo-font@~14.0.8 expo-haptics@~15.0.7 expo-image@~3.0.8 expo-image-picker@~17.0.8 expo-linking@~8.0.8 expo-notifications@^0.32.11 expo-router@~6.0.7 expo-secure-store@~15.0.7 expo-splash-screen@~31.0.10 expo-status-bar@~3.0.8 expo-symbols@~1.0.7 expo-system-ui@~6.0.7 expo-video@~3.0.11 expo-web-browser@~15.0.7 i18n-iso-countries@^7.14.0 react@19.1.0 react-dom@19.1.0 react-native@0.81.4 react-native-confirmation-code-field@^8.0.1 react-native-element-dropdown@^2.12.4 react-native-fast-shimmer@^1.3.4 react-native-gesture-handler@~2.28.0 react-native-keyboard-aware-scroll-view@^0.9.5 react-native-keyboard-controller@^1.19.2 react-native-otp-entry@^1.8.5 react-native-pager-view@6.9.1 react-native-reanimated@~4.1.0 react-native-render-html@^6.3.4 react-native-safe-area-context@~5.6.0 react-native-screens@~4.16.0 react-native-svg@15.12.1 react-native-swiper@^1.6.0 react-native-toast-message@^2.3.3 react-native-web@^0.21.0 react-native-webview@13.15.0 react-native-worklets@0.5.1 zustand@^5.0.8
alist-vendors — 16 direct deps
npm
@fontsource/poppins@^5.2.6 @headlessui/react@^2.2.7 @reduxjs/toolkit@^2.8.2 @types/crypto-js@^4.2.2 axios@^1.11.0 crypto-js@^4.2.0 d3@^7.9.0 date-fns@^4.1.0 next@15.3.3 react@^19.0.0 react-dom@^19.0.0 react-hot-toast@^2.6.0 react-redux@^9.2.0 redux-saga@^1.3.0 sharp@^0.34.4 swiper@^12.0.2
alist-website — 29 direct deps
npm
@babel/core@^7.12.16 @babel/eslint-parser@^7.12.16 @popperjs/core@^2.11.8 @vue/cli-plugin-babel@~5.0.0 @vue/cli-plugin-eslint@~5.0.0 @vue/cli-service@~5.0.0 @vueuse/head@^2.0.0 axios@^1.5.0 bootstrap@^5.3.0 core-js@^3.8.3 eslint@^7.32.0 eslint-plugin-vue@^8.0.3 gsap@^3.12.4 markdown-vue@^1.0.2 node-sass@^9.0.0 sass@^1.63.6 sass-loader@^13.3.2 scss@^0.2.4 swiper@^10.0.4 vue@^3.2.13 vue-axios@^3.5.2 vue-router@^4.2.4 vue-svg-loader@^0.16.0 vue-template-compiler@^2.7.14 vue3-marquee@^4.2.0 vue3-otp-input@^0.4.1 vue3-toastify@^0.1.13 vuex@^4.1.0 webpack@^5.88.2
creators-website — 13 direct deps
npm
@fontsource/poppins@^5.0.14 @testing-library/jest-dom@^5.17.0 @testing-library/react@^13.4.0 @testing-library/user-event@^13.5.0 @types/jest@^27.5.2 @types/node@^16.18.101 @types/react@^18.3.3 @types/react-dom@^18.3.0 react@^18.3.1 react-dom@^18.3.1 react-scripts@^5.0.1 typescript@^4.9.5 web-vitals@^2.1.4
alist-cms — 11 direct deps node >=16.0.0 <=20.x.x
npm
@strapi/design-system@^1.11.0 @strapi/plugin-i18n@^4.14.4 @strapi/plugin-users-permissions@^4.14.4 @strapi/provider-upload-local@^4.14.4 @strapi/strapi@^4.14.4 esbuild-loader@^4.0.0 express-rate-limit@^7.1.0 koa-bodyparser@^4.4.1 koa2-ratelimit@^1.1.3 mysql@2.18.1 rate-limiter-flexible@^3.0.0
a-list-demo — 15 direct deps php ^7.2
composer
barryvdh/laravel-dompdf@^0.8.6 doctrine/dbal@^2.10 fideloper/proxy@^4.0 guzzlehttp/guzzle@^6.5 hashids/hashids@^4.0 intervention/image@^2.5 jdavidbakr/mail-tracker@3.* laravel/framework@^6.2 laravel/slack-notification-channel@^2.0 laravel/tinker@^1.0 laravel/ui@^1.1 maatwebsite/excel@^3.1 rapidwebltd/php-google-contacts-v3-api@^2.0 sentry/sentry-laravel@^1.9 yajra/laravel-datatables-oracle@~9.0
alist-v2 — 49 direct deps php ^8.0.2
composer
darkaonline/l5-swagger@^8.3 doctrine/dbal@^3.4 guzzlehttp/guzzle@^7.2 hashids/hashids@^4.1 intervention/image@^2.7 jdavidbakr/mail-tracker@^6.0 laravel/framework@^9.2 laravel/sanctum@^2.14.1 laravel/tinker@^2.7 maatwebsite/excel@^3.1 predis/predis@^2.0 psr/simple-cache@^2.0 spatie/laravel-permission@^5.5 stevebauman/location@^6.4
npm
@babel/core@^7.17.8 @babel/preset-env@^7.16.11 @johmun/vue-tags-input@^2.1.0 @sipec/vue3-tags-input@^3.0.4 @vue/compiler-sfc@^3.2.31 @vueform/multiselect@^2.5.6 @vueup/vue-quill@^1.0.0-beta.9 add@^2.0.6 apexcharts@^3.35.3 babel-loader@^8.2.4 laravel-echo@^1.13.1 moment@^2.29.3 public-ip@^5.0.0 pusher-js@^7.1.0-beta socket.io-client@^2.3.0 v-calendar@^3.0.0-alpha.8 vee-validate@^4.5.11 vue@^3.2.31 vue-advanced-cropper@^2.8.6 vue-client-recaptcha@^1.0.1 vue-content-loader@^2.0.1 vue-final-modal@^3.4.4 vue-google-autocomplete@^1.1.3 vue-image-crop-upload@^3.0.3 vue-js-modal@^2.0.1 vue-loader@^17.0.0 vue-loading-skeleton@^1.1.9 vue-router@^4.0.13 vue-toastification@^2.0.0-rc.5 vue3-apexcharts@^1.4.1 vue3-editor@^0.1.1 vue3-simple-typeahead@^1.0.5 vuex@^4.0.2 yarn@^1.22.19 yup@^0.32.11
alist-vendor-portal — 16 direct deps
npm
@fancyapps/ui@^5.0.36 @videojs-player/vue@^1.0.0 apexcharts@^3.49.0 bootstrap@^5.3.3 filepond@^4.31.1 filepond-plugin-file-validate-type@^1.2.9 filepond-plugin-image-preview@^4.6.12 sass@^1.75.0 scss@^0.2.4 swiper@^11.1.1 video.js@^8.12.0 vue-file-upload@^0.1.12 vue-filepond@^7.0.4 vue-qrcode-reader@^5.5.4 vue-router@^4.3.2 vue3-apexcharts@^1.5.2
tryalist — 15 direct deps
npm
@fontsource/poppins@^5.0.14 @testing-library/jest-dom@^5.17.0 @testing-library/react@^13.4.0 @testing-library/user-event@^13.5.0 @types/jest@^27.5.2 @types/node@^16.18.101 @types/react@^18.3.3 @types/react-dom@^18.3.0 blurhash@^2.0.5 react@^18.3.1 react-blurhash@^0.3.0 react-dom@^18.3.1 react-scripts@5.0.1 typescript@^4.9.5 web-vitals@^2.1.4
pr36 — 0 direct deps
No package manifests — static HTML/CSS/JS (vendored assets only).