SOFTWARE BILL OF MATERIALS

Every line of code transparent

Complete list of every dependency, version, license, and purpose. Last updated: March 2026.

34 Dependencies
8 Security-Critical
50% MIT Licensed

Security Packages (Internal) (4)

Dependency | Version | License | Purpose
@nodatachat/crypto | workspace | Proprietary | AES-256-GCM, RSA-OAEP, PBKDF2 - encryption core
@nodatachat/filter | workspace | Proprietary | Content filtering and PII detection
@nodatachat/db | workspace | Proprietary | Database abstraction + RLS enforcement
@nodatachat/shared | workspace | Proprietary | Shared security utilities

Internal Packages (Monorepo) (10)

Dependency | Version | License | Purpose
@nodatachat/core | workspace | Proprietary | Core business logic
@nodatachat/relay | workspace | Proprietary | Message relay - encrypted routing
@nodatachat/email | workspace | Proprietary | Email templates and delivery
soc-scanner | workspace | Proprietary | SOC compliance scanner - 51 controls
capsule | workspace | Proprietary | Always-on security monitoring daemon
guard | workspace | Proprietary | Security scanning and auto-fix engine
vault-server | workspace | Proprietary | Encrypted vault backend (GCP Cloud Run)
chrome-shield | workspace | Proprietary | Chrome extension - vault browser access
sdk | workspace | Proprietary | Public SDK for customers
proxy | workspace | Proprietary | API proxy / Blind Relay

Runtime Dependencies (6)

Dependency | Version | License | Purpose
next | 16.1.6 | MIT | Primary framework - App Router, SSR, API routes
react | 19.2.3 | MIT | UI rendering engine
react-dom | 19.2.3 | MIT | DOM rendering
@supabase/supabase-js | 2.97.0 | MIT | Database client - Postgres + RLS + Realtime
zustand | 4.5.7 | MIT | State management (client-side stores)
stripe | 20.4.0 | MIT | Payment processing

Monitoring (2)

Dependency | Version | License | Purpose
@sentry/nextjs | 10.43.0 | MIT | Error tracking and performance monitoring
@serwist/next | 9.5.6 | MIT | PWA / Service Worker

Utilities (7)

Dependency | Version | License | Purpose
jszip | 3.10.1 | MIT / GPLv3 | ZIP file creation (scan reports)
qrcode | 1.5.4 | MIT | QR code generation (vault sharing)
html-to-image | 1.11.13 | MIT | Screenshot capture (proof generation)
pdfjs-dist | 3.11.174 | Apache-2.0 | PDF parsing (document analysis)
node-html-parser | 7.1.0 | MIT | HTML parsing (scanner)
@sparticuz/chromium | 143.0.4 | MIT | Headless browser (serverless PDF/screenshot)
nodemailer | 8.0.3 | MIT | Email sending

Build & Dev (5)

Dependency | Version | License | Purpose
typescript | 5.9.3 | Apache-2.0 | Type safety and compile-time checks
tailwindcss | 4.x | MIT | CSS framework (utility-first)
eslint | 9.x | MIT | Code linting and security rules
vitest | 4.0.18 | MIT | Testing framework
esbuild | 0.27.3 | MIT | JavaScript bundler (fast builds)

Notes

workspace = internal monorepo package - not published to npm (except @nodatachat/protect)

Red dot = security-critical dependency - gets special review on every update

• All dependencies managed with lock files (npm ci). No unpinned installs.

• npm audit runs in CI. Known CVEs addressed within 48h for critical, 7 days for high.