# Dependency Audit — 2026-06-02

## Scope
Scanned user-space projects under `/home/ubuntu/`, excluding system venvs (`/usr/lib/python*/dist-packages`), caches (`.npm/`, `.bun/`, `.cache/`, `.hermes/`), and pre-migration directories.

---

## Do First — Top 5 Low-Risk, High-Value Upgrades

| # | Project | Package | Current → Latest | Risk | Action |
|---|---------|---------|------------------|------|--------|
| 1 | `openclaw-src-v2026.3.22` | `playwright-core` | 1.58.2 → 1.60.0 | **minor** | Upgrade — patch only |
| 2 | `hermes-workspace` | `playwright` | 1.58.2 → 1.60.0 | **minor** | Upgrade — patch only |
| 3 | `openclaw-workspace` | `playwright` | 1.58.2 → 1.60.0 | **minor** | Upgrade — patch only |
| 4 | `hermes-agent` (venv) | `certifi` | 2026.2.25 → 2026.5.20 | **none** | Upgrade — patch only |
| 5 | `openclaw-src-v2026.3.22` | `undici` | 7.24.5 → 8.3.0 | **major** | **Manually test first** — major version with breaking changes to `fetch()` header handling |

---

## bibliothek-app

**Location:** `/home/ubuntu/bibliothek-app/`  
**Type:** Python (requirements.txt, no venv found)  
**Tool:** `pip list --outdated` (global, unreliable — many system deps shown)

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| fastapi | pinned=0.135.1 | ~0.136+ | none | Leave — pinned |
| httpx | pinned=0.28.1 | 0.28+ | minor | Upgrade patch |
| mistralai | pinned=2.1.2 | ~2.2+ | minor | Needs manual check |
| pillow | 12.1.1 | 12.2.0 | none | Upgrade — patch |
| PyJWT | global 2.7.0 | 2.13.0 | minor | Check venv usage |
| pydantic | 2.12.5 | 2.13.4 | none | Upgrade |
| python-dotenv | 1.2.2 | 1.2+ | none | Upgrade |
| uvicorn | 0.42.0 | 0.30+ | none | Upgrade |

**Note:** Global pip list includes hundreds of unrelated system packages. Create a venv for accurate auditing.

---

## budget-transfer-bot

**Location:** `/home/ubuntu/budget-transfer-bot/`  
**Type:** Python (requirements.txt, single dep)

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| requests | `>=2.31.0` | 2.34.2 | none | Upgrade to 2.32.x+ (fixes `CVE-2024-35195`) |

---

## fitbit-hevy-spike / hevy-sense2-companion-pr2

**Shared pattern** — both `path-a-companion/` dirs use identical deps.

**Location:** `/home/ubuntu/fitbit-hevy-spike/path-a-companion/`, `/home/ubuntu/hevy-sense2-companion-pr2/path-a-companion/`  
**Type:** Node.js (package-lock.json present)

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| @fitbit/sdk | 7.2.0-pre.0 | 6.1.0 (stable) | **major** | **Do not upgrade** — pre-release SDK is intentional; downgrading to stable likely breaks build targets |
| typescript | 5.4.5 | 5.7.x (6.0.3) | minor | Upgrade to 5.7.x for type safety improvements; 6.0 needs review |

**Note:** `@fitbit/sdk` latest stable (6.1.0) is **older** than the pre-release in use (7.2.0-pre.0). This is a Fitbit-specific quirk — the pre-release is ahead of stable. Leave as-is.

---

## hermes-agent

### Node.js (`package.json`, `package-lock.json`)

**Location:** `/home/ubuntu/hermes-agent/`

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| agent-browser | `^0.13.0` | 0.27.1 | **major** | **Needs manual check** — 2x version jump; test thoroughly before upgrading |
| @askjo/camoufox-browser | `^1.0.0` | 1.0.12 | minor | Upgrade — patch |

### Python (venv at `hermes-agent/venv/`)

**Location:** `/home/ubuntu/hermes-agent/`  
**Audit:** `pip list --outdated` inside venv

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| requests | 2.33.1 | 2.34.2 | none | Upgrade — patches CVE |
| pydantic | 2.12.5 | 2.13.4 | none | Upgrade |
| PyJWT | 2.12.1 | 2.13.0 | minor | Upgrade — CVE-2026-32597 (already in range `>=2.12.0`) |
| openai | 2.30.0 | 2.40.0 | minor | Upgrade — check API compatibility |
| anthropic | 0.91.0 | 0.105.2 | **major** | **Test first** — v1 API changes likely |
| rich | 14.3.3 | 15.0.0 | **major** | **Test first** — breaking output changes |
| parallel-web | 0.4.2 | 0.6.0 | minor | Upgrade |
| fal_client | 0.13.2 | 1.0.0 | **major** | **Do not upgrade** — v1 is likely breaking |
| firecrawl-py | 4.22.1 | 4.28.2 | minor | Upgrade |
| exa-py | 2.11.0 | 2.13.0 | none | Upgrade |
| pydantic-core | 2.41.5 | 2.47.0 | none | Upgrade (pydantic will pull this) |
| jiter | 0.13.0 | 0.15.0 | none | Upgrade |
| aiohttp | 3.13.5 | 3.14.0 | none | Upgrade |
| certifi | 2026.2.25 | 2026.5.20 | none | Upgrade |
| cryptography | 46.0.6 | 48.0.0 | minor | Upgrade |
| docstring_parser | 0.17.0 | 0.18.0 | none | Upgrade |
| markdown-it-py | 4.0.0 | 4.2.0 | minor | Upgrade |
| idna | 3.11 | 3.17 | none | Upgrade |
| urllib3 | 2.6.3 | 2.7.0 | none | Upgrade |
| wcwidth | 0.6.0 | 0.7.0 | none | Upgrade |
| propcache | 0.4.1 | 0.5.2 | none | Upgrade |
| yarl | 1.23.0 | 1.24.2 | none | Upgrade |
| pip | 26.0 | 26.1.2 | none | Upgrade |

---

## hermes-agent (website subdirectory)

**Location:** `/home/ubuntu/hermes-agent/website/`  
**Type:** Docusaurus 3 (package-lock.json, but node_modules missing)

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| @docusaurus/core | (lock: 3.9.2) | 3.10.1 | minor | Upgrade — run `npm install` then upgrade |
| @docusaurus/preset-classic | (lock: 3.9.2) | 3.10.1 | minor | Upgrade with core |
| @docusaurus/theme-mermaid | (lock: 3.10.1) | 3.10.1 | none | Already current |
| @easyops-cn/docusaurus-search-local | (lock: 0.55.x) | 0.55.2 | none | Upgrade |
| react | (lock: 19.x) | 19.2.7 | none | Upgrade |
| react-dom | (lock: 19.x) | 19.2.7 | none | Upgrade |

**Note:** node_modules missing — run `npm install` to restore before upgrading.

---

## hermes-webui

**Location:** `/home/ubuntu/hermes-webui/`  
**Type:** Python (requirements.txt — only pyyaml)

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| pyyaml | `>=6.0` | 6.0.3 | none | Upgrade to latest 6.x |

---

## hermes-workspace

**Location:** `/home/ubuntu/hermes-workspace/`  
**Type:** Node.js (Vite + React + TanStack, pnpm-lock.yaml)

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| @base-ui/react | 1.3.0 | 1.5.0 | minor | Upgrade |
| @hugeicons/core-free-icons | 3.3.0 | 4.2.0 | minor | Upgrade |
| @lobehub/icons | 5.0.1 | 5.10.0 | minor | Upgrade |
| @lobehub/icons-static-png | 1.83.0 | 1.91.0 | none | Upgrade |
| @tailwindcss/vite | 4.2.1 | 4.3.0 | none | Upgrade |
| @tanstack/eslint-config | 0.3.4 | 0.4.0 | minor | Upgrade |
| @tanstack/react-query | 5.90.21 | 5.100.14 | minor | Upgrade |
| @tanstack/react-router | 1.166.7 | 1.170.10 | minor | Upgrade |
| @tanstack/react-start | 1.166.8 | 1.168.18 | minor | Upgrade |
| @tanstack/router-plugin | 1.166.7 | 1.168.13 | minor | Upgrade |
| @types/node | 22.19.15 | 22.19.19 | none | Upgrade (25.9.1 is major TypeScript bump) |
| @types/react | 19.2.14 | 19.2.16 | none | Upgrade |
| @vitejs/plugin-react | 5.2.0 | 6.0.2 | **major** | **Test first** — v6 may have breaking changes |
| jsdom | 27.4.0 | 29.1.1 | **major** | **Test first** — jumps 2 major versions |
| marked | 17.0.4 | 18.0.4 | **major** | **Test first** — v18 has breaking API changes |
| motion | 12.36.0 | 12.40.0 | none | Upgrade |
| playwright | 1.58.2 | 1.60.0 | none | Upgrade |
| prettier | 3.8.1 | 3.8.3 | none | Upgrade |
| react | 19.2.4 | 19.2.7 | none | Upgrade |
| react-dom | 19.2.4 | 19.2.7 | none | Upgrade |
| react-joyride | 2.9.3 | 3.1.0 | **major** | **Test first** — new major version |
| recharts | 3.8.0 | 3.8.1 | none | Upgrade |
| shiki | 3.23.0 | 4.1.0 | **major** | **Test first** — v4 has breaking API |
| tailwindcss | 4.2.1 | 4.3.0 | none | Upgrade |
| tailwind-merge | 3.5.0 | 3.6.0 | none | Upgrade |
| tsx | 4.21.0 | 4.22.4 | none | Upgrade |
| typescript | 5.9.3 | 6.0.3 | **major** | **Test first** — strict mode changes |
| vite | 7.3.1 | 8.0.16 | **major** | **Test first** — skip 2 majors |
| vitest | 3.2.4 | 4.1.8 | **major** | **Test first** — v4 has breaking changes |
| web-vitals | 5.1.0 | 5.3.0 | none | Upgrade |
| ws | 8.19.0 | 8.21.0 | none | Upgrade |
| yaml | 2.8.2 | 2.9.0 | none | Upgrade |
| zod | 3.25.76 | 4.4.3 | **major** | **Do not upgrade** — v4 is breaking rewrite |
| zustand | 5.0.11 | 5.0.14 | none | Upgrade |

---

## lobbytracker

**Location:** `/home/ubuntu/lobbytracker/`  
**Type:** Node.js (Next.js 16, package-lock.json)

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| @supabase/supabase-js | 2.105.1 | 2.106.2 | none | Upgrade |
| @tailwindcss/postcss | 4.2.4 | 4.3.0 | none | Upgrade |
| @types/node | 20.19.39 | 20.19.41 | none | Upgrade (25.9.1 is major TS bump) |
| @types/react | 19.2.14 | 19.2.16 | none | Upgrade |
| eslint | 9.39.4 | 10.4.1 | **major** | **Test first** — v10 config format changes |
| eslint-config-next | 16.2.4 | 16.2.7 | none | Upgrade |
| next | 16.2.4 | 16.2.7 | none | Upgrade |
| react | 19.2.4 | 19.2.7 | none | Upgrade |
| react-dom | 19.2.4 | 19.2.7 | none | Upgrade |
| tailwindcss | 4.2.4 | 4.3.0 | none | Upgrade |
| typescript | 5.9.3 | 6.0.3 | **major** | **Test first** — strict mode changes |

---

## nachlakes-oss / releasekit

**Location:** `/home/ubuntu/nachlakes-oss/releasekit/`  
**Type:** Node.js (TypeScript CLI, npm lockfile)

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| @types/node | 22.19.19 | 25.9.1 | minor | Upgrade minor only |
| @vitest/coverage-v8 | 2.1.9 | 4.1.8 | **major** | **Do not upgrade** — jumps 2 majors; requires vitest 4 |
| commander | 12.1.0 | 15.0.0 | **major** | **Test first** — v13+ may have breaking changes |
| eslint | 9.39.4 | 10.4.1 | **major** | **Test first** — v10 config changes |
| typescript | 5.9.3 | 6.0.3 | **major** | **Test first** — strict mode changes |
| vitest | 2.1.9 | 4.1.8 | **major** | **Do not upgrade** — major version, requires coverage-v8 upgrade too |

---

## nachlakes-oss / repo-stats

**Location:** `/home/ubuntu/nachlakes-oss/repo-stats/`  
**Type:** Node.js (TypeScript CLI, npm lockfile)

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| @types/node | 22.19.19 | 25.9.1 | minor | Upgrade minor only |
| commander | 12.1.0 | 15.0.0 | **major** | **Test first** — v13+ changes |
| typescript | 5.9.3 | 6.0.3 | **major** | **Test first** — strict mode changes |
| vitest | 2.1.9 | 4.1.8 | **major** | **Do not upgrade** — requires major coverage-v8 upgrade |

---

## openclaw-src-v2026.3.22

**Location:** `/home/ubuntu/openclaw-src-v2026.3.22/`  
**Type:** pnpm monorepo (package.json + pnpm-lock.yaml)

### Dependencies (prod)

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| @agentclientprotocol/sdk | 0.16.1 | 0.23.0 | **major** | **Needs manual check** — 7 minor versions behind |
| @anthropic-ai/vertex-sdk | 0.14.4 | 0.16.1 | minor | Upgrade |
| @aws-sdk/client-bedrock | 3.1014.0 | 3.1058.0 | none | Upgrade |
| @clack/prompts | 1.1.0 | 1.5.0 | **major** | **Test first** — new major |
| @homebridge/ciao | 1.3.5 | 1.3.9 | none | Upgrade |
| @line/bot-sdk | 10.6.0 | 11.0.1 | **major** | **Test first** — v11 may have breaking changes |
| @lydell/node-pty | 1.2.0-beta.3 | 1.2.0-beta.12 | none | Upgrade beta |
| @mariozechner/pi-* (4 pkgs) | 0.61.1 | 0.73.1 | minor | Upgrade (pi framework) |
| @modelcontextprotocol/sdk | 1.27.1 | 1.29.0 | none | Upgrade |
| @sinclair/typebox | 0.34.48 | 0.34.49 | none | Upgrade |
| ajv | 8.18.0 | 8.20.0 | none | Upgrade |
| commander | 14.0.3 | 15.0.0 | **major** | **Test first** |
| dotenv | 17.3.1 | 17.4.2 | none | Upgrade |
| file-type | 21.3.4 | 22.0.1 | minor | Upgrade |
| hono | 4.12.8 | 4.12.23 | none | Upgrade |
| ipaddr.js | 2.3.0 | 2.4.0 | none | Upgrade |
| jiti | 2.6.1 | 2.7.0 | none | Upgrade |
| linkedom | 0.18.12 | ? | minor | Needs manual check |
| markdown-it | 14.1.1 | 14.2.0 | none | Upgrade |
| pdfjs-dist | 5.5.207 | 6.0.227 | **major** | **Test first** — major version |
| playwright-core | 1.58.2 | 1.60.0 | none | Upgrade |
| sqlite-vec | 0.1.7 | 0.1.9 | none | Upgrade |
| tar | 7.5.12 | 7.5.16 | none | Upgrade |
| undici | 7.24.5 | 8.3.0 | **major** | **Do NOT upgrade** — v8 has breaking changes to fetch/headers |
| uuid | 13.0.0 | 14.0.0 | **major** | **Test first** — v14 API changes |
| ws | 8.20.0 | 8.21.0 | none | Upgrade |
| yaml | 2.8.3 | 2.9.0 | none | Upgrade |
| zod | 4.3.6 | 4.4.3 | none | Upgrade |

### Dev Dependencies

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| @grammyjs/types | 3.25.0 | 3.27.3 | none | Upgrade |
| @lit-labs/signals | 0.2.0 | 0.3.0 | minor | Upgrade |
| @types/node | 25.5.0 | 25.9.1 | none | Upgrade |
| @typescript/native-preview | 7.0.0-dev | 7.0.0-dev | none | Upgrade to latest preview |
| @vitest/coverage-v8 | 4.1.0 | 4.1.8 | none | Upgrade |
| jscpd | 4.0.8 | 4.2.4 | minor | Upgrade |
| jsdom | 29.0.1 | 29.1.1 | none | Upgrade |
| lit | 3.3.2 | 3.3.3 | none | Upgrade |
| oxfmt | 0.41.0 | 0.53.0 | minor | Upgrade |
| oxlint | 1.56.0 | 1.68.0 | minor | Upgrade |
| oxlint-tsgolint | 0.17.1 | 0.23.0 | minor | Upgrade |
| playwright | (via playwright-core) | 1.60.0 | none | Upgrade |
| tsdown | 0.21.4 | 0.22.1 | none | Upgrade |
| tsx | 4.21.0 | 4.22.4 | none | Upgrade |
| typescript | 5.9.3 | 6.0.3 | **major** | **Test first** |
| vitest | 4.1.0 | 4.1.8 | none | Upgrade |

### UI subpackage (`ui/package.json`)

**Note:** node_modules missing. Run `npm install` first.

| Dependency | Current (lock) | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| @noble/ed25519 | 3.0.1 | 3.1.0 | none | Upgrade |
| dompurify | 3.x | 3.4.7 | none | Upgrade |
| lit | 3.x | 3.3.3 | none | Upgrade |
| marked | 17.0.5 | 18.0.4 | **major** | **Test first** — v18 breaking changes |

---

## openclaw-workspace

**Location:** `/home/ubuntu/openclaw-workspace/`  
**Type:** Node.js (single dep, package-lock.json)

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| playwright | 1.58.2 | 1.60.0 | none | Upgrade |

---

## openclaw-workspace / portfolio-site

**Location:** `/home/ubuntu/openclaw-workspace/portfolio-site/`  
**Type:** Next.js 15, package-lock.json

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| @types/node | 20.19.35 | 20.19.41 | none | Upgrade |
| @types/react | 19.2.14 | 19.2.16 | none | Upgrade |
| autoprefixer | 10.4.27 | 10.5.0 | none | Upgrade |
| framer-motion | 12.34.3 | 12.40.0 | none | Upgrade |
| lucide-react | 0.468.0 | 1.17.0 | **major** | **Test first** — major version |
| next | 15.0.0 | 16.2.7 | **major** | **Upgrade to 15.x latest first**, then 16 — big jump |
| postcss | 8.5.6 | 8.5.15 | none | Upgrade |
| react | 19.0.0-rc-65a56d0e-20241020 | 19.2.7 | minor | Upgrade to stable release |
| react-dom | 19.0.0 | 19.2.7 | minor | Upgrade |
| react-intersection-observer | 9.16.0 | 10.0.3 | minor | Upgrade |
| react-toastify | 10.0.6 | 11.1.0 | **major** | **Test first** — v11 breaking changes |
| tailwindcss | 3.4.19 | 4.3.0 | **major** | **Do not upgrade yet** — 3→4 migration is significant |
| tsparticles | 2.12.0 | 4.1.2 | **major** | **Test first** — v3→v4 is breaking |
| typescript | 5.9.3 | 6.0.3 | **major** | **Test first** |

---

## openclaw-workspace / portfolio-site-complete

**Location:** `/home/ubuntu/openclaw-workspace/portfolio-site-complete/`  
**Type:** Next.js (no lock file, all deps set to `latest`)

No meaningful audit possible — no lock file, all deps are `latest` floats. Recommend adding a lock file.

---

## wa-bridge

**Location:** `/home/ubuntu/wa-bridge/`  
**Type:** Node.js (WhatsApp bridge, package-lock.json)

| Dependency | Current | Latest | Breaking Risk | Suggestion |
|------------|---------|--------|---------------|------------|
| @whiskeysockets/baileys | 7.0.0-rc.9 | 7.0.0-rc13 | none | Upgrade RC within same major |
| express | 5.2.1 | latest | minor | Upgrade |
| qrcode-terminal | 0.12.0 | latest | none | Upgrade |

**Note:** `@whiskeysockets/baileys` is on a release candidate of major version 7. Upgrading within the RC range is safe. Do not jump to a stable 7.x release without testing.

---

## Known CVEs Flagged

| CVE | Package | Affected Range | In Range? | Project |
|-----|---------|----------------|-----------|---------|
| CVE-2026-25645 | requests | <2.32.0 | `hermes-agent` venv: YES (2.33.1 still vulnerable, need >=2.32.0) | hermes-agent |
| CVE-2026-32597 | PyJWT | <2.13.0 | `hermes-agent` venv: YES (2.12.1 vulnerable) | hermes-agent |
| CVE-2024-35195 | requests | <2.32.0 | `budget-transfer-bot`: YES (>=2.31.0) | budget-transfer-bot |

---

## Skipped / Unauditable

- **hermes-agent website**: node_modules missing — needs `npm install` before next audit
- **openclaw-src-v2026.3.22/ui**: node_modules missing — needs `npm install` before next audit
- **portfolio-site-complete**: no lock file, all `latest` — cannot audit meaningfully
- **hermes-agent Node.js**: node_modules may be missing (`agent-browser` shows MISSING)
- **System Python (global pip)**: polluted with system packages — create per-project venvs for accurate Python audits

---

*Generated: 2026-06-02. Tools: `npm outdated`, `pip list --outdated` (venv), manifest + lockfile analysis. No installs run.*