# Dependency Audit Status 2026

**Last Updated:** 2026-03-02

Comprehensive status of all frameworks, libraries, and tools in the project.

## Executive Summary

| Category | Status | Latest Available | Action Required |
|----------|--------|------------------|-----------------|
| **Tailwind CSS** | ✅ v4.2.1 | v4.2.1 | None - Latest |
| **npm Packages** | ✅ All up to date | - | None |
| **Composer Packages** | ⚠️ PHPStan 2.x available | PHPStan 2.1.40 | Evaluate major upgrade |
| **Python Packages** | ⏳ Requires venv | Updated in requirements.txt | Install in venv |
| **Node.js** | ✅ 22.22.0 LTS | 22.22.0 | None - Latest |
| **PHP** | ✅ 8.5.3 | 8.5.3 | None - Latest |
| **GitHub Actions** | ✅ All updated | Latest | PHP version updated to 8.4 |
| **GitHub Actions PHP** | ✅ 8.4 | 8.4 | Updated from 8.2 to match dependencies |

## Tailwind CSS v4 Status

**Current Version:** ✅ **v4.2.1** (Latest stable)

- **Installed:** `tailwindcss@4.2.1` and `@tailwindcss/postcss@4.2.1`
- **Release Date:** February 23, 2025
- **Status:** Fully up to date

**Key Features:**
- High-performance Oxide engine (Rust-based)
- CSS-first configuration
- Native support for modern CSS features
- Unified toolchain

## npm Packages Audit

**Status:** ✅ **All packages up to date**

`npm outdated` returned empty - no updates available.

### Current Versions

| Package | Version | Status |
|---------|---------|--------|
| tailwindcss | 4.2.1 | ✅ Latest |
| @tailwindcss/postcss | 4.2.1 | ✅ Latest |
| eslint | 10.0.2 | ✅ Latest |
| prettier | 3.8.1 | ✅ Latest |
| playwright | 1.58.2 | ✅ Latest |
| lint-staged | 16.3.1 | ✅ Latest |
| postcss-cli | 11.0.1 | ✅ Latest |
| globals | 17.4.0 | ✅ Latest |
| husky | 9.1.7 | ✅ Latest |
| markdown-link-check | 3.14.2 | ✅ Latest |
| cssnano | 7.1.2 | ✅ Latest |
| sharp | 0.34.5 | ✅ Latest |
| postcss | 8.5.6 | ✅ Latest |
| @fullhuman/postcss-purgecss | 8.0.0 | ✅ Latest |
| @lhci/cli | 0.15.1 | ✅ Latest |
| terser | 5.46.0 | ✅ Latest |

## Composer Packages Audit

**Status:** ⚠️ **PHPStan 2.x available (major version)**

### Current Versions

| Package | Current | Latest Available | Status |
|---------|---------|------------------|--------|
| phpoffice/phpspreadsheet | 5.5.0 | 5.5.0 | ✅ Latest |
| google/apiclient | ^2.19 | ^2.19 | ✅ Latest |
| phpstan/phpstan | 1.12.33 | 2.1.40 | ⚠️ Major update available |
| php-webdriver/webdriver | ^1.15 | ^1.15 | ✅ Latest |

### PHPStan 2.x Upgrade Consideration

**Available:** PHPStan 2.1.40 (released February 23, 2026)

**Migration Requirements:**
1. **Preparation Phase:**
   - Update to latest PHPStan 1.12.x
   - Enable Bleeding Edge configuration
   - Install `phpstan/phpstan-deprecation-rules`
   - Fix all deprecation warnings
   - Achieve green build

2. **Upgrade Phase:**
   - Update `composer.json`: `"phpstan/phpstan": "^2.0"`
   - Update all PHPStan extensions to v2.0
   - Run: `composer update 'phpstan/*' -W`
   - Fix new errors or add to baseline

**Current Project Status:**
- **Baseline Issues:** 1900+ errors (CI uses `continue-on-error`)
- **Recommendation:** Defer PHPStan 2.x upgrade until baseline is reduced
- **Priority:** Low (PHPStan 1.12.33 is actively maintained)

**Benefits of PHPStan 2.x:**
- Level 10: Enhanced mixed type checking
- List type: New array type for sequential arrays
- 50-70% lower memory consumption
- New rules for magic constants, serialization, file existence

## Python Packages Audit

**Status:** ⏳ **Updated in requirements.txt, requires venv installation**

### Current Requirements

| Package | Requirement | Latest Available | Status |
|---------|------------|------------------|--------|
| pandas | >=3.0.0 | 3.x | ⏳ Requires venv |
| jsonschema | >=4.26.0 | 4.26+ | ⏳ Requires venv |
| pytest | >=9.0.0 | 9.x | ⏳ Requires venv |
| openpyxl | >=3.1.0 | 3.1.5+ | ⏳ Requires venv |

**Installation Required:**
```bash
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt --upgrade
```

**Note:** macOS PEP 668 restrictions require virtual environment for Python package installation.

## Node.js Status

**Current:** ✅ **22.22.0 LTS** (Latest)

- **EOL Date:** April 30, 2027
- **Status:** Fully up to date
- **Migration:** Completed from Node 20 (March 2, 2026)

## PHP Status

**Current:** ✅ **8.5.3** (Latest stable)

- **Release Date:** January 29, 2026
- **Support:** Until December 31, 2027
- **Status:** Fully up to date

**Project Requirement:** ✅ **>=8.4** (Updated from >=8.1)

- **Rationale:** Required by transitive dependencies:
  - `maennchen/zipstream-php` 3.2.1 requires PHP ^8.3
  - `symfony/process` v8.0.5 requires PHP >=8.4
- **GitHub Actions:** Updated to PHP 8.4 (from 8.2) to match dependency requirements
- **Deployment Fix:** Resolved deployment failure by updating GitHub Actions PHP version

## GitHub Actions Status

**Status:** ✅ **All actions updated to latest**

| Action | Current | Status |
|--------|---------|--------|
| actions/checkout | v6 | ✅ Latest |
| actions/setup-node | v6.2.0 | ✅ Latest |
| shivammathur/setup-php | v2 (major tag) | ✅ Latest |
| PHP Version | 8.4 | ✅ Updated from 8.2 |

**Deployment Fix (2026-03-02):**
- **Issue:** Deployment failed due to PHP version mismatch
- **Fix:** Updated workflows to use PHP 8.4 (from 8.2) to match composer.lock dependencies
- **Files Updated:**
  - `.github/workflows/production-deployment.yml`
  - `.github/workflows/code-quality.yml`

## Security Vulnerabilities

**Status:** ⚠️ **4 low-severity vulnerabilities (deferred)**

- **Package:** `tmp` (via @lhci/cli dependency chain)
- **Severity:** Low
- **Issue:** Allows arbitrary temporary file/directory write via symbolic link
- **Affected:** @lhci/cli → inquirer → external-editor → tmp
- **Action:** Deferred (fix would downgrade @lhci/cli from v0.15.1 to v0.1.0)

**Monitoring:** Continue monitoring for @lhci/cli updates that resolve this vulnerability.

## Recommendations

### Immediate Actions

1. ✅ **Tailwind CSS v4:** Already on latest version - no action needed
2. ✅ **npm packages:** All up to date - no action needed
3. ✅ **Node.js 22:** Migration complete - no action needed
4. ✅ **PHP 8.5.3:** Latest version - no action needed
5. ✅ **GitHub Actions:** All updated - no action needed

### Deferred Actions

1. ⏳ **Python packages:** Install in virtual environment when needed
   - Priority: Low (requirements.txt already updated)
   - Action: Set up venv and install packages when Python scripts are actively used

2. ⚠️ **PHPStan 2.x:** Evaluate major upgrade
   - Priority: Low (1.12.33 is actively maintained)
   - Prerequisites: Reduce baseline errors from 1900+ to manageable level
   - Timeline: Consider after baseline cleanup (Q2 2026)

### Future Considerations

1. **PHPStan Baseline Cleanup:** Reduce 1900+ errors to enable PHPStan 2.x upgrade
2. **ESLint Warnings:** Address 165 warnings incrementally
3. **Security Vulnerabilities:** Monitor @lhci/cli for updates resolving tmp vulnerability

## Conclusion

✅ **All critical dependencies are up to date:**
- Tailwind CSS v4.2.1 (latest)
- Node.js 22.22.0 LTS (latest)
- PHP 8.5.3 (latest)
- All npm packages (latest)
- All GitHub Actions (latest)
- PhpSpreadsheet 5.5.0 (latest)

⚠️ **Optional upgrades available:**
- PHPStan 2.x (major version, requires preparation)
- Python packages (requires venv setup)

**Overall Status:** ✅ **Project dependencies are current and well-maintained.**