# Third-Party Library Audit

Date: 2026-05-17

## Summary

The project currently uses the expected browser-side typography/story libraries plus additional runtime packages:

- inkjs
- SmartyPants.js
- Hyphenopoly
- Knuth-Plass line breaking support (`knuth-and-plass.js`, `linebreak.js`, `linked-list.js`)
- Kokoro JS browser bundle
- Server/runtime npm packages: Express, Socket.IO, OpenAI SDK, Axios, cors, dotenv, js-yaml, ifvms
- EB Garamond font files

## Browser-vendored files

| Component | Files | Upstream/latest check | Local status |
| --- | --- | --- | --- |
| SmartyPants.js | `public/js/smartypants.js` | Local header says `smartypants.js 0.0.6`; npm `smartypants` latest is `0.2.2`. The old `smartypants.js` package name is unpublished from npm. | Not byte-identical to npm `smartypants` 0.0.5, 0.0.9, or 0.2.2. Treat as modified/older vendor code. |
| Hyphenopoly browser files | `public/js/Hyphenopoly.js`, `public/js/Hyphenopoly_Loader.js`, `public/js/hyphenopoly.module.js`, `public/js/patterns/*.wasm` | Browser header says `5.2.0-beta.1`; npm dependency is `6.0.0`; npm latest is `6.1.0`. | `Hyphenopoly.js` is effectively 5.2.0-beta.1 after line-ending normalization. `Hyphenopoly_Loader.js` has a small local/prototype difference in `H.hide`. Browser copy is older than package/latest. |
| Knuth-Plass adapter | `public/js/knuth-and-plass.js` | No authoritative upstream identified from headers or npm metadata. | Modified from the prototype copy and currently application-owned adapter code. |
| Line breaking support | `public/js/linebreak.js`, `public/js/linked-list.js` | No authoritative upstream identified from headers. Not the npm `linebreak` package 1.1.0. | Identical to prototype copies. `linked-list.js` still has a suspicious `get last() { return this.last; }` accessor inherited from the prototype. |
| Kokoro JS browser bundle | `public/js/kokoro-js.js` | npm `kokoro-js` latest is `1.2.1`; installed is `1.2.0`. | Byte-identical to `kokoro-js@1.2.0/dist/kokoro.web.js`; not latest. |

## Direct runtime npm packages

| Package | Installed | Latest checked | License | Status |
| --- | --- | --- | --- | --- |
| `inkjs` | 2.4.0 | 2.4.0 | MIT | Current. |
| `hyphenopoly` | 6.0.0 | 6.1.0 | MIT | Not latest. Browser vendored files are older than this dependency. |
| `kokoro-js` | 1.2.0 | 1.2.1 | Apache-2.0 | Not latest. |
| `ifvms` | 1.1.6 | 1.1.6 | MIT | Current. |
| `openai` | 4.91.0 | 6.38.0 | Apache-2.0 | Not latest major. |
| `socket.io` | 4.8.1 | 4.8.3 | MIT | Not latest patch. |
| `express` | 5.1.0 | 5.2.1 | MIT | Not latest patch. |
| `axios` | 1.8.4 | 1.16.1 | MIT | Not latest. |
| `cors` | 2.8.5 | 2.8.6 | MIT | Not latest patch. |
| `dotenv` | 16.4.7 | 17.4.2 | BSD-2-Clause | Not latest major. |
| `js-yaml` | 4.1.0 | 4.1.1 | MIT | Not latest patch. |

## Notices

The UI-readable license and credit notice is `public/THIRD_PARTY_NOTICES.md`. The root `THIRD_PARTY_NOTICES.md` points to that served file so the repository has an obvious project-level notice entry.