Third-Party Library Audit
Date: 2026-05-17
Summary
The project currently uses the expected browser-side typography/story libraries plus additional runtime packages:
- inkjs
- SmartyPants.js
- Hyphenopoly
- Knuth-Plass line breaking support (knuth-and-plass.js, linebreak.js, linked-list.js)
- Kokoro JS browser bundle
- Server/runtime npm packages: Express, Socket.IO, OpenAI SDK, Axios, cors, dotenv, js-yaml, ifvms
- EB Garamond font files
Browser-vendored files
| Component | Files | Upstream/latest check | Local status |
|---|---|---|---|
| SmartyPants.js | public/js/smartypants.js | Local header says smartypants.js 0.0.6; npm smartypants latest is 0.2.2. The old smartypants.js package name is unpublished from npm. | Not byte-identical to npm smartypants 0.0.5, 0.0.9, or 0.2.2. Treat as modified/older vendor code. |
| Hyphenopoly browser files | public/js/Hyphenopoly.js, public/js/Hyphenopoly_Loader.js, public/js/hyphenopoly.module.js, public/js/patterns/*.wasm | Browser header says 5.2.0-beta.1; npm dependency is 6.0.0; npm latest is 6.1.0. | Hyphenopoly.js is effectively 5.2.0-beta.1 after line-ending normalization. Hyphenopoly_Loader.js has a small local/prototype difference in H.hide. Browser copy is older than package/latest. |
| Knuth-Plass adapter | public/js/knuth-and-plass.js | No authoritative upstream identified from headers or npm metadata. | Modified from the prototype copy and currently application-owned adapter code. |
| Line breaking support | public/js/linebreak.js, public/js/linked-list.js | No authoritative upstream identified from headers. Not the npm linebreak package 1.1.0. | Identical to prototype copies. linked-list.js still has a suspicious get last() { return this.last; } accessor inherited from the prototype. |
| Kokoro JS browser bundle | public/js/kokoro-js.js | npm kokoro-js latest is 1.2.1; installed is 1.2.0. | Byte-identical to kokoro-js@1.2.0/dist/kokoro.web.js; not latest. |
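
The local-status column above separates byte-identical copies, copies that match only after line-ending normalization, and modified copies. The following is an added example, not the project's audit tooling, showing one way to make that classification repeatable in Node.js; the function names, version labels and sample buffers are hypothetical and constructed.

```javascript
// Convert CRLF and lone CR to LF. latin1 maps every byte to one character,
// so the round trip changes nothing except the line endings.
function normalizeEol(buf) {
  return Buffer.from(buf.toString('latin1').replace(/\r\n?/g, '\n'), 'latin1');
}

// Compare one vendored file with one upstream candidate.
function classify(local, upstream) {
  if (local.equals(upstream)) return { status: 'byte-identical' };
  const a = normalizeEol(local);
  const b = normalizeEol(upstream);
  if (a.equals(b)) return { status: 'identical-after-eol-normalization' };
  // Report the first differing line (1-based) so a reviewer can go straight
  // to the local change.
  const la = a.toString('latin1').split('\n');
  const lb = b.toString('latin1').split('\n');
  let i = 0;
  while (i < la.length && i < lb.length && la[i] === lb[i]) i++;
  return { status: 'modified', firstDiffLine: i + 1 };
}

// Try every candidate release and keep the closest result:
// byte-identical beats EOL-only drift, which beats modified.
// When every candidate is 'modified', the version is just the first one tried.
const RANK = { 'byte-identical': 0, 'identical-after-eol-normalization': 1, modified: 2 };
function auditVendored(local, candidates) {
  let best = null;
  for (const [version, upstream] of Object.entries(candidates)) {
    const result = { version, ...classify(local, upstream) };
    if (best === null || RANK[result.status] < RANK[best.status]) best = result;
  }
  return best;
}

// Constructed sample data (not real library contents). In an audit these
// buffers would be read from the vendored path and the unpacked npm tarball.
const upstreamV1 = Buffer.from('function hide() {\n  return 1;\n}\n');
const upstreamV2 = Buffer.from('function hide() {\n  return 2;\n}\n');
const candidates = { 'v1-sample': upstreamV1, 'v2-sample': upstreamV2 };
const crlfCopy = Buffer.from('function hide() {\r\n  return 1;\r\n}\r\n');
const patchedCopy = Buffer.from('function hide() {\n  return 0;\n}\n');

console.log(auditVendored(upstreamV2, candidates));
console.log(auditVendored(crlfCopy, candidates));
console.log(auditVendored(patchedCopy, candidates));
```
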
Direct runtime npm packages
| Package | Installed | Latest checked | License | Status |
|---|---|---|---|---|
| inkjs | 2.4.0 | 2.4.0 | MIT | Current. |
| hyphenopoly | 6.0.0 | 6.1.0 | MIT | Not latest. Browser vendored files are older than this dependency. |
| kokoro-js | 1.2.0 | 1.2.1 | Apache-2.0 | Not latest. |
| ifvms | 1.1.6 | 1.1.6 | MIT | Current. |
| openai | 4.91.0 | 6.38.0 | Apache-2.0 | Not latest major. |
| socket.io | 4.8.1 | 4.8.3 | MIT | Not latest patch. |
| express | 5.1.0 | 5.2.1 | MIT | Not latest patch. |
| axios | 1.8.4 | 1.16.1 | MIT | Not latest. |
| cors | 2.8.5 | 2.8.6 | MIT | Not latest patch. |
| dotenv | 16.4.7 | 17.4.2 | BSD-2-Clause | Not latest major. |
| js-yaml | 4.1.0 | 4.1.1 | MIT | Not latest patch. |
Notices
The UI-readable license and credit notice is public/THIRD_PARTY_NOTICES.md.
The root THIRD_PARTY_NOTICES.md points to that served file so the repository has an obvious project-level notice entry.