Files
nick-doc/Issues/ISSUE-103-backend-react-react-dom-in-backend-production-dependencies.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00

1.1 KiB

issue, title, severity, domain, labels, status, created, source
issue title severity domain labels status created source
103 Backend: react/react-dom in backend production dependencies medium Dependencies
backend
dependencies
cleanup
open 2026-05-30 Full Codebase Audit 2026-05-30

Backend: react/react-dom in backend production dependencies

Severity: medium Domain: Dependencies Labels: backend, dependencies, cleanup

Description

backend/package.json:83 lists react and react-dom as production dependencies. These are large packages with no apparent usage in the backend (no SSR email templates confirmed). They inflate the production bundle and increase the attack surface.

Options

  1. Remove both after confirming zero imports.
  2. Move to devDependencies if only used in tooling.
  3. Keep if some build step requires them.

Recommendation

Confirm no runtime/SSR usage, then remove. Because removal could break an unseen template render, verify all imports before removing.

Affected Files

  • backend/package.json:83

References