twenty/package.json
Charles Bochet 4614fe963c fix(deps): bump esbuild to 0.28.1 to fix GHSA-g7r4-m6w7-qqqr (#21515)
## Summary

Fixes Dependabot alert
[#1438](https://github.com/twentyhq/twenty/security/dependabot/1438) —
**esbuild dev-server path traversal**
([GHSA-g7r4-m6w7-qqqr](https://github.com/advisories/GHSA-g7r4-m6w7-qqqr),
CWE-22, low severity, Windows-only). Vulnerable range `>= 0.27.3, <
0.28.1`; patched in `0.28.1`.

Two vulnerable transitive `esbuild` copies were present in the lockfile:

| Version | Parent | Notes |
|---|---|---|
| `0.27.3` | `wrangler@4.98.0` (twenty-website) | exact-pinned; **latest** wrangler `4.100.0` *still* pins `0.27.3` |
| `0.28.0` | `@react-email/ui@6.5.0`, `react-email@6.5.0`, `twenty-client-sdk` (twenty-emails / our SDK) | `@react-email/ui` exact-pins it; **latest** `6.6.0` still does |

Because no fixed upstream release exists for these parents, bumping them
can't reach `0.28.1`.

## Changes

- **`package.json`** — scoped `resolutions` forcing `esbuild` to
`0.28.1` for `wrangler`, `@react-email/ui`, and `react-email`.
Documented in the existing `//resolutions` ledger.
- **`packages/twenty-client-sdk/package.json`** — raised the `esbuild`
floor `^0.28.0` → `^0.28.1` at the source. `esbuild` is a runtime
`dependency` of the SDK, so fixing it here (rather than via a root
resolution) also protects consumers of the published package.
- **`.yarnrc.yml`** — `0.28.1` was published 2026-06-11, inside the
`npmMinimalAgeGate: 3d` window, so it's quarantined. Preapproved
`esbuild@0.28.1` + `@esbuild/*@0.28.1` (scoped to this exact version) so
the security fix can land now instead of waiting out the gate. Safe to
remove once `0.28.1` ages past the gate.
- **`yarn.lock`** — regenerated.

## Verification

- No vulnerable esbuild left in the lockfile — remaining versions are
`0.25.4`, `0.25.8`, `0.25.12`, `0.27.2`, `0.28.1`, all outside `>=
0.27.3, < 0.28.1`.
- `yarn install --immutable` passes (no quarantine errors, clean link
step).

## Follow-up

The scoped resolutions are load-bearing only until upstreams ship an
esbuild `>= 0.28.1` pin; the `react-email` one can also drop once
`0.28.1` clears the age gate. All noted in the `//resolutions` ledger.

2026-06-12 23:26:22 +02:00
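As an added check for the Verification step above (example code, not the twenty project's own), this Node script parses Yarn Berry `yarn.lock` entries for `esbuild` and flags any resolved version inside the GHSA-g7r4-m6w7-qqqr range. The lockfile excerpts are constructed, and the `lockedVersions` / `auditEsbuild` helper names are assumptions.

```javascript
// Added example (not part of the twenty repo): audit a Yarn Berry lockfile for
// esbuild copies inside the GHSA-g7r4-m6w7-qqqr range (>=0.27.3 <0.28.1).
const VULN_LOW = "0.27.3"; // first vulnerable version (inclusive)
const VULN_FIX = "0.28.1"; // first patched version (exclusive)

// Numeric compare of plain x.y.z versions: returns -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

function isVulnerable(v) {
  return cmpVersion(v, VULN_LOW) >= 0 && cmpVersion(v, VULN_FIX) < 0;
}

// Yarn Berry entries start with an unindented header such as
// `"esbuild@npm:0.28.0, esbuild@npm:^0.28.0":` (descriptors sharing one
// resolution), followed by an indented `version:` line.
function lockedVersions(lockText, pkg) {
  const found = new Map(); // resolved version -> descriptors resolving to it
  let descriptors = null;
  for (const line of lockText.split("\n")) {
    if (line.length && !/^\s/.test(line) && line.endsWith(":")) {
      descriptors = line.slice(0, -1).replace(/^"|"$/g, "").split(", ")
        .filter((d) => d.startsWith(pkg + "@"));
    } else if (descriptors && descriptors.length) {
      const m = line.match(/^\s+version:\s*"?([^"\s]+)"?/);
      if (m) { found.set(m[1], descriptors); descriptors = null; }
    }
  }
  return found;
}

// Every locked esbuild version inside the vulnerable range, with its parents.
function auditEsbuild(lockText) {
  return [...lockedVersions(lockText, "esbuild")]
    .filter(([version]) => isVulnerable(version))
    .map(([version, descriptors]) => ({ version, descriptors }));
}

// Constructed excerpts (not the real yarn.lock): the state the commit found
// (wrangler's 0.27.3 pin, @react-email/ui's 0.28.0 pin) and the state after.
const LOCK_BEFORE = `"esbuild@npm:0.27.3":\n  version: 0.27.3\n\n` +
  `"esbuild@npm:0.28.0, esbuild@npm:^0.28.0":\n  version: 0.28.0\n`;
const LOCK_AFTER = `"esbuild@npm:0.27.2":\n  version: 0.27.2\n\n` +
  `"esbuild@npm:0.27.3, esbuild@npm:0.28.0, esbuild@npm:^0.28.1":\n  version: 0.28.1\n`;
```

Run it against the real lockfile with `auditEsbuild(require("fs").readFileSync("yarn.lock", "utf8"))`; an empty array is the "no vulnerable esbuild left" result the Verification section describes.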


```json
{
  "private": true,
  "devDependencies": {
    "@nx/jest": "22.7.5",
    "@nx/js": "22.7.5",
    "@nx/react": "22.7.5",
    "@nx/storybook": "22.7.5",
    "@nx/vite": "22.7.5",
    "@nx/web": "22.7.5",
    "@types/react": "^18.2.39",
    "@types/react-dom": "^18.2.15",
    "@yarnpkg/types": "^4.0.0",
    "concurrently": "^8.2.2",
    "http-server": "^14.1.1",
    "nx": "22.7.5",
    "oxfmt": "0.50.0",
    "tsx": "^4.17.0",
    "verdaccio": "^6.3.1"
  },
  "engines": {
    "node": "^24.5.0",
    "npm": "please-use-yarn",
    "yarn": ">=4.0.2"
  },
  "license": "AGPL-3.0",
  "name": "twenty",
  "packageManager": "yarn@4.13.0",
  "resolutions": {
    "graphql": "16.8.1",
    "graphql-redis-subscriptions/ioredis": "5.10.1",
    "@types/qs": "6.9.16",
    "@opentelemetry/api": "1.9.1",
    "chokidar": "^3.6.0",
    "tmp": "^0.2.7",
    "make-fetch-happen": "^15.0.0",
    "@electron/rebuild/tar": "npm:^7.5.16",
    "@electron/node-gyp/tar": "npm:^7.5.16",
    "@angular-devkit/core": "19.2.24",
    "yeoman-environment": "6.0.1",
    "@electron-forge/plugin-webpack/webpack-dev-server": "5.2.4",
    "express/qs": "6.15.2",
    "@cypress/request/qs": "6.15.2",
    "next/postcss": "8.5.15",
    "sockjs/uuid": "11.1.1",
    "@cypress/request/uuid": "11.1.1",
    "@ptc-org/nestjs-query-typeorm/uuid": "11.1.1",
    "googleapis-common/uuid": "11.1.1",
    "@cyntler/react-doc-viewer/ajv": "8.20.0",
    "wrangler/esbuild": "0.28.1",
    "@react-email/ui/esbuild": "0.28.1",
    "react-email/esbuild": "0.28.1"
  },
  "//resolutions": "Each entry is load-bearing: it forces a version OUTSIDE some parent's declared range where no fixed upstream release exists; remove each once its blocker ships. graphql 16.8.1 -> singleton pin held below msw's ^16.12.0 dep and @nestjs/graphql's ^16.11.0 peer; drop after a validated repo-wide bump to latest 16.x; graphql-redis-subscriptions/ioredis 5.10.1 -> TS type-identity dedup: twenty-server passes its ioredis client into RedisPubSub, so this must equal the exact ioredis version pinned by twenty-server and bullmq (bump in lockstep); @types/qs 6.9.16 -> holdback below the 6.9.17 ParsedQs typing break (node-saml wants ^6.9.18); @opentelemetry/api 1.9.1 -> singleton guard for the NoopMeterProvider bug (#20231): ai 6.0.x pins 1.9.0 exact vs @sentry/node ^1.9.1, drop when workspace ai >=6.0.178 AND @scalar/agent-chat moves off ai 6.0.33; chokidar ^3 -> NestJS CLI watch needs fsevents on macOS, removed in chokidar 4/5 (#20316); tmp ^0.2.7 -> CVE, zapier-platform-cli 19 (latest) pins 0.2.5 and inquirer 7/8's external-editor wants ^0.0.33; make-fetch-happen ^15 + @electron/{rebuild,node-gyp}/tar ^7.5.16 -> tar CVE eviction for the @electron/rebuild 3.x toolchain (rebuild 3.x pins tar ^6, its node-gyp fork pins tar ^6.2.1 + mfh ^10), drop when electron-forge declares @electron/rebuild >=4; @angular-devkit/core 19.2.24 -> picomatch CVE, blocked on @nestjs/cli >11.0.23 fixing the dist/src output regression (repo held at 11.0.16); yeoman-environment 6.0.1 -> CVE, zapier-platform-cli 19 (latest) pins 4.4.3; webpack-dev-server 5.2.4 -> CVE, @electron-forge/plugin-webpack (incl. 8.x alphas) still declares ^4; express/qs + @cypress/request/qs 6.15.2 -> qs CVE for old express 4.22.0/4.22.1 pinned by @mintlify/previewing and verdaccio (verdaccio also pins @cypress/request 3.0.10; all other qs parents resolve safe naturally); next/postcss 8.5.15 -> postcss CVE, every stable next pins 8.4.31 exact (fix only in 16.3.0 canaries; @react-email/ui also pins next 16.2.6); <pkg>/uuid 11.1.1 -> uuid CVE for parents pinning uuid <11 with no fixed release (sockjs dormant since 2021; @cypress/request 3.0.10 via verdaccio; @ptc-org/nestjs-query-typeorm at latest; googleapis 105 -> common 8 drops uuid but needs the googleapis >=152 migration). Preserves the intentional uuid 13.x; @cyntler/react-doc-viewer/ajv 8.20.0 -> CVE, upstream (latest 1.17.1) pins ajv ^7 but never imports it, forcing v8 is safe; wrangler/esbuild + @react-email/ui/esbuild + react-email/esbuild 0.28.1 -> esbuild dev-server path-traversal GHSA-g7r4-m6w7-qqqr (Windows, vulnerable >=0.27.3 <0.28.1, fixed in 0.28.1): wrangler exact-pins esbuild 0.27.3 (still 0.27.3 in latest 4.100.0) and @react-email/ui exact-pins 0.28.0 (still 0.28.0 in latest 6.6.0) with no fixed upstream release; react-email allows ^0.28.0 but the npmMinimalAgeGate down-selects it to the still-vulnerable 0.28.0 until 0.28.1 ages past the gate (published 2026-06-11), so it is pinned forward here. Drop the exact-pin parents once they ship an esbuild >=0.28.1 pin; drop react-email once 0.28.1 clears the age gate (it then resolves to it naturally). Our own twenty-client-sdk raises its esbuild floor to ^0.28.1 directly in its package.json instead of via a resolution",
  "version": "0.2.1",
  "nx": {},
  "scripts": {
    "docs:generate": "tsx packages/twenty-docs/scripts/generate-docs-json.ts",
    "docs:generate-navigation-template": "tsx packages/twenty-docs/scripts/generate-navigation-template.ts",
    "docs:generate-paths": "tsx packages/twenty-docs/scripts/generate-documentation-paths.ts",
    "start": "npx concurrently --kill-others 'npx nx run-many -t start -p twenty-server twenty-front' 'npx wait-on tcp:3000 && npx nx run twenty-server:worker'"
  },
  "workspaces": {
    "packages": [
      "packages/twenty-front",
      "packages/twenty-server",
      "packages/twenty-emails",
      "packages/twenty-ui",
      "packages/twenty-ui-deprecated",
      "packages/twenty-utils",
      "packages/twenty-zapier",
      "packages/twenty-website",
      "packages/twenty-docs",
      "packages/twenty-e2e-testing",
      "packages/twenty-shared",
      "packages/twenty-sdk",
      "packages/twenty-front-component-renderer",
      "packages/twenty-client-sdk",
      "packages/twenty-cli",
      "packages/create-twenty-app",
      "packages/twenty-codex-plugin",
      "packages/twenty-oxlint-rules",
      "packages/twenty-companion",
      "packages/twenty-claude-skills"
    ]
  },
  "prettier": {
    "singleQuote": true,
    "trailingComma": "all",
    "endOfLine": "lf"
  }
}
```