calcom/cal.com
Dependencies
A guided tour of the most important runtime and dev dependencies. Full lists live in the per-workspace package.json files; the root package.json aggregates the dev deps and pins resolutions.
Build and orchestration
- Turborepo (
turbo2.7.1) — task pipelines + cache - Yarn 4 (Berry) — package manager + workspaces
- TypeScript 5.9.3 — strict mode across the monorepo
- Biome 2.3.10 — formatter + linter (replaces Prettier + most of ESLint)
- Husky 9 + lint-staged 12 — git hooks
- Changesets 2.29 — release versioning + publishing
Web stack
- Next.js 13+ — App Router + Pages Router (migration in progress)
- React 19 — pinned via
resolutionsto a patched version - Tailwind CSS — styling
- Radix UI — accessibility primitives behind
@calcom/ui - react-hook-form + Zod — forms + validation
- react-query — caching layer for the tRPC client
API stack
- tRPC 11 — type-safe internal API
- Zod — validation
- NestJS 11 —
apps/api/v2 - @nestjs/throttler + @nest-lab/throttler-storage-redis — rate limiting
- @nestjs/bull + bullmq — background jobs
- class-validator / class-transformer — DTO validation
Database
- Prisma 6.16 — ORM + migrations
- zod-prisma-types — generates Zod schemas from the schema
- prisma-kysely — generates Kysely types
- prisma-enum-generator — runtime enum file
- prismock — in-memory Prisma double for tests
Auth
- NextAuth.js — web app auth
- bcrypt / bcryptjs — password hashing
- jsonwebtoken 9 (resolutions-pinned) — JWTs
- otplib — TOTP
Observability
- Sentry —
@sentry/nextjs,@sentry/nestjs - tslog — structured logging
- Checkly — synthetic monitoring
Email and SMS
- @sendgrid/mail — transactional email
- nodemailer — SMTP fallback
- mailhog 4 (dev only) — for tests
- Twilio — SMS
Background jobs
- Trigger.dev — managed background-job platform
- BullMQ (via NestJS) — in-process queue inside API v2
Day / date
- Day.js 1.11.4 (patched via
.yarn/patches/dayjs-npm-1.11.4-97921cd375.patch) with plugins (utc,timezone,customParseFormat,relativeTime,localizedFormat,weekOfYear,isBetween,minMax,duration) - date-fns — used wherever timezone awareness isn't needed
- rrule — recurring event rules
Embeds
- Vite — bundler for the embed packages
- Web Components / Custom Elements —
EmbedElementbase class
Testing
- Vitest 4 — unit + component
- @vitest/coverage-v8 — coverage
- @testing-library/react — component tests
- next-router-mock
- vitest-fetch-mock
- vitest-mock-extended
- Playwright 1.57 — end-to-end
- Jest (inside
apps/api/v2) - mailhog + custom helpers — email assertions
- prismock — Prisma double
Markdown / rich text
- markdown-it + DOMPurify — sanitized markdown rendering
- Lexical — rich-text editor in
@calcom/ui
Internationalization
- next-i18next 13 (patched via
.yarn/patches/next-i18next-npm-13.3.0-bf25b0943c.patch) - i18n-unused 0.13 — dead-key detection
Security
- DOMPurify — XSS sanitization
- libphonenumber-js (patched) — phone validation
- node-forge 1.4 — TLS / signing helpers
- crypto-js / native crypto — AES via
packages/lib/crypto.ts
Notable patches
.yarn/patches/ contains patches against:
dayjs1.11.4 — timezone bugfixnext-i18next13.3.0 — locale buglibphonenumber-js1.12.38 — bugfix
Notable resolutions
The root package.json resolutions block pins many transitive dependencies for security or compatibility, including path-to-regexp, axios, form-data, qs, multer, jsonwebtoken, node-forge, react, vite, and many others. Consult the file before bumping any of these.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.