# Software Bill of Materials
This page is Slingr’s public Standard Inventory of the principal open-source components used in the solutions we build for clients. It is the document referenced by Section 5.4(a) of our Master Services Agreement and exists for three purposes: to give procurement and security teams a clear view of the supply chain we operate on; to let clients confirm that the licensing terms of those components are compatible with their distribution and use requirements; and to support the right-to-leave commitment in our Open Exit terms by making the dependencies visible whether or not you stay with us as your operator.
Slingr’s engagements are technology-agnostic. The list below reflects the components Slingr most commonly uses across its engagements; the specific dependencies present in any given Solution depend on the architecture chosen by Client in the applicable Work Order and may differ from the Standard Inventory. Each client’s engagement-specific Software Bill of Materials is delivered as part of the transition deliverables under Section 11 of the MSA, or on written request to security@slingr.io.
## Slingr-developed framework
The core orchestration framework, authored and maintained by Slingr, is published as @slingr/framework on the npm registry and licensed under Apache License 2.0. The framework provides type-safe models, validation, JSON serialization, workflow actions, ORM integration, and the supporting building blocks Slingr uses to assemble custom applications.
| Component | Version | License | Purpose |
|---|---|---|---|
| @slingr/framework | 0.2.1 | Apache-2.0 | Slingr’s open-source orchestration framework for smart business applications. Source available at github.com/slingr-stack/framework. |
## Backend dependencies (framework runtime)
The packages below are pulled in by @slingr/framework as production dependencies. Versions reflect the minimum compatible range declared in the framework’s package.json; the version actually installed in a Solution is the latest matching version at install time and is captured exactly in the engagement-specific SBOM at transition.
| Component | Version range | License | Purpose |
|---|---|---|---|
| Web and API | |||
| @apollo/server | ^5.0.0 | MIT | GraphQL server |
| @as-integrations/express5 | ^1.1.2 | MIT | Apollo Server × Express integration |
| @pothos/core | ^4.10.0 | ISC | GraphQL schema builder |
| cors | ^2.8.5 | MIT | Cross-origin resource sharing |
| express | ^5.2.1 | MIT | HTTP server framework |
| fastify | ^5.6.1 | MIT | Alternative high-performance HTTP framework |
| multer | ^2.0.2 | MIT | Multipart form / file upload handling |
| Identity, authentication, authorization | |||
| bcryptjs | ^3.0.2 | BSD-3-Clause | Password hashing |
| jsonwebtoken | ^9.0.2 | MIT | JSON Web Tokens (signing / verification) |
| express-jwt | ^8.5.1 | MIT | JWT middleware for Express |
| passport-jwt | ^4.0.1 | MIT | Passport.js JWT strategy |
| @casl/ability | ^6.7.3 | MIT | Permission / authorization rules |
| @ucast/core | ^1.10.2 | Apache-2.0 | Universal condition AST |
| @ucast/mongo | ^2.4.3 | Apache-2.0 | MongoDB-style query parser |
| @ucast/mongo2js | ^1.4.0 | Apache-2.0 | MongoDB-style query compiler |
| Data, ORM, workflow | |||
| typeorm | ^0.3.26 | MIT | SQL ORM and migrations |
| @dbos-inc/dbos-sdk | ^4.7.9 | MIT | Durable workflow / transactional execution engine |
| @dbos-inc/typeorm-datasource | ^4.7.9 | MIT | DBOS integration for TypeORM |
| cron-parser | ^5.5.0 | MIT | Cron expression parser for scheduled jobs |
| Validation and serialization | |||
| class-validator | ^0.14.2 | MIT | Decorator-based validation |
| class-transformer | ^0.5.1 | MIT | Object ↔ class serialization |
| reflect-metadata | ^0.2.2 | Apache-2.0 | Runtime metadata reflection (required by decorators) |
| tsyringe | ^4.8.0 | MIT | Lightweight dependency injection |
| Logging and observability | |||
| winston | ^3.18.3 | MIT | Structured application logging |
| winston-daily-rotate-file | ^5.0.0 | MIT | Daily log file rotation |
| Utilities | |||
| dotenv | ^16.4.7 | BSD-2-Clause | Environment variable loading |
| glob | ^11.0.3 | BlueOak-1.0.0 | File pattern matching |
| uuid | ^9.0.1 | MIT | UUID generation |
| Financial arithmetic (where elected in a Work Order) | |||
| financial-number | ^4.0.4 | WTFPL | Arbitrary-precision financial arithmetic |
| @slingr/financial-arithmetic-functions | latest | WTFPL | Slingr’s financial calculation helpers |
## Frontend stack (peer dependencies)
Solutions that include a web UI use the following peer dependencies, supplied by the application that consumes the framework. The framework does not bundle these; they are installed by the application according to the Work Order. Specific UI components and themes vary by engagement.
| Component | Version range | License | Purpose |
|---|---|---|---|
| react | ^18 \|\| ^19 | MIT | UI library |
| react-dom | ^18 \|\| ^19 | MIT | React DOM renderer |
| @umijs/max | ^4.6.22 | MIT | UmiJS Max application framework |
| antd | ^5.0.0 | MIT | Ant Design component library |
| antd-style | ^3.7.0 | MIT | Ant Design styling utilities |
| @ant-design/icons | ^5.0.0 | MIT | Ant Design icon set |
| @ant-design/pro-components | ^2.0.0 | MIT | Higher-level Ant Design layout / form components |
| @apollo/client | ^4.0.0 | MIT | GraphQL client |
| graphql | ^16.0.0 | MIT | GraphQL reference implementation |
| @monaco-editor/react | ^4.7.0 | MIT | Monaco code editor (used in admin / configuration UIs) |
| dayjs | ^1.11.0 | MIT | Date / time utility |
## Runtime and infrastructure
Solutions ship on the runtime and hosting platform elected in the applicable Work Order. The primary defaults are:
| Component | Version | License / terms | Purpose |
|---|---|---|---|
| Node.js | ≥ 20 LTS | MIT | JavaScript runtime (framework requires Node 20+) |
| npm | ≥ 10 | Artistic-2.0 | Package management |
| TypeScript | ^5.9 | Apache-2.0 | Application language (build-time) |
| PostgreSQL | 14+ (typical) | PostgreSQL License | Primary application database via TypeORM |
| Google Cloud Platform | managed | Google Cloud terms | Default Slingr-managed hosting environment |
| Kubernetes | cloud-managed (GKE) | Apache-2.0 | Container orchestration |
Where a Work Order specifies an alternative cloud provider (AWS, Azure, or Client-managed infrastructure) or an alternative database, the runtime stack reflects that election in the engagement-specific SBOM.
## Third-party services
Solutions may integrate with third-party services that are not open source. These are not part of the SBOM in the strict sense, but are disclosed for completeness. The specific services used in an engagement are identified in the applicable Work Order.
- AI / ML inference — OpenAI, Google Gemini, Anthropic, AWS Bedrock, and similar providers, where the Solution includes AI features.
- Email and messaging — SendGrid, Twilio, AWS SES, and similar providers.
- Identity and authentication — Auth0, Okta, Google Identity, Microsoft Entra ID, where the Solution federates with an external IdP.
- Monitoring and observability — Datadog, Sentry, New Relic, Grafana Cloud, and similar providers.
- Payment processing — Stripe, Adyen, PayPal, and similar providers, where the Solution accepts payments.
## Vulnerability monitoring
Slingr monitors public vulnerability disclosures (CVEs, GitHub Security Advisories, npm audit, the operating-system vendor advisories applicable to the runtime) against the components listed above. Where the managed solution model is elected in a Work Order, Slingr applies security patches in the ordinary course as part of the monthly subscription fee, as described in Schedule 1 §S1.8 of the MSA. Critical vulnerabilities are addressed under the Severity 1 response time in Schedule 1 §S1.10.
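The inventory above declares caret ranges rather than pinned versions, so a range can overlap an advisory's affected versions without the installed version actually being vulnerable; only the exact versions in the engagement-specific SBOM settle that. The script below is an added illustration of that check and is not Slingr's monitoring tooling. It takes a handful of the declared ranges from the tables above, applies npm's caret semantics, and reports which ranges overlap constructed advisory entries (the `CONSTRUCTED-*` identifiers and their affected ranges are made up for the example, not real advisories). A second function evaluates a single pinned version against an affected range, which is the check that matters once a lockfile version is known.

```python
"""Overlap check between declared caret ranges and advisory affected ranges.

Added example; advisories below are constructed, not real CVE/GHSA data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """Parse 'x.y.z' (optional leading 'v', prerelease/build suffix ignored)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", s.strip())
    if not m:
        raise ValueError(f"not a semver version: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def caret_range(spec: str) -> Tuple[Version, Version]:
    """npm caret semantics: ^1.2.3 -> [1.2.3, 2.0.0); ^0.3.26 -> [0.3.26, 0.4.0);
    ^0.0.4 -> [0.0.4, 0.0.5). Upper bound is exclusive."""
    if not spec.startswith("^"):
        raise ValueError("only caret ranges are handled in this example")
    lo = parse_version(spec[1:])
    major, minor, patch = lo
    if major > 0:
        hi: Version = (major + 1, 0, 0)
    elif minor > 0:
        hi = (0, minor + 1, 0)
    else:
        hi = (0, 0, patch + 1)
    return lo, hi


def parse_affected(spec: str) -> Tuple[Version, Version, bool]:
    """Parse an npm-style affected range such as '<9.0.0', '>=5.0.0 <5.3.0'
    or '<=2.0.1' into (lo_inclusive, hi, hi_is_inclusive)."""
    lo: Version = (0, 0, 0)
    hi: Version = (10**9, 0, 0)
    hi_incl = False
    for tok in spec.split():
        m = re.fullmatch(r"(<=|>=|<|>|=)?(.+)", tok)
        op, ver = (m.group(1) or "="), parse_version(m.group(2))
        if op == ">=":
            lo = ver
        elif op == ">":  # approximated as next patch (prereleases ignored)
            lo = (ver[0], ver[1], ver[2] + 1)
        elif op == "<":
            hi, hi_incl = ver, False
        elif op == "<=":
            hi, hi_incl = ver, True
        else:  # exact version
            lo, hi, hi_incl = ver, ver, True
    return lo, hi, hi_incl


def is_affected(version: str, affected: str) -> bool:
    """True if a single pinned version falls inside the affected range."""
    v = parse_version(version)
    lo, hi, hi_incl = parse_affected(affected)
    return lo <= v and (v <= hi if hi_incl else v < hi)


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    affected: str


def find_exposed(inventory: Dict[str, str], advisories: List[Advisory]) -> List[Tuple[str, str]]:
    """Return (package, advisory id) pairs whose declared caret range overlaps the
    affected range. An overlap means the range *may* resolve to a vulnerable
    version; the lockfile version decides."""
    hits = []
    for name, spec in inventory.items():
        d_lo, d_hi = caret_range(spec)
        for adv in advisories:
            if adv.package != name:
                continue
            a_lo, a_hi, a_incl = parse_affected(adv.affected)
            below_upper = d_lo <= a_hi if a_incl else d_lo < a_hi
            if below_upper and a_lo < d_hi:
                hits.append((name, adv.id))
    return hits


# Declared ranges taken from the Standard Inventory tables on this page.
INVENTORY = {
    "jsonwebtoken": "^9.0.2",
    "express": "^5.2.1",
    "typeorm": "^0.3.26",
    "multer": "^2.0.2",
}

# Constructed advisory entries for the example only; not real disclosures.
ADVISORIES = [
    Advisory("CONSTRUCTED-1", "jsonwebtoken", "<9.0.0"),        # entirely below range
    Advisory("CONSTRUCTED-2", "typeorm", ">=0.3.0 <0.3.30"),    # overlaps ^0.3.26
    Advisory("CONSTRUCTED-3", "multer", "<=2.0.1"),             # entirely below range
    Advisory("CONSTRUCTED-4", "express", ">=5.0.0 <5.3.0"),     # overlaps ^5.2.1
]

if __name__ == "__main__":
    for pkg, adv_id in find_exposed(INVENTORY, ADVISORIES):
        print(f"{pkg}: declared range may resolve to a version affected by {adv_id}")
```

Two results fall out of the run: `jsonwebtoken ^9.0.2` and `multer ^2.0.2` are clear because the declared floor is already above the affected range, while `typeorm ^0.3.26` and `express ^5.2.1` overlap and need the pinned version from the engagement SBOM (`is_affected("0.3.31", ">=0.3.0 <0.3.30")` is false, for instance) before they can be closed out or patched.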
## How to request an engagement-specific SBOM
Each Client’s engagement-specific Software Bill of Materials, reflecting the exact components and versions deployed in that engagement, is delivered as part of the transition package under Section 11 of the MSA. Clients may also request a snapshot at any time during the engagement, in a standard format (CycloneDX or SPDX, on request), by writing to security@slingr.io.
## Reporting a concern
To report a vulnerability, a license question, or any other concern regarding a component listed in this inventory, contact security@slingr.io. Slingr acknowledges receipt within a commercially reasonable time and investigates as appropriate.