Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
depcheck is a tool that helps you to find unused dependencies in your project. It scans your project files and identifies which dependencies are not being used, which can help you to clean up your package.json file and reduce the size of your project.
Check for unused dependencies
This feature allows you to check for unused dependencies in your project. You can specify options to ignore certain directories or dependencies that match specific patterns.
const depcheck = require('depcheck');
const options = {
ignoreDirs: [
'sandbox',
'dist',
'bower_components'
],
ignoreMatches: [
'grunt-*'
]
};
depcheck('/path/to/your/project', options, (unused) => {
console.log(unused.dependencies); // an array containing the unused dependencies
console.log(unused.devDependencies); // an array containing the unused devDependencies
});
Check for missing dependencies
This feature allows you to check for dependencies that are used in your project but are not listed in your package.json file.
const depcheck = require('depcheck');
depcheck('/path/to/your/project', {}, (unused) => {
console.log(unused.missing); // a lookup containing the dependencies missing in package.json but used in the code
});
Check for invalid files
This feature allows you to identify files in your project that could not be parsed, which might indicate issues with those files.
const depcheck = require('depcheck');
depcheck('/path/to/your/project', {}, (unused) => {
console.log(unused.invalidFiles); // a lookup containing the files that could not be parsed
});
npm-check is a similar tool that checks for outdated, incorrect, and unused dependencies. It provides a more interactive experience compared to depcheck, allowing you to update and uninstall packages directly from the command line.
dependency-check is another tool that checks for missing or unused dependencies. It is more focused on ensuring that all dependencies are correctly listed in your package.json file, rather than identifying unused dependencies.
madge is a tool that provides a visual representation of your project's dependency graph. While it does not specifically focus on unused dependencies, it can help you understand the structure of your project and identify potential issues.
Depcheck is a tool for analyzing the dependencies in a project to see: how each dependency is used, which dependencies are useless, and which dependencies are missing from package.json
.
npm install -g depcheck
Or simply using npx which is a package runner bundled in npm
:
$ npx depcheck
Notice: depcheck needs node.js >= 10.
Depcheck not only recognizes the dependencies in JavaScript files, but also supports these syntaxes:
typescript
dependency)@vue/compiler-sfc
dependency)To get the syntax support by external dependency, please install the corresponding package explicitly. For example, for TypeScript user, install depcheck with typescript
package:
npm install -g depcheck typescript
The special component is used to recognize the dependencies that are not generally used in the above syntax files. The following scenarios are supported by specials:
babel
- Babel presets and pluginsbin
- Dependencies used in npm commands, Travis scripts or other CI scriptscommitizen
- Commitizen configuration adaptoreslint
- ESLint configuration presets, parsers and pluginsfeross-standard
- Feross standard format parsergatsby
- Gatsby configuration parsergulp-load-plugins
- Gulp-load-plugins lazy loaded pluginshusky
- Husky configuration parseristanbul
- Istanbul nyc configuration extensionsjest
- Jest properties in Jest Configurationkarma
- Karma configuration frameworks, browsers, preprocessors and reporterslint-staged
- Lint-staged configuration parsermocha
- Mocha explicit required dependenciesprettier
- Prettier configuration moduletslint
- TSLint configuration presets, parsers and pluginsttypescript
- ttypescript transformerswebpack
- Webpack loadersserverless
- Serverless pluginsThe logic of a special is not perfect. There might be false alerts. If this happens, please open an issue for us.
depcheck [directory] [arguments]
The directory
argument is the root directory of your project (where the package.json
file is). If unspecified, defaults to current directory.
All of the arguments are optional:
--ignore-bin-package=[true|false]
: A flag to indicate if depcheck ignores the packages containing bin entry. The default value is false
.
--skip-missing=[true|false]
: A flag to indicate if depcheck skips calculation of missing dependencies. The default value is false
.
--json
: Output results in JSON. When not specified, depcheck outputs in human friendly format.
--oneline
: Output results as space separated string. Useful for copy/paste.
--ignores
: A comma separated array containing package names to ignore. It can be glob expressions. Example, --ignores="eslint,babel-*"
.
--ignore-dirs
: DEPRECATED, use ignore-patterns instead. A comma separated array containing directory names to ignore. Example, --ignore-dirs=dist,coverage
.
--ignore-path
: Path to a file with patterns describing files to ignore. Files must match the .gitignore spec. Example, --ignore-path=.eslintignore
.
--ignore-patterns
: Comma separated patterns describing files to ignore. Patterns must match the .gitignore spec. Example, --ignore-patterns=build/Release,dist,coverage,*.log
.
--quiet
: Suppress the "No depcheck issue" log. Useful in a monorepo with multiple packages to focus only on packages with issues.
--help
: Show the help message.
--parsers
, --detectors
and --specials
: These arguments are for advanced usage. They provide an easy way to customize the file parser and dependency detection. Check the pluggable design document for more information.
--config=[filename]
: An external configuration file (see below).
Depcheck can be used with an rc configuration file. In order to do so, create a .depcheckrc file in your project's package.json folder, and set the CLI keys in YAML, JSON, and JavaScript formats.
For example, the CLI arguments --ignores="eslint,babel-*" --skip-missing=true
would turn into:
.depcheckrc
ignores: ["eslint", "babel-*"]
skip-missing: true
Important: if provided CLI arguments conflict with configuration file ones, the CLI ones will take precedence over the rc file ones.
The rc configuration file can also contain the following extensions: .json
, .yaml
, .yml
.
Similar options are provided to depcheck
function for programming:
import depcheck from 'depcheck';
const options = {
ignoreBinPackage: false, // ignore the packages with bin entry
skipMissing: false, // skip calculation of missing dependencies
ignorePatterns: [
// files matching these patterns will be ignored
'sandbox',
'dist',
'bower_components',
],
ignoreMatches: [
// ignore dependencies that matches these globs
'grunt-*',
],
parsers: {
// the target parsers
'**/*.js': depcheck.parser.es6,
'**/*.jsx': depcheck.parser.jsx,
},
detectors: [
// the target detectors
depcheck.detector.requireCallExpression,
depcheck.detector.importDeclaration,
],
specials: [
// the target special parsers
depcheck.special.eslint,
depcheck.special.webpack,
],
package: {
// may specify dependencies instead of parsing package.json
dependencies: {
lodash: '^4.17.15',
},
devDependencies: {
eslint: '^6.6.0',
},
peerDependencies: {},
optionalDependencies: {},
},
};
depcheck('/path/to/your/project', options).then((unused) => {
console.log(unused.dependencies); // an array containing the unused dependencies
console.log(unused.devDependencies); // an array containing the unused devDependencies
console.log(unused.missing); // a lookup containing the dependencies missing in `package.json` and where they are used
console.log(unused.using); // a lookup indicating each dependency is used by which files
console.log(unused.invalidFiles); // files that cannot access or parse
console.log(unused.invalidDirs); // directories that cannot access
});
The following example checks the dependencies under /path/to/my/project
folder:
$> depcheck /path/to/my/project
Unused dependencies
* underscore
Unused devDependencies
* jasmine
Missing dependencies
* lodash
It figures out:
underscore
is declared in the package.json
file, but not used by any code.jasmine
is declared in the package.json
file, but not used by any code.lodash
is used somewhere in the code, but not declared in the package.json
file.Please note that, if a subfolder has a package.json
file, it is considered another project and should be checked with another depcheck command.
The following example checks the same project, however, outputs as a JSON blob. Depcheck's JSON output is in one single line for easy pipe and computation. The json
command after the pipe is a node.js program to beautify the output.
$> depcheck /path/to/my/project --json | json
{
"dependencies": [
"underscore"
],
"devDependencies": [
"jasmine"
],
"missing": {
"lodash": [
"/path/to/my/project/file.using.lodash.js"
]
},
"using": {
"react": [
"/path/to/my/project/file.using.react.jsx",
"/path/to/my/project/another.file.using.react.jsx"
],
"lodash": [
"/path/to/my/project/file.using.lodash.js"
]
},
"invalidFiles": {
"/path/to/my/project/file.having.syntax.error.js": "SyntaxError: <call stack here>"
},
"invalidDirs": {
"/path/to/my/project/folder/without/permission": "Error: EACCES, <call stack here>"
}
}
dependencies
, devDependencies
and missing
properties have the same meanings in the previous example.using
property is a lookup indicating each dependency is used by which files.missing
and using
lookup is an array. It means the dependency may be used by many files.invalidFiles
property contains the files having syntax error or permission error. The value is the error details. However, only one error is stored in the lookup.invalidDirs
property contains the directories having permission error. The value is the error details.Depcheck just walks through all files and tries to find the dependencies according to some predefined rules. However, the predefined rules may not be enough or may even be wrong.
There may be some cases in which a dependency is being used but is reported as unused, or a dependency is not used but is reported as missing. These are false alert situations.
If you find that depcheck is reporting a false alert, please open an issue with the following information to let us know:
depcheck --json
command. Beautified JSON is better.We use the GitHub release page to manage changelog.
This project exists thanks to all the people who contribute. [Contribute].
Become a financial contributor and help us sustain our community. [Contribute]
Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]
MIT License.
FAQs
Check dependencies in your node module
We found that depcheck demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.