depcheck is a tool that helps you to find unused dependencies in your project. It scans your project files and identifies which dependencies are not being used, which can help you to clean up your package.json file and reduce the size of your project.
Check for unused dependencies
This feature allows you to check for unused dependencies in your project. You can specify options to ignore certain directories or dependencies that match specific patterns.
const depcheck = require('depcheck');
const options = {
ignoreDirs: [
'sandbox',
'dist',
'bower_components'
],
ignoreMatches: [
'grunt-*'
]
};
depcheck('/path/to/your/project', options, (unused) => {
console.log(unused.dependencies); // an array containing the unused dependencies
console.log(unused.devDependencies); // an array containing the unused devDependencies
});Check for missing dependencies
This feature allows you to check for dependencies that are used in your project but are not listed in your package.json file.
const depcheck = require('depcheck');
depcheck('/path/to/your/project', {}, (unused) => {
console.log(unused.missing); // a lookup containing the dependencies missing in package.json but used in the code
});Check for invalid files
This feature allows you to identify files in your project that could not be parsed, which might indicate issues with those files.
const depcheck = require('depcheck');
depcheck('/path/to/your/project', {}, (unused) => {
console.log(unused.invalidFiles); // a lookup containing the files that could not be parsed
});npm-check is a similar tool that checks for outdated, incorrect, and unused dependencies. It provides a more interactive experience compared to depcheck, allowing you to update and uninstall packages directly from the command line.
dependency-check is another tool that checks for missing or unused dependencies. It is more focused on ensuring that all dependencies are correctly listed in your package.json file, rather than identifying unused dependencies.
madge is a tool that provides a visual representation of your project's dependency graph. While it does not specifically focus on unused dependencies, it can help you understand the structure of your project and identify potential issues.
Depcheck is a tool to analysis the dependencies in a project, and figures out which dependencies are useless, which dependencies are missing in package.json, how does each dependencies is used.
grunt.tasks.loadNpmTasks call.npm install depcheck -g
Notice: depcheck needs node.js >= 0.12.
depcheck [directory] [arguments]
The directory argument is the root directory of your project (where the package.json file is). It will be the current directory when not specified.
All the arguments are optional:
--dev=[true|false]: A flag indicates if depcheck looks at devDependencies. By default, it is true. It means, depcheck looks at both dependencies and devDependencies.
--ignore-bin-package=[true|false]: A flag indicates if depcheck ignores the packages containing bin entry. The default value is true.
--json: Output results to JSON. When not specified, depcheck outputs in human friendly format.
--ignores: A comma separated array containing package names to ignore. It can be glob expressions. Example, --ignores=eslint,babel.
--ignores-dirs: A comma separated array containing directory names to ignore. Example, --ignore-dirs=dist,coverage.
--help: Show the help message.
--parsers, --detectors and --specials: These arguments are for advanced usage. They provide an easy way to customize the file parser and dependency detection. Check the pluggable design document for more information.
Similar options are provided to depcheck function for programming.
import depcheck from 'depcheck';
const options = {
withoutDev: false, // check against devDependencies
ignoreBinPackage: false, // ignore the packages with bin entry
ignoreDirs: [ // folder with these names will be ignored
'sandbox',
'dist',
'bower_components'
],
ignoreMatches: [ // ignore dependencies that matches these globs
'grunt-*'
],
parsers: { // the target parsers
'**/*.js': depcheck.parser.es6,
'**/*.jsx': depcheck.parser.jsx
},
detectors: [ // the target detectors
depcheck.detector.requireCallExpression,
depcheck.detector.importDeclaration
],
specials: [ // the target special parsers
depcheck.special.eslint,
depcheck.special.webpack
],
};
depcheck('/path/to/your/project', options, (unused) => {
console.log(unused.dependencies); // an array containing the unused dependencies
console.log(unused.devDependencies); // an array containing the unused devDependencies
console.log(unused.missing); // an array containing the dependencies missing in `package.json`
console.log(unused.using); // a lookup indicating each dependency is used by which files
console.log(unused.invalidFiles); // files that cannot access or parse
console.log(unused.invalidDirs); // directories that cannot access
});
The following example checks the dependencies under /path/to/my/project folder.
$> depcheck /path/to/my/project
Unused dependencies
* underscore
Unused devDependencies
* jasmine
Missing dependencies
* lodash
It figures out:
underscore is declared in the package.json file, but not used by any code.jasmine is declared in the package.json file, but not used by any code.lodash is used somewhere in the code, but not declared in the package.json file.Please note that, if a subfolder has a package.json file, it is considered another project and should be checked with another depcheck command.
The following example checks the same project, however, outputs as a JSON blob. Depcheck's JSON output is in one single line for easy pipe and computation. The json command after the pipe is a node.js program to beautify the output.
$> depcheck /path/to/my/project --json | json
{
"dependencies": [
"underscore"
],
"devDependencies": [
"jasmine"
],
"missing": {
"lodash": [
"/path/to/my/project/file.using.lodash.js"
]
},
"using": {
"react": [
"/path/to/my/project/file.using.react.jsx",
"/path/to/my/project/another.file.using.react.jsx"
],
"lodash": [
"/path/to/my/project/file.using.lodash.js"
]
},
"invalidFiles": {
"/path/to/my/project/file.having.syntax.error.js": "SyntaxError: <call stack here>"
},
"invalidDirs": {
"/path/to/my/project/folder/without/permission": "Error: EACCES, <call stack here>"
}
}
dependencies, devDependencies and missing properties have the same meanings in the previous example.using property is a lookup indicating each dependency is used by which files.missing and using lookup is an array. It means the dependency may be used by many files.invalidFiles property contains the files having syntax error or permission error. The value is the error details. However, only one error is stored in the lookup.invalidDirs property contains the directories having permission error. The value is the error details.Depcheck just walks through all files and try to figure out the dependencies according to some predefined rules. However, the predefined rules may not enough or even be wrong.
There may be some cases that, a dependency is using but reported as unused, or a dependency is not used but reported as missing. These are false alert situations.
If you find that depcheck is reporting a false alert, please open an issue with the following information to let us know:
depcheck --json command. Beautified JSON is better.MIT License.
FAQs
Check dependencies in your node module
The npm package depcheck receives a total of 438,706 weekly downloads. As such, depcheck popularity was classified as popular.
We found that depcheck demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.
Research
Security News
Socket researchers have discovered multiple malicious npm packages targeting Solana private keys, abusing Gmail to exfiltrate the data and drain Solana wallets.