deslop/unused-dependency

Flags a package.json dependencies entry as an unused dependency when no scanned source file imports it (deslop detectStalePackages, UnusedDependency name/isDevDependency=false).

  • Category: Dead Code
  • Severity: warn
  • Source: deslop-js
  • Framework: global
  • Enabled when: react-doctor deadCode analysis enabled (default true); whole-project scan only — skipped in --diff/--staged modes
  • Documentation: https://github.com/millionco/deslop-js

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires from deslop's detectStalePackages when a name in package.json "dependencies" (isDevDependency=false) matches no import specifier across the graph (collectUsedPackages reads each module's imports) AND survives every rescue pass:

  • it is not in the always-used set (@types/*, babel-/postcss-/vite-plugin-/rollup-plugin- companions, *-loader, framework peers);
  • it is not peer-satisfied;
  • the raw-text scanSourceFilesForPackageImports pass found no static import/require specifier for it.

False positive:

  • the package is loaded at runtime through a path the text scan cannot see because matchesPackageImportReference only matches static string/template-prefix specifiers (a dynamic import() or require() whose package name is built from a variable);
  • it is a side-effect/polyfill import (import "the-pkg/register") relied on purely for effects;
  • it is a peer truly needed transitively but absent from node_modules.

Note that package.json scripts, config files, tsconfig, and nx project.json are ALREADY rescued, so the only config-related residue worth keeping is a build/loader reference living in a directory outside both the import graph and those scanners.
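Added example (not deslop's code): a simplified sketch of why a static-specifier text scan reports a dynamically loaded package as unused, and how to list the call sites that need manual review before removal. All function names, package names and files are hypothetical or constructed, and the rescue passes described above are omitted.

```javascript
// Added sketch: NOT deslop's code. All function names here are hypothetical.

// "core-js/stable" -> "core-js", "@acme/ui/button" -> "@acme/ui"
function packageNameOf(specifier) {
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Static string-literal specifiers: from "x", import "x", import("x"), require("x")
const STATIC_SPEC = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(["'])([^"'\s]+)\1/g;

// require(...) / import(...) whose argument is not a quoted literal
const DYNAMIC_CALL = /\b(?:require|import)\s*\(\s*(?!["'])[^)]*\)/;

function unusedDependencies(pkgJson, sources) {
  const used = new Set();
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(STATIC_SPEC)) {
      // Skip relative and absolute paths; only bare specifiers name packages
      if (!/^[.\/]/.test(m[2])) used.add(packageNameOf(m[2]));
    }
  }
  return Object.keys(pkgJson.dependencies || {}).filter((n) => !used.has(n));
}

// Call sites a reviewer must read by hand before trusting an "unused" result
function dynamicLoadSites(sources) {
  const sites = [];
  for (const [file, text] of Object.entries(sources)) {
    text.split("\n").forEach((line, i) => {
      if (DYNAMIC_CALL.test(line)) sites.push(`${file}:${i + 1}`);
    });
  }
  return sites;
}

// Constructed sample project (package names and files are illustrative)
const SAMPLE_PKG = {
  dependencies: { "left-pad": "1", "@acme/ui": "2", "pino-pretty": "11", "core-js": "3", moment: "2" },
};
const SAMPLE_SOURCES = {
  "src/index.js": 'import "core-js/stable";\nimport { Button } from "@acme/ui/button";\nconst pad = require("left-pad");',
  "src/log.js": 'const transport = process.env.LOG_FMT || "pino-pretty";\nconst fmt = require(transport);',
};

console.log(unusedDependencies(SAMPLE_PKG, SAMPLE_SOURCES)); // [ 'pino-pretty', 'moment' ]
console.log(dynamicLoadSites(SAMPLE_SOURCES)); // [ 'src/log.js:2' ]
```

Here pino-pretty is a false positive (src/log.js:2 loads it through a variable), while moment has no reference of any kind and is a real finding.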

Fix prompt

Use this once validation confirms the diagnostic is real.

Confirm nothing imports it: grep the repo for the bare name and for dynamic require("pkg")/import("pkg") built from variables; if genuinely dead, remove it from package.json dependencies (pnpm remove pkg) and re-lock. If it is loaded via a string/dynamic path, add a static import or a /* used by ... */ note so the link is visible; if it is pulled in purely for side effects, keep an explicit import "pkg" so the reference exists; if it is really a build/test tool, move it to devDependencies. Unused dependencies inflate install time, lockfile size, and supply-chain surface for no benefit. See https://docs.npmjs.com/cli/v10/configuring-npm/package-json#dependencies