deslop/unused-dev-dependency

Flag a devDependencies entry (isDevDependency=true) never imported by any scanned source file.

  • Category: Dead Code
  • Severity: warn
  • Source: deslop-js
  • Framework: global
  • Enabled when: react-doctor deadCode analysis enabled (default true); whole-project scan only — skipped in --diff/--staged modes
  • Documentation: https://github.com/millionco/deslop-js

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires from deslop's detectStalePackages when a package.json devDependencies key (UnusedDependency with isDevDependency=true) is never seen as an import across the built module graph or rescued by a final source-file import rescan — note the finding carries only name and isDevDependency, with no reason or trace, so the package name is your sole signal. The detector already excludes a large set: the IMPLICIT_DEPENDENCIES allowlist (typescript, eslint, prettier, husky, lint-staged, tsx, webpack, etc.), prefix/suffix patterns (@types/, eslint-plugin-, vite-plugin-, postcss-, *-loader), and anything referenced in package.json scripts, eslint/prettier/tsconfig/nx config, peer deps, or bin entries. False positive to suppress: a build/CI/tooling dev dependency that the scan simply does not traverse — e.g. a plugin loaded by string name in an untraversed config (a custom jest/babel transformer, a commit hook, a GitHub Actions or Dockerfile-invoked CLI, a generator consumed only at codegen time) — which is genuinely required even though no source file imports it.

Fix prompt

Use this once validation confirms the diagnostic is real.

Confirm the package is truly dead before removing: ripgrep the whole repo for its name across source AND config/CI (rg -F "pkg-name" plus a check of scripts, .github/workflows, Dockerfile, *.config.*, .husky), and if nothing references it run pnpm remove -D pkg-name (or npm/yarn equivalent) to drop the devDependencies entry and prune the lockfile. If it is invoked indirectly (a config plugin, a script-only CLI, a transformer named as a string), keep it and instead make the use discoverable — reference it explicitly in a package.json script or a config file the scan reads — so the finding stops firing. Carrying unused devDependencies bloats install time and lockfile surface and invites supply-chain risk. See https://github.com/millionco/deslop-js
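
The repo-wide check described above, as an added example (not part of deslop-js or react-doctor): a Node.js helper that lists every reference to a package outside its devDependencies declaration and the lockfiles, labelled by where it was found. The function names and the packages acme-codegen and left-over are constructed for illustration.

```javascript
const SKIP_DIRS = new Set(["node_modules", ".git"]);
const LOCKFILES = new Set(["pnpm-lock.yaml", "package-lock.json", "yarn.lock"]);
// Locations the fix prompt names, matched against the repo-relative path.
const KINDS = [[/^\.github\/workflows\//, "ci-workflow"], [/^\.husky\//, "commit-hook"],
  [/(^|\/)Dockerfile[^/]*$/, "dockerfile"], [/\.config\.[^./]+$/, "config"]];
const classify = (rel) => (KINDS.find(([re]) => re.test(rel)) || [null, "other"])[1];

// files: Map of repo-relative path -> text. Fixed-string match like `rg -F`, so read each hit.
function findReferences(pkgName, files) {
  const hits = [];
  for (const [rel, text] of files) {
    const base = rel.split("/").pop();
    if (LOCKFILES.has(base)) continue; // a lockfile always names the package
    if (base === "package.json") {
      // The devDependencies key is the declaration, not a use: check scripts only.
      let scripts = {};
      try { scripts = JSON.parse(text).scripts || {}; } catch { /* unparsable manifest */ }
      for (const [name, cmd] of Object.entries(scripts))
        if (String(cmd).includes(pkgName)) hits.push({ file: rel, kind: "script", where: name });
      continue;
    }
    text.split("\n").forEach((line, i) => {
      if (line.includes(pkgName)) hits.push({ file: rel, kind: classify(rel), where: i + 1 });
    });
  }
  return hits;
}

// Load a checkout into that Map shape, skipping vendored and VCS directories.
async function readRepo(root, dir = "", out = new Map()) {
  const fs = await import("node:fs");
  for (const e of fs.readdirSync(dir ? `${root}/${dir}` : root, { withFileTypes: true })) {
    const rel = dir ? `${dir}/${e.name}` : e.name;
    if (e.isDirectory()) { if (!SKIP_DIRS.has(e.name)) await readRepo(root, rel, out); }
    else if (e.isFile()) out.set(rel, fs.readFileSync(`${root}/${rel}`, "utf8"));
  }
  return out;
}

// Constructed sample: "acme-codegen" is run only from CI, "left-over" nowhere.
const SAMPLE = new Map([
  ["package.json", JSON.stringify({ scripts: { build: "tsc" },
    devDependencies: { "acme-codegen": "1.0.0", "left-over": "2.0.0" } })],
  ["pnpm-lock.yaml", "acme-codegen@1.0.0:\nleft-over@2.0.0:\n"],
  [".github/workflows/ci.yml", "steps:\n  - run: npx acme-codegen --check\n"],
  ["src/index.ts", "export const x = 1;\n"],
]);
for (const pkg of ["acme-codegen", "left-over"])
  console.log(pkg, findReferences(pkg, SAMPLE).length ? "keep" : "remove");
```

On a real checkout, call findReferences(name, await readRepo(".")): an empty result corresponds to the remove case, and any hit corresponds to the keep-and-make-discoverable case.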