dependency-check

Unused devDependencies

Open christianbundy opened this issue 5 years ago • 9 comments

Hi. I'm using some modules for tests, and Dependency-Check keeps throwing errors:

Fail! Modules in package.json not used in code: cont, json-buffer, tape

How can I identify which files are dev-only files vs which are being deployed to production? Here's a relevant bit from my package.json:

{
  "main": "index.js",
  "directories": {
    "test": "test"
  }
}

Does Dependency-Check have some way that I can identify which modules have dependencies and which have devDependencies? Thanks!

christianbundy, Sep 10 '20 16:09

funny seeing you here :laughing:

mixmix, Sep 28 '20 00:09

:~)

I'm using depcheck now and I'd recommend it. On one hand, it's less minimalist... but on the other hand, it's less minimalist.

https://github.com/depcheck/depcheck

christianbundy, Sep 28 '20 00:09

Sorry for missing this issue. You can use --no-dev to ignore all dev dependencies, or the --ignore-module module-name / -i module-name to ignore a specific module.

In your case -i cont -i json-buffer -i tape would ignore those three.

Also possible to use wildcards, like -i @types/* to ignore all @types/ modules.

voxpelli, Sep 28 '20 09:09

@voxpelli Thanks for the feedback! That's what I've been using as a workaround, but is there a way to automatically set this? These dependencies are only used in my test/ directory, which is identified in package.json (http://wiki.commonjs.org/wiki/Packages/1.0#Optional_Fields), but dependency-check doesn't automatically treat those files differently than production dependencies.

christianbundy, Sep 28 '20 16:09

I think this is the challenge I was facing. It was saying some deps were unused - e.g. tape, scuttle-testbot. But these were in fact being used in the test folder. I just had to turn off checking dev deps, which felt bad because now I can't guarantee that the test setup has the deps it needs. But at least production deps are covered.

mixmix, Sep 29 '20 19:09

@mixmix Have you specified that it should look among the tests then?

voxpelli, Sep 29 '20 20:09

I am not sure? I copied the auto check example about checking before npm publish and assumed that would be a default that would work well with all node projects, including those with tests (as mafintosh wrote it!)

mixmix, Sep 29 '20 21:09

([ "$1" != "publish" ] || dependency-check .) && command npm "$@"

This runs dependency-check . – there are more options than that and I'm not sure whether that's still the setup that @mafintosh uses.

I myself use husky to run dependency-check: https://github.com/voxpelli/node-connect-pg-simple/blob/1b4784d2969c80ce28a4289901a8434e264926a7/package.json#L25

voxpelli, Oct 09 '20 09:10

As for the directories, none of them are added by default at the moment: https://github.com/dependency-check-team/dependency-check/blob/d22bc2dba44e4c28fb63d77bf2c9911ca8310f72/index.js#L221-L248

Adding them as default would be a breaking change now, but maybe something for the next major version.

voxpelli, Oct 09 '20 09:10
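A simplified model of the behaviour discussed in this thread, added here as an example; it is not code from the thread or from dependency-check itself. It shows why modules required only under test/ are reported as unused when checking starts from the main entry alone, and how ignoring devDependencies differs from also scanning the test files. The project contents, the `*` version ranges and all function names are constructed for illustration.

```javascript
// Constructed sample project (path -> source); not taken from the thread.
const files = {
  'index.js': "const pull = require('pull-stream')\nrequire('./lib/codec')",
  'lib/codec.js': "module.exports = require('pull-stream/throughs')",
  'test/index.js': "require('tape'); require('cont'); require('json-buffer'); require('../index')",
};
const pkg = {
  main: 'index.js',
  dependencies: { 'pull-stream': '*' },
  devDependencies: { cont: '*', 'json-buffer': '*', tape: '*' },
};

// 'pull-stream/throughs' -> 'pull-stream', '@scope/pkg/x' -> '@scope/pkg'
const packageName = (s) => s.split('/').slice(0, s.startsWith('@') ? 2 : 1).join('/');

// Resolve a relative require against the requiring file, inside `files`.
function resolveLocal(from, spec) {
  const stack = from.split('/').slice(0, -1);
  for (const seg of spec.split('/')) {
    if (seg === '..') stack.pop();
    else if (seg !== '.') stack.push(seg);
  }
  const base = stack.join('/');
  return [base, base + '.js', base + '/index.js'].find((p) => files[p] !== undefined);
}

// Walk the require graph from `entries`; return the package names reached.
function usedPackages(entries) {
  const seen = new Set(), used = new Set(), queue = [...entries];
  while (queue.length) {
    const file = queue.pop();
    if (!file || seen.has(file)) continue; // unresolved or already visited
    seen.add(file);
    for (const [, spec] of files[file].matchAll(/require\(\s*['"]([^'"]+)['"]\s*\)/g)) {
      if (!spec.startsWith('.')) used.add(packageName(spec));
      else queue.push(resolveLocal(file, spec));
    }
  }
  return used;
}

// Declared modules never reached from `entries`; dev=false models ignoring devDependencies.
function unused(entries, { dev = true } = {}) {
  const used = usedPackages(entries);
  const declared = { ...pkg.dependencies, ...(dev ? pkg.devDependencies : {}) };
  return Object.keys(declared).filter((name) => !used.has(name));
}
console.log(unused([pkg.main]));                  // main entry only
console.log(unused([pkg.main], { dev: false }));  // devDependencies ignored
console.log(unused([pkg.main, 'test/index.js'])); // test file added as an entry
```

Ignoring devDependencies silences the report without checking them, while adding the test file as an entry keeps them checked, which is the trade-off mixmix describes.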