Hi, and first of all thanks for a great piece of code.

Have you considered adding support for ES6 files – run via babel or traceur?

It should be as simple as looking for import .+ from "<dependency>(/.+)?"; as well as require\("<dependency>(/.+)?"\);.

Something like

Unused Dependencies
* express
* connect

Unused devDependencies
* mocha
* jasmine

I know it's kind of the inverse of what it does right now, but I was just wondering if you'd be open to having this kind of functionality added to depcheck.

There is a separate tool that already does this (dependency-check), but it doesn't support ES6 syntax yet. Depcheck may have better infrastructure ready to cover both cases.

And by the way - this is a great tool, thanks for all your work on it.

• Peer dependencies
• Optional dependencies

The peer and optional dependencies may not work when host dep is scoped package. If open an issue if you get into that trouble.

In package.json:

  "main": "bin/depcheck",
  "bin": {
    "depcheck": "bin/depcheck"
  },

Main should point to index.

False positives are reported when having done a dedupe. Would be nice to have an option to exclude deduped packages.

$ devdep in a directory that has a package.json should just assume by default that's the directory you care about and not require a path.

depcheck doesn't appear to take into account files without a .js extension but that contain a node shebang (eg #!/usr/bin/env node). Example:

$ tree -L 1
.
├── executable
├── node_modules
└── package.json

1 directory, 2 files

$ cat package.json
{
    "dependencies": {
        "through": "latest"
    }
}

$ cat executable
#!/usr/bin/env node
var through = require("through");

$ depcheck
Unused Dependencies
* through

Renaming executable to executable.js resolves the problem, though.

Reference issue: dylang/npm-check#22

Reference document: http://mochajs.org/#mocha-opts

From the source code, there are two bullets:

• The default value could be test/mocha.opts
• User could specify the file via --opts argument.

package.json:

"dependencies": {
  "bootstrap-sass": "^3.3.6",
  "font-awesome": "^4.5.0",
}

styles.scss:

@import "node_modules/bootstrap-sass/assets/stylesheets/bootstrap";
@import "node_modules/font-awesome/scss/font-awesome.scss";

depcheck:

Unused Dependencies
* bootstrap-sass
* font-awesome

Proposal with --debug-performance parameter, it calculates how much time on each file for process (parse, detect). With such information, we can find out where the bottleneck is.

• Local performance debugging
• Test and CI for performance
• Custom real time performance debug parameter
• Others?

Reference: #100

I am using scoped packages and depcheck is telling me that I have both unused dependencies and devDependencies.

https://docs.npmjs.com/misc/scope

The with-dev parameter makes with missing dependencies results being wrong.

• deprecate it in 0.6.x
• remove it from 0.7.x 👉 tracked by #117

From @lijunle on September 26, 2015 14:28

Currently, depCheck looks for all files under directory to get dependency result.

Some strategies can be used to optimize the performance:

1. First, it get packages from a part of files, compare with declaring packages.
2. If all declaring packages are used, stop reading files. Return everything is good. ✅
3. If not all declaring packages are used, continue the step 1.
4. If all files are searched, but there are some declaring packaged not fulfilled, show them as unused. ❌

Concretely, it need to convert the promise queue in checkDirectory to Array<Func<Promise>> queue. The promises are triggered only then function is invoked.

Copied from original issue: lijunle#49

returns https://github.com/depcheck/depcheck#usage

get arguments always need to look at the document you want to support the more convenient

seems like it detects all my client-side dependences as unused as they have a different entry point which isn't defined in main. also, our grunt dependencies are not included either. can we have an option to manually input multiple entry points?

Right now depcheck walks every directory except node_modules

finder.on("directory", function (dir) {
    if (path.basename(dir) === "node_modules") {
      return;
    }
    directories.push(dir);
  });

It would be helpful if we could provide an array of directories to ignore so we could avoid scanning our build directory which happens to be huge.

For example

depcheck(root, {
    ignoreDirs: [ 
        // node_modules is assumed
        'build',
        'bower_components'
    ]  
    }, cb);

if (typeof String.prototype.startsWith !== "function") {
  String.prototype.startsWith = function (str) {
    return this.slice(0, str.length) === str;
  };
}

This means you are changing how string works for all code that depends on your code.

It would be prefered to use a function or something like underscore.string. https://github.com/epeli/underscore.string

I'm not sure if this is related, but a co-worker is seeing this:

depcheck/index.js:95
      if (usedDependency === definedDependency || usedDependency.startsWith(de
                                                                 ^
TypeError: Object 11 has no method 'startsWith'
    at node_modules/npm-check/node_modules/depcheck/index.js:95:66

Need to update .npmignore file.

https://www.npmjs.com/package/depcheck

Found while running CI test, refer to this.

I'm running into an issue where files in subdirectories aren't correctly checked (at least for peerDependancies) for require statements

Quick test:

./package.json and npm install

{
  "name": "test-dep",
  "version": "1.0.0",
  "description": "test peerdeps",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "devDependencies": {
    "css-modules-require-hook": "^2.1.0",
    "postcss-modules-extract-imports": "^1.0.0",
    "postcss-modules-local-by-default": "^1.0.0",
    "postcss-modules-scope": "^1.0.0",
    "postcss-modules-values": "^1.1.1"
  }
}

./entry.js

require('css-modules-require-hook');

Running depcheck:

No unused dependencies

Working as intended

Breaks:

make a folder test/ and move entry.js there:

$ mkdir test && mv entry.js test

Running depcheck:

Unused devDependencies

• postcss-modules-extract-imports
• postcss-modules-local-by-default
• postcss-modules-scope
• postcss-modules-values

Debug info:

$ npm --version
3.3.12
$ node --version
v5.1.0

depcheck is latest installed with npm install -g depcheck

Is this desired behavior? Quick look at the folder scanning, it seems to be going into (sub)directories unless they're ignored.

Commitizen is a tool for enforcing style of git commit messages, it's quite useful. However, npm-check is giving me a hard time about unused dependencies.

test-cz       😕  NOTUSED?  Possibly never referenced in the code.
                            npm uninstall --save-dev test-cz to remove.

My package.json looks like this:

{
  "devDependencies": {
    "test-cz": "^0.1.0"
  },
  "config": {
    "commitizen": {
      "path": "./node_modules/test-cz"
    }
  }

From @lijunle on September 19, 2015 21:20

Webpack loaders are a special way to "load" code into webpack.

There are two syntax to use webpack loader:

• Via require function
• Via webpack config file

Copied from original issue: lijunle#14

There are several syntaxes about Webpack loaders:

• The require calls. (example) [3]
• CLI --module-bind options. (example) [2]
• Configuration properties.
  • Single loader in module.loaders.loader string (example) [1]
  • Multiple loaders concatenated with ! in module.loaders.loader string (example) [1]
  • Multiple loaders in module.loaders.loaders array (example) [1]
  • Loader with queries in module.loaders.loader string (example) [1]

Other considerations about loader:

• Configuration file requires other module or references global variables. [2]
• Loader can be used in module.loaders, module.preLoaders and module.postLoaders [1]
• Configuration will be set inside node.js API call. (example) [3]
• The configuration file can be specified from CLI via --config option. The default configuration file webpack.config.js will be leveraged if not specified. [2]
• It is possible to pass multiple configurations. [3]
• Loader naming convention is specified via resolveLoader.moduleTemplates setting in configuration file. Default is ["*-webpack-loader", "*-web-loader", "*-loader", "*"]. [2]

Notes:

• The items marked as [1] will be implemented and supported.
• The items marked as [2] will be supported with the default values. If someone request and provide his meaningful scenario, open an issue and let us how to support it.
• The items marked as [3] are considered as not supported. If you think they are necessary and have a good reason, please open an issue.

From @js08 on October 28, 2015 18:20

Is it possble to identify the package name in package.json file when that module is not present. I mean can we do a vice versa function in depcheck-es6

Copied from original issue: lijunle#99

Related #114

.eslintrc

....
  "extends": [
    "react",
    "eslint:recommended"
  ],
  "parser": "babel-eslint",
  "plugins": [
    "react"
  ],
....

run results:

develop@develop-vm ~/Projects/project (master*) $ depcheck                       

Unused devDependencies
* babel-eslint
* eslint-config-react
* eslint-plugin-react

It does not seem to depend on the correct handling of devDependencies?

Is this project dead? I see some pull requests asking for feedback from the maintainer but no follow up.

Looks like you moved it to devDependencies
https://github.com/rumpl/depcheck/blob/master/package.json#L30

Not a bug, just a friendly request. 😄

By bumping to 1.0.0 it means minor and patch releases are backwards compatible and projects that depend on depcheck like npm-check can easily upgrade.

If you think the API is not stable enough for a 1.0.0 I still wouldn't worry. I personally don't mind frequent major bumps - it tells me the API is evolving and that's great too. Browserify is on version 13.x.y.

On a totally different note, I just noticed the release notes with each deploy, thank you for taking the time to do this! I wish I could be as disciplined.

First of all it's a great tool and I wanted to integrate it into my project, though the use case of mine is a little bit different how you prefer to use it. Acutally I wanted to parse only a specific file list within the root directory so ignoring dirs doesn't help.

Reading the codebase I realised that I have another option, namely I can define parsers for patterns which is a cool a feature though it cannot be used for my use case, at least not for now.

Let's assume that we have two JS files within the src folder, and I want to use this pattern:
src/*.js

Currently it does not work as you get the basename from the absolute path of the file.
line 124 in check.js:
const basename = path.basename(filename);
This prevents to use a prefix pattern for the absolute path like mentioned before.

Can you please omit the basename call and pass the filename to the minimatch?

Thank you for fixing this.

Related:

• dylang/npm-check#88 (comment)
• https://github.com/feross/standard#can-i-use-a-custom-js-parser-for-bleeding-edge-es6-or-es7-support

/cc @LinusU

crazy timing, i went to go publish this today https://github.com/maxogden/dependency-check and found out you picked the same name 4 days ago! haha! I just renamed it to dependency-check instead

my use case was to do a consistency check before I publish a module to make sure all of the modules used are listed in the package.json. that way I can have dependency-check run as a pre-publish hook and since it does process.exit(1) if it find missing deps it should halt the publish

feel free to close this, I mostly just wanted to comment on the funny coincidence

Currently, I manually setup an environment with yoeman and yoeman-web-app to test depcheck on it. We should automate the process and integrate it into CI build.

Using node v0.10.38. All I did was npm install -g depcheck and try to run it. I need to remember where Promise comes from, but seems like depcheck's package.json dependencies is incomplete.

>>$ depcheck 

/home/colbblai/.nvm/v0.10.38/lib/node_modules/depcheck/dist/cli.js:39
  return new Promise(function (resolve, reject) {
             ^
ReferenceError: Promise is not defined
    at checkPathExist (/home/colbblai/.nvm/v0.10.38/lib/node_modules/depcheck/dist/cli.js:39:14)
    at /home/colbblai/.nvm/v0.10.38/lib/node_modules/depcheck/dist/cli.js:87:7
    at cli (/home/colbblai/.nvm/v0.10.38/lib/node_modules/depcheck/dist/cli.js:113:7)
    at Object.<anonymous> (/home/colbblai/.nvm/v0.10.38/lib/node_modules/depcheck/bin/depcheck:5:23)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Function.Module.runMain (module.js:497:10)
    at startup (node.js:119:16)

I think that depcheck should accept package.json metadata from the options, so we could use it dynamically.

var path = require("path");
var depcheck = require("depcheck");
var options = {
  "withoutDev": false, // Check against devDependencies too
  "package": {
    "dependencies": {
      "express": "^4.0.0"
    }
  },
  "ignoreDirs": [      // Pathnames to ignore
    "sandbox",
    "dist",
    "bower_components"
  ],
  "ignoreMatches": [  // Ignore dependencies that match these minimatch patterns
    "grunt-*"
  ]
};
var root = path.resolve("some path");

depcheck(root, options, function(unused) {
  console.log(unused.dependencies);
  console.log(unused.devDependencies);
  console.log(unused.invalidFiles); // JS files that couldn't be parsed
});

Hi there,

I'm looking for a Gulp support for addressing this problem... Have you integrated your app to Gulp or Grunt? Any suggestions? I can submit a PR if there's interest...

thanks!

Hello,

Was looking around at how to determine un-used npm packages and found your project.

When I ran it the following report was generated. However, due to the way I'm loading gulp plugins (using gulp-load-plugins, my guess is this tool is not picking up anything that is dynamically loaded. Similarly, I'm asking it to use the jshint-stylish reporter for my jshint, which I presume is another dynamically loaded thing...

Unused Dependencies
* gulp-debug

Unused devDependencies
* gulp-markdown
* gulp-mocha
* gulp-plumber
* gulp-jshint
* gulp-jscs
* jshint-stylish
* gulp-istanbul

I can't say I have any bright ideas on how you can solve these problems, but in case you hadn't heard of them, they might be interesting ones to look into.

See its changelog: https://github.com/airbnb/javascript/tree/master/packages/eslint-config-airbnb#100

npm@2 is installing the peer dependencies which is an unexpected behavior, as they are optional for depcheck, and this means when using npm@2, they are always installed.

npm@3 won't install them, but gives unexpected warnings:

├── UNMET PEER DEPENDENCY node-sass@^3.4.0
└── UNMET PEER DEPENDENCY typescript@^1.8.0

npm WARN [email protected] requires a peer of node-sass@^3.4.0 but none was installed.
npm WARN [email protected] requires a peer of typescript@^1.8.0 but none was installed.

I feel like the feature of using the dependencies when they are available is great, but instead of including them as peer dependencies, just include instructions in the docs what users need to do.

How difficult would it be to add coffee-script support so that the "unused" checks are accurate in coffee projects?

For easier debug CLI issues, like #73 .

Treat --json as --debug output, output as many information as possible.

Enhancement:

To compliment your ignoreDirs how about includeDirs? Default is all directories below the cwd or a given path if not used. Otherwise just the array of given includeDirs.

In a project typically I would have only one or two directories I want checked. Using ignoreDirs I must specify a longer list of directories that changes and is thus harder to maintain.

Seems like maybe you aren't doing much with this repo at this time. I might eventually get around to a PR for this.

Error: toString failed when used with node v4.3.1

$ depcheck

buffer.js:388
    throw new Error('toString failed');
    ^

Error: toString failed
    at Buffer.toString (buffer.js:388:11)
    at FSReqWrap.readFileAfterClose [as oncomplete] (fs.js:378:21)

I'm not sure why you wouldn't want devDependencies.

Related: #44

NPM document: https://www.npmjs.com/package/babel-plugin-react-transform

Example:

{
  "stage": 2,
  "env": {
    "development": {
      "plugins": [
        "react-transform"
      ],
      "extra": {
        "react-transform": {
          "transforms": [{
            "transform": "react-transform-hmr",
            "imports": ["react"],
            "locals":  ["module"]
          }]
        }
      }
    }
  }
}

From @lijunle on October 26, 2015 19:29

In .babelrc:

{
  "stage": 2,
  "env": {
    "development": {
      "plugins": [
        "react-transform"
      ],
      "extra": {
        "react-transform": {
          "transforms": [{
            "transform": "react-transform-hmr",
            "imports": ["react"],
            "locals":  ["module"]
          }]
        }
      }
    }
  }
}

Expected packages:

• babel-plugin-react-transform
• react-transform-hmr

Work items:

• The configs in .babelrc file.
• Configs with options (example).
• The configs in envionment (example).
• The configs in package.json (example).
• The configs in Babel CLI. (see note below)
• The configs in API calls. (see note below)

Note: It need more affect to support Babel plugins in CLI and API calls. They are not recommended by Babel. Please open an issue and let me know the reason if anybody think they are necessary.

Copied from original issue: lijunle#97