Releases: FlorianBruniaux/node-dep-scope
Release list
v0.4.0 — config file detection (fix false REMOVE for scripts, storybook, vitest, next)
What's new
Config file detection — dep-scope now scans config files at the project root to detect packages referenced as strings. Five built-in detectors ship enabled by default, fixing false REMOVE verdicts reported by the community.
Fixed false positives
| Package | Was detected via |
|---|---|
oxfmt, oxlint |
package.json scripts |
@storybook/addon-mcp |
.storybook/main.ts addons array |
@svgr/webpack |
next.config.mjs turbopack loaders |
jsdom |
vitest.config.ts environment: "jsdom" |
Built-in detectors
| Detector | Config file |
|---|---|
package-json-scripts |
package.json scripts |
vitest-config |
vitest.config.* |
vite-config |
vite.config.* |
next-config |
next.config.* |
storybook-config |
.storybook/main.* |
Opt-out
{ "stringReferences": { "disable": ["storybook-config"] } }Architecture
String references are converted to synthetic ImportInfo entries injected before groupByPackage — verdict engine untouched. Detection is gated against declared dependencies to prevent false KEEPs.
Full changelog: CHANGELOG.md
v0.3.8 — init wizard + false-positive REMOVE fix
What's new
dep-scope init — interactive wizard
init is now a guided setup instead of a static config dump. It detects your framework and existing directories, then asks 4 questions: scan scope, devDependencies, RECODE threshold, config format (JSON or TypeScript).
dep-scope init # interactive
dep-scope init --yes # CI-safe, writes defaults--root flag (scan, analyze)
Shorthand for --src . — scans the full project root including scripts/, tools/, bin/, and any other top-level directory.
dep-scope scan --root
dep-scope analyze gray-matter --rootBug fix: false-positive REMOVE on packages used in scripts/
Packages imported only in scripts/, tools/, or bin/ were incorrectly flagged as unused, generating dangerous npm remove suggestions. Auto-detection now covers those directories. A warning is also printed in "Next steps" when the scan scope may be incomplete.
Scope warning
When a REMOVE verdict is shown with a narrow scan scope:
⚠ Scanned src/ only — verify these aren't used in scripts/, tools/, etc.
→ Use --root . to scan the full project before removing
Installation
npm install -g @florianbruniaux/dep-scopev0.3.6 — fix double header + patterns express/prisma-cli/superjson
Fixes
Double header in --each-workspace: printScanSummary now accepts skipHeader option. Workspace mode uses it so the per-package header (package name) is not followed by a second "dep-scope Analysis Report" header.
New KEEP patterns: express, express-*, hono, @hono/*, koa, koa-*, superjson, http-status-codes, http-status
New IGNORE patterns: prisma (CLI tool, not imported — distinct from @prisma/client), tsx, ts-node, zod-prisma-types, prisma-* generators, *-prisma-* generators
Update
npm install -g @florianbruniaux/dep-scope@latestv0.3.5 — --each-workspace: monorepo support
Feature
dep-scope scan --each-workspaceScans each workspace package individually and shows a per-package report followed by an aggregate summary. Useful for monorepos where the root package.json has no direct app dependencies.
Output format:
Workspace detected (pnpm): 4 packages
═══════════════════════════════════════════
apps/web
═══════════════════════════════════════════
Summary: 45 deps — 40 KEEP, 2 RECODE_NATIVE, 1 REMOVE
═══════════════════════════════════════════
apps/api
═══════════════════════════════════════════
Summary: 28 deps — 27 KEEP, 1 INVESTIGATE
═══════════════════════════════════════════
Workspace Summary (4 packages)
═══════════════════════════════════════════
Total deps: 89 across 4 packages
✗ Remove: 1
↻ Recode Native: 2
Supported workspace layouts: pnpm-workspace.yaml, package.json#workspaces (npm/yarn), turbo.json, lerna.json.
Packages with no package.json or 0 dependencies are skipped automatically.
Update
npm install -g @florianbruniaux/dep-scope@latestv0.3.4 — +60 singleton SDK patterns (feature flags, search, CMS, storage, Web3...)
Fix
Mass addition of KEEP patterns for singleton-init SDKs that were incorrectly flagged as INVESTIGATE. Sourced via Perplexity deep research on the 2024-2025 npm ecosystem.
Feature flags: @growthbook/*, @launchdarkly/*, launchdarkly-*, flagsmith, unleash-client, @statsig/*
Search: algoliasearch, @algolia/*, typesense, meilisearch, @elastic/elasticsearch, @elastic/*
CMS clients: @sanity/*, contentful, @contentful/*, @storyblok/*, @prismicio/*, tinacms, @tinacms/*
File storage/CDN: @aws-sdk/*, aws-sdk, cloudinary, @cloudinary/*, uploadthing, @uploadthing/*
Auth providers: @auth0/*, @okta/*, @stytch/*, @descope/*, firebase, @firebase/*
Observability: @opentelemetry/*, dd-trace, newrelic
Background jobs: inngest, @trigger.dev/*, bull
Payment: squareup, @paypal/*, @paddle/*
Realtime: @liveblocks/*, partykit
Notifications: mailgun.js, postmark, @mailchimp/*
Third-party clients: @linear/sdk, octokit, @octokit/*, @supabase/*, replicate
Analytics: @amplitude/*, mixpanel-browser
Web3/Blockchain: viem, ethers, wagmi, @rainbow-me/*, web3, @privy-io/*, @thirdweb-dev/*, thirdweb
Update
npm install -g @florianbruniaux/dep-scope@latestv0.3.3 — KEEP patterns for payment, realtime, notifications, analytics
Fix
Integration SDKs with a singleton init pattern were incorrectly flagged as INVESTIGATE. Added KEEP patterns for:
Payment: stripe, @stripe/*
Realtime/WebSocket: pusher, pusher-js, ably, socket.io, socket.io-client, ws
Notifications/Messaging: @knocklabs/*, @novu/*, twilio
Third-party API clients: @notionhq/*, @airtable/*, airtable
Analytics/Monitoring: @sentry/*, posthog-js, posthog-node, @posthog/*, @segment/*, mixpanel
These packages are initialized once (one server instance, one client connection, one provider). Low symbol count is expected — not a smell.
Update
npm install -g @florianbruniaux/dep-scope@latestv0.3.2 — KEEP patterns for infrastructure clients
Fix
Infrastructure packages initialized in a single connection file were incorrectly flagged as INVESTIGATE. Added KEEP patterns for:
@upstash/redis,@upstash/ratelimit,@upstash/*— Upstash clients@neondatabase/*— Neon serverless PostgreSQL@prisma/*— Prisma adapters and extensions@libsql/*,libsql— Turso/libSQL@planetscale/*— PlanetScale driver
These follow a singleton pattern by design (one connection file, one or two imports). Low symbol count is expected, not a smell.
Update
npm install -g @florianbruniaux/dep-scope@latestv0.3.1 — Next-steps guidance after transitive echoes
Fix
After dep-scope scan --check-transitive, the console output now includes actionable next-steps:
These packages cannot be removed from your package.json directly.
Next steps:
1. Report to upstream — open an issue or link to https://e18e.dev
2. Force a version via overrides (npm/pnpm) or resolutions (Yarn):
# package.json
"overrides": {
"es-define-property": "npm:es-define-property@*"
"function-bind": "npm:function-bind@*"
...
}
dep-scope analyze <package> — deep-dive any direct dep to see which transitives it pulls
Update
npm install -g @florianbruniaux/dep-scope@latestv0.3.0 — Transitive echo detection + 207 well-known patterns
What's new
--check-transitive — Transitive dependency graph analysis
dep-scope scan --check-transitiveWalks the full transitive dependency graph (BFS from your direct deps) and surfaces packages that have native JS alternatives in the e18e database (169 packages). These are the real problem: is-string pulls 160M downloads/month, almost always as a transitive, not a direct install.
Transitive echoes (reportable upstream or via overrides):
↗ is-string via lodash → typeof x === 'string'
↗ has-flag via chalk → process.argv.includes('--flag')
Symbol ↗ is intentional: transitive packages can't be removed from your package.json directly. The action is to report upstream or force a version via overrides (npm/pnpm) / resolutions (Yarn). These findings do not trigger exit code 1.
Supported layouts: npm (flat), pnpm (strict + non-strict, .pnpm/ store), Bun (same as npm). Yarn PnP is detected and skipped with a warning.
Performance: BFS with caching. Typical time: ~1s for 1500 packages.
207 well-known patterns (up from 120)
67 new KEEP patterns added to eliminate false positives on common stacks:
- NestJS:
@nestjs/*,rxjs,reflect-metadata,class-validator,class-transformer - Fastify:
fastify,@fastify/* - React Router v7:
@react-router/*,react-router - Loggers:
winston,pino,bunyan,log4js - Email:
nodemailer,resend,@sendgrid/* - HTTP middleware:
cors,helmet,cookie-parser,isbot - AI SDKs:
@anthropic-ai/*,@google/genai,@azure/openai,openai - Auth/secrets:
@workos-inc/*,@infisical/* - ORMs:
typeorm,sequelize,mikro-orm,@mikro-orm/* - Security:
dompurify
Update
npm install -g @florianbruniaux/dep-scope@latestv0.2.0 — e18e integration + migrate command
What's new in v0.2.0
dep-scope migrate — LLM-ready migration prompts
New command that generates structured markdown prompts for Claude Code, Cursor, or any LLM to remove a dependency and replace its usages with native alternatives.
# Preview what would be targeted
dep-scope migrate --dry-run
# Generate prompts for everything migratable
dep-scope migrate
# Target one package
dep-scope migrate lodash
# Pipe directly into Claude Code
claude -p "$(cat .dep-scope/migrate-lodash.md)"Each generated prompt includes: exact file locations, per-symbol native replacement code, ES-target-aware suggestions (polyfill fallbacks for older targets), step-by-step instructions, verification checklist, and rollback instructions.
Hand-crafted templates:
lodash/lodash-es— 12 symbols: debounce, throttle, cloneDeep, isEqual, merge, omit, pick, uniq, flatten, get, groupBy, isEmpty + catch-allmoment— 11 symbols: format, fromNow, add, subtract, isBefore, isAfter, diff, parse, startOf, endOf + defaultaxios— 8 symbols: get, post, put, patch, delete, create, interceptors + default
Any other package in the native-alternatives database gets a generic prompt automatically.
New flags:
--dry-run— preview candidates without writing files- Complexity labels per package:
trivial / easy / medium / complex - CONSOLIDATE pair deduplication — avoids contradictory prompts (e.g. uuid↔nanoid)
e18e integration — 195 packages with native alternatives
169 packages from the e18e/module-replacements project are now recognized as RECODE_NATIVE candidates. No runtime dependency added — data is embedded statically at build time.
Before: 15 packages with known alternatives
After: 195 packages with known alternatives
Covered packages include: has-flag, left-pad, array-includes, object-assign, is-windows, is-ci, is-even, uniq, arrify, filter-obj, concat-map, global, inherits, and the full array.prototype.* / string.prototype.* / object.* / string.prototype.* families.
Any import from these packages now shows the native replacement in dep-scope scan output and generates a migration prompt with dep-scope migrate.
srcPaths auto-detection
When configured source paths don't exist on disk, all commands now fall back to scanning common directories automatically:
src → lib → app → pages → components → hooks → server
A warning is printed when auto-detection is used. All commands benefit: scan, analyze, duplicates, report, migrate.
For best results, set explicit paths in .depscoperc.json:
{
"srcPaths": ["src", "app", "pages", "components", "lib", "hooks"]
}TypeScript target detection
resolveTsConfig() now follows extends chains transitively (up to 5 levels, cycle-safe), including npm package extends like @tsconfig/node18. Used to generate ES-target-aware migration suggestions.
Bug fixed: TSConfig resolver returned ES3 on Next.js projects using glob patterns in compilerOptions.paths (e.g. "@/*": ["./src/*"]). The old regex comment stripper matched /* inside JSON string values. Replaced with a proper string-aware JSONC parser.
Other changes
- Knip is now auto-detected when installed — no
--with-knipflag needed - Path aliases (
@/,~/, tsconfig paths) automatically filtered from analysis - Detailed symbol locations in
analyzeoutput (file:line) --check-duplicatesflag — duplicate detection is now opt-in- 120+ wellKnownPatterns added (bundlers, linting, CSS tooling, testing)
- 354 tests (up from 294)
Migration from v0.1.0
No breaking changes. All existing commands work as before.
New commands:
dep-scope migrate # new
dep-scope migrate lodash # newNew flags on existing commands:
dep-scope scan --check-duplicates # was always-on, now opt-in