Skip to content

Releases: FlorianBruniaux/node-dep-scope

v0.4.0 — config file detection (fix false REMOVE for scripts, storybook, vitest, next)

Choose a tag to compare

@FlorianBruniaux FlorianBruniaux released this 23 Apr 20:01

What's new

Config file detection — dep-scope now scans config files at the project root to detect packages referenced as strings. Five built-in detectors ship enabled by default, fixing false REMOVE verdicts reported by the community.

Fixed false positives

Package Was detected via
oxfmt, oxlint package.json scripts
@storybook/addon-mcp .storybook/main.ts addons array
@svgr/webpack next.config.mjs turbopack loaders
jsdom vitest.config.ts environment: "jsdom"

Built-in detectors

Detector Config file
package-json-scripts package.json scripts
vitest-config vitest.config.*
vite-config vite.config.*
next-config next.config.*
storybook-config .storybook/main.*

Opt-out

{ "stringReferences": { "disable": ["storybook-config"] } }

Architecture

String references are converted to synthetic ImportInfo entries injected before groupByPackage — verdict engine untouched. Detection is gated against declared dependencies to prevent false KEEPs.

Full changelog: CHANGELOG.md

v0.3.8 — init wizard + false-positive REMOVE fix

Choose a tag to compare

@FlorianBruniaux FlorianBruniaux released this 22 Apr 10:52

What's new

dep-scope init — interactive wizard

init is now a guided setup instead of a static config dump. It detects your framework and existing directories, then asks 4 questions: scan scope, devDependencies, RECODE threshold, config format (JSON or TypeScript).

dep-scope init        # interactive
dep-scope init --yes  # CI-safe, writes defaults

--root flag (scan, analyze)

Shorthand for --src . — scans the full project root including scripts/, tools/, bin/, and any other top-level directory.

dep-scope scan --root
dep-scope analyze gray-matter --root

Bug fix: false-positive REMOVE on packages used in scripts/

Packages imported only in scripts/, tools/, or bin/ were incorrectly flagged as unused, generating dangerous npm remove suggestions. Auto-detection now covers those directories. A warning is also printed in "Next steps" when the scan scope may be incomplete.

Scope warning

When a REMOVE verdict is shown with a narrow scan scope:

  ⚠ Scanned src/ only — verify these aren't used in scripts/, tools/, etc.
  → Use --root . to scan the full project before removing

Installation

npm install -g @florianbruniaux/dep-scope

v0.3.6 — fix double header + patterns express/prisma-cli/superjson

Choose a tag to compare

@FlorianBruniaux FlorianBruniaux released this 21 Apr 22:42

Fixes

Double header in --each-workspace: printScanSummary now accepts skipHeader option. Workspace mode uses it so the per-package header (package name) is not followed by a second "dep-scope Analysis Report" header.

New KEEP patterns: express, express-*, hono, @hono/*, koa, koa-*, superjson, http-status-codes, http-status

New IGNORE patterns: prisma (CLI tool, not imported — distinct from @prisma/client), tsx, ts-node, zod-prisma-types, prisma-* generators, *-prisma-* generators

Update

npm install -g @florianbruniaux/dep-scope@latest

v0.3.5 — --each-workspace: monorepo support

Choose a tag to compare

@FlorianBruniaux FlorianBruniaux released this 21 Apr 22:33

Feature

dep-scope scan --each-workspace

Scans each workspace package individually and shows a per-package report followed by an aggregate summary. Useful for monorepos where the root package.json has no direct app dependencies.

Output format:

Workspace detected (pnpm): 4 packages

═══════════════════════════════════════════
  apps/web
═══════════════════════════════════════════
  Summary: 45 deps — 40 KEEP, 2 RECODE_NATIVE, 1 REMOVE

═══════════════════════════════════════════
  apps/api
═══════════════════════════════════════════
  Summary: 28 deps — 27 KEEP, 1 INVESTIGATE

═══════════════════════════════════════════
  Workspace Summary (4 packages)
═══════════════════════════════════════════
  Total deps: 89 across 4 packages
  ✗ Remove:        1
  ↻ Recode Native: 2

Supported workspace layouts: pnpm-workspace.yaml, package.json#workspaces (npm/yarn), turbo.json, lerna.json.

Packages with no package.json or 0 dependencies are skipped automatically.

Update

npm install -g @florianbruniaux/dep-scope@latest

v0.3.4 — +60 singleton SDK patterns (feature flags, search, CMS, storage, Web3...)

Choose a tag to compare

@FlorianBruniaux FlorianBruniaux released this 21 Apr 17:42

Fix

Mass addition of KEEP patterns for singleton-init SDKs that were incorrectly flagged as INVESTIGATE. Sourced via Perplexity deep research on the 2024-2025 npm ecosystem.

Feature flags: @growthbook/*, @launchdarkly/*, launchdarkly-*, flagsmith, unleash-client, @statsig/*

Search: algoliasearch, @algolia/*, typesense, meilisearch, @elastic/elasticsearch, @elastic/*

CMS clients: @sanity/*, contentful, @contentful/*, @storyblok/*, @prismicio/*, tinacms, @tinacms/*

File storage/CDN: @aws-sdk/*, aws-sdk, cloudinary, @cloudinary/*, uploadthing, @uploadthing/*

Auth providers: @auth0/*, @okta/*, @stytch/*, @descope/*, firebase, @firebase/*

Observability: @opentelemetry/*, dd-trace, newrelic

Background jobs: inngest, @trigger.dev/*, bull

Payment: squareup, @paypal/*, @paddle/*

Realtime: @liveblocks/*, partykit

Notifications: mailgun.js, postmark, @mailchimp/*

Third-party clients: @linear/sdk, octokit, @octokit/*, @supabase/*, replicate

Analytics: @amplitude/*, mixpanel-browser

Web3/Blockchain: viem, ethers, wagmi, @rainbow-me/*, web3, @privy-io/*, @thirdweb-dev/*, thirdweb

Update

npm install -g @florianbruniaux/dep-scope@latest

v0.3.3 — KEEP patterns for payment, realtime, notifications, analytics

Choose a tag to compare

@FlorianBruniaux FlorianBruniaux released this 21 Apr 17:35

Fix

Integration SDKs with a singleton init pattern were incorrectly flagged as INVESTIGATE. Added KEEP patterns for:

Payment: stripe, @stripe/*

Realtime/WebSocket: pusher, pusher-js, ably, socket.io, socket.io-client, ws

Notifications/Messaging: @knocklabs/*, @novu/*, twilio

Third-party API clients: @notionhq/*, @airtable/*, airtable

Analytics/Monitoring: @sentry/*, posthog-js, posthog-node, @posthog/*, @segment/*, mixpanel

These packages are initialized once (one server instance, one client connection, one provider). Low symbol count is expected — not a smell.

Update

npm install -g @florianbruniaux/dep-scope@latest

v0.3.2 — KEEP patterns for infrastructure clients

Choose a tag to compare

@FlorianBruniaux FlorianBruniaux released this 21 Apr 17:31

Fix

Infrastructure packages initialized in a single connection file were incorrectly flagged as INVESTIGATE. Added KEEP patterns for:

  • @upstash/redis, @upstash/ratelimit, @upstash/* — Upstash clients
  • @neondatabase/* — Neon serverless PostgreSQL
  • @prisma/* — Prisma adapters and extensions
  • @libsql/*, libsql — Turso/libSQL
  • @planetscale/* — PlanetScale driver

These follow a singleton pattern by design (one connection file, one or two imports). Low symbol count is expected, not a smell.

Update

npm install -g @florianbruniaux/dep-scope@latest

v0.3.1 — Next-steps guidance after transitive echoes

Choose a tag to compare

@FlorianBruniaux FlorianBruniaux released this 21 Apr 17:25

Fix

After dep-scope scan --check-transitive, the console output now includes actionable next-steps:

These packages cannot be removed from your package.json directly.
Next steps:
  1. Report to upstream — open an issue or link to https://e18e.dev
  2. Force a version via overrides (npm/pnpm) or resolutions (Yarn):

     # package.json
     "overrides": {
       "es-define-property": "npm:es-define-property@*"
       "function-bind": "npm:function-bind@*"
       ...
     }

  dep-scope analyze <package>  — deep-dive any direct dep to see which transitives it pulls

Update

npm install -g @florianbruniaux/dep-scope@latest

v0.3.0 — Transitive echo detection + 207 well-known patterns

Choose a tag to compare

@FlorianBruniaux FlorianBruniaux released this 21 Apr 17:18

What's new

--check-transitive — Transitive dependency graph analysis

dep-scope scan --check-transitive

Walks the full transitive dependency graph (BFS from your direct deps) and surfaces packages that have native JS alternatives in the e18e database (169 packages). These are the real problem: is-string pulls 160M downloads/month, almost always as a transitive, not a direct install.

Transitive echoes (reportable upstream or via overrides):
  ↗ is-string          via lodash              → typeof x === 'string'
  ↗ has-flag           via chalk               → process.argv.includes('--flag')

Symbol is intentional: transitive packages can't be removed from your package.json directly. The action is to report upstream or force a version via overrides (npm/pnpm) / resolutions (Yarn). These findings do not trigger exit code 1.

Supported layouts: npm (flat), pnpm (strict + non-strict, .pnpm/ store), Bun (same as npm). Yarn PnP is detected and skipped with a warning.

Performance: BFS with caching. Typical time: ~1s for 1500 packages.


207 well-known patterns (up from 120)

67 new KEEP patterns added to eliminate false positives on common stacks:

  • NestJS: @nestjs/*, rxjs, reflect-metadata, class-validator, class-transformer
  • Fastify: fastify, @fastify/*
  • React Router v7: @react-router/*, react-router
  • Loggers: winston, pino, bunyan, log4js
  • Email: nodemailer, resend, @sendgrid/*
  • HTTP middleware: cors, helmet, cookie-parser, isbot
  • AI SDKs: @anthropic-ai/*, @google/genai, @azure/openai, openai
  • Auth/secrets: @workos-inc/*, @infisical/*
  • ORMs: typeorm, sequelize, mikro-orm, @mikro-orm/*
  • Security: dompurify

Update

npm install -g @florianbruniaux/dep-scope@latest

v0.2.0 — e18e integration + migrate command

Choose a tag to compare

@FlorianBruniaux FlorianBruniaux released this 20 Apr 12:09

What's new in v0.2.0

dep-scope migrate — LLM-ready migration prompts

New command that generates structured markdown prompts for Claude Code, Cursor, or any LLM to remove a dependency and replace its usages with native alternatives.

# Preview what would be targeted
dep-scope migrate --dry-run

# Generate prompts for everything migratable
dep-scope migrate

# Target one package
dep-scope migrate lodash

# Pipe directly into Claude Code
claude -p "$(cat .dep-scope/migrate-lodash.md)"

Each generated prompt includes: exact file locations, per-symbol native replacement code, ES-target-aware suggestions (polyfill fallbacks for older targets), step-by-step instructions, verification checklist, and rollback instructions.

Hand-crafted templates:

  • lodash / lodash-es — 12 symbols: debounce, throttle, cloneDeep, isEqual, merge, omit, pick, uniq, flatten, get, groupBy, isEmpty + catch-all
  • moment — 11 symbols: format, fromNow, add, subtract, isBefore, isAfter, diff, parse, startOf, endOf + default
  • axios — 8 symbols: get, post, put, patch, delete, create, interceptors + default

Any other package in the native-alternatives database gets a generic prompt automatically.

New flags:

  • --dry-run — preview candidates without writing files
  • Complexity labels per package: trivial / easy / medium / complex
  • CONSOLIDATE pair deduplication — avoids contradictory prompts (e.g. uuid↔nanoid)

e18e integration — 195 packages with native alternatives

169 packages from the e18e/module-replacements project are now recognized as RECODE_NATIVE candidates. No runtime dependency added — data is embedded statically at build time.

Before: 15 packages with known alternatives
After: 195 packages with known alternatives

Covered packages include: has-flag, left-pad, array-includes, object-assign, is-windows, is-ci, is-even, uniq, arrify, filter-obj, concat-map, global, inherits, and the full array.prototype.* / string.prototype.* / object.* / string.prototype.* families.

Any import from these packages now shows the native replacement in dep-scope scan output and generates a migration prompt with dep-scope migrate.


srcPaths auto-detection

When configured source paths don't exist on disk, all commands now fall back to scanning common directories automatically:

src → lib → app → pages → components → hooks → server

A warning is printed when auto-detection is used. All commands benefit: scan, analyze, duplicates, report, migrate.

For best results, set explicit paths in .depscoperc.json:

{
  "srcPaths": ["src", "app", "pages", "components", "lib", "hooks"]
}

TypeScript target detection

resolveTsConfig() now follows extends chains transitively (up to 5 levels, cycle-safe), including npm package extends like @tsconfig/node18. Used to generate ES-target-aware migration suggestions.

Bug fixed: TSConfig resolver returned ES3 on Next.js projects using glob patterns in compilerOptions.paths (e.g. "@/*": ["./src/*"]). The old regex comment stripper matched /* inside JSON string values. Replaced with a proper string-aware JSONC parser.


Other changes

  • Knip is now auto-detected when installed — no --with-knip flag needed
  • Path aliases (@/, ~/, tsconfig paths) automatically filtered from analysis
  • Detailed symbol locations in analyze output (file:line)
  • --check-duplicates flag — duplicate detection is now opt-in
  • 120+ wellKnownPatterns added (bundlers, linting, CSS tooling, testing)
  • 354 tests (up from 294)

Migration from v0.1.0

No breaking changes. All existing commands work as before.

New commands:

dep-scope migrate         # new
dep-scope migrate lodash  # new

New flags on existing commands:

dep-scope scan --check-duplicates  # was always-on, now opt-in