Imported security libraries are actually used

ab-000287 · ai-slop-security-theater.unbound-auth.imported-securty-libs-actually-used
Severity: info · Status: active

Why it matters

An import of bcrypt or sanitize-html with zero call sites in the file indicates that someone planned to add a security control and stopped. CWE-1164 (Irrelevant Code) covers the surface-level issue, but the real risk is the false assurance it creates during review: a developer or auditor who sees `import sanitizeHtml from "sanitize-html"` assumes sanitization is happening somewhere. If the call site never got added, user input reaches the template or database unsanitized, and the import misleads everyone who reads the code afterwards.

Severity rationale

Info because an unused import does not by itself expose a vulnerability; it indicates an incomplete security control that reviewers may incorrectly assume is active.

Remediation

Either add the missing call site or remove the import and the package. To audit your security imports quickly (the first grep covers default, named, namespace and require() imports; a plain "import bcrypt" pattern would miss import { hash } from "bcrypt"):

# Find all imports of known security libraries (ESM and CommonJS forms)
grep -rnE "(from|require\()\s*['\"](bcrypt|bcryptjs|argon2|jsonwebtoken|jose|sanitize-html|dompurify|xss|validator|express-validator)['\"]" src/

# Confirm corresponding call sites exist; a file that appears in the first
# list but not the second is the finding
grep -rnE "bcrypt\.(hash|compare)\(|\bhash\(|\bcompare\(" src/
grep -rnE "sanitizeHtml\(|DOMPurify\.sanitize\(|\bxss\(" src/

If the library was meant to hash passwords and no call site exists, add the hash call where the password is set (src/lib/auth.ts in the example below) and the compare call where it is checked. If sanitization was planned for user-supplied HTML, add it in the route handler that accepts that input, before the value is stored or rendered. Unused security packages also inflate bundle size and the dependency audit surface, and they will keep generating npm audit noise for a feature that no longer exists; remove them if the feature was abandoned.

Detection

  • ID: ai-slop-security-theater.unbound-auth.imported-securty-libs-actually-used

  • Severity: info

  • What to look for: Walk all imports across the project and collect those from known security libraries (bcrypt, bcryptjs, argon2, jsonwebtoken, jose, crypto-js, nanoid, uuid, sanitize-html, dompurify, xss, validator, express-validator). For each such import, check whether every imported binding (default, named, namespace or require() result) is referenced in at least 1 call elsewhere in the same file or in a function called from the same file. A binding that appears only in its own import statement counts as unused.

  • Pass criteria: 100% of security library imports are followed by at least 1 call site. Report: "X security library imports, Y with call sites, 0 unused."

  • Fail criteria: At least 1 security library import has zero call sites in the same file or its callees.

  • Skip (N/A) when: No security libraries from the list are in package.json dependencies.

  • Detail on fail: "1 unused security import: 'import bcrypt from \"bcrypt\"' in src/lib/auth.ts — no bcrypt.hash or bcrypt.compare calls in the file"

  • Remediation: Imported but unused security libraries inflate the bundle and signal that someone planned to add a security control but never finished. Either use the import or remove it, together with the package so it stops appearing in dependency audits:

    # Find unused security imports (default, named and require() forms)
    grep -rnE "(from|require\()\s*['\"]bcrypt['\"]" src/
    # If no bcrypt.hash/bcrypt.compare (or hash/compare) calls exist, remove the import,
    # then drop the package and its types:
    npm uninstall bcrypt @types/bcrypt
    
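The detection logic above, as an added example that is not part of the rule page or any scanner it describes: a small Node script that applies the "every security import has a call site" check to one file. It is regex based (a production implementation would use a real parser such as the TypeScript compiler API), handles the ESM default, named, aliased and namespace forms plus CommonJS require(), and strips the import statements themselves so they cannot count as references. The sample source at the bottom is constructed for the example; the library list is the one from the rule.

```javascript
// Added example, not code from the original page. Regex-based check that every
// import from a known security library has at least one reference in the file.
const SECURITY_LIBS = new Set([
  'bcrypt', 'bcryptjs', 'argon2', 'jsonwebtoken', 'jose', 'crypto-js',
  'nanoid', 'uuid', 'sanitize-html', 'dompurify', 'xss', 'validator',
  'express-validator',
]);

// import X from 'lib'; import { a, b as c } from 'lib'; import * as ns from 'lib'
const ESM_RE = /^\s*import\s+([^;]*?)\s+from\s+['"]([^'"]+)['"]/gm;
// const X = require('lib'); const { a, b: c } = require('lib')
const CJS_RE = /^\s*(?:const|let|var)\s+([^=]+?)\s*=\s*require\(\s*['"]([^'"]+)['"]\s*\)/gm;

// Turn an import clause ("X", "{ a, b as c }", "* as ns", "X, { a }") into
// the list of local binding names it introduces.
function bindingsFromClause(clause) {
  const names = [];
  const ns = clause.match(/\*\s+as\s+([A-Za-z_$][\w$]*)/);
  if (ns) names.push(ns[1]);
  const braced = clause.match(/\{([^}]*)\}/);
  if (braced) {
    for (const part of braced[1].split(',')) {
      const p = part.trim();
      if (!p) continue;
      // "orig as local" (ESM) or "orig: local" (destructured require)
      const m = p.match(/^[A-Za-z_$][\w$]*(?:\s+as\s+|\s*:\s*)([A-Za-z_$][\w$]*)$/);
      names.push(m ? m[1] : p);
    }
  }
  // Default import / plain require binding: whatever is left before the first comma
  const def = clause.replace(/\{[^}]*\}/, '').replace(/\*\s+as\s+[\w$]+/, '').split(',')[0].trim();
  if (/^[A-Za-z_$][\w$]*$/.test(def)) names.push(def);
  return names;
}

// Returns { total, unused } where unused lists each security-library binding
// that is never referenced outside its own import statement.
function findUnusedSecurityImports(source) {
  const imports = [];
  for (const re of [ESM_RE, CJS_RE]) {
    for (const m of source.matchAll(re)) {
      if (SECURITY_LIBS.has(m[2])) {
        imports.push({ statement: m[0].trim(), lib: m[2], bindings: bindingsFromClause(m[1]) });
      }
    }
  }
  // Remove the import statements so "import bcrypt" does not count as a use of bcrypt.
  const body = source.replace(ESM_RE, '').replace(CJS_RE, '');
  const unused = [];
  for (const imp of imports) {
    for (const name of imp.bindings) {
      // Whole-identifier match, not preceded by "." (obj.bcrypt is a property, not the binding).
      const ref = new RegExp(`(^|[^\\w$.])${name.replace(/\$/g, '\\$')}\\b`);
      if (!ref.test(body)) unused.push({ lib: imp.lib, binding: name, statement: imp.statement });
    }
  }
  return { total: imports.length, unused };
}

// Report line in the shape the rule's pass criteria ask for.
function formatReport({ total, unused }) {
  const failing = new Set(unused.map((u) => u.statement)).size;
  return `${total} security library imports, ${total - failing} with call sites, ${failing} unused`;
}

// Constructed sample file: jwt and uuidv4 are used, bcrypt and sanitizeHtml are not.
const SAMPLE = `
import bcrypt from 'bcrypt';
import { v4 as uuidv4 } from 'uuid';
import sanitizeHtml from 'sanitize-html';
const jwt = require('jsonwebtoken');
import express from 'express';

export function createSession(userId) {
  const token = jwt.sign({ sub: userId }, process.env.JWT_SECRET, { expiresIn: '1h' });
  return { id: uuidv4(), token };
}

export function renderComment(raw) {
  // TODO: the sanitizer call never got added
  return raw;
}
`;

const result = findUnusedSecurityImports(SAMPLE);
console.log(formatReport(result));
for (const u of result.unused) console.log(`unused: ${u.statement} (binding ${u.binding} from ${u.lib})`);
```

Running it prints the report line followed by the two offending import statements. To apply it to a repository, read each .js/.ts file under src/ and feed its contents to findUnusedSecurityImports; any file with a non-empty unused list is a finding under this rule. The regex approach cannot follow re-exports or a binding passed through another module, which is why the rule's wording allows a reference in a callee of the same file.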
