Unused production dependencies add bundle weight, extend install time, and expand your attack surface — every extra package is a potential supply chain compromise vector. CWE-1357 (Reliance on Insufficiently Trustworthy Component) applies: dependencies you didn't intend to ship still ship. AI-generated codebases accumulate unused packages frequently: the model installs axios and moment in one session, then the next session uses native fetch and inline date formatting without removing the earlier additions.
Severity is medium: unused dependencies bloat the bundle and widen the attack surface without delivering any functionality, but they do not break application behavior on their own.
Run a dependency check to find unused packages:
npx depcheck
Verify each reported unused package before removing it. Some packages are never imported but are still needed: they are loaded by a config file rather than an import (ESLint plugins, Babel presets), or invoked as a CLI from a package.json script. Remove only the packages you have confirmed are unused:
npm uninstall axios moment lodash
Also check that each package sits in the right section. Packages used only in tests or build scripts belong in devDependencies; anything imported at runtime must be in dependencies, or it will be missing from a production install done with npm ci --omit=dev. npm uninstall updates package-lock.json as well as package.json, so commit both. For deeper supply chain analysis, the Dependency & Supply Chain Audit covers version pinning, lockfile integrity, and provenance checks.
ID: code-maintainability.dependency-management.no-unused-deps
Severity: medium
What to look for: Compare the packages listed in package.json dependencies and devDependencies against actual usage in source files. Look for packages that are listed in dependencies but are never imported in any source file.
Focus especially on dependencies (production) vs. devDependencies (development-only): packages used only in tests or build scripts should be in devDependencies, not dependencies. Tools like depcheck can automate this analysis; check whether it is already wired into the project's scripts.
Pass criteria: Count every package in dependencies and check each for at least one import in source code. No more than 2 packages in dependencies appear to be unused (not imported anywhere in source code). Report the count even on pass: "X of Y production dependencies are actively imported."
Fail criteria: 3 or more packages in dependencies are never imported in source code, OR multiple packages in devDependencies appear to be production dependencies misplaced there (or vice versa).
Skip (N/A) when: The project has fewer than 5 total dependencies. Signal: dependencies + devDependencies combined has fewer than 5 entries.
Detail on fail: "3 unused packages found in dependencies: 'axios' (never imported — project uses native fetch), 'moment' (never imported — date formatting done inline), 'lodash' (never imported). These add ~150KB to the bundle unnecessarily." or "5 packages in dependencies should be in devDependencies: jest, @types/jest, ts-jest, @testing-library/react, @testing-library/jest-dom."
Remediation: Unused dependencies bloat your install time, bundle size, and attack surface. Run a dependency check:
npx depcheck
For each unused package reported, verify it's truly unused (some packages are loaded via config, not imports — e.g., ESLint plugins) before removing. To remove:
npm uninstall axios moment lodash
For a deeper analysis of dependency risks and supply chain health, the Dependency & Supply Chain Audit covers this in detail.
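The following Node script is an added example, not depcheck's code and not code from any project this rule is applied to. It implements the check described in the criteria and remediation above: it scans an in-memory set of source files for import/require specifiers, maps each specifier back to the npm package that provides it, separates test-file usage from production usage, and applies the rule's skip/pass/fail thresholds. It also demonstrates the caveat from the remediation step: packages that are loaded by config rather than imported (ESLint plugins, Babel presets) are reported for manual verification instead of being listed as unused. The package.json, the source files, the config-loaded prefix list and the builtin-module set are all constructed or assumed for the demo.

```javascript
// Added example: a minimal version of the unused-dependency check described on
// this page. Not depcheck's code; it runs against a constructed in-memory project.

// Matches: import x from 'p'; import 'p'; export { x } from 'p'; import('p'); require('p')
const IMPORT_RE =
  /(?:import\s+(?:[^'"]*?\s+from\s+)?|export\s+[^'"]*?\s+from\s+|import\s*\(\s*|require\s*\(\s*)['"]([^'"]+)['"]/g;

// Files whose imports count as test usage rather than production usage.
const TEST_FILE_RE = /(^|\/)(__tests__|tests?|__mocks__)\/|\.(test|spec)\.[cm]?[jt]sx?$/;

// Packages typically loaded by a config file rather than an import statement.
// Assumed prefix list for the demo; depcheck maintains its own, larger set.
const CONFIG_LOADED_RE =
  /^(eslint-plugin-|eslint-config-|@typescript-eslint\/|babel-plugin-|babel-preset-|@babel\/(plugin|preset)-|prettier-plugin-)/;

// Partial set of Node builtins for the demo (a real tool would use
// require('node:module').builtinModules instead of a hand-written list).
const BUILTINS = new Set(['assert', 'buffer', 'child_process', 'crypto', 'events', 'fs',
  'http', 'https', 'net', 'os', 'path', 'stream', 'url', 'util', 'zlib']);

function findImportSpecifiers(content) {
  return Array.from(content.matchAll(IMPORT_RE), (m) => m[1]);
}

// Reduce a module specifier to the npm package that provides it, or null if it
// is a relative path or a Node builtin. '@scope/name/sub' maps to '@scope/name'.
function packageName(specifier) {
  if (/^[./]/.test(specifier) || specifier.startsWith('node:')) return null;
  const parts = specifier.split('/');
  const name = specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return BUILTINS.has(name) ? null : name;
}

// pkg: parsed package.json; files: { path: contents } for every source file.
function auditDependencies(pkg, files) {
  const deps = Object.keys(pkg.dependencies || {});
  const devDeps = Object.keys(pkg.devDependencies || {});
  const total = deps.length + devDeps.length;
  if (total < 5) return { verdict: 'skip', reason: `only ${total} dependencies declared` };

  // package name -> set of 'src' and/or 'test', depending on where it is imported
  const usage = new Map();
  for (const [path, content] of Object.entries(files)) {
    const kind = TEST_FILE_RE.test(path) ? 'test' : 'src';
    for (const spec of findImportSpecifiers(content)) {
      const name = packageName(spec);
      if (name === null) continue;
      if (!usage.has(name)) usage.set(name, new Set());
      usage.get(name).add(kind);
    }
  }
  const where = (n) => usage.get(n) || new Set();

  const unused = deps.filter((n) => where(n).size === 0 && !CONFIG_LOADED_RE.test(n));
  // Never imported, but plausibly loaded via config: verify by hand, do not auto-remove.
  const verifyManually = deps.filter((n) => where(n).size === 0 && CONFIG_LOADED_RE.test(n));
  const shouldBeDev = deps.filter((n) => where(n).size > 0 && !where(n).has('src'));
  const shouldBeProd = devDeps.filter((n) => where(n).has('src'));
  const imported = deps.filter((n) => where(n).size > 0).length;
  const misplaced = shouldBeDev.length + shouldBeProd.length;
  const verdict = unused.length >= 3 || misplaced >= 2 ? 'fail' : 'pass';

  return {
    verdict,
    summary: `${imported} of ${deps.length} production dependencies are actively imported`,
    unused, verifyManually, shouldBeDev, shouldBeProd,
    uninstallCommand: unused.length ? `npm uninstall ${unused.join(' ')}` : null,
  };
}

// Constructed sample project: three leftover packages, one config-loaded plugin,
// one test-only package in dependencies and one runtime package in devDependencies.
const samplePackageJson = {
  dependencies: {
    axios: '^1.6.0', moment: '^2.29.4', lodash: '^4.17.21', express: '^4.18.2',
    'eslint-plugin-import': '^2.29.0', supertest: '^6.3.3',
  },
  devDependencies: { jest: '^29.7.0', zod: '^3.22.4' },
};
const sampleFiles = {
  'src/server.js': "import express from 'express';\nimport { z } from 'zod';\nimport fs from 'node:fs';\nconst app = express();\nexport default app;",
  'src/routes/users.js': "const { Router } = require('express');\nimport { readFile } from 'fs/promises';\nexport const users = Router();",
  'test/server.test.js': "import request from 'supertest';\nimport app from '../src/server.js';\ntest('ok', () => {});",
};

console.log(JSON.stringify(auditDependencies(samplePackageJson, sampleFiles), null, 2));
```

On the sample project the verdict is fail: axios, moment and lodash are never imported, eslint-plugin-import is set aside for manual verification, supertest is only used from a test file and so belongs in devDependencies, and zod is imported at runtime but declared as a devDependency, which would break a production install. The summary line reports the count the rule asks for even on a pass.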