Total dependency count is reasonable for project size
Why it matters
Every production dependency is an additional attack surface: a potential CVE vector, a maintenance obligation, an install-time script that executes on every developer machine and CI run, and an entry in your lock file that must be audited. SSDF PW.4 requires that the software composition be evaluated; an excessive dependency count means you have more components to track, more advisories to monitor, and more attack surface to defend than the project's functionality justifies. Exposure to CWE-1357 scales with the number of third-party components you rely on. AI coding tools in particular routinely install duplicate-purpose packages — both axios and node-fetch, both dayjs and date-fns — because they generate installs session-by-session without a holistic view of what's already present.
Severity rationale
Medium because an inflated dependency count multiplies audit overhead, attack surface, and install-time risk proportionally — each unnecessary package is a supply chain vector that provides no value.
Remediation
Audit for unused and redundant dependencies:
npx depcheck
For each flagged package, verify it is genuinely unused before removing. Common AI-generated redundancies:
- Both axios and node-fetch — use native fetch (Node 18+)
- Both dayjs and date-fns — pick one
- uuid when crypto.randomUUID() is available natively (Node 14.17+)
Remove confirmed redundancies with npm uninstall and commit the updated package.json and lock file.
Detection
- ID: dep-count-reasonable
- Severity: medium
- What to look for: Count entries in dependencies in package.json. Compare against project size thresholds: small projects (<20 routes) should have fewer than 40 direct dependencies; medium projects (20-100 routes) fewer than 60; large projects (100+ routes) fewer than 80. These are soft thresholds — a project exceeding them should be reviewed for unnecessary dependencies, not automatically failed. AI coding tools in particular tend to install redundant packages (e.g., both axios and node-fetch, both dayjs and date-fns, both lodash and ramda). Count all instances found and enumerate each.
- Pass criteria: Total direct production dependency count is within the threshold for the project size, or the project size cannot be determined and the count is under 40.
- Fail criteria: Total direct production dependency count significantly exceeds the threshold for the detected project size (more than 1.5× the threshold).
- Skip (N/A) when: No package.json detected.
- Detail on fail: "Small project (12 routes) has 68 production dependencies — this is unusually high. Review for redundant or unused packages." Include the actual count.
- Remediation: Excessive dependencies increase attack surface, slow install times, bloat bundle sizes, and make audits harder. AI tools often suggest packages for one-liners that could be implemented natively.
  Audit your dependencies:
  npx depcheck # finds unused dependencies
  Common redundancies in AI-built projects:
  - Both axios and node-fetch or got — pick one, or use native fetch (Node 18+)
  - Both dayjs and date-fns — pick one
  - Both lodash and ramda — pick one, or use native JS
  - uuid when crypto.randomUUID() is available natively (Node 14.17+)
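The following is an added example, not part of the original check text or any tool it describes: a Node.js implementation of the dep-count-reasonable check above, covering both the Remediation audit (enumerating duplicate-purpose packages) and the Detection rules (size thresholds, the 1.5× fail multiplier, the skip and unknown-size cases). It assumes the caller supplies the route count, reports a "review" status for counts between the threshold and 1.5× the threshold (the check text calls the thresholds soft and does not name that state), and uses a constructed package.json with filler package names as its sample input.

```javascript
"use strict";
// Added example (not the original check's code): evaluates the
// dep-count-reasonable check against a parsed package.json object.
// Thresholds, the 1.5x fail multiplier and the redundant-package sets are
// taken from the check description; the sample manifest is constructed.

const SIZE_THRESHOLDS = [
  { size: "Small", maxRoutes: 19, maxDeps: 40 },       // <20 routes
  { size: "Medium", maxRoutes: 100, maxDeps: 60 },     // 20-100 routes
  { size: "Large", maxRoutes: Infinity, maxDeps: 80 }, // 100+ routes
];
const FAIL_MULTIPLIER = 1.5;       // fail only above 1.5x the threshold
const UNKNOWN_SIZE_MAX_DEPS = 40;  // used when route count is unavailable

const REDUNDANT_SETS = [
  { packages: ["axios", "node-fetch", "got"], advice: "pick one, or use native fetch (Node 18+)" },
  { packages: ["dayjs", "date-fns"], advice: "pick one" },
  { packages: ["lodash", "ramda"], advice: "pick one, or use native JS" },
];

// Map a route count to a size bucket; null when the size cannot be determined.
function classifyProject(routeCount) {
  if (!Number.isInteger(routeCount) || routeCount < 0) return null;
  return SIZE_THRESHOLDS.find((t) => routeCount <= t.maxRoutes);
}

// Enumerate duplicate-purpose packages so the report can list each instance.
function findRedundancies(dependencies) {
  const names = Object.keys(dependencies);
  const findings = [];
  for (const set of REDUNDANT_SETS) {
    const present = set.packages.filter((p) => names.includes(p));
    if (present.length > 1) findings.push({ packages: present, advice: set.advice });
  }
  if (names.includes("uuid")) {
    findings.push({ packages: ["uuid"], advice: "crypto.randomUUID() is available natively (Node 14.17+)" });
  }
  return findings;
}

// Returns { status, count, threshold, redundancies, detail }.
// status: "skip" (no manifest), "pass" (under threshold), "fail" (above 1.5x),
// or "review" (between the two; assumption, since the check calls thresholds soft).
function evaluateDependencyCount(pkg, routeCount) {
  if (!pkg || typeof pkg !== "object") {
    return { status: "skip", count: 0, threshold: null, redundancies: [], detail: "No package.json detected." };
  }
  const dependencies = pkg.dependencies || {}; // production dependencies only
  const count = Object.keys(dependencies).length;
  const bucket = classifyProject(routeCount);
  const threshold = bucket ? bucket.maxDeps : UNKNOWN_SIZE_MAX_DEPS;
  const label = bucket ? `${bucket.size} project (${routeCount} routes)` : "Project of unknown size";
  const redundancies = findRedundancies(dependencies);

  let status;
  if (count < threshold) status = "pass";
  else if (count > threshold * FAIL_MULTIPLIER) status = "fail";
  else status = "review";

  const detail = status === "pass"
    ? `${label} has ${count} production dependencies, within the threshold of ${threshold}.`
    : `${label} has ${count} production dependencies; this is unusually high. Review for redundant or unused packages.`;
  return { status, count, threshold, redundancies, detail };
}

// Constructed sample: a 12-route project with 68 production dependencies,
// including duplicate-purpose HTTP and date libraries. Filler names are made up.
function sampleManifest() {
  const dependencies = {
    express: "^4.19.0", axios: "^1.6.0", "node-fetch": "^3.3.0",
    dayjs: "^1.11.0", "date-fns": "^3.0.0", uuid: "^9.0.0",
  };
  for (let i = 0; i < 62; i++) dependencies[`sample-pkg-${i}`] = "1.0.0";
  return { name: "sample-app", dependencies };
}

// Print a report in the shape the check's "Detail on fail" asks for.
function report(pkg, routeCount) {
  const result = evaluateDependencyCount(pkg, routeCount);
  console.log(`${result.status}: ${result.detail}`);
  for (const r of result.redundancies) console.log(` - ${r.packages.join(" and ")}: ${r.advice}`);
  return result;
}

report(sampleManifest(), 12);
```

In practice the route count comes from whatever the scanner already knows about the project (for example the number of registered Express routes); when that is unavailable the function falls back to the 40-dependency rule the check specifies for projects of unknown size. Run depcheck separately for unused packages; this example only covers the count and the known duplicate-purpose sets.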
External references
- cwe · CWE-1357 — Reliance on Insufficiently Trustworthy Component
- ssdf:800-218 · PW.4 — Reuse Existing, Well-Secured Software
Taxons
History
- 2026-04-18·v1.0.0·Initial import from dependency-supply-chain·automated