Clean Up Dependencies

Remove unused packages, fix security vulnerabilities, update outdated packages, eliminate duplicate versions.

Prerequisites

Safety requirements:

1. Git repository with clean working tree
2. All tests passing before cleanup
3. Backup branch created automatically
4. Test validation after each dependency change

Run prerequisite check:

PLUGIN_ROOT="$HOME/.claude/plugins/marketplaces/shavakan"

if [[ ! "$PLUGIN_ROOT" =~ ^"$HOME"/.* ]]; then
  echo "ERROR: Invalid plugin root path"
  exit 1
fi

PREREQ_SCRIPT="$PLUGIN_ROOT/commands/cleanup/scripts/check-prerequisites.sh"
if [[ ! -f "$PREREQ_SCRIPT" ]]; then
  echo "ERROR: Prerequisites script not found"
  exit 1
fi

PREREQ_OUTPUT=$(mktemp)
if "$PREREQ_SCRIPT" > "$PREREQ_OUTPUT" 2>&1; then
  source "$PREREQ_OUTPUT"
  rm "$PREREQ_OUTPUT"
else
  cat "$PREREQ_OUTPUT"
  rm "$PREREQ_OUTPUT"
  exit 1
fi

This exports: TEST_CMD, BACKUP_BRANCH, LOG_FILE

---

Additional Instructions

$ARGUMENTS

---

Objective

Clean up project dependencies across four categories:

Unused dependencies - Installed but never imported, dev deps not used in build/test

Security vulnerabilities - Packages with known CVEs (critical/high priority)

Outdated dependencies - Packages with newer stable versions, major updates available

Duplicates - Same package at multiple versions, conflicting peer dependencies

---

Execution

Phase 1: Detect Package Manager & Scan

Identify package manager (npm/pnpm/yarn/pip/cargo/go) from lockfiles.

Scan dependencies for all four categories. Present findings grouped by category with counts and severity:

• Critical vulnerabilities (fix immediately)
• Unused packages (safe to remove)
• Outdated packages (by semver level: major/minor/patch)
• Duplicates (version conflicts)

Gate: User must see full audit before proceeding.

Phase 2: Prioritize with User

Present findings with risk assessment:

• Critical: Security vulnerabilities (URGENT - fix immediately)
• Safe: Unused dependencies (safe to remove after verification)
• Low risk: Minor/patch updates (backwards compatible)
• Medium risk: Major version updates (review breaking changes)
• Needs review: Duplicate resolution (check compatibility)

Offer update strategies:

Choose cleanup strategy:

□ Conservative - Patch only, critical security fixes
□ Moderate - Minor + patch, all security fixes
□ Aggressive - All major updates (extensive testing required)
□ Custom - Select specific categories
□ Cancel

Gate: Get user approval on which categories and strategy level.

Phase 3: Execute Cleanup

For each approved category:

Security vulnerabilities:

• Update to patched version
• Check release notes for breaking changes
• Update code if API changed
• Test thoroughly

Unused dependencies:

• Verify not imported anywhere (check for dynamic requires)
• Remove from package manifest
• Clean lockfile
• Test immediately

Outdated packages:

• Check CHANGELOG for breaking changes
• Update one package at a time (or related packages together)
• Update code for API changes
• Test after each update

Duplicates:

• Choose version to keep (usually newer)
• Use resolutions/overrides if needed
• Rebuild lockfile
• Test compatibility

Critical safety constraint: One change at a time. Test after each. Commit on success, rollback on failure.

Gate: Tests must pass before moving to next category.

Phase 4: Report Results

Summarize: vulnerabilities fixed (by severity), unused removed, packages updated (major/minor/patch), duplicates resolved, overall security/maintenance improvement.

Delete the backup branch after successful completion:

git branch -D "$BACKUP_BRANCH"

---

Safety Constraints

CRITICAL:

• Security fixes first - prioritize over cosmetic improvements
• One package change at a time - test between each
• Read release notes before major updates
• Commit granularly
• Don't blindly auto-fix - some fixes introduce breaking changes
• Keep lockfiles - commit package-lock.json, yarn.lock, etc.
• Check peer dependencies after updates

If tests fail: Rollback, check if jumping too many versions, try intermediate version, review release notes for breaking changes.

---

After Cleanup

Review with code-reviewer agent before pushing:

Use shavakan-agents:code-reviewer to verify changes don't introduce issues.

---

Related Commands

• /shavakan-commands:cleanup - Full repository audit
• /shavakan-commands:cleanup-dead-code - Remove unused code
• /shavakan-commands:cleanup-architecture - Refactor structure