Automated tooling and detection patterns for analyzing npm dependencies, unused packages, and dead code. Provides tool commands and what to look for—not how to structure output.
Automated analysis commands and detection patterns for identifying npm dependency issues, unused packages, and dead code. Uses bash scripts and grep patterns to detect problems when analyzing package.json and source files.
/plugin marketplace add djankies/claude-configs
/plugin install review@claude-configs
This skill is limited to using the following tools:
This skill provides automated analysis commands and detection patterns for dependency issues. Use this as a reference for WHAT to check and HOW to detect issues—not for output formatting or workflow.
Run these scripts to gather metrics (if tools available):
```bash
bash ~/.claude/plugins/marketplaces/claude-configs/review/scripts/review-unused-deps.sh
```
Returns: Unused dependencies, unused devDependencies, missing dependencies (imported but not in package.json)
```bash
bash ~/.claude/plugins/marketplaces/claude-configs/review/scripts/review-unused-code.sh
```
Returns: Unused exports, unused files, unused enum/class members, unused types/interfaces
```bash
npm audit --json
npm audit --production --json
npm outdated
```
Look for:
```bash
npm run build -- --analyze
```
Returns: Bundle size breakdown, largest chunks
When automated tools are unavailable, or for deeper analysis, use Read/Grep/Glob to detect:
Read package.json:
```bash
cat package.json | jq '.dependencies, .devDependencies'
```
Check for:
Count imports for specific package:
```bash
grep -r "from ['\"]package-name['\"]" src/ | wc -l
grep -r "require(['\"]package-name['\"])" src/ | wc -l
```
Find all import locations:
```bash
grep -rn "from ['\"]package-name['\"]" src/
```
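The exact-name greps above only match `from 'package-name'`, so a subpath import such as `date-fns/format` or a scoped package is not counted. As an added example (not one of the skill's scripts), this Node.js code normalizes each import specifier to its package name and reports declared-but-unimported and imported-but-undeclared packages; `analyze`, `packageName` and the sample data are constructed for illustration.

```javascript
const { builtinModules } = require('node:module');

// Specifiers in: import x from 'p', export * from 'p', import 'p',
// import('p') and require('p').
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(['"])([^'"\n]+)\1/g;

// 'lodash/debounce' -> 'lodash'; '@scope/pkg/sub' -> '@scope/pkg'.
// Relative paths, '#' subpath imports and Node built-ins return null.
function packageName(specifier) {
  if (/^[./#]/.test(specifier) || specifier.startsWith('node:')) return null;
  const parts = specifier.split('/');
  const name = specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return builtinModules.includes(name) ? null : name;
}

// pkg: parsed package.json; files: { path: source text }.
function analyze(pkg, files) {
  const declared = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
  const usage = new Map(); // package name -> files that import it
  for (const [path, source] of Object.entries(files)) {
    for (const match of source.matchAll(SPECIFIER_RE)) {
      const name = packageName(match[2]);
      if (!name) continue;
      if (!usage.has(name)) usage.set(name, []);
      usage.get(name).push(path);
    }
  }
  return {
    unused: [...declared].filter((d) => !usage.has(d)).sort(),
    missing: [...usage.keys()].filter((u) => !declared.has(u)).sort(),
    usage,
  };
}

// Constructed sample input (not taken from a real project).
const samplePkg = {
  dependencies: { lodash: '^4.17.21', 'date-fns': '^3.0.0', moment: '^2.29.4' },
  devDependencies: { vitest: '^1.0.0' },
};
const sampleFiles = {
  'src/a.js': "import { format } from 'date-fns/format';\nconst fs = require('fs');\n",
  'src/b.js': "const d = require('lodash/debounce');\nimport('@acme/widgets/button');\nimport './local';\n",
};
const report = analyze(samplePkg, sampleFiles);
console.log({ unused: report.unused, missing: report.missing });
```

A package with no import hits can still be in use through npm scripts or tool configuration, so treat `unused` as candidates to verify rather than a removal list.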
Multiple date libraries:
```bash
grep -E "moment|date-fns|dayjs|luxon" package.json
```
Multiple HTTP clients:
```bash
grep -E "axios|node-fetch|got|ky|superagent" package.json
```
Multiple testing frameworks:
```bash
grep -E "jest|mocha|jasmine|vitest" package.json
```
Uses skills tagged with review: true including reviewing-vitest-config from vitest-4 for detecting configuration deprecations and testing framework migration patterns.
Multiple utility libraries:
```bash
grep -E "lodash|underscore|ramda" package.json
```
Non-ES module imports:
```bash
grep -r "import .* from 'lodash'" src/
grep -r "import _ from" src/
```
Look for: Default imports that could be named imports from ES module versions
Large utility usage:
```bash
grep -rn "from 'lodash'" src/ | head -20
```
Look for: Single function imports that could be inlined
Exported but never imported:
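```bash
# Find all exports (-E is required for the (a|b) alternation to work)
grep -rnE "export (const|function|class|interface|type)" src/
# For each export, check if imported elsewhere
# (ExportName is a placeholder; the pattern allows spaces and other names inside the braces)
grep -rE "import.*\{[^}]*ExportName" src/
```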
Unused utility files:
```bash
# Find utility/helper files
find src/ -name "*util*" -o -name "*helper*"
# Check if imported
grep -r "from.*utils" src/
```
Deprecated code markers:
```bash
grep -rn "@deprecated\|DEPRECATED\|DO NOT USE" src/
```
Use these criteria when classifying findings:
| Pattern | Severity | Rationale |
|---|---|---|
| Vulnerable dependency (critical/high) | critical | Security risk in production |
| Unused dependency >100kb | high | Significant bundle bloat |
| Multiple packages for same purpose | high | Maintenance overhead |
| Vulnerable dependency (moderate) | medium | Security risk, lower impact |
| Unused dependency 10-100kb | medium | Moderate bundle bloat |
| Unused devDependency | medium | Maintenance overhead |
| Single-use utility from large library | medium | Tree-shaking opportunity |
| Unused dependency <10kb | nitpick | Minimal impact |
| Loose version ranges (^, ~) | nitpick | Potential instability |
| Incorrect dependency category | nitpick | Organization issue |
High Confidence (Unused):
Medium Confidence (Low Usage):
Consider Alternatives:
| Category | Examples | Typical Size |
|---|---|---|
| Heavy date libs | moment | 70kb |
| Light date libs | dayjs, date-fns (tree-shaken) | 2-10kb |
| Heavy utilities | lodash (full) | 70kb |
| Light utilities | lodash-es (per function) | 1-5kb |
| HTTP clients | axios, node-fetch | 10-15kb |
| Native alternatives | fetch, Intl API | 0kb |
Replace large utility with inline:
```javascript
// Before: lodash.debounce (71kb library)
import _ from 'lodash';
_.debounce(fn, 300);

// After: inline (0kb)
const debounce = (fn, ms) => {
  let timeout;
  return (...args) => {
    clearTimeout(timeout);
    timeout = setTimeout(() => fn(...args), ms);
  };
};
```
Replace with tree-shakeable alternative:
```javascript
// Before: full library
import moment from 'moment';
moment(date).format('YYYY-MM-DD');

// After: specific function
import { format } from 'date-fns/format';
format(date, 'yyyy-MM-dd');
```
Replace with native alternative:
```javascript
// Before: lodash
import { isEmpty } from 'lodash';
isEmpty(obj);

// After: native
Object.keys(obj).length === 0;
```
Run automated scripts first (if tools available)
Parse script outputs for package names and file locations
Verify usage with grep for each flagged package
Read package.json to check:
Cross-reference findings: