@jmruthers/pace-core 0.6.4 → 0.6.6

package/scripts/audit/core/checks/dependencies.cjs

@@ -1,994 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * Dependencies Check Module
- * @package @jmruthers/pace-core
- * @module Audit/Checks/Dependencies
- * 
- * Checks for:
- * - Outdated pace-core version
- * - Security vulnerabilities
- * - Unused dependencies
- * - Missing peer dependencies
- * - Version mismatches
- * - Redundant dependencies (duplicates of pace-core deps)
- * - Missing dependencies (used but not declared)
- * - Misclassified dependencies (wrong section)
- * - Version mismatches across workspace
- * - Optional dependencies build configuration
- */
-
-const fs = require('fs');
-const path = require('path');
-const { getPackageInfo, findSourceFiles } = require('../utils.cjs');
-
-/**
- * Extract package name from import/require path
- */
-function extractPackageName(modulePath) {
-  if (modulePath.startsWith('@')) {
-    const parts = modulePath.split('/');
-    if (parts.length >= 2) {
-      return `${parts[0]}/${parts[1]}`;
-    }
-  } else {
-    return modulePath.split('/')[0];
-  }
-  return null;
-}
-
-/**
- * Find all config files in the project
- */
-function findConfigFiles(projectRoot) {
-  const configFiles = [];
-  const configPatterns = [
-    'vite.config.{ts,js,mjs,cjs}',
-    'vitest.config.{ts,js,mjs,cjs}',
-    'tsconfig.json',
-    '.eslintrc.{js,json,cjs}',
-    'eslint.config.{js,mjs,cjs}',
-    'tailwind.config.{ts,js}',
-    'postcss.config.{js,cjs}',
-    'babel.config.{js,json}',
-    'jest.config.{js,ts}',
-    'webpack.config.{js,ts}',
-    'rollup.config.{js,ts}',
-    'next.config.{js,mjs}',
-    'remix.config.{js,ts}',
-  ];
-  
-  // Check root directory
-  const rootFiles = fs.readdirSync(projectRoot);
-  rootFiles.forEach(file => {
-    configPatterns.forEach(pattern => {
-      const regex = new RegExp('^' + pattern.replace(/\{.*?\}/g, '.*') + '$');
-      if (regex.test(file)) {
-        const fullPath = path.join(projectRoot, file);
-        if (fs.existsSync(fullPath)) {
-          configFiles.push(fullPath);
-        }
-      }
-    });
-  });
-  
-  return configFiles;
-}
-
-/**
- * Get pace-core peer dependencies
- */
-function getPaceCorePeerDeps(projectRoot) {
-  try {
-    // Try to find pace-core in node_modules
-    const paceCorePath = path.join(projectRoot, 'node_modules', '@jmruthers', 'pace-core', 'package.json');
-    if (fs.existsSync(paceCorePath)) {
-      const paceCorePkg = JSON.parse(fs.readFileSync(paceCorePath, 'utf8'));
-      return paceCorePkg.peerDependencies || {};
-    }
-  } catch (error) {
-    // If we can't find it, return empty object
-  }
-  return {};
-}
-
-/**
- * Get pace-core dependencies (runtime dependencies provided by pace-core)
- */
-function getPaceCoreDeps(projectRoot) {
-  try {
-    // Try to find pace-core in node_modules
-    const paceCorePath = path.join(projectRoot, 'node_modules', '@jmruthers', 'pace-core', 'package.json');
-    if (fs.existsSync(paceCorePath)) {
-      const paceCorePkg = JSON.parse(fs.readFileSync(paceCorePath, 'utf8'));
-      return paceCorePkg.dependencies || {};
-    }
-  } catch (error) {
-    // If we can't find it, return empty object
-  }
-  return {};
-}
-
-/**
- * Get pace-core package.json (for workspace checks)
- */
-function getPaceCorePackageJson(projectRoot) {
-  try {
-    // Try to find pace-core in node_modules
-    const paceCorePath = path.join(projectRoot, 'node_modules', '@jmruthers', 'pace-core', 'package.json');
-    if (fs.existsSync(paceCorePath)) {
-      return JSON.parse(fs.readFileSync(paceCorePath, 'utf8'));
-    }
-    // Also try packages/core if we're in the workspace
-    const packagesCorePath = path.join(projectRoot, 'packages', 'core', 'package.json');
-    if (fs.existsSync(packagesCorePath)) {
-      return JSON.parse(fs.readFileSync(packagesCorePath, 'utf8'));
-    }
-  } catch (error) {
-    // If we can't find it, return null
-  }
-  return null;
-}
-
-/**
- * Get workspace root package.json (for monorepo checks)
- */
-function getWorkspaceRootPackageJson(projectRoot) {
-  try {
-    const rootPath = path.join(projectRoot, 'package.json');
-    if (fs.existsSync(rootPath)) {
-      return JSON.parse(fs.readFileSync(rootPath, 'utf8'));
-    }
-  } catch (error) {
-    // If we can't find it, return null
-  }
-  return null;
-}
-
-/**
- * Check if a dependency is used in config files
- */
-function checkConfigFiles(configFiles, depName) {
-  for (const configFile of configFiles) {
-    try {
-      const content = fs.readFileSync(configFile, 'utf8');
-      
-      // Check for direct imports/requires
-      const importPatterns = [
-        /from\s+['"]([^'"]+)['"]/g,
-        /require\(['"]([^'"]+)['"]\)/g,
-        /import\(['"]([^'"]+)['"]\)/g,
-      ];
-      
-      for (const pattern of importPatterns) {
-        let match;
-        while ((match = pattern.exec(content)) !== null) {
-          const modulePath = match[1];
-          const pkgName = extractPackageName(modulePath);
-          if (pkgName === depName) {
-            return true;
-          }
-        }
-      }
-      
-      // Check for string references (e.g., in optimizeDeps, plugins, etc.)
-      // This is a heuristic - check if the package name appears as a string
-      const depNameEscaped = depName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-      const stringRefPattern = new RegExp(`['"]${depNameEscaped}['"]`, 'g');
-      if (stringRefPattern.test(content)) {
-        return true;
-      }
-    } catch (error) {
-      // Skip files we can't read
-    }
-  }
-  return false;
-}
-
-/**
- * Check if a dependency is used in CSS or other non-JS files
- */
-function checkNonJsFiles(projectRoot, depName) {
-  const cssFiles = [];
-  const cssExtensions = ['.css', '.scss', '.sass', '.less', '.styl'];
-  
-  try {
-    const srcPath = path.join(projectRoot, 'src');
-    if (fs.existsSync(srcPath)) {
-      const walkDir = (dir) => {
-        const files = fs.readdirSync(dir);
-        files.forEach(file => {
-          const fullPath = path.join(dir, file);
-          const stat = fs.statSync(fullPath);
-          if (stat.isDirectory() && !file.startsWith('.') && file !== 'node_modules') {
-            walkDir(fullPath);
-          } else if (stat.isFile()) {
-            const ext = path.extname(file);
-            if (cssExtensions.includes(ext)) {
-              cssFiles.push(fullPath);
-            }
-          }
-        });
-      };
-      walkDir(srcPath);
-    }
-  } catch (error) {
-    // Skip if can't read
-  }
-  
-  // Check CSS files for @import statements
-  for (const cssFile of cssFiles) {
-    try {
-      const content = fs.readFileSync(cssFile, 'utf8');
-      // Check for @import statements that might reference packages
-      const importPattern = /@import\s+['"]([^'"]+)['"]/g;
-      let match;
-      while ((match = importPattern.exec(content)) !== null) {
-        const modulePath = match[1];
-        const pkgName = extractPackageName(modulePath);
-        if (pkgName === depName) {
-          return true;
-        }
-      }
-    } catch (error) {
-      // Skip files we can't read
-    }
-  }
-  
-  return false;
-}
-
-/**
- * Find all test files in the project
- */
-function findTestFiles(projectRoot) {
-  const testFiles = [];
-  const testPattern = /\.(test|spec)\.(ts|tsx|js|jsx)$/;
-  const ignoreDirs = ['node_modules', 'dist', 'build', '.next', 'coverage'];
-  
-  const walkDir = (dir) => {
-    try {
-      const items = fs.readdirSync(dir);
-      items.forEach(item => {
-        const fullPath = path.join(dir, item);
-        const stat = fs.statSync(fullPath);
-        
-        if (stat.isDirectory()) {
-          if (!ignoreDirs.includes(item) && !item.startsWith('.')) {
-            walkDir(fullPath);
-          }
-        } else if (stat.isFile() && testPattern.test(item)) {
-          testFiles.push(fullPath);
-        }
-      });
-    } catch (error) {
-      // Skip directories we can't read
-    }
-  };
-  
-  try {
-    const srcPath = path.join(projectRoot, 'src');
-    if (fs.existsSync(srcPath)) {
-      walkDir(srcPath);
-    }
-  } catch (error) {
-    // Skip if can't read
-  }
-  
-  return testFiles;
-}
-
-/**
- * Check if a dependency is used in package.json scripts
- */
-function checkPackageScripts(packageJson, depName) {
-  if (!packageJson || !packageJson.scripts) {
-    return false;
-  }
-  
-  const scripts = packageJson.scripts;
-  const scriptContent = Object.values(scripts).join(' ');
-  
-  // Check if the package name appears in any script
-  // This is a simple check - package names in scripts are usually the command name
-  const depNameEscaped = depName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-  const scriptPattern = new RegExp(`\\b${depNameEscaped}\\b`, 'i');
-  
-  return scriptPattern.test(scriptContent);
-}
-
-/**
- * Check if a dependency is only used in test files
- */
-function isOnlyUsedInTests(projectRoot, depName, testFiles) {
-  if (testFiles.length === 0) {
-    return false;
-  }
-  
-  // Check if it's used in any test file
-  let foundInTests = false;
-  for (const testFile of testFiles) {
-    try {
-      const content = fs.readFileSync(testFile, 'utf8');
-      const depNameEscaped = depName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-      
-      // Check for imports
-      const importPattern = new RegExp(`from\\s+['"]${depNameEscaped}`, 'g');
-      const requirePattern = new RegExp(`require\\(['"]${depNameEscaped}`, 'g');
-      
-      if (importPattern.test(content) || requirePattern.test(content)) {
-        foundInTests = true;
-        break;
-      }
-    } catch (error) {
-      // Skip files we can't read
-    }
-  }
-  
-  return foundInTests;
-}
-
-const dependenciesCheck = {
-  name: 'dependencies',
-  description: 'Dependency analysis (outdated versions, security, unused deps, redundant deps, misclassified deps, version mismatches)',
-  severity: 'warning',
-  
-  async run(context) {
-    const { projectRoot } = context;
-    const issues = [];
-    const warnings = [];
-    const suggestions = [];
-    
-    const packageJson = getPackageInfo(projectRoot);
-    if (!packageJson) {
-      return { issues, warnings, suggestions };
-    }
-    
-    // Skip dependency checks if this is the pace-core repository itself
-    // Detect pace-core repository by checking if packages/core exists
-    const packagesCorePath = path.join(projectRoot, 'packages', 'core');
-    const isPaceCoreRepository = fs.existsSync(packagesCorePath);
-    
-    const allDeps = { ...packageJson.dependencies, ...packageJson.devDependencies };
-    const devDeps = packageJson.devDependencies || {};
-    
-    // Get pace-core peer dependencies
-    const paceCorePeerDeps = getPaceCorePeerDeps(projectRoot);
-    
-    // Get pace-core version (used in multiple checks)
-    const paceCoreVersion = !isPaceCoreRepository ? allDeps['@jmruthers/pace-core'] : null;
-    
-    // Check for required React version (19.2.3) - do this early to ensure it always runs
-    // This check MUST run for all consuming apps (not pace-core repository itself)
-    if (!isPaceCoreRepository) {
-      const requiredReactVersion = '19.2.3';
-      
-      // Read React versions from package.json - check both dependencies and devDependencies
-      const reactVersion = (packageJson.dependencies && packageJson.dependencies.react) || 
-                          (packageJson.devDependencies && packageJson.devDependencies.react) || 
-                          null;
-      const reactDomVersion = (packageJson.dependencies && packageJson.dependencies['react-dom']) || 
-                             (packageJson.devDependencies && packageJson.devDependencies['react-dom']) || 
-                             null;
-      
-      // Normalize version for comparison (remove ^, ~, >=, <=, etc.)
-      const normalizeVersion = (v) => {
-        if (!v || typeof v !== 'string') {
-          return null;
-        }
-        // Remove range prefixes (^, ~, >=, <=, >, <, =)
-        let normalized = v.replace(/^[\^~>=<]/, '');
-        // Remove any whitespace
-        normalized = normalized.trim();
-        // Extract base version (e.g., "19.2.3" from "19.2.3" or "19.2.3-alpha.1")
-        const match = normalized.match(/^(\d+\.\d+\.\d+)/);
-        if (match && match[1]) {
-          return match[1];
-        }
-        // Fallback: try to extract any version pattern
-        const fallbackMatch = normalized.match(/(\d+\.\d+\.\d+)/);
-        return fallbackMatch ? fallbackMatch[1] : null;
-      };
-      
-      // Check React version
-      if (reactVersion) {
-        const normalizedReactVersion = normalizeVersion(reactVersion);
-        const normalizedRequiredVersion = normalizeVersion(requiredReactVersion);
-        
-        // Check if versions match - always add issue if they don't match
-        let versionMismatch = false;
-        
-        if (normalizedReactVersion && normalizedRequiredVersion) {
-          // Both normalized successfully - compare normalized versions
-          versionMismatch = normalizedReactVersion !== normalizedRequiredVersion;
-        } else {
-          // Normalization failed - do a simple string check
-          const cleanReactVersion = reactVersion.replace(/^[\^~>=<]/, '').trim();
-          const cleanRequiredVersion = requiredReactVersion.replace(/^[\^~>=<]/, '').trim();
-          versionMismatch = cleanReactVersion !== cleanRequiredVersion && !cleanReactVersion.startsWith(requiredReactVersion);
-        }
-        
-        if (versionMismatch) {
-          issues.push({
-            type: 'incorrect-react-version',
-            file: 'package.json',
-            message: `React version ${reactVersion} does not match required version ${requiredReactVersion}`,
-            recommendation: `Install React ${requiredReactVersion}. Run: npm install react@${requiredReactVersion} react-dom@${requiredReactVersion}`
-          });
-        }
-      } else {
-        issues.push({
-          type: 'missing-react',
-          file: 'package.json',
-          message: 'React is not installed but is required',
-          recommendation: `Install React ${requiredReactVersion}. Run: npm install react@${requiredReactVersion} react-dom@${requiredReactVersion}`
-        });
-      }
-      
-      // Check react-dom version matches
-      if (reactDomVersion) {
-        const normalizedReactDomVersion = normalizeVersion(reactDomVersion);
-        const normalizedRequiredVersion = normalizeVersion(requiredReactVersion);
-        
-        // Check if versions match - always add issue if they don't match
-        let versionMismatch = false;
-        
-        if (normalizedReactDomVersion && normalizedRequiredVersion) {
-          // Both normalized successfully - compare normalized versions
-          versionMismatch = normalizedReactDomVersion !== normalizedRequiredVersion;
-        } else {
-          // Normalization failed - do a simple string check
-          const cleanReactDomVersion = reactDomVersion.replace(/^[\^~>=<]/, '').trim();
-          const cleanRequiredVersion = requiredReactVersion.replace(/^[\^~>=<]/, '').trim();
-          versionMismatch = cleanReactDomVersion !== cleanRequiredVersion && !cleanReactDomVersion.startsWith(requiredReactVersion);
-        }
-        
-        if (versionMismatch) {
-          issues.push({
-            type: 'incorrect-react-dom-version',
-            file: 'package.json',
-            message: `react-dom version ${reactDomVersion} does not match required version ${requiredReactVersion}`,
-            recommendation: `Install react-dom ${requiredReactVersion}. Run: npm install react-dom@${requiredReactVersion}`
-          });
-        }
-      } else if (reactVersion) {
-        // If react is installed but react-dom is not, that's also an issue
-        issues.push({
-          type: 'missing-react-dom',
-          file: 'package.json',
-          message: 'react-dom is not installed but is required',
-          recommendation: `Install react-dom ${requiredReactVersion}. Run: npm install react-dom@${requiredReactVersion}`
-        });
-      }
-    }
-    
-    // Check pace-core version (skip if this is the pace-core repository itself)
-    if (!isPaceCoreRepository) {
-      if (paceCoreVersion) {
-        // Check if version is outdated (simplified - would need to check npm registry)
-        if (paceCoreVersion.startsWith('^') || paceCoreVersion.startsWith('~')) {
-          // Version range - this is fine
-        } else if (paceCoreVersion.match(/^\d+\.\d+\.\d+$/)) {
-          // Exact version - suggest using range
-          suggestions.push({
-            type: 'exact-version',
-            file: 'package.json',
-            message: `pace-core is pinned to exact version ${paceCoreVersion}`,
-            recommendation: 'Consider using a version range (^ or ~) to receive patch/minor updates automatically'
-          });
-        }
-      } else {
-        issues.push({
-          type: 'missing-pace-core',
-          file: 'package.json',
-          message: '@jmruthers/pace-core is not in dependencies',
-          recommendation: 'Add @jmruthers/pace-core to your dependencies'
-        });
-      }
-    }
-    
-    // Collect all files to scan
-    // Skip unused dependency checks if this is the pace-core repository itself
-    // The library's dependencies are used in packages/core/src/, not in the root src/
-    const sourceFiles = [];
-    if (!isPaceCoreRepository) {
-      try {
-        const srcPath = path.join(projectRoot, 'src');
-        if (fs.existsSync(srcPath)) {
-          sourceFiles.push(...findSourceFiles(srcPath));
-        }
-      } catch (error) {
-        // Skip if can't read source files
-      }
-    }
-    
-    // Also scan config files
-    const configFiles = findConfigFiles(projectRoot);
-    
-    // Find test files separately for better analysis
-    const testFiles = !isPaceCoreRepository ? findTestFiles(projectRoot) : [];
-    
-    // Build set of imported packages from source files (runtime)
-    const importedPackages = new Set();
-    // Build set of packages used only in tests
-    const testOnlyPackages = new Set();
-    
-    // Scan source files (runtime code)
-    sourceFiles.forEach(filePath => {
-      try {
-        const content = fs.readFileSync(filePath, 'utf8');
-        // Check for ES6 imports
-        const importPattern = /from\s+['"]([^'"]+)['"]/g;
-        let match;
-        while ((match = importPattern.exec(content)) !== null) {
-          const modulePath = match[1];
-          const pkgName = extractPackageName(modulePath);
-          if (pkgName) {
-            importedPackages.add(pkgName);
-          }
-        }
-        // Check for require() statements
-        const requirePattern = /require\(['"]([^'"]+)['"]\)/g;
-        while ((match = requirePattern.exec(content)) !== null) {
-          const modulePath = match[1];
-          const pkgName = extractPackageName(modulePath);
-          if (pkgName) {
-            importedPackages.add(pkgName);
-          }
-        }
-        // Check for dynamic imports
-        const dynamicImportPattern = /import\(['"]([^'"]+)['"]\)/g;
-        while ((match = dynamicImportPattern.exec(content)) !== null) {
-          const modulePath = match[1];
-          const pkgName = extractPackageName(modulePath);
-          if (pkgName) {
-            importedPackages.add(pkgName);
-          }
-        }
-      } catch (error) {
-        // Skip files with errors
-      }
-    });
-    
-    // Scan test files separately
-    testFiles.forEach(filePath => {
-      try {
-        const content = fs.readFileSync(filePath, 'utf8');
-        const importPattern = /from\s+['"]([^'"]+)['"]/g;
-        let match;
-        while ((match = importPattern.exec(content)) !== null) {
-          const modulePath = match[1];
-          const pkgName = extractPackageName(modulePath);
-          if (pkgName && !importedPackages.has(pkgName)) {
-            // Only add to test-only if not already used in runtime code
-            testOnlyPackages.add(pkgName);
-          }
-        }
-        const requirePattern = /require\(['"]([^'"]+)['"]\)/g;
-        while ((match = requirePattern.exec(content)) !== null) {
-          const modulePath = match[1];
-          const pkgName = extractPackageName(modulePath);
-          if (pkgName && !importedPackages.has(pkgName)) {
-            testOnlyPackages.add(pkgName);
-          }
-        }
-      } catch (error) {
-        // Skip files with errors
-      }
-    });
-    
-    // Scan config files for imports
-    configFiles.forEach(filePath => {
-      try {
-        const content = fs.readFileSync(filePath, 'utf8');
-        const importPattern = /from\s+['"]([^'"]+)['"]/g;
-        let match;
-        while ((match = importPattern.exec(content)) !== null) {
-          const modulePath = match[1];
-          const pkgName = extractPackageName(modulePath);
-          if (pkgName) {
-            importedPackages.add(pkgName);
-          }
-        }
-        const requirePattern = /require\(['"]([^'"]+)['"]\)/g;
-        while ((match = requirePattern.exec(content)) !== null) {
-          const modulePath = match[1];
-          const pkgName = extractPackageName(modulePath);
-          if (pkgName) {
-            importedPackages.add(pkgName);
-          }
-        }
-      } catch (error) {
-        // Skip files with errors
-      }
-    });
-    
-    // Known build tools and dev dependencies that are commonly used but not directly imported
-    const knownBuildTools = [
-      'vite',
-      'typescript',
-      'eslint',
-      'prettier',
-      'vitest',
-      '@types',
-      '@vitejs',
-      '@testing-library',
-      'jsdom',
-      'globals',
-      'tailwindcss',
-      '@tailwindcss',
-      'postcss',
-      'autoprefixer',
-      'babel',
-      'webpack',
-      'rollup',
-      'tsup',
-      'esbuild',
-      'lovable-tagger',
-      'babel-plugin-react-compiler',
-    ];
-    
-    // Check for potentially unused dependencies
-    // Skip this check if running on the pace-core repository itself
-    // The library's dependencies are used in packages/core/src/, not in the root src/ (demo app)
-    if (!isPaceCoreRepository) {
-      Object.keys(allDeps).forEach(dep => {
-        // Skip if it's a known build tool
-        if (knownBuildTools.some(tool => dep.includes(tool) || dep.startsWith(tool))) {
-          return;
-        }
-        
-        // Skip if it's a peer dependency of pace-core
-        if (paceCorePeerDeps[dep]) {
-          return;
-        }
-        
-        // Skip if it's pace-core itself
-        if (dep === '@jmruthers/pace-core') {
-          return;
-        }
-        
-        // Skip if it's a dependency of pace-core (required by pace-core's bundled code)
-        if (!isPaceCoreRepository) {
-          const paceCoreDeps = getPaceCoreDeps(projectRoot);
-          if (paceCoreDeps[dep]) {
-            // This dependency is required by pace-core, so it's not unused
-            return;
-          }
-        }
-      
-      // Check if package is imported in source files (runtime)
-      if (importedPackages.has(dep)) {
-        // Package is used in runtime code, so it's needed
-        return;
-      }
-      
-      // Check if it's used in package.json scripts
-      if (checkPackageScripts(packageJson, dep)) {
-        return;
-      }
-      
-      // Check if it's used in config files
-      if (checkConfigFiles(configFiles, dep)) {
-        return;
-      }
-      
-      // Check if it's used in CSS or other non-JS files
-      if (checkNonJsFiles(projectRoot, dep)) {
-        return;
-      }
-      
-      // Check if it's used in test files
-      const isUsedInTests = testOnlyPackages.has(dep) || isOnlyUsedInTests(projectRoot, dep, testFiles);
-      const isOnlyInTests = isUsedInTests && !importedPackages.has(dep);
-      
-      // For dev dependencies, provide more context
-      const isDevDep = dep in devDeps;
-      const context = [];
-      
-      if (isDevDep) {
-        context.push('This is a dev dependency and may be used by build tools or test frameworks');
-      }
-      
-      // Check if it might be a transitive dependency needed by pace-core
-      if (paceCoreVersion) {
-        context.push('This may be required by @jmruthers/pace-core as a transitive dependency');
-      }
-      
-      // Check if it's in vite.config.ts optimizeDeps (common for pace-core peer deps)
-      const viteConfigPath = path.join(projectRoot, 'vite.config.ts');
-      const viteConfigJsPath = path.join(projectRoot, 'vite.config.js');
-      let isInViteConfig = false;
-      
-      for (const configPath of [viteConfigPath, viteConfigJsPath]) {
-        if (fs.existsSync(configPath)) {
-          try {
-            const viteContent = fs.readFileSync(configPath, 'utf8');
-            if (viteContent.includes(dep)) {
-              isInViteConfig = true;
-              break;
-            }
-          } catch (error) {
-            // Skip if can't read
-          }
-        }
-      }
-      
-      // Only warn if we're reasonably sure it's unused
-      // For runtime dependencies, be more strict
-      if (!isDevDep) {
-        // If it's only used in tests, suggest moving to devDependencies
-        if (isOnlyInTests) {
-          warnings.push({
-            type: 'test-only-runtime-dependency',
-            file: 'package.json',
-            message: `Runtime dependency '${dep}' is only used in test files`,
-            recommendation: `Move '${dep}' from dependencies to devDependencies since it's only used in tests. This will reduce your production bundle size.`
-          });
-          return;
-        }
-        
-        const recommendation = `Verify if '${dep}' is actually used. ${context.length > 0 ? context.join(' ') : ''}${isInViteConfig ? 'This dependency is referenced in vite.config.ts, which suggests it may be required by pace-core components. ' : ''}If it's a peer dependency of @jmruthers/pace-core (check pace-core's package.json), it's required even if not directly imported. If confirmed unused, remove it to reduce bundle size.`;
-        
-        warnings.push({
-          type: 'unused-dependency',
-          file: 'package.json',
-          message: `Runtime dependency '${dep}' may be unused`,
-          recommendation: recommendation
-        });
-      } else {
-        // For dev dependencies, only suggest (lower severity)
-        suggestions.push({
-          type: 'potentially-unused-dev-dependency',
-          file: 'package.json',
-          message: `Dev dependency '${dep}' may be unused`,
-          recommendation: `Check if '${dep}' is used in build configs, test files, or by pace-core. ${context.join(' ')}${isInViteConfig ? 'This dependency is referenced in vite.config.ts. ' : ''}If confirmed unused, you can remove it.`
-        });
-      }
-    });
-    }
-    
-    // Check for missing peer dependencies from pace-core
-    Object.keys(paceCorePeerDeps).forEach(peerDep => {
-      if (!allDeps[peerDep]) {
-        warnings.push({
-          type: 'missing-peer-dependency',
-          file: 'package.json',
-          message: `Peer dependency '${peerDep}' is missing but required by @jmruthers/pace-core`,
-          recommendation: `Install '${peerDep}' as it's required by pace-core. Run: npm install ${peerDep}`
-        });
-      }
-    });
-    
-    // Check for version mismatches between react and react-dom
-    // (The required version check is done earlier in the function)
-    const reactVersionForMismatch = packageJson.dependencies?.react || packageJson.devDependencies?.react;
-    const reactDomVersionForMismatch = packageJson.dependencies?.['react-dom'] || packageJson.devDependencies?.['react-dom'];
-    
-    if (reactVersionForMismatch && reactDomVersionForMismatch && reactVersionForMismatch !== reactDomVersionForMismatch) {
-      issues.push({
-        type: 'version-mismatch',
-        file: 'package.json',
-        message: `React version mismatch: react@${reactVersionForMismatch} vs react-dom@${reactDomVersionForMismatch}`,
-        recommendation: 'React and react-dom versions must match exactly'
-      });
-    }
-    
-    // ============================================
-    // NEW CHECKS: Future-proofing dependency management
-    // ============================================
-    
-    // 1. Check for redundant dependencies in consuming apps
-    // (packages already provided by pace-core)
-    if (!isPaceCoreRepository) {
-      const paceCoreDeps = getPaceCoreDeps(projectRoot);
-      const paceCorePeerDeps = getPaceCorePeerDeps(projectRoot);
-      
-      // Packages that pace-core provides as dependencies (should not be duplicated)
-      const redundantDeps = [];
-      Object.keys(packageJson.dependencies || {}).forEach(dep => {
-        // Skip pace-core itself
-        if (dep === '@jmruthers/pace-core') {
-          return;
-        }
-        
-        // Check if it's provided by pace-core as a dependency
-        if (paceCoreDeps[dep]) {
-          redundantDeps.push({
-            dep,
-            reason: 'provided by pace-core as a dependency',
-            paceCoreVersion: paceCoreDeps[dep]
-          });
-        }
-      });
-      
-      redundantDeps.forEach(({ dep, reason, paceCoreVersion }) => {
-        warnings.push({
-          type: 'redundant-dependency',
-          file: 'package.json',
-          message: `Dependency '${dep}' is redundant - ${reason}`,
-          recommendation: `Remove '${dep}' from dependencies. It's already provided by @jmruthers/pace-core@${paceCoreVersion}. Exception: If you need a different version or direct control, keep it but document why.`
-        });
-      });
-    }
-    
-    // 2. Check for missing dependencies (used but not declared)
-    if (!isPaceCoreRepository) {
-      // Check for dynamic imports that might need to be declared
-      const optionalDeps = ['recharts', 'papaparse', 'lodash.debounce', 'lodash.throttle'];
-      const dynamicImportPattern = /import\(['"]([^'"]+)['"]\)/g;
-      
-      sourceFiles.forEach(filePath => {
-        try {
-          const content = fs.readFileSync(filePath, 'utf8');
-          let match;
-          while ((match = dynamicImportPattern.exec(content)) !== null) {
-            const modulePath = match[1];
-            const pkgName = extractPackageName(modulePath);
-            if (pkgName && optionalDeps.includes(pkgName)) {
-              // Check if it's declared
-              if (!allDeps[pkgName]) {
-                suggestions.push({
-                  type: 'missing-optional-dependency',
-                  file: path.relative(projectRoot, filePath),
-                  message: `Optional dependency '${pkgName}' is dynamically imported but not declared`,
-                  recommendation: `Add '${pkgName}' to dependencies if you use this feature, or ensure it's marked as external in your build config`
-                });
-              }
-            }
-          }
-        } catch (error) {
-          // Skip files with errors
-        }
-      });
-    }
-    
-    // 3. Check for misclassified dependencies
-    // Runtime deps in devDependencies, peer deps in dependencies, etc.
-    if (isPaceCoreRepository) {
-      // Check pace-core's own package.json
-      const packagesCorePath = path.join(projectRoot, 'packages', 'core', 'package.json');
-      if (fs.existsSync(packagesCorePath)) {
-        const corePkg = JSON.parse(fs.readFileSync(packagesCorePath, 'utf8'));
-        const coreDeps = corePkg.dependencies || {};
-        const coreDevDeps = corePkg.devDependencies || {};
-        const corePeerDeps = corePkg.peerDependencies || {};
-        
-        // Check if peer dependencies are incorrectly in dependencies
-        Object.keys(coreDeps).forEach(dep => {
-          if (corePeerDeps[dep]) {
-            issues.push({
-              type: 'misclassified-dependency',
-              file: 'packages/core/package.json',
-              message: `'${dep}' is declared as both dependency and peerDependency`,
-              recommendation: `Remove '${dep}' from dependencies. Peer dependencies should only be in peerDependencies.`
-            });
-          }
-        });
-        
-        // Check if runtime dependencies are in devDependencies
-        // This is harder to detect automatically, but we can check for common patterns
-        const runtimeDepsInDev = ['@hookform/resolvers', '@supabase/supabase-js', '@tanstack/react-query'];
-        runtimeDepsInDev.forEach(dep => {
-          if (coreDevDeps[dep] && !coreDeps[dep]) {
-            // Check if it's used in source code
-            const coreSrcPath = path.join(projectRoot, 'packages', 'core', 'src');
-            if (fs.existsSync(coreSrcPath)) {
-              const coreSourceFiles = findSourceFiles(coreSrcPath);
-              let isUsed = false;
-              coreSourceFiles.forEach(filePath => {
-                try {
-                  const content = fs.readFileSync(filePath, 'utf8');
-                  if (content.includes(dep) || content.includes(extractPackageName(dep))) {
-                    isUsed = true;
-                  }
-                } catch (error) {
-                  // Skip
-                }
-              });
-              
-              if (isUsed) {
-                warnings.push({
-                  type: 'misclassified-dependency',
-                  file: 'packages/core/package.json',
-                  message: `'${dep}' is in devDependencies but appears to be used in source code`,
-                  recommendation: `Move '${dep}' from devDependencies to dependencies if it's used at runtime`
-                });
-              }
-            }
-          }
-        });
-      }
-    }
-    
-    // 4. Check for version mismatches across workspace (monorepo)
-    if (isPaceCoreRepository) {
-      const rootPkg = getWorkspaceRootPackageJson(projectRoot);
-      const corePkg = getPaceCorePackageJson(projectRoot);
-      
-      if (rootPkg && corePkg) {
-        const rootDeps = { ...rootPkg.dependencies, ...rootPkg.devDependencies };
-        const coreDeps = { ...corePkg.dependencies, ...corePkg.devDependencies };
-        
-        // Check for version mismatches in common dependencies
-        const commonDeps = Object.keys(rootDeps).filter(dep => coreDeps[dep]);
-        commonDeps.forEach(dep => {
-          const rootVersion = rootDeps[dep];
-          const coreVersion = coreDeps[dep];
-          
-          // Normalize versions for comparison (remove ^, ~, etc.)
-          const normalizeVersion = (v) => v.replace(/^[\^~]/, '');
-          const rootNormalized = normalizeVersion(rootVersion);
-          const coreNormalized = normalizeVersion(coreVersion);
-          
-          if (rootNormalized !== coreNormalized) {
-            warnings.push({
-              type: 'workspace-version-mismatch',
-              file: 'package.json',
-              message: `Version mismatch for '${dep}': root@${rootVersion} vs packages/core@${coreVersion}`,
-              recommendation: `Align versions across workspace. Consider using the same version in both root and packages/core package.json files.`
-            });
-          }
-        });
-      }
-    }
-    
-    // 5. Check for missing peer dependencies in consuming apps
-    if (!isPaceCoreRepository) {
-      const paceCorePkg = getPaceCorePackageJson(projectRoot);
-      if (paceCorePkg) {
-        const peerDeps = paceCorePkg.peerDependencies || {};
-        const allDeps = { ...packageJson.dependencies, ...packageJson.devDependencies };
-        
-        Object.keys(peerDeps).forEach(peerDep => {
-          if (!allDeps[peerDep]) {
-            issues.push({
-              type: 'missing-peer-dependency',
-              file: 'package.json',
-              message: `Missing peer dependency '${peerDep}' required by @jmruthers/pace-core`,
-              recommendation: `Install '${peerDep}@${peerDeps[peerDep]}' as a dependency. Run: npm install ${peerDep}@${peerDeps[peerDep]}`
-            });
-          }
-        });
-      }
-    }
-    
-    // 6. Check for optional dependencies handling in vite.config
-    if (!isPaceCoreRepository) {
-      const viteConfigPath = path.join(projectRoot, 'vite.config.ts');
-      const viteConfigJsPath = path.join(projectRoot, 'vite.config.js');
-      const optionalDeps = ['recharts', 'papaparse'];
-      
-      for (const configPath of [viteConfigPath, viteConfigJsPath]) {
-        if (fs.existsSync(configPath)) {
-          try {
-            const viteContent = fs.readFileSync(configPath, 'utf8');
-            optionalDeps.forEach(dep => {
-              // Check if it's marked as external
-              const isExternal = viteContent.includes(`external`) && 
-                                 (viteContent.includes(`'${dep}'`) || viteContent.includes(`"${dep}"`));
-              
-              // Check if it's in dependencies
-              const isInDeps = allDeps[dep];
-              
-              if (!isExternal && !isInDeps) {
-                suggestions.push({
-                  type: 'optional-dependency-config',
-                  file: path.relative(projectRoot, configPath),
-                  message: `Optional dependency '${dep}' should be handled in build config`,
-                  recommendation: `Add '${dep}' to build.rollupOptions.external if you want it resolved at runtime, or install it as a dependency if you want it bundled`
-                });
-              }
-            });
-          } catch (error) {
-            // Skip if can't read
-          }
-        }
-      }
-    }
-    
-    return { issues, warnings, suggestions };
-  }
-};
-
-module.exports = dependenciesCheck;