dep-brain 1.0.0 → 1.0.1

package/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file.
 
+## 1.0.1
+
+- Reduced NestJS unused false positives for implicit runtime packages such as `@nestjs/platform-express` and `reflect-metadata`.
+- Added script binary inference for common tooling packages used through `nest`, `eslint`, `jest`, `ts-node`, and related commands.
+- Reduced risk-report noise by suppressing high-trust findings and medium-trust dev dependency findings.
+- Stopped treating "no releases published in the last 30 days" as a standalone risk signal.
+- Added regression tests for NestJS/tooling unused detection and weak risk-signal suppression.
+
 ## 1.0.0
 
 - Stable v1 CLI and library release for explainable dependency intelligence.

package/dist/checks/risk.js

@@ -18,7 +18,7 @@ export async function findRiskDependencies(graph, options = {}) {
                 ? "devDependencies"
                 : "unknown";
         const assessment = assessRisk(metadata, dependencyType);
-        if (assessment.reasons.length === 0) {
+        if (!shouldReportRisk(assessment.trustScore, dependencyType)) {
             return null;
         }
         return {
@@ -105,7 +105,9 @@ function assessRisk(metadata, dependencyType) {
         reasonCodes.push("single_maintainer");
         weight += 2;
     }
-    if (metadata.recentReleaseCount !== null && metadata.recentReleaseCount === 0) {
+    if (reasons.length > 0 &&
+        metadata.recentReleaseCount !== null &&
+        metadata.recentReleaseCount === 0) {
         reasons.push("No releases published in the last 30 days");
         reasonCodes.push("no_recent_release");
         weight += 1;
@@ -133,6 +135,15 @@ function assessRisk(metadata, dependencyType) {
         }
     };
 }
+function shouldReportRisk(trustScore, dependencyType) {
+    if (trustScore === "high") {
+        return false;
+    }
+    if (dependencyType === "devDependencies" && trustScore !== "low") {
+        return false;
+    }
+    return true;
+}
 function buildRiskRecommendation(reasons, confidence, trustScore) {
     return {
         action: "review",

package/dist/checks/unused.js

@@ -3,6 +3,22 @@ const SOURCE_FILE_PATTERN = /\.(c|m)?(t|j)sx?$/;
 const CONFIG_FILE_PATTERN = /(^|[\\/])(vite|vitest|jest|eslint|prettier|rollup|webpack|babel|tsup|eslint\.config|commitlint|playwright|storybook|tailwind|postcss)\.config\.(c|m)?(t|j)s$/;
 const TEST_FILE_PATTERN = /(^|[\\/])(__tests__|test|tests|spec|specs)([\\/]|$)|\.(test|spec)\.(c|m)?(t|j)sx?$/;
 const RUNTIME_DIR_PATTERN = /(^|[\\/])(src|app|lib|server|client|pages|components)([\\/]|$)/;
+const SCRIPT_BINARY_PACKAGE_MAP = {
+    eslint: [
+        "eslint",
+        "@typescript-eslint/eslint-plugin",
+        "@typescript-eslint/parser",
+        "eslint-config-prettier",
+        "eslint-plugin-prettier"
+    ],
+    jest: ["jest", "ts-jest"],
+    nest: ["@nestjs/cli", "@nestjs/schematics"],
+    prettier: ["prettier"],
+    ts_jest: ["ts-jest"],
+    ts_loader: ["ts-loader"],
+    ts_node: ["ts-node", "tsconfig-paths"],
+    webpack: ["webpack", "ts-loader"]
+};
 export async function findUnusedDependencies(rootDir, graph, fileEntries, options) {
     const projectFiles = fileEntries
         .map((entry) => entry.path)
@@ -26,6 +42,9 @@ export async function findUnusedDependencies(rootDir, graph, fileEntries, option
     }
     for (const referencedBinary of extractScriptReferences(graph.scripts)) {
         devUsed.add(referencedBinary);
+        for (const packageName of inferPackagesFromScriptReference(referencedBinary)) {
+            devUsed.add(packageName);
+        }
     }
     const hasTypeScriptSources = projectFiles.some((filePath) => /\.(c|m)?tsx?$/.test(filePath));
     if (options.hasTypeScriptConfig) {
@@ -33,6 +52,7 @@ export async function findUnusedDependencies(rootDir, graph, fileEntries, option
     }
     const unusedDependencies = Object.keys(graph.dependencies)
         .filter((name) => !runtimeUsed.has(name))
+        .filter((name) => !isImplicitlyUsedRuntimeDependency(name, graph, runtimeUsed))
         .map((name) => buildUnusedDependency(name, "dependencies"));
     const unusedDevDependencies = Object.keys(graph.devDependencies)
         .filter((name) => !devUsed.has(name) && !runtimeUsed.has(name))
@@ -121,6 +141,24 @@ function normalizeScriptToken(token) {
     }
     return token.replace(/\.cmd$/i, "");
 }
+function inferPackagesFromScriptReference(reference) {
+    const normalized = reference.replace(/[-/]/g, "_");
+    return SCRIPT_BINARY_PACKAGE_MAP[normalized] ?? [];
+}
+function isImplicitlyUsedRuntimeDependency(name, graph, runtimeUsed) {
+    if (name === "@nestjs/platform-express" &&
+        (runtimeUsed.has("@nestjs/core") || Boolean(graph.dependencies["@nestjs/core"]))) {
+        return true;
+    }
+    if (name === "reflect-metadata" &&
+        (hasNestDependency(graph.dependencies) || hasNestDependency(graph.devDependencies))) {
+        return true;
+    }
+    return false;
+}
+function hasNestDependency(dependencies) {
+    return Object.keys(dependencies).some((dependency) => dependency.startsWith("@nestjs/"));
+}
 function isImplicitlyUsedDevDependency(name, hasTypeScriptSources, hasTypeScriptConfig) {
     if (name === "typescript" && (hasTypeScriptSources || hasTypeScriptConfig)) {
         return true;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dep-brain",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "CLI and library for explainable dependency intelligence",
   "type": "module",
   "main": "dist/index.js",