dep-brain 1.0.0 → 1.0.2
- package/CHANGELOG.md +15 -0
- package/dist/checks/risk.js +13 -2
- package/dist/checks/unused.js +53 -0
- package/dist/core/graph-builder.d.ts +1 -0
- package/dist/core/graph-builder.js +2 -0
- package/package.json +1 -1
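--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file.
 
+## 1.0.2
+
+- Treated npm `overrides` entries as intentional version pins so direct override packages are not flagged as unused.
+- Improved script/register-path inference for `ts-node/register` and `tsconfig-paths/register`.
+- Suppressed common NestJS TypeScript tooling false positives for `source-map-support`, `ts-loader`, `ts-node`, and `tsconfig-paths`.
+- Added regression coverage for override pins and NestJS debug/build script patterns.
+
+## 1.0.1
+
+- Reduced NestJS unused false positives for implicit runtime packages such as `@nestjs/platform-express` and `reflect-metadata`.
+- Added script binary inference for common tooling packages used through `nest`, `eslint`, `jest`, `ts-node`, and related commands.
+- Reduced risk-report noise by suppressing high-trust findings and medium-trust dev dependency findings.
+- Stopped treating "no releases published in the last 30 days" as a standalone risk signal.
+- Added regression tests for NestJS/tooling unused detection and weak risk-signal suppression.
+
 ## 1.0.0
 
 - Stable v1 CLI and library release for explainable dependency intelligence.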
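--- a/package/dist/checks/risk.js
+++ b/package/dist/checks/risk.js
@@ -18,7 +18,7 @@ export async function findRiskDependencies(graph, options = {}) {
 ? "devDependencies"
 : "unknown";
 const assessment = assessRisk(metadata, dependencyType);
-if (assessment.
+if (!shouldReportRisk(assessment.trustScore, dependencyType)) {
 return null;
 }
 return {
@@ -105,7 +105,9 @@ function assessRisk(metadata, dependencyType) {
 reasonCodes.push("single_maintainer");
 weight += 2;
 }
-if (
+if (reasons.length > 0 &&
+metadata.recentReleaseCount !== null &&
+metadata.recentReleaseCount === 0) {
 reasons.push("No releases published in the last 30 days");
 reasonCodes.push("no_recent_release");
 weight += 1;
@@ -133,6 +135,15 @@ function assessRisk(metadata, dependencyType) {
 }
 };
 }
+function shouldReportRisk(trustScore, dependencyType) {
+if (trustScore === "high") {
+return false;
+}
+if (dependencyType === "devDependencies" && trustScore !== "low") {
+return false;
+}
+return true;
+}
 function buildRiskRecommendation(reasons, confidence, trustScore) {
 return {
 action: "review",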
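Review bot: `shouldReportRisk` (new lines 138–146) discards every finding for a high-trust package, so reasons that `assessRisk` still records, such as `single_maintainer`, never reach the report for exactly the widely-used packages where a maintainer-account compromise has the largest blast radius. Rather than dropping them outright, let the caller decide: `findRiskDependencies` already takes `options = {}`, so a constructed opt-in such as `options.includeSuppressed` checked alongside the call at new line 21 would keep the noise reduction by default while leaving an audit path. A one-line doc comment on `shouldReportRisk` stating that suppressed findings are dropped, not downgraded, would make that trade-off explicit either way. Separately, in the second hunk `metadata.recentReleaseCount !== null &&` is redundant once `=== 0` is tested, so the condition can read `if (reasons.length > 0 && metadata.recentReleaseCount === 0) {`. The bodies of `findRiskDependencies` and `assessRisk` extend beyond the hunks, and the removed lines are truncated on this page, so the previous conditions could not be compared.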
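--- a/package/dist/checks/unused.js
+++ b/package/dist/checks/unused.js
@@ -3,6 +3,24 @@ const SOURCE_FILE_PATTERN = /\.(c|m)?(t|j)sx?$/;
 const CONFIG_FILE_PATTERN = /(^|[\\/])(vite|vitest|jest|eslint|prettier|rollup|webpack|babel|tsup|eslint\.config|commitlint|playwright|storybook|tailwind|postcss)\.config\.(c|m)?(t|j)s$/;
 const TEST_FILE_PATTERN = /(^|[\\/])(__tests__|test|tests|spec|specs)([\\/]|$)|\.(test|spec)\.(c|m)?(t|j)sx?$/;
 const RUNTIME_DIR_PATTERN = /(^|[\\/])(src|app|lib|server|client|pages|components)([\\/]|$)/;
+const SCRIPT_BINARY_PACKAGE_MAP = {
+eslint: [
+"eslint",
+"@typescript-eslint/eslint-plugin",
+"@typescript-eslint/parser",
+"eslint-config-prettier",
+"eslint-plugin-prettier"
+],
+jest: ["jest", "ts-jest"],
+nest: ["@nestjs/cli", "@nestjs/schematics"],
+prettier: ["prettier"],
+ts_jest: ["ts-jest"],
+ts_loader: ["ts-loader"],
+ts_node: ["ts-node", "tsconfig-paths"],
+ts_node_register: ["ts-node", "tsconfig-paths"],
+tsconfig_paths_register: ["tsconfig-paths"],
+webpack: ["webpack", "ts-loader"]
+};
 export async function findUnusedDependencies(rootDir, graph, fileEntries, options) {
 const projectFiles = fileEntries
 .map((entry) => entry.path)
@@ -26,13 +44,19 @@ export async function findUnusedDependencies(rootDir, graph, fileEntries, option
 }
 for (const referencedBinary of extractScriptReferences(graph.scripts)) {
 devUsed.add(referencedBinary);
+for (const packageName of inferPackagesFromScriptReference(referencedBinary)) {
+devUsed.add(packageName);
+}
 }
 const hasTypeScriptSources = projectFiles.some((filePath) => /\.(c|m)?tsx?$/.test(filePath));
 if (options.hasTypeScriptConfig) {
 devUsed.add("typescript");
+addImplicitTypeScriptTooling(graph, devUsed);
 }
 const unusedDependencies = Object.keys(graph.dependencies)
 .filter((name) => !runtimeUsed.has(name))
+.filter((name) => !isPackageManagerOverride(name, graph))
+.filter((name) => !isImplicitlyUsedRuntimeDependency(name, graph, runtimeUsed))
 .map((name) => buildUnusedDependency(name, "dependencies"));
 const unusedDevDependencies = Object.keys(graph.devDependencies)
 .filter((name) => !devUsed.has(name) && !runtimeUsed.has(name))
@@ -121,6 +145,35 @@ function normalizeScriptToken(token) {
 }
 return token.replace(/\.cmd$/i, "");
 }
+function inferPackagesFromScriptReference(reference) {
+const normalized = reference.replace(/[-/]/g, "_");
+return SCRIPT_BINARY_PACKAGE_MAP[normalized] ?? [];
+}
+function addImplicitTypeScriptTooling(graph, devUsed) {
+if (hasNestDependency(graph.dependencies) || hasNestDependency(graph.devDependencies)) {
+devUsed.add("source-map-support");
+devUsed.add("ts-loader");
+devUsed.add("ts-node");
+devUsed.add("tsconfig-paths");
+}
+}
+function isPackageManagerOverride(name, graph) {
+return Object.prototype.hasOwnProperty.call(graph.overrides, name);
+}
+function isImplicitlyUsedRuntimeDependency(name, graph, runtimeUsed) {
+if (name === "@nestjs/platform-express" &&
+(runtimeUsed.has("@nestjs/core") || Boolean(graph.dependencies["@nestjs/core"]))) {
+return true;
+}
+if (name === "reflect-metadata" &&
+(hasNestDependency(graph.dependencies) || hasNestDependency(graph.devDependencies))) {
+return true;
+}
+return false;
+}
+function hasNestDependency(dependencies) {
+return Object.keys(dependencies).some((dependency) => dependency.startsWith("@nestjs/"));
+}
 function isImplicitlyUsedDevDependency(name, hasTypeScriptSources, hasTypeScriptConfig) {
 if (name === "typescript" && (hasTypeScriptSources || hasTypeScriptConfig)) {
 return true;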
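Review bot: `inferPackagesFromScriptReference` (new lines 148–151) indexes a plain object literal with a token derived from the project's package.json scripts, so a token that normalizes to an inherited property name such as `constructor` or `toString` yields a function rather than `undefined`; the `??` fallback then never applies and the `for...of` at new line 47 throws because the value is not iterable. The same file already guards `graph.overrides` with an own-property check in `isPackageManagerOverride`, so the lookup should match it: `return Object.prototype.hasOwnProperty.call(SCRIPT_BINARY_PACKAGE_MAP, normalized) ? SCRIPT_BINARY_PACKAGE_MAP[normalized] : [];`. Whether such tokens survive `extractScriptReferences` and `normalizeScriptToken` is inferred, as both are outside the hunk. The new helpers also carry no JSDoc; a one-line comment on `isPackageManagerOverride` noting that only top-level `overrides` keys count as pins, with nested override objects not walked, would document the behaviour the changelog describes.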
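--- a/package/dist/core/graph-builder.d.ts
+++ b/package/dist/core/graph-builder.d.ts
@@ -8,6 +8,7 @@ export interface DependencyGraph {
 lockfilePath?: string;
 dependencies: Record<string, string>;
 devDependencies: Record<string, string>;
+overrides: Record<string, unknown>;
 scripts: Record<string, string>;
 lockPackages: Record<string, LockPackageInstance[]>;
 }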
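Review bot: `overrides: Record<string, unknown>` (new line 11) carries no comment, and the `unknown` value type hides that npm `overrides` entries may be either a version string or a nested object of further overrides. A short doc comment above the field, e.g. `/** Top-level npm overrides from package.json; values are version strings or nested override objects. */`, would tell consumers what shape to expect. As far as this diff shows, only the keys are consulted by the unused check, which is worth stating in that comment if it is the intended contract.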
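--- a/package/dist/core/graph-builder.js
+++ b/package/dist/core/graph-builder.js
@@ -39,6 +39,7 @@ export async function buildDependencyGraph(rootDir) {
 lockfilePath: fallbackLockfile.lockfilePath,
 dependencies: packageJson.dependencies ?? {},
 devDependencies: packageJson.devDependencies ?? {},
+overrides: packageJson.overrides ?? {},
 scripts: packageJson.scripts ?? {},
 lockPackages: fallbackLockfile.lockPackages
 };
@@ -49,6 +50,7 @@ export async function buildDependencyGraph(rootDir) {
 lockfilePath,
 dependencies: packageJson.dependencies ?? {},
 devDependencies: packageJson.devDependencies ?? {},
+overrides: packageJson.overrides ?? {},
 scripts: packageJson.scripts ?? {},
 lockPackages: Object.fromEntries(Array.from(lockPackages.entries()).map(([name, instances]) => [
 name,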