sadrazam 0.1.7 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -2,6 +2,27 @@
2
2
 
3
3
  ## Unreleased
4
4
 
5
+ ## v0.1.9
6
+
7
+ ### Added
8
+ - `sadrazam init` for interactive `sadrazam.json` creation, including piped input support for automated setup
9
+ - `--explain <type>` output for supported finding types in text, JSON, and TOON reports
10
+ - TypeScript `compilerOptions.paths` alias resolution for local import reachability
11
+
12
+ ### Changed
13
+ - `--fix` can now add missing package declarations to `devDependencies` with a `"*"` placeholder version, while continuing to remove deterministic unused package declarations
14
+ - Improved `pnpm-workspace.yaml` parsing for quoted workspace patterns, inline comments, and additional top-level keys
15
+ - Expanded script command package detection for common build, test, lint, release, and utility tools
16
+
17
+ ## v0.1.8
18
+
19
+ ### Added
20
+ - `toon` reporter for agent-friendly structured output
21
+
22
+ ### Changed
23
+ - Updated CLI help, README, and docs examples to include TOON output support
24
+ - Expanded CLI coverage for the new TOON reporter
25
+
5
26
  ## v0.1.7
6
27
 
7
28
  ### Added
package/README.md CHANGED
@@ -1,418 +1,224 @@
1
1
  <p align="center">
2
- <img src="https://raw.githubusercontent.com/borakilicoglu/sadrazam/main/assets/logo.svg?v=2" alt="Sadrazam logo" width="200" />
2
+ <img src="https://raw.githubusercontent.com/borakilicoglu/sadrazam/main/assets/logo.svg?v=2" alt="Sadrazam logo" width="160" />
3
3
  </p>
4
4
 
5
5
  <p align="center">
6
- <a href="https://www.npmjs.com/package/sadrazam"><img src="https://img.shields.io/npm/v/sadrazam" alt="npm version" /></a>
7
- <a href="https://github.com/borakilicoglu/sadrazam/blob/main/LICENSE"><img src="https://img.shields.io/npm/l/sadrazam" alt="license" /></a>
8
- <a href="https://www.npmjs.com/package/sadrazam"><img src="https://img.shields.io/npm/dt/sadrazam" alt="npm total downloads" /></a>
9
- <a href="https://packagephobia.com/result?p=sadrazam"><img src="https://packagephobia.com/badge?p=sadrazam" alt="install size" /></a>
6
+ <b>Find and remove unused dependencies in seconds — with AI-powered explanations.</b>
10
7
  </p>
11
8
 
12
- <p>Sadrazam is an npm package and CLI for dependency analysis in JavaScript and TypeScript projects. It finds unused packages, flags dependency hygiene issues, and helps explain cleanup decisions with optional AI-powered insights.</p>
13
-
14
- ## Overview
15
-
16
- See the full feature matrix: https://borakilicoglu.github.io/sadrazam/features
17
-
18
- - unused `dependencies` and `devDependencies`
19
- - missing package declarations
20
- - unused source file detection
21
- - unused export detection for reachable local modules
22
- - package and export trace output
23
- - script-aware dependency detection
24
- - workspace and monorepo-aware scanning
25
- - CommonJS and hybrid import support
26
- - text and JSON reporters
27
- - source mapping from build output back to source files
28
- - cache, performance, memory, and watch modes
29
- - production and strict scan modes
30
- - config file support via `sadrazam.json` or `package.json#sadrazam`
31
- - ignore, allowlist, catalog, and preprocessor controls
32
- - plugin-aware script analysis and config inputs
33
- - safe `--fix` and `--fix --format` support for `package.json`
34
- - JSDoc export ignore tags
35
- - AI summaries via `openai`, `anthropic`, or `gemini`
36
-
37
- ## Why Sadrazam?
38
-
39
- JavaScript projects accumulate packages over time. Some stop being used. Some belong in `devDependencies` but end up in `dependencies`. Some become outdated, deprecated, or risky.
40
-
41
- Sadrazam exists to answer a simple question:
42
-
43
- Which packages in this project are actually needed, and which ones are adding weight or risk?
44
-
45
- Sadrazam's direction is:
46
-
47
- - cover the core dependency analysis workflow teams expect from a modern dependency scanner
48
- - add an optional AI layer for interpretation, prioritization, and remediation suggestions
49
- - keep the base scanner useful even when no token is provided
50
-
51
- ## What Sadrazam Does
52
-
53
- Sadrazam analyzes a project by reading its manifest and source files, then comparing declared dependencies with actual usage.
9
+ <p align="center">
10
+ <a href="https://www.npmjs.com/package/sadrazam"><img src="https://img.shields.io/npm/v/sadrazam" /></a>
11
+ <a href="https://github.com/borakilicoglu/sadrazam/blob/main/LICENSE"><img src="https://img.shields.io/npm/l/sadrazam" /></a>
12
+ <a href="https://www.npmjs.com/package/sadrazam"><img src="https://img.shields.io/npm/dt/sadrazam" /></a>
13
+ </p>
54
14
 
55
- Without AI:
15
+ ---
56
16
 
57
- - scans the project graph
58
- - resolves imported packages and local source relationships
59
- - reports unused or suspicious dependencies
60
- - reports unreachable source files
61
- - reports unused exports in reachable local modules
17
+ ## What is Sadrazam?
62
18
 
63
- With AI token provided:
19
+ Sadrazam is a CLI tool that scans your project and tells you:
64
20
 
65
- - explains why a dependency looks unused or risky
66
- - suggests whether it should be removed, moved, or reviewed
67
- - helps turn raw analysis into actionable cleanup decisions
21
+ - which dependencies are **unused**
22
+ - which ones are **misplaced or risky**
23
+ - what you can safely **remove or fix**
68
24
 
69
- Current focus:
25
+ 👉 And if you enable AI:
26
+ it explains **why**, **what to do next**, and supports **agent-friendly TOON output** for automation and LLM workflows.
70
27
 
71
- - read `package.json`
72
- - scan `js`, `ts`, `jsx`, `tsx`, `mjs`, `cjs`, `mts`, `cts`, `svelte`, `vue`, `mdx`, and `astro` files
73
- - extract package usage from `import`, `export ... from`, `import = require`, `require`, and `require.resolve`
74
- - include package usage referenced from `package.json` scripts
75
- - trace local source reachability from package and script entry points
76
- - report unused dependencies, unused files, unused exports, and suspicious declarations
28
+ ---
77
29
 
78
- ## Quick Start
30
+ ## 🚀 Quick Start
79
31
 
80
32
  ```bash
81
33
  npx sadrazam .
82
- npx sadrazam . --reporter json
83
- npx sadrazam . --trace typescript
84
- npx sadrazam . --trace-export src/lib.ts:usedHelper
85
- npx sadrazam . --include unused-files,unused-exports
86
- npx sadrazam . --cache --performance
87
- npx sadrazam . --fix --format
88
- AI_PROVIDER=openai AI_TOKEN=your_token npx sadrazam . --ai
89
34
  ```
90
35
 
91
- ## Install
36
+ That’s it.
92
37
 
93
- Local development:
38
+ ---
94
39
 
95
- ```bash
96
- npm install
97
- ```
40
+ ## 🧠 Example Output
98
41
 
99
- When published as an npm package:
42
+ ```
43
+ ❌ Unused dependency: lodash
44
+ 💡 Suggested: remove
100
45
 
101
- ```bash
102
- npm install -g sadrazam
46
+ ⚠️ Misplaced dependency: typescript
47
+ 💡 Suggested: move to devDependencies
103
48
  ```
104
49
 
105
- or run it without a global install:
50
+ With AI:
106
51
 
107
- ```bash
108
- npx sadrazam .
52
+ ```
53
+ 🧠 lodash is not imported anywhere in your codebase.
54
+ Removing it will reduce bundle size and install time.
109
55
  ```
110
56
 
111
- ## Usage
57
+ ---
112
58
 
113
- Common scenarios:
59
+ ## 🎯 Why Sadrazam?
114
60
 
115
- - scan a single package
116
- - scan one workspace inside a monorepo
117
- - export findings as JSON
118
- - trace why a package is treated as used
119
- - trace why an export is treated as used
120
- - apply safe cleanup fixes to `package.json`
121
- - run in production or strict mode
122
- - enrich the report with AI summaries
61
+ JavaScript projects accumulate dependencies over time.
123
62
 
124
- Scan the current project:
63
+ - unused packages slow installs
64
+ - wrong dependencies increase risk
65
+ - messy `package.json` hurts maintainability
125
66
 
126
- ```bash
127
- npx sadrazam .
128
- ```
67
+ Sadrazam answers one question:
129
68
 
130
- Scan a specific directory:
69
+ 👉 **What can I safely remove from this project?**
131
70
 
132
- ```bash
133
- npx sadrazam ./packages/web
134
- ```
71
+ ---
135
72
 
136
- Scan a single workspace in a monorepo:
73
+ ## 🔥 What Makes It Different?
137
74
 
138
- ```bash
139
- npx sadrazam . --workspace packages/web
140
- ```
75
+ Unlike traditional tools:
141
76
 
142
- Get JSON output:
77
+ - detects unused dependencies AND unused files/exports
78
+ - understands monorepos and modern frameworks
79
+ - optional AI layer for real explanations (not raw output)
80
+ - safe auto-fix for `package.json`
143
81
 
144
- ```bash
145
- npx sadrazam . --reporter json
146
- ```
82
+ ---
147
83
 
148
- Focus on code hygiene findings:
84
+ ## Common Use Cases
149
85
 
150
- ```bash
151
- npx sadrazam . --include unused-files,unused-exports
152
- ```
86
+ - clean up old projects
87
+ - audit dependency bloat
88
+ - prepare for production
89
+ - CI dependency checks
90
+ - monorepo hygiene
153
91
 
154
- Measure scan performance with cache enabled:
92
+ ---
155
93
 
156
- ```bash
157
- npx sadrazam . --cache --performance
158
- ```
94
+ ## 🛠️ Usage
159
95
 
160
- Trace why a package is considered used:
96
+ Basic scan:
161
97
 
162
98
  ```bash
163
- npx sadrazam . --trace typescript
99
+ npx sadrazam .
164
100
  ```
165
101
 
166
- Trace why an export is considered used:
102
+ Create a config file:
167
103
 
168
104
  ```bash
169
- npx sadrazam . --trace-export src/lib.ts:usedHelper
105
+ npx sadrazam init
170
106
  ```
171
107
 
172
- Apply safe fixes and normalize modified `package.json` files:
108
+ JSON output:
173
109
 
174
110
  ```bash
175
- npx sadrazam . --fix --format
111
+ npx sadrazam . --reporter json
176
112
  ```
177
113
 
178
- Production-only scan:
114
+ TOON output:
179
115
 
180
116
  ```bash
181
- npx sadrazam . --production
117
+ npx sadrazam . --reporter toon
182
118
  ```
183
119
 
184
- Strict mode:
120
+ Auto-fix:
185
121
 
186
122
  ```bash
187
- npx sadrazam . --strict
123
+ npx sadrazam . --fix --format
188
124
  ```
189
125
 
190
- Ignore or allow specific findings from the CLI:
191
-
192
- ```bash
193
- npx sadrazam . --ignore-packages react
194
- npx sadrazam . --allow-unused-dev-dependencies typescript
195
- ```
126
+ `--fix` removes deterministic unused package declarations and can add missing packages to `devDependencies` with a `"*"` placeholder version.
196
127
 
197
- For local development in this repository:
128
+ Trace why something is used:
198
129
 
199
130
  ```bash
200
- npm run dev
201
- npm run build
202
- npm run typecheck
203
- node dist/index.js .
131
+ npx sadrazam . --trace typescript
204
132
  ```
205
133
 
206
- Useful local examples:
134
+ Explain findings of one type:
207
135
 
208
136
  ```bash
209
- node dist/index.js . --debug
210
- node dist/index.js . --exclude unused-devDependencies
211
- node dist/index.js . --reporter json --trace commander
212
- node dist/index.js . --ignore-packages react --allow-unused-dev-dependencies typescript
213
- ```
214
-
215
- ## Config
216
-
217
- Sadrazam can load config from either:
218
-
219
- - `sadrazam.json`
220
- - `package.json` under the `sadrazam` key
221
-
222
- Example `sadrazam.json`:
223
-
224
- ```json
225
- {
226
- "reporter": "json",
227
- "production": false,
228
- "strict": false,
229
- "exclude": ["missing"],
230
- "ignorePackages": ["$packages:ignored"],
231
- "allowUnusedDependencies": [],
232
- "allowUnusedDevDependencies": ["typescript"],
233
- "allowMissingPackages": [],
234
- "allowMisplacedDevDependencies": [],
235
- "catalog": {
236
- "packages": {
237
- "ignored": ["react"]
238
- },
239
- "entryFiles": {
240
- "bootstrap": ["scripts/bootstrap.ts"]
241
- }
242
- },
243
- "inputs": {
244
- "entryFiles": ["$entryFiles:bootstrap"]
245
- },
246
- "jsdocTags": {
247
- "ignoreExports": ["sadrazam-ignore", "sadrazam-keep"]
248
- },
249
- "workspace": ["packages/web"],
250
- "ai": {
251
- "provider": "openai",
252
- "model": "gpt-4.1"
253
- }
254
- }
137
+ npx sadrazam . --explain unused-files
255
138
  ```
256
139
 
257
- CLI flags take precedence over config values.
140
+ ---
258
141
 
259
- ## Exit Codes
142
+ ## 🧠 AI Mode (Optional)
260
143
 
261
- Sadrazam uses these exit codes:
144
+ Enable AI to get explanations and recommendations:
262
145
 
263
- - `0`: scan completed and no findings were reported
264
- - `1`: execution error, invalid configuration, or unrecoverable runtime failure
265
- - `2`: scan completed and findings were reported
146
+ ```bash
147
+ AI_PROVIDER=openai AI_TOKEN=your_token npx sadrazam . --ai
148
+ ```
266
149
 
267
- ## Ignore And Allowlist
150
+ AI will:
268
151
 
269
- Use these when a finding is intentionally acceptable:
152
+ - explain why a dependency is unused
153
+ - suggest what action to take
154
+ - summarize cleanup steps
270
155
 
271
- - `ignorePackages`
272
- - `allowUnusedDependencies`
273
- - `allowUnusedDevDependencies`
274
- - `allowMissingPackages`
275
- - `allowMisplacedDevDependencies`
276
- - `catalog.packages`
277
- - `catalog.entryFiles`
278
- - `preprocessors.packagePatterns`
279
- - `preprocessors.filePatterns`
280
- - `preprocessors.exportPatterns`
281
- - `jsdocTags.ignoreExports`
156
+ ---
282
157
 
283
- ## AI Mode
158
+ ## ⚙️ Features
284
159
 
285
- Sadrazam works in two modes:
160
+ - unused dependency detection
161
+ - unused file + export detection
162
+ - monorepo & workspace support
163
+ - TypeScript path alias support
164
+ - script-aware scanning
165
+ - CommonJS + modern import support
166
+ - safe auto-fix
167
+ - text, JSON, TOON, markdown, and SARIF output
168
+ - AI-powered insights
286
169
 
287
- - standard analysis mode with no token required
288
- - AI-assisted mode when the user provides an API token
170
+ 👉 Full feature list: https://borakilicoglu.github.io/sadrazam/features
289
171
 
290
- The base CLI remains useful without AI. AI is an upgrade layer, not a requirement.
172
+ ---
291
173
 
292
- Environment variables:
174
+ ## 📦 Install
293
175
 
294
176
  ```bash
295
- AI_PROVIDER=openai
296
- AI_TOKEN=your_token
297
- AI_MODEL=gpt-4.1
177
+ npm install -g sadrazam
298
178
  ```
299
179
 
300
- Current provider values:
301
-
302
- - `openai`
303
- - `anthropic`
304
- - `gemini`
305
-
306
- Examples:
180
+ or:
307
181
 
308
182
  ```bash
309
- AI_PROVIDER=openai AI_TOKEN=your_token npx sadrazam . --ai
310
- AI_PROVIDER=anthropic AI_TOKEN=your_token npx sadrazam . --ai
311
- AI_PROVIDER=gemini AI_TOKEN=your_token npx sadrazam . --ai
183
+ npx sadrazam .
312
184
  ```
313
185
 
314
- CLI overrides:
186
+ ---
315
187
 
316
- ```bash
317
- npx sadrazam . --ai --provider openai --model gpt-4.1
318
- ```
188
+ ## 🧪 When to Use It
319
189
 
320
- What AI currently does:
321
-
322
- - summarizes findings
323
- - prioritizes the most important cleanup actions
324
- - turns raw scan output into a short remediation note
325
-
326
- What AI does not yet do:
327
-
328
- - automatic fixes
329
- - package reputation or security scoring
330
- - multi-step remediation planning
331
- - guaranteed deterministic recommendations across providers
332
-
333
- ## Feature Overview
334
-
335
- | Name | Description or example |
336
- | ---------------------- | ---------------------------------------------------------------------------------------------------------------- |
337
- | Auto-fix | Use `--fix` to safely remove deterministic unused package declarations from `package.json`. |
338
- | Cache | Use `--cache` to speed up consecutive runs when inputs are unchanged. |
339
- | Catalog | Reuse config entries with `catalog.packages` and `catalog.entryFiles`, and get hints for unused catalog entries. |
340
- | CommonJS | `require`, `require.resolve`, and hybrid import patterns are supported. |
341
- | Compilers | Support for `.astro`, `.mdx`, `.svelte`, and `.vue` source scanning. |
342
- | Configuration hints | Display hints for stale allowlists, ignored entries, and unused catalog references. |
343
- | Debug | Use `--debug` for troubleshooting resolved config and rule state. |
344
- | Filters | Use `--include` and `--exclude` to focus on specific finding groups. |
345
- | Format | Use `--format` with `--fix` to normalize modified `package.json` files. |
346
- | JSDoc tags | Tag exports with `@sadrazam-ignore` or `@sadrazam-keep` to suppress unused export findings. |
347
- | Memory usage | Use `--memory` for peak heap and RSS insight. |
348
- | Monorepos | Workspaces are first-class and can be filtered with `--workspace`. |
349
- | Performance | Use `--performance` for workspace and total timing insights. |
350
- | Plugins | Built-in plugin analysis exists for common tools. |
351
- | Plugins: inputs | Add entry files and package usage through config inputs. |
352
- | Plugins: CLI arguments | Parse common tool arguments such as `--config`, `--plugin`, and `--parser`. |
353
- | Preprocessors | Preprocess findings before reporting them through package, file, and export patterns. |
354
- | Production mode | Use `--production` to lint only production code paths. |
355
- | Reporters | Use built-in `text` and `json` reporters for human and machine-readable output. |
356
- | Rules | Exclude or focus on specific issue types with ignore and allowlist rules. |
357
- | Script parser | `package.json` scripts contribute entry paths and package dependencies. |
358
- | Source mapping | Map `dist` files back to `src` files through sourcemaps and heuristics. |
359
- | Strict mode | Use `--strict` to flag production usage of `devDependencies`. |
360
- | Trace | Trace packages and exports to find where they are used. |
361
- | Watch mode | Use `--watch` for live updates of unused files, exports, and dependency findings. |
362
- | Workspace | Use `--workspace` to filter workspaces in a monorepo. |
363
-
364
- See the full feature matrix: https://borakilicoglu.github.io/sadrazam/features
365
-
366
- ## Testing
367
-
368
- Local verification includes fixture-based tests for:
369
-
370
- - config loading
371
- - ignore and allowlist behavior
372
- - AI response parsing
373
- - AI auth error handling
374
-
375
- Run:
190
+ Run Sadrazam when:
376
191
 
377
- ```bash
378
- npm test
379
- ```
192
+ - your project feels bloated
193
+ - you're unsure which deps are safe to remove
194
+ - you're preparing for deployment
195
+ - you're reviewing a codebase
380
196
 
381
- Smoke scenarios:
197
+ ---
382
198
 
383
- ```bash
384
- npm run smoke
385
- ```
199
+ ## 💡 Philosophy
386
200
 
387
- This runs repeatable checks for:
201
+ Sadrazam is built around a simple idea:
388
202
 
389
- - single-package config-driven repo
390
- - CommonJS repo
391
- - monorepo with multiple workspaces
392
- - compiler-style source files
393
- - file and export hygiene scenarios
394
- - config features such as catalog, preprocessors, and JSDoc export tags
203
+ > **Keep your dependency tree clean, understandable, and safe.**
395
204
 
396
- ## Known Limitations
205
+ AI is optional — the core tool works without it.
397
206
 
398
- - AI summaries depend on third-party provider behavior and network availability
399
- - source mapping uses source maps first and path heuristics second
400
- - misplaced dependency detection is intentionally conservative
401
- - dependency analysis is strongest for standard JS/TS project layouts
402
- - `--fix` is intentionally narrow and currently targets deterministic `package.json` cleanup
207
+ ---
403
208
 
404
- ## Support
209
+ ## ❤️ Support
405
210
 
406
- If Sadrazam helps you keep dependency hygiene under control, you can support ongoing maintenance through GitHub Sponsors:
211
+ If this tool saves you time:
407
212
 
408
- - https://github.com/sponsors/borakilicoglu
213
+ Star the repo
214
+ ☕ Support via GitHub Sponsors
409
215
 
410
- ## Resources
216
+ https://github.com/sponsors/borakilicoglu
411
217
 
412
- - Website: https://borakilicoglu.github.io/sadrazam/
413
- - GitHub repo: https://github.com/borakilicoglu/sadrazam
414
- - Official npm package: https://www.npmjs.com/package/sadrazam
415
- - Docs: https://borakilicoglu.github.io/sadrazam/features
416
- - Contributing: https://github.com/borakilicoglu/sadrazam/blob/main/CONTRIBUTING.md
417
- - Releases: https://github.com/borakilicoglu/sadrazam/releases
218
+ ---
418
219
 
220
+ ## 🔗 Links
221
+
222
+ - GitHub: https://github.com/borakilicoglu/sadrazam
223
+ - npm: https://www.npmjs.com/package/sadrazam
224
+ - Docs: https://borakilicoglu.github.io/sadrazam/features
@@ -0,0 +1,28 @@
1
+ /**
2
+ * A resolved alias entry: the prefix to match and the absolute base path(s) it maps to.
3
+ */
4
+ export interface AliasEntry {
5
+ /** The prefix as written in imports, e.g. "@/" or "~/" or "src/" */
6
+ prefix: string;
7
+ /** Absolute directory paths the prefix maps to, in priority order */
8
+ targets: string[];
9
+ }
10
+ /**
11
+ * Reads tsconfig.json (and follows a single level of `extends`) from the given
12
+ * package directory and returns the resolved path alias entries.
13
+ *
14
+ * Returns an empty array when no tsconfig is found or no paths are configured.
15
+ */
16
+ export declare function loadAliasEntries(packageDir: string): Promise<AliasEntry[]>;
17
+ /**
18
+ * Given a specifier and the alias entries for the project, returns the resolved
19
+ * absolute path if the specifier matches an alias — or null if it doesn't.
20
+ *
21
+ * Example:
22
+ * specifier = "@/components/Button"
23
+ * alias = { prefix: "@/", targets: ["/project/src"] }
24
+ * returns "/project/src/components/Button"
25
+ */
26
+ export declare function resolveAlias(specifier: string, aliases: AliasEntry[]): string | null;
27
+ export declare function resolveAliasCandidates(specifier: string, aliases: AliasEntry[]): string[];
28
+ //# sourceMappingURL=aliasResolver.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"aliasResolver.d.ts","sourceRoot":"","sources":["../src/aliasResolver.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,oEAAoE;IACpE,MAAM,EAAE,MAAM,CAAC;IACf,qEAAqE;IACrE,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAUD;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CA8ChF;AAED;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,MAAM,GAAG,IAAI,CAEpF;AAED,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,MAAM,EAAE,CAYzF"}