
depcheck.

offline cve scan + unused/missing deps + python. one binary, no network.

47-entry curated cve database through 2025 (incl. supply-chain: node-ipc, colors, faker). transitive scan via package-lock.json. unused/missing static analysis for js + python. --json envelope, --fail-on gate for ci.

npm install -g @v0idd0/depcheck

what it is

depcheck is a static analysis tool that finds unused dependencies in JavaScript and Python projects. it reads your source files, extracts the import statements, and cross-references them with your package.json or requirements.txt. it outputs a list of packages you can safely remove.

over time, projects accumulate ghost dependencies from refactoring or abandoned features. these bloat your container images, slow down ci installs, and increase your attack surface. depcheck automates the tedious process of verifying which libraries are actually in use.

if you are maintaining a legacy codebase or trying to shrink a Docker image, this tool is mandatory. it supports modern import syntax, dynamic imports, and standard requires.

core features

ast parsing

reads your actual source code to find import statements. does not rely on simple string matching.

multi-language

supports both JavaScript (npm) and Python (pip) projects. handles modern import syntax.

dev-dependency filtering

separates production dependencies from development tools. prevents accidental removal of test frameworks.

auto-fix suggestions

generates the exact uninstall commands for your package manager. copy, paste, and clean up.

ignore lists

allows you to whitelist packages that are required but not explicitly imported. handles implicit runtime dependencies.

how to use it

scan a JavaScript project for unused npm packages.

// input

depcheck ./src

// output

analyzed 45 files.

unused dependencies found:
- lodash
- moment

run 'npm uninstall lodash moment' to remove them.

it parsed the source code, found no import statements for those libraries, and suggested removal.

why we built it

javascript projects accumulate ghost dependencies at an alarming rate. developers install a library to test it, decide not to use it, and forget to remove it from package.json.

we built this after realizing our Docker images were 500mb larger than they needed to be. parsing abstract syntax trees to find actual import statements is the only reliable way to know what is safe to delete.

frequently asked questions

does it handle dynamic imports?

yes. the parser recognizes dynamic import() calls and lazy-loaded modules.

what about global scripts?

if a package is loaded globally via a script tag or implicit runner, depcheck might flag it as unused. use the ignore flag for these.

does it modify my files?

no. it only reads your files and outputs suggestions. you have to run the uninstall commands yourself.

does it work with typescript?

yes. it parses standard typescript files and resolves type-only imports correctly.

// stop shipping code you do not use.