Dependencies Review Skill

Purpose

This skill provides automated analysis commands and detection patterns for dependency issues. Use this as a reference for WHAT to check and HOW to detect issues—not for output formatting or workflow.

Automated Analysis Tools

Run these scripts to gather metrics (if tools available):

Unused Dependencies Detection

bash ~/.claude/plugins/marketplaces/claude-configs/review/scripts/review-unused-deps.sh

Returns: Unused dependencies, unused devDependencies, missing dependencies (imported but not in package.json)

Unused Code Detection

bash ~/.claude/plugins/marketplaces/claude-configs/review/scripts/review-unused-code.sh

Returns: Unused exports, unused files, unused enum/class members, unused types/interfaces

Security Audit

npm audit --json
npm audit --production --json

Outdated Dependencies Detection

npm outdated

Look for:

• available patch/minor/major version upgrades
• Deprecated dependencies

Bundle Analysis (if available)

npm run build -- --analyze

Returns: Bundle size breakdown, largest chunks

Manual Detection Patterns

When automated tools unavailable or for deeper analysis, use Read/Grep/Glob to detect:

Package.json Analysis

Read package.json:

cat package.json | jq '.dependencies, .devDependencies'

Check for:

• Version pinning strategy (^, ~, exact)
• Packages at latest/next tags
• Incorrect categorization (prod vs dev vs peer)
• Duplicate functionality patterns

Usage Frequency Detection

Count imports for specific package:

grep -r "from ['\"]package-name['\"]" src/ | wc -l
grep -r "require(['\"]package-name['\"])" src/ | wc -l

Find all import locations:

grep -rn "from ['\"]package-name['\"]" src/

Duplicate Functionality Detection

Multiple date libraries:

grep -E "moment|date-fns|dayjs|luxon" package.json

Multiple HTTP clients:

grep -E "axios|node-fetch|got|ky|superagent" package.json

Multiple testing frameworks:

grep -E "jest|mocha|jasmine|vitest" package.json

Uses skills tagged with review: true including reviewing-vitest-config from vitest-4 for detecting configuration deprecations and testing framework migration patterns.

Multiple utility libraries:

grep -E "lodash|underscore|ramda" package.json

Tree-Shaking Opportunities

Non-ES module imports:

grep -r "import .* from 'lodash'" src/
grep -r "import _ from" src/

Look for: Default imports that could be named imports from ES module versions

Large utility usage:

grep -rn "from 'lodash'" src/ | head -20

Look for: Single function imports that could be inlined

Dead Code Patterns

Exported but never imported:

# Find all exports
grep -rn "export (const|function|class|interface|type)" src/

# For each export, check if imported elsewhere
grep -r "import.*{ExportName}" src/

Unused utility files:

# Find utility/helper files
find src/ -name "*util*" -o -name "*helper*"

# Check if imported
grep -r "from.*utils" src/

Deprecated code markers:

grep -rn "@deprecated\|DEPRECATED\|DO NOT USE" src/

Severity Mapping

Use these criteria when classifying findings:

Common Dependency Patterns

Removal Candidates

High Confidence (Unused):

• Found by depcheck/Knip
• Zero imports in codebase
• Not in ignored files (scripts, config)
• Not peer dependency of other packages

Medium Confidence (Low Usage):

• 1-2 imports total
• Used only for simple operations
• Easy to inline or replace
• Alternative is smaller/native

Consider Alternatives:

• Large package (>50kb) with light usage
• Deprecated/unmaintained package
• Duplicate functionality exists
• Native alternative available

Size Reference (Approximate)

Refactoring Patterns

Replace large utility with inline:

// Before: lodash.debounce (71kb library)
import _ from 'lodash';
_.debounce(fn, 300);

// After: inline (0kb)
const debounce = (fn, ms) => {
  let timeout;
  return (...args) => {
    clearTimeout(timeout);
    timeout = setTimeout(() => fn(...args), ms);
  };
};

Replace with tree-shakeable alternative:

// Before: full library
import moment from 'moment';
moment(date).format('YYYY-MM-DD');

// After: specific function
import { format } from 'date-fns/format';
format(date, 'yyyy-MM-dd');

Replace with native alternative:

// Before: lodash
import { isEmpty } from 'lodash';
isEmpty(obj);

// After: native
Object.keys(obj).length === 0;

Analysis Priority

1. Run automated scripts first (if tools available)

   • review-unused-deps.sh for unused packages
   • review-unused-code.sh for dead code
   • npm audit for security issues

2. Parse script outputs for package names and file locations

3. Verify usage with grep for each flagged package

   • Count imports
   • Check import patterns (default vs named)
   • Identify usage locations

4. Read package.json to check:

   • Version ranges
   • Dependency categorization
   • Duplicate functionality

5. Cross-reference findings:

   • Unused package + large size = high priority
   • Low usage + available alternative = medium priority
   • Vulnerable package + unused = critical priority

Integration Notes

• This skill provides detection methods and patterns only
• Output formatting is handled by the calling agent
• Severity classification should align with agent’s schema
• Do NOT include effort estimates, bundle size savings calculations, or success criteria
• Do NOT provide refactoring instructions beyond pattern examples