depcheck
★
★
★
★
★
3
reviews
Check dependencies in your node module
85
Security
45
Quality
13
Maintenance
50
Overall
v1.4.7
npm
JavaScript
Oct 17, 2023
by Djordje Lukic
No Known Issues
This package has a good security score with no known vulnerabilities.
4941
GitHub Stars
3.0/5
Avg Rating
Community Reviews
CAUTION
Useful analysis tool but memory-hungry and lacking production safeguards
Depcheck does what it promises - scanning your codebase to identify unused dependencies and missing ones. The CLI works well for one-off audits during development, but integrating it programmatically reveals concerning performance characteristics. On medium-to-large codebases (500+ files), memory usage can spike to 500MB+ with no streaming or chunking options available. There's no built-in resource pooling or concurrency control when analyzing multiple projects.
The library lacks timeout configuration entirely, which becomes problematic when parsers hang on malformed files. Error handling is basic - parse failures often bubble up as unhandled rejections rather than graceful degradation. There's minimal logging output even when verbose mode is enabled, making it difficult to debug why certain dependencies aren't detected. The API is synchronous-feeling despite being async, with no progress hooks for long-running operations.
Configuration options exist for custom parsers and detectors, but they're poorly documented. Breaking changes between minor versions (particularly around detector APIs) have caught me off guard. For CI/CD pipelines, you'll want to wrap this with your own timeout logic and memory limits.
The library lacks timeout configuration entirely, which becomes problematic when parsers hang on malformed files. Error handling is basic - parse failures often bubble up as unhandled rejections rather than graceful degradation. There's minimal logging output even when verbose mode is enabled, making it difficult to debug why certain dependencies aren't detected. The API is synchronous-feeling despite being async, with no progress hooks for long-running operations.
Configuration options exist for custom parsers and detectors, but they're poorly documented. Breaking changes between minor versions (particularly around detector APIs) have caught me off guard. For CI/CD pipelines, you'll want to wrap this with your own timeout logic and memory limits.
Accurately detects unused dependencies across JavaScript, TypeScript, and various module formats
Supports custom parsers and detectors for framework-specific dependency patterns
Provides both CLI and programmatic APIs with structured JSON output
Can detect missing dependencies that are imported but not in package.json
No timeout configuration or memory limits - can hang indefinitely on problematic files
Memory usage scales poorly on large codebases with no streaming options
Minimal logging and observability hooks make debugging detection issues difficult
Best for: Periodic manual dependency audits in development or small-to-medium projects with controlled execution environments.
Avoid if: You need to run dependency checks in resource-constrained environments or require reliable timeouts for production automation.
CAUTION
Functional but requires manual configuration and produces noisy results
Depcheck does what it promises - scans your codebase to find unused dependencies and missing imports. The CLI is straightforward (`npx depcheck`), and it works out of the box for simple projects. However, real-world usage quickly reveals limitations that require significant configuration investment.
The false positive rate is frustratingly high. Dev dependencies used in config files (ESLint plugins, Jest presets, Vite plugins) are routinely flagged as unused. TypeScript type-only imports often confuse the parser. You'll spend considerable time maintaining an `ignoreMatches` array in your config, essentially teaching it about your project structure. The programmatic API exists but lacks TypeScript definitions, making IDE support nonexistent when integrating into custom tooling.
Error messages are minimal - when parsing fails on a file, you get a brief path and cryptic message with little context. The JSON output format helps for CI integration, but the default console output is verbose and difficult to scan. Documentation covers basic usage but lacks guidance on handling common false positives or explaining detection heuristics.
The false positive rate is frustratingly high. Dev dependencies used in config files (ESLint plugins, Jest presets, Vite plugins) are routinely flagged as unused. TypeScript type-only imports often confuse the parser. You'll spend considerable time maintaining an `ignoreMatches` array in your config, essentially teaching it about your project structure. The programmatic API exists but lacks TypeScript definitions, making IDE support nonexistent when integrating into custom tooling.
Error messages are minimal - when parsing fails on a file, you get a brief path and cryptic message with little context. The JSON output format helps for CI integration, but the default console output is verbose and difficult to scan. Documentation covers basic usage but lacks guidance on handling common false positives or explaining detection heuristics.
CLI works immediately with zero configuration for basic dependency checking
JSON output format enables easy CI/CD integration and custom processing
Correctly identifies genuinely unused dependencies in straightforward codebases
Supports custom parsers and detectors for framework-specific patterns
No TypeScript definitions for programmatic API, breaking IDE autocomplete and type safety
High false positive rate requires extensive ignore configuration for modern toolchains
Poor detection of dependencies used in config files, plugins, and type-only imports
Minimal error messages when file parsing fails provide little debugging context
Best for: Simple Node.js projects with straightforward dependency usage patterns that need occasional dependency audits.
Avoid if: You have complex TypeScript projects with extensive tooling configurations or need a maintenance-free solution in CI pipelines.
CAUTION
Functional but rough edges in configuration and false positives
Depcheck does what it promises - scanning your codebase to find unused dependencies and missing ones from package.json. The CLI is straightforward (`npx depcheck`) and provides useful output for basic cases. However, the day-to-day experience reveals significant friction points that require manual configuration.
The biggest pain point is false positives. Modern build tools, monorepo setups, and dynamic imports frequently confuse depcheck. You'll spend time creating ignore patterns and special configurations. The configuration API is JSON-based but lacks schema validation, so typos fail silently. TypeScript support exists but type definitions are minimal - you're mostly working with string arrays and basic options without much IDE guidance.
Error messages are cryptic when parsing fails, often just exiting without clear indication of what went wrong. The documentation covers basic usage well but advanced scenarios (custom parsers, ignore patterns for specific frameworks) require digging through GitHub issues. Integration into CI pipelines works but expect to maintain an exclusion list as your project evolves.
The biggest pain point is false positives. Modern build tools, monorepo setups, and dynamic imports frequently confuse depcheck. You'll spend time creating ignore patterns and special configurations. The configuration API is JSON-based but lacks schema validation, so typos fail silently. TypeScript support exists but type definitions are minimal - you're mostly working with string arrays and basic options without much IDE guidance.
Error messages are cryptic when parsing fails, often just exiting without clear indication of what went wrong. The documentation covers basic usage well but advanced scenarios (custom parsers, ignore patterns for specific frameworks) require digging through GitHub issues. Integration into CI pipelines works but expect to maintain an exclusion list as your project evolves.
Simple CLI interface that works out of the box for basic Node.js projects
Detects both unused dependencies and missing ones from package.json
Supports custom parsers and detectors for framework-specific patterns
Programmatic API available for integration into build tooling
High false positive rate with modern bundlers, dynamic imports, and monorepos requiring extensive ignore configuration
Minimal TypeScript definitions and no schema validation for configuration files
Cryptic error messages when parsing fails or encounters unsupported syntax
Documentation lacks practical examples for common framework setups (Next.js, Vite, NX)
Best for: Simple Node.js projects with straightforward dependency usage and developers willing to maintain ignore lists.
Avoid if: You're working with complex monorepos, heavy dynamic imports, or need zero-config tooling that adapts to modern build setups.
Write a Review
Sign in to write a review
Sign In
Dependencies
@babel/parser
7.29.0
@babel/traverse
7.29.0
@vue/compiler-sfc
3.5.27
callsite
1.0.0
camelcase
6.3.0
cosmiconfig
7.1.0
debug
4.4.3
deps-regex
0.2.0
findup-sync
5.0.0
ignore
5.3.2
is-core-module
2.16.1
js-yaml
3.14.2
json5
2.2.3
lodash
4.17.23
minimatch
7.4.6
multimatch
5.0.0
please-upgrade-node
3.2.0
readdirp
3.6.0
require-package-name
2.0.1
resolve
1.22.11
and 3 more
Used By