New rule: `no-unused-dependencies`

[ljharb]

The thought here is that this rule would lint package.json itself and warn on any deps or dev deps that are not explicitly imported somewhere in the linted JS files.

This would be independently configurable for deps as well as dev deps, with the following example schemas:

[2, {
  "dependencies": false,
  "devDependencies": true
}]

[2, {
  "dependencies": {
    "enable": false
  },
  "devDependencies": {
    "ignore": ["something-side-effecty", "a command-line tool"]
  }
}]

Ideally, it would also not warn on unused dev deps that had a "bin" name that was explicitly referenced in any of the "scripts".

[magicmark]

https://github.com/depcheck/depcheck does this and it's really useful - would be neat to have as an eslint rule though.

[platinumazure]

@ljharb Wonder if this might be a better fit for eslint-plugin-node?

[ljharb]

This plugin already has rules that check package.json, and there's no JS project worth working on that doesn't use npm and node for packages/builds, so I'm not sure why it would need a node-specific plugin.

Separately, the current situation with shared configs and peer deps in eslint means there's an incredibly high barrier to adding a plugin to a shared config like airbnb's, so until that's fixed, there's a also a huge incentive to add needed rules to plugins we're already using.

[hulkish]

my thinking is:

• package.json linting occurs in no-unused-dependencies rule
• no-extraneous-dependencies rule handles the import linting
• a tool shared between both of these rules is a good idea, since they both need to load and parse package.json files
• Where should this live?
• This brings up the topic of caching, should it instead just try to leverage eslint's cache? How?

[GreenGremlin]

I would love to see a no-unused-dependencies rule. What's needed to make this happen?

I imagine the no-unused-dependencies rule would also need to verify an unused dependency is not a peer dependency of another dependency. I'm not sure if it would be possible to verify this without crawling package.json files for all dependencies.

[nevir]

Might be able to leverage depcheck to do much of the heavy lifting (unsure about perf impact of that, though)

[ahayes91]

This would be really great to have for monorepos that use yarn workspaces and lerna, to stop unnecessary package interdependencies creeping in 🤞

[haggholm]

I would love to see a no-unused-dependencies rule. What's needed to make this happen?

I imagine the no-unused-dependencies rule would also need to verify an unused dependency is not a peer dependency of another dependency. I'm not sure if it would be possible to verify this without crawling package.json files for all dependencies.

Personally, I’d be happy as long as it checks the target package’s package.json and there’s an override. We currently use depcheck (mentioned above), and there are things in our toolchain it can’t cache, which we override with various settings to assure it that no, it really is used as a dep or dev dep or whatever; the same in an ESLint plugin would be a lot more convenient (whether it uses depcheck itself under the hood or not—I guess it wouldn’t need to if ESLint already parses everything, but I know roughly zilch about ESLint plugin development).

[forivall]

Luckily, I know a reasonable amount with ESLint plugin development, and as long as i find the time, i'll work on this. (i'm a co-worker of @haggholm)