Detector: Unused Deps

Detector: Unused Deps

Flags declared dependencies that are never imported in source code.

Property	Value
Name	unused-deps
Tier	DETERMINISTIC
Languages	Python, JavaScript/TypeScript
External tool	None (AST + regex)
LLM required	No
Confidence	0.80

What it detects

Dependencies declared in pyproject.toml, requirements.txt, or package.json that have no corresponding import in source files.

How it works

1. Reads declared deps from:
   • Python: pyproject.toml (PEP 621 + Poetry), requirements.txt
   • JS/TS: package.json (dependencies + devDependencies)
2. Collects imports from source files:
   • Python: Full AST parsing of import and from ... import statements
   • JS/TS: Regex matching of import, require(), and dynamic import()
3. Compares using a package-name → import-name mapping table for packages where the name differs from the import (e.g., Pillow → PIL, scikit-learn → sklearn, PyYAML → yaml)
4. Filters tool packages that are never imported (pytest, ruff, mypy, etc.)

Tool package allowlists

Extensive allowlists prevent false positives for packages that are used as tools, not imported:

• Python: ~50 packages (pytest, ruff, mypy, coverage, mkdocs, pre-commit, sphinx, twine, etc.) plus prefix patterns (pytest_*, flake8_*, types_*, etc.)
• JS/TS: ~40 packages (eslint, prettier, webpack, vite, typescript, etc.) plus prefix patterns (eslint-config-*, eslint-plugin-*, @typescript-eslint/*, prettier-plugin-*)
• Build system: [build-system].requires packages are automatically excluded

Example finding

[UNUSED-DEPS] package.json — "motion"
  Declared as dependency but no import found in source files
  Severity: LOW, Confidence: 0.80

Observed accuracy

Repo	Findings	TP Rate	Notes
pip-tools	0	N/A	Clean (after filtering)
httpx	0	N/A	All were tool packages
shadcn-ui/ui	1	~50%	motion — CSS-only usage

Known limitations

• Cannot detect CSS-only or runtime-resolved package usage
• Allowlists need expansion as new tool ecosystems emerge (continuously improving)
• No Go or Rust support