Rule or option for detecting undeclared dependencies #71

Closed
mjomble opened this issue Mar 21, 2017 · 1 comment

mjomble commented Mar 21, 2017

tl;dr version:

It would be nice if a rule could warn when a require-d (or imported) module is in neither dependencies nor devDependencies.
no-unpublished-require comes close, but does not consider devDependencies.

Long version:

My use case: I'm developing a custom application, not an npm package. I have no intentions of publishing this application to npm.
This application has some dependencies that are required for running the production version which I keep under dependencies, and other dependencies needed only for building, dev tools, etc, which I keep under devDependencies.
For a project like this, requiring a module that is declared under devDependencies, but not under dependencies is completely valid and should not be considered an error.
On the other hand, leaving any dependency (whether production or dev) undeclared can break the build in a new environment.
As far as this problem is concerned, dependencies and devDependencies are pretty much equal and an ESLint rule that helps avoid this problem should treat them as such.

Possible solutions:

  • A configuration option for no-unpublished-require that makes it consider devDependencies. This might drift off too far from the core idea of this rule, though.
  • A configuration option for no-missing-require that makes it also check dependency declarations in addition to just file existence.
  • A new rule - no-undeclared-dependency?

@mysticatea (Owner)

Thank you for this issue.

I got your use case.
Hmm, I guess you can consider the source code to build as unpublished files since only the build result will go to the production stage. The source code can import devDependencies because those don't go to the production stage as is.

Or I received several requests about this, so I'm thinking maybe the check of extraneous packages should be separated from no-unpublished-require. It will be no-extraneous-require.
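
The check requested in this thread (flag a required or imported package that is declared in neither dependencies nor devDependencies), sketched as an added example; it is not code from the issue or from this project. The function names, the `sections` parameter and the sample manifest and source are assumptions constructed for illustration.

```javascript
// Added example; not the plugin's own code. All names here are hypothetical.
const { builtinModules } = require('module');

// Map a module specifier to the package name that must be declared, or null
// when nothing needs declaring (relative/absolute path, Node.js builtin).
function packageNameOf(specifier) {
  if (/^(\.{1,2}(\/|$)|\/)/.test(specifier)) return null; // ./x, ../x, /abs
  if (specifier.startsWith('node:')) return null;
  const parts = specifier.split('/');
  const name = specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return builtinModules.includes(name) ? null : name;
}

// Collect string-literal specifiers from require() calls and import statements.
// A regex scan keeps this short; a real lint rule would walk the AST instead.
function findSpecifiers(source) {
  const patterns = [
    /\brequire\(\s*['"]([^'"]+)['"]\s*\)/g,
    /\bimport\s+(?:[^'"]*?\sfrom\s+)?['"]([^'"]+)['"]/g,
  ];
  return patterns.flatMap((re) => [...source.matchAll(re)].map((m) => m[1]));
}

// Sorted names of packages that are used but absent from every listed section.
function findUndeclared(source, manifest,
                        sections = ['dependencies', 'devDependencies']) {
  const declared = new Set(sections.flatMap((s) => Object.keys(manifest[s] || {})));
  const names = findSpecifiers(source).map(packageNameOf);
  return [...new Set(names.filter((n) => n && !declared.has(n)))].sort();
}

// Constructed sample manifest and source file.
const sampleManifest = {
  dependencies: { express: '^4.0.0' },
  devDependencies: { webpack: '^2.0.0', '@babel/core': '^7.0.0' },
};
const sampleSource = `
const fs = require('fs');
const express = require('express');
const webpack = require('webpack');
const merge = require('lodash/merge');
import core from '@babel/core/lib/index';
import '@scope/undeclared/register';
const local = require('./lib/util');
`;

console.log(findUndeclared(sampleSource, sampleManifest));
```

Passing `['dependencies']` as the third argument shows the stricter behaviour the issue objects to: the devDependencies entries used by the sample source are then reported as well.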
