dependency-audit

Dependency Audit Skill

Summary

Systematic workflow for auditing, updating, and cleaning up project dependencies. Covers security vulnerability scanning, outdated package detection, unused dependency removal, and migration from deprecated libraries.

When to Use

  • Weekly/monthly dependency maintenance
  • After security advisories (CVE announcements)
  • Before major releases
  • When bundle size increases unexpectedly
  • During code reviews for dependency changes
  • Onboarding to legacy projects

Quick Audit Process

1. Check Outdated Packages

```bash
# npm
npm outdated

# pnpm
pnpm outdated

# yarn
yarn outdated

# pip (Python)
pip list --outdated

# poetry (Python)
poetry show --outdated
```

2. Security Vulnerability Scan

```bash
# npm
npm audit
npm audit fix          # Auto-fix where possible
npm audit fix --force  # Force major version updates (risky)

# pnpm
pnpm audit
pnpm audit --fix

# yarn
yarn audit
yarn audit --fix

# Python
pip-audit      # Requires: pip install pip-audit
safety check   # Requires: pip install safety
```

3. Find Unused Dependencies

```bash
# JavaScript/TypeScript
npx depcheck
```

Output example:

```
Unused dependencies
* lodash
* moment

Unused devDependencies
* @types/old-package
```

```bash
# Python
pip-autoremove --list   # Requires: pip install pip-autoremove
```

---

Audit Commands

JavaScript/TypeScript/Node.js

npm

```bash
# Check what's outdated
npm outdated

# Update within semver range (safe)
npm update

# Update specific package to latest
npm install package@latest

# Check security vulnerabilities
npm audit

# Auto-fix vulnerabilities
npm audit fix

# View dependency tree
npm list
npm list --depth=0   # Top-level only

# Why is this package installed?
npm ls package-name

# Check for duplicate packages
npm dedupe
```

pnpm

```bash
# Check outdated
pnpm outdated

# Update all dependencies
pnpm update

# Update specific package
pnpm update package@latest

# Security audit
pnpm audit

# Deduplicate
pnpm dedupe

# List all packages
pnpm list
```

yarn

```bash
# Check outdated
yarn outdated

# Upgrade interactive (recommended)
yarn upgrade-interactive

# Update all
yarn upgrade

# Security audit
yarn audit

# Why is this here?
yarn why package-name
```

Python

pip

```bash
# List outdated
pip list --outdated

# Update specific package
pip install --upgrade package-name

# Security audit
pip-audit   # Install: pip install pip-audit

# Freeze current dependencies
pip freeze > requirements.txt

# Check dependencies of a package
pip show package-name
```

poetry

```bash
# Show outdated
poetry show --outdated

# Update all
poetry update

# Update specific package
poetry update package-name

# Security check
poetry audit   # poetry-audit-plugin required

# Show dependency tree
poetry show --tree
```

pipenv

```bash
# Check for security vulnerabilities
pipenv check

# Update all
pipenv update

# Update specific
pipenv update package-name

# Show dependency graph
pipenv graph
```

---

Priority Matrix

| Priority | Type | Action | Timeline | Example |
|---|---|---|---|---|
| P0 | Critical CVE (actively exploited) | Patch immediately | Same day | Auth bypass, RCE |
| P1 | High CVE or major framework update | Plan migration | 1-2 weeks | Next.js, React major version |
| P2 | Deprecated with active usage | Find replacement | 2-4 weeks | moment.js → date-fns |
| P3 | Minor/patch updates | Batch update | Monthly | Non-breaking updates |
| P4 | Unused dependencies | Remove | Next cleanup PR | Dead imports |

Priority Decision Tree

Is there a CVE?
├─ Yes → Is it critical/high severity?
│  ├─ Yes → P0 (patch immediately)
│  └─ No → P1 (plan update)
└─ No → Is package deprecated?
   ├─ Yes → Is it actively used?
   │  ├─ Yes → P2 (find replacement)
   │  └─ No → P4 (remove)
   └─ No → Is it outdated?
      ├─ Major version → P1 (plan migration)
      ├─ Minor/patch → P3 (batch update)
      └─ Unused → P4 (remove)
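
The decision tree above as running code, added here as an example and not part of the original skill document: `prioritize` asks the tree's questions in the same order (CVE first, then deprecation, then usage and the kind of update) and `triage` buckets a list of findings into the P0-P4 rows of the Priority Matrix. The finding fields (`hasCve`, `severity`, `deprecated`, `used`, `updateType`) and the sample findings are assumptions constructed for this example; in practice they would be filled from `npm audit --json`, `npm outdated`, `npx depcheck` and the registry's deprecation notices.

```javascript
// Added example: the priority decision tree as a function. The finding fields
// below are assumptions for this example, not the output format of any tool.

const ACTIONS = {
  P0: 'patch immediately',
  P1: 'plan update/migration',
  P2: 'find replacement',
  P3: 'batch update',
  P4: 'remove',
};

// Walks the tree top-down: a CVE outranks everything else, deprecation comes
// next, and only then does the kind of update (major vs. minor/patch) decide.
// Returns 'P0'..'P4', or null when the package needs no action.
function prioritize(finding) {
  if (finding.hasCve) {
    return finding.severity === 'critical' || finding.severity === 'high' ? 'P0' : 'P1';
  }
  if (finding.deprecated) {
    return finding.used ? 'P2' : 'P4';
  }
  if (!finding.used) return 'P4';
  switch (finding.updateType) {
    case 'major':
      return 'P1';
    case 'minor':
    case 'patch':
      return 'P3';
    default:
      return null; // up to date and in use
  }
}

// Buckets findings by priority so the result lines up with the matrix rows.
function triage(findings) {
  const buckets = { P0: [], P1: [], P2: [], P3: [], P4: [] };
  for (const f of findings) {
    const p = prioritize(f);
    if (p) buckets[p].push(f.name);
  }
  return buckets;
}

// One line per actionable finding, highest priority first.
function report(findings) {
  const buckets = triage(findings);
  return Object.keys(buckets).flatMap((p) =>
    buckets[p].map((name) => `${p} ${name}: ${ACTIONS[p]}`),
  );
}

// Constructed sample findings (illustrative, not real advisories).
const SAMPLE_FINDINGS = [
  { name: 'jose', hasCve: true, severity: 'high', deprecated: false, used: true, updateType: 'patch' },
  { name: 'next', hasCve: true, severity: 'moderate', deprecated: false, used: true, updateType: 'minor' },
  { name: 'moment', hasCve: false, severity: null, deprecated: true, used: true, updateType: 'patch' },
  { name: 'request', hasCve: false, severity: null, deprecated: true, used: false, updateType: null },
  { name: 'react', hasCve: false, severity: null, deprecated: false, used: true, updateType: 'major' },
  { name: 'typescript', hasCve: false, severity: null, deprecated: false, used: true, updateType: 'patch' },
  { name: 'lodash', hasCve: false, severity: null, deprecated: false, used: false, updateType: 'minor' },
  { name: 'zod', hasCve: false, severity: null, deprecated: false, used: true, updateType: null },
];

console.log(report(SAMPLE_FINDINGS).join('\n'));
```

Note that the tree ranks a CVE above everything else, so a vulnerable package that is no longer imported still lands in P0/P1; removing it is the simplest patch, but it is tracked as a security item, not as cleanup.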

Common Replacements

Date/Time Libraries

JavaScript/TypeScript

```javascript
// ❌ moment.js (deprecated, 288KB minified)
import moment from 'moment';
const formatted = moment().format('YYYY-MM-DD');
const diff = moment(date1).diff(moment(date2), 'days');

// ✅ date-fns (tree-shakeable, 2-5KB per function)
import { format, differenceInDays } from 'date-fns';
const formatted = format(new Date(), 'yyyy-MM-dd');
const diff = differenceInDays(date1, date2);

// ✅ Native Intl (zero bundle cost)
const formatted = new Intl.DateTimeFormat('en-US').format(new Date());
const relative = new Intl.RelativeTimeFormat('en').format(-1, 'day'); // "1 day ago"
```

Python

```python
# ❌ arrow (overhead for simple tasks)
import arrow
now = arrow.now().format('YYYY-MM-DD')

# ✅ Native datetime
from datetime import datetime
now = datetime.now().strftime('%Y-%m-%d')

# ✅ pendulum (for complex timezone handling)
import pendulum
now = pendulum.now('America/New_York')
```

Utility Libraries

JavaScript/TypeScript

```javascript
// ❌ Full lodash import (70KB)
import _ from 'lodash';
const value = _.get(obj, 'path.to.value');
const unique = _.uniq(array);

// ✅ Specific imports (5-10KB)
import get from 'lodash/get';
import uniq from 'lodash/uniq';

// ✅ Native alternatives (0KB)
const value = obj?.path?.to?.value;           // Optional chaining
const unique = [...new Set(array)];           // Set
const keys = Object.keys(obj);                // Object.keys
const flat = array.flat();                    // Array.flat()
const grouped = Object.groupBy(arr, fn);      // Object.groupBy
```

HTTP Clients

JavaScript/TypeScript

```javascript
// ❌ axios (11KB) - often unnecessary
import axios from 'axios';
const { data } = await axios.get('/api/users');

// ✅ Native fetch (0KB) - built-in
const response = await fetch('/api/users');
const data = await response.json();

// ✅ ky (2KB) - if you need retries/timeout
import ky from 'ky';
const data = await ky.get('/api/users').json();
```

Python

```python
# ❌ requests (large for serverless)
import requests
response = requests.get('https://api.example.com')

# ✅ httpx (async support, same API)
import httpx
async with httpx.AsyncClient() as client:
    response = await client.get('https://api.example.com')

# ✅ urllib (native, for simple cases)
from urllib.request import urlopen
response = urlopen('https://api.example.com')
```

Testing Libraries

JavaScript/TypeScript

```javascript
// Consider consolidating test runners

// If using Jest + Vitest + Playwright separately:
// ✅ Vitest can replace Jest in most projects (faster, native ESM)
// ✅ Keep Playwright for E2E, use Vitest for unit/integration
```

Validation Libraries

JavaScript/TypeScript

```javascript
// ❌ Multiple validation libraries
import * as yup from 'yup';
import Joi from 'joi';
import { z } from 'zod';

// ✅ Pick one (Zod recommended for TypeScript)
import { z } from 'zod';
const schema = z.object({
  email: z.string().email(),
  age: z.number().min(0)
});
```

Update Strategy

Batch Related Updates

```bash
# Update all ESLint-related packages together
pnpm update eslint @typescript-eslint/parser @typescript-eslint/eslint-plugin

# Update all testing packages together
pnpm update vitest @vitest/ui @vitest/coverage-v8

# Update all Next.js packages together
pnpm update next react react-dom @types/react @types/react-dom
```

Test After Updates

Comprehensive Testing Checklist

```bash
# 1. Type check
pnpm tsc --noEmit

# 2. Lint
pnpm lint

# 3. Unit tests
pnpm test

# 4. Build verification
pnpm build

# 5. Dev server (smoke test)
pnpm dev
# Open browser, test key features

# 6. E2E tests (if available)
pnpm test:e2e
```

Incremental Update Strategy

For Major Version Updates

```bash
# 1. Create branch
git checkout -b chore/update-nextjs-15

# 2. Update package.json
# Change "next": "^14.0.0" → "^15.0.0"

# 3. Install
pnpm install

# 4. Read migration guide
# Visit: nextjs.org/docs/upgrading

# 5. Address breaking changes
# Follow migration guide step-by-step

# 6. Test thoroughly
pnpm test && pnpm build

# 7. Commit and PR
git add .
git commit -m "chore: upgrade Next.js to v15"
```

---

Cleanup Workflow

Step 1: Identify Unused Dependencies

```bash
npx depcheck
```

Example Output:

```
Unused dependencies
* lodash
* moment
* old-library

Unused devDependencies
* @types/old-package
* unused-test-lib
```

Step 2: Verify Not Used

```bash
# Search codebase for imports
rg "from 'lodash'" --type ts
rg "import.*lodash" --type ts
rg "require\('lodash'\)" --type js   # parentheses are regex groups, so escape them

# If no results → safe to remove
```
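
To make the "verify not used" check repeatable, here is a small import scanner that does the job of the rg searches above over in-memory sources. It is an added example, not code from the original skill document or from depcheck. `packageNameOf` reduces an import specifier to the package that owns it, so a subpath import such as `'lodash/get'` still counts as lodash usage and a scoped package keeps both of its segments; `findUnused` compares `package.json` against the imports found in the source text. The `package.json` and source files are constructed for this example, and treating a `@types/*` package as used whenever its runtime package is used is a choice made here, not documented depcheck behaviour.

```javascript
// Added example: an in-memory version of the "search the codebase for imports"
// check. The package.json and sources below are constructed for this example.

// Reduce an import specifier to the package that owns it:
//   'lodash/get'         -> 'lodash'             (subpath import still counts as usage)
//   '@types/old-package' -> '@types/old-package' (scoped packages keep two segments)
//   './utils', 'node:fs' -> null                 (not a dependency)
function packageNameOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/') || specifier.startsWith('node:')) {
    return null;
  }
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// The three forms the rg commands look for, plus dynamic import():
//   import x from 'pkg' / export * from 'pkg'   -> group 1
//   import 'pkg' (side-effect import)           -> group 2
//   require('pkg') / import('pkg')              -> group 3
const IMPORT_RE =
  /\b(?:import|export)\b[^'"]*?\bfrom\s*['"]([^'"]+)['"]|\bimport\s*['"]([^'"]+)['"]|\b(?:require|import)\s*\(\s*['"]([^'"]+)['"]\s*\)/g;

// Set of package names a source file imports.
function importedPackages(source) {
  const found = new Set();
  for (const m of source.matchAll(IMPORT_RE)) {
    const name = packageNameOf(m[1] ?? m[2] ?? m[3]);
    if (name) found.add(name);
  }
  return found;
}

// Declared packages with zero imports, split the way depcheck reports them.
// A @types/* package is treated as used when its runtime package is used.
function findUnused(packageJson, sources) {
  const used = new Set();
  for (const src of Object.values(sources)) {
    for (const name of importedPackages(src)) used.add(name);
  }
  const isUsed = (name) =>
    used.has(name) || (name.startsWith('@types/') && used.has(name.slice('@types/'.length)));
  const unusedIn = (section) =>
    Object.keys(packageJson[section] ?? {}).filter((name) => !isUsed(name)).sort();
  return { dependencies: unusedIn('dependencies'), devDependencies: unusedIn('devDependencies') };
}

// Constructed sample project.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'date-fns': '^3.0.0', lodash: '^4.17.21', moment: '^2.30.1', zod: '^3.22.0' },
  devDependencies: { '@types/lodash': '^4.14.0', '@types/old-package': '^1.0.0', vitest: '^1.0.0' },
};
const SAMPLE_SOURCES = {
  'src/dates.ts': "import { format } from 'date-fns';\nexport const today = () => format(new Date(), 'yyyy-MM-dd');",
  'src/util.ts': "import get from 'lodash/get';\nimport type { ZodSchema } from 'zod';\nexport { get };",
  'src/legacy.js': "const fs = require('node:fs');\nconst { z } = require('zod');\nmodule.exports = z;",
};

console.log(findUnused(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES));
```

On the sample project this reports `moment` as an unused dependency and `@types/old-package` and `vitest` as unused devDependencies. The `vitest` hit is the failure mode to keep in mind: a test runner, linter or build plugin is invoked from scripts and config files, never imported, so an import scan (the rg commands included) flags it. That is why the step says to verify before running `pnpm remove`.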

Step 3: Remove Package

```bash
pnpm remove lodash
```

Step 4: Update Lock File

```bash
# npm
rm package-lock.json
npm install

# pnpm
rm pnpm-lock.yaml
pnpm install

# yarn
rm yarn.lock
yarn install
```

Step 5: Test

```bash
pnpm test
pnpm build
```

Cleanup PR Template

```markdown
## Dependency Cleanup

### Security Updates (P0/P1)
- `next`: 14.0.4 → 14.2.3 (CVE-2024-XXXX)
- `jose`: 4.15.4 → 4.15.5 (CVE-2024-YYYY)

### Removed (Unused)
- `lodash` - replaced with native JS methods
- `moment` - replaced with date-fns
- `@types/old-package` - package no longer used

### Updated (Maintenance)
- `eslint`: 8.57.0 → 9.0.0
- `typescript`: 5.3.3 → 5.4.2

### Migration Notes
lodash → Native:
- `_.get()` → optional chaining `obj?.prop?.value`
- `_.uniq()` → `[...new Set(array)]`

moment → date-fns:
- `moment().format('YYYY-MM-DD')` → `format(new Date(), 'yyyy-MM-dd')`

### Testing
- All tests pass (`pnpm test`)
- Build succeeds (`pnpm build`)
- No runtime errors in dev (`pnpm dev`)
- E2E tests pass (if applicable)

### Bundle Size Impact
- Before: 2.4 MB
- After: 1.8 MB
- Savings: 600 KB (25% reduction)
```

---

Security Scanning

Automated Security Checks

GitHub Actions

```yaml
# .github/workflows/security.yml
name: Security Audit
on:
  schedule:
    - cron: '0 0 * * 1'  # Weekly on Monday
  pull_request:
  push:
    branches: [main]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install dependencies
        run: npm ci

      - name: Run security audit
        run: npm audit --audit-level=high

      - name: Check for outdated packages
        run: npm outdated || true

      - name: Dependency review
        uses: actions/dependency-review-action@v4
        if: github.event_name == 'pull_request'
```

Snyk Integration

```yaml
# .github/workflows/snyk.yml
name: Snyk Security
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

Manual Security Commands

```bash
# npm security audit
npm audit

# Show only high/critical
npm audit --audit-level=high

# Get JSON report
npm audit --json > audit-report.json

# Snyk (requires: npm install -g snyk)
snyk test      # Test for vulnerabilities
snyk monitor   # Continuous monitoring
snyk wizard    # Interactive fixing

# Socket.dev (supply chain security)
npx socket-npm audit
```

CVE Response Process

  1. Notification: Receive security advisory (GitHub, npm, Snyk)
  2. Assess Impact:
     ```bash
     # Find where vulnerable package is used
     npm ls vulnerable-package

     # Check if we use vulnerable functionality
     rg "vulnerableFunction" --type ts
     ```
  3. Patch:
     ```bash
     # Update to patched version
     npm install vulnerable-package@4.15.5

     # Or update dependency that depends on it
     npm update parent-package
     ```
  4. Verify Fix:
     ```bash
     npm audit
     # Should show 0 vulnerabilities
     ```
  5. Test & Deploy:
     ```bash
     pnpm test && pnpm build
     git commit -m "fix: patch CVE-2024-XXXX in vulnerable-package"
     ```
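
Two of the steps above, the workflow's `npm audit --audit-level=high` gate and the "Assess Impact" question of which direct dependency pulls a vulnerable package in, are easy to script from the JSON report. The following is an added example, not code from the original skill document or from npm: it applies the audit-level threshold to a report, walks `effects` up to the direct dependencies that depend on each vulnerable package, and builds a patch plan that flags fixes crossing a major version (the ones `npm audit fix --force` would apply). The report is constructed for this example and follows the `auditReportVersion: 2` shape that npm 7 and later write (an assumption about the format; package names, versions and advisory titles are made up). In practice the input would be the file written by `npm audit --json > audit-report.json`.

```javascript
// Added example: applying the --audit-level gate and the "where is it used"
// question to an `npm audit --json` report. The report below is constructed
// and assumes the auditReportVersion 2 format of npm 7+.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report: one direct high-severity finding with a
// non-breaking fix, and one moderate finding reached only through a dev tool.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-jwt-lib': {
      name: 'example-jwt-lib',
      severity: 'high',
      isDirect: true,
      via: [{ title: 'Constructed advisory A', url: 'https://example.invalid/advisories/1', severity: 'high', range: '<4.15.5' }],
      effects: [],
      range: '<4.15.5',
      fixAvailable: { name: 'example-jwt-lib', version: '4.15.5', isSemVerMajor: false },
    },
    'example-glob-lib': {
      name: 'example-glob-lib',
      severity: 'moderate',
      isDirect: false,
      via: [{ title: 'Constructed advisory B', url: 'https://example.invalid/advisories/2', severity: 'moderate', range: '<3.0.5' }],
      effects: ['example-lint-tool'],
      range: '<3.0.5',
      fixAvailable: true,
    },
    'example-lint-tool': {
      name: 'example-lint-tool',
      severity: 'moderate',
      isDirect: true,
      via: ['example-glob-lib'], // vulnerable only through its dependency
      effects: [],
      range: '<=8.0.0',
      fixAvailable: true,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 2, high: 1, critical: 0, total: 3 },
  },
};

// Names at or above the audit level: the set that makes
// `npm audit --audit-level=<level>` exit non-zero.
function failingVulnerabilities(report, auditLevel = 'high') {
  const threshold = SEVERITY_RANK[auditLevel];
  return Object.values(report.vulnerabilities)
    .filter((v) => SEVERITY_RANK[v.severity] >= threshold)
    .map((v) => v.name)
    .sort();
}

// Follows `effects` upward to the direct dependencies that pull a vulnerable
// package in (what `npm ls vulnerable-package` answers in the Assess step).
function directDependentsOf(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || seen.has(name)) return [];
  seen.add(name);
  if (v.isDirect) return [name];
  const parents = v.effects.flatMap((e) => directDependentsOf(report, e, seen));
  return [...new Set(parents)].sort();
}

// Patch plan for everything that fails the gate. A fix that crosses a major
// version is what `npm audit fix --force` would apply, so it is flagged for review.
function patchPlan(report, auditLevel = 'high') {
  return failingVulnerabilities(report, auditLevel).map((name) => {
    const v = report.vulnerabilities[name];
    const fix = v.fixAvailable;
    let action = 'no fix available';
    if (fix === true) action = 'npm audit fix';
    else if (fix && typeof fix === 'object') action = `npm install ${fix.name}@${fix.version}`;
    return {
      name,
      severity: v.severity,
      reachedVia: directDependentsOf(report, name),
      action,
      semverMajor: Boolean(fix && typeof fix === 'object' && fix.isSemVerMajor),
    };
  });
}

// The "Verify Fix" step: a clean report has no entries and a zero total.
function isClean(report) {
  return Object.keys(report.vulnerabilities).length === 0 && report.metadata.vulnerabilities.total === 0;
}

console.log(patchPlan(SAMPLE_AUDIT, 'high'));
console.log('moderate and above:', failingVulnerabilities(SAMPLE_AUDIT, 'moderate'));
```

With the sample report, the `high` gate fails on `example-jwt-lib` alone, while `moderate` also surfaces the transitive `example-glob-lib` and the `example-lint-tool` entry that npm lists only because it depends on it; following `effects` is what turns the transitive entry into the direct package to update in step 3.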

Summary

Monthly Maintenance Checklist

```markdown
## Dependency Maintenance - [YYYY-MM]

### Security
- Run `npm audit` and address high/critical issues
- Review GitHub security advisories
- Check Snyk dashboard (if integrated)

### Updates
- Check `npm outdated` for major updates
- Update patch versions: `npm update`
- Plan migration for deprecated packages

### Cleanup
- Run `npx depcheck` to find unused deps
- Remove packages with zero imports
- Deduplicate: `npm dedupe`

### Testing
- Run full test suite
- Check build succeeds
- Verify dev server works
- Test in production-like environment

### Documentation
- Update CHANGELOG.md
- Document breaking changes
- Update .env.example if needed
```

Best Practices

  • Automate: Set up GitHub Actions for weekly audits
  • Batch Updates: Group related dependency updates
  • Test Thoroughly: Never skip tests after updates
  • Document: Keep CHANGELOG.md updated
  • Measure Impact: Track bundle size changes
  • Stay Informed: Subscribe to security advisories
  • Use Lock Files: Commit package-lock.json/pnpm-lock.yaml
  • Gradual Migration: Don't update everything at once