dependency-auditor


Dependency Auditor

Instructions

When auditing dependencies:
  1. Run security audit
  2. Check for outdated packages
  3. Find unused dependencies
  4. Analyze bundle size impact
  5. Review and update

Security Audit

```bash
# NPM audit
npm audit

# Get JSON output for processing
npm audit --json

# Fix automatically (safe fixes only)
npm audit fix

# Force fix (may have breaking changes)
npm audit fix --force

# PNPM
pnpm audit

# Yarn
yarn audit
```
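Processing the JSON output is where the audit becomes a CI gate. The script below is an added example, not part of the original skill file: it reads the npm 7+ report shape (`vulnerabilities` keyed by package, each with `severity`, `via`, `isDirect` and `fixAvailable`), keeps only findings at or above a chosen severity, and marks the ones whose fix would cross a semver major so they are not silently pulled in by `npm audit fix --force`. The sample report, its package names and advisory titles are constructed.

```javascript
// Added example, not part of the original skill file: triage `npm audit --json`
// output (npm 7+ report shape) so CI fails only at or above a chosen severity.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Vulnerable packages at or above `minSeverity`, most severe first.
function triageAudit(report, minSeverity = 'high') {
  const floor = SEVERITY_RANK[minSeverity];
  const findings = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[vuln.severity] ?? 0) < floor) continue;
    // `via` mixes advisory objects (root cause) with bare package names (inherited); keep advisories.
    const advisories = (vuln.via || []).filter((v) => typeof v === 'object');
    // `fixAvailable` is true, false, or an object describing a semver-major fix.
    const fix = vuln.fixAvailable;
    findings.push({
      name,
      severity: vuln.severity,
      direct: Boolean(vuln.isDirect),
      titles: advisories.map((a) => a.title),
      fixable: fix !== false && fix !== undefined,
      breakingFix: typeof fix === 'object' && fix !== null && Boolean(fix.isSemVerMajor),
    });
  }
  return findings.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Exit code for a CI gate: 1 when anything at or above the floor remains.
function auditExitCode(report, minSeverity = 'high') {
  return triageAudit(report, minSeverity).length === 0 ? 0 : 1;
}
// Constructed sample in the npm 7+ shape; package names, ids and titles are made up.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': { severity: 'critical', isDirect: true,
      via: [{ source: 1, name: 'example-parser', title: 'Prototype pollution (constructed)', severity: 'critical', range: '<2.0.0' }],
      fixAvailable: { name: 'example-parser', version: '2.0.0', isSemVerMajor: true } },
    'example-utils': { severity: 'moderate', isDirect: false, via: ['example-parser'], fixAvailable: true },
    'example-logger': { severity: 'high', isDirect: false,
      via: [{ source: 2, name: 'example-logger', title: 'ReDoS (constructed)', severity: 'high', range: '<1.4.2' }],
      fixAvailable: true },
  },
};
// Usage: npm audit --json > audit.json && node triage.js audit.json [minSeverity]
if (process.argv[2]) {
  const report = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  console.table(triageAudit(report, process.argv[3] || 'high'));
  process.exitCode = auditExitCode(report, process.argv[3] || 'high');
}
```

Run without a file argument the script only defines the functions; with `audit.json` it prints the triage table and sets the exit code for the pipeline.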

Check Outdated Packages

```bash
# NPM
npm outdated

# Interactive update
npx npm-check-updates -i

# Update all to latest (rewrites package.json, then reinstall)
npx npm-check-updates -u
npm install

# Check specific package
npm view <package> versions
```

Find Unused Dependencies

```bash
# Using depcheck
npx depcheck

# With details
npx depcheck --detailed

# Ignore patterns (comma-separated package names or globs)
npx depcheck --ignores="@types/*,eslint-*"
```

Common False Positives

常见误判情况

Depcheck may flag these as unused when they're actually needed:
  • @types/* packages (used by TypeScript)
  • ESLint/Prettier plugins (referenced in config)
  • PostCSS plugins (referenced in config)
  • Next.js plugins
  • Babel presets

Analyze Bundle Size

```bash
# For Next.js
npx @next/bundle-analyzer

# General purpose
npx source-map-explorer dist/**/*.js

# Check package size before installing
npx package-phobia <package-name>

# Compare alternatives
npx bundlephobia-cli compare lodash ramda
```

Dependency Review Checklist

Security

  • No critical/high vulnerabilities
  • Dependencies actively maintained
  • No known malicious packages
  • Lock file committed

Freshness

  • No major version behind (unless intentional)
  • Security patches applied
  • Deprecated packages replaced

Cleanliness

  • No unused dependencies
  • No duplicate packages (check lock file)
  • devDependencies vs dependencies correct

Update Strategies

Conservative (Recommended)

```bash
# Update within the semver ranges in package.json (patch only under "~", patch and minor under "^")
npm update

# Update specific package
npm install <package>@latest
```

Aggressive

```bash
# Update everything, reinstall, then run the test suite
npx npm-check-updates -u
npm install
npm test
```

Interactive

```bash
npx npm-check-updates -i
# Options:
#   a     - update all
#   space - toggle selection
#   enter - apply selected
```

Package.json Cleanup

```jsonc
{
  "dependencies": {
    // Runtime dependencies only
  },
  "devDependencies": {
    // Build/test tools only
  },
  "peerDependencies": {
    // For libraries only
  },
  "optionalDependencies": {
    // Platform-specific (rare)
  }
}
```

Lock File Best Practices

  1. Always commit lock files (package-lock.json, pnpm-lock.yaml, yarn.lock)
  2. Use `npm ci` in CI/CD (not `npm install`)
  3. Regenerate if corrupted: delete lock file + node_modules, reinstall
  4. Single lock file per project (don't mix package managers)
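Two checklist items above, "No duplicate packages (check lock file)" and the lock file practices, can be verified mechanically. The script below is an added example, not part of the original skill file: it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3), reports any package present in more than one version (a nested copy under another dependency's `node_modules`) and any resolved tarball recorded without an `integrity` hash, which is the field `npm ci` relies on to verify what it downloads. The sample lock file, its package names, URLs and hashes are constructed.

```javascript
// Added example, not from the original skill file: check a package-lock.json
// (lockfileVersion 2 or 3) for duplicate copies of one package and for
// entries that lack an integrity hash.
const NM = 'node_modules/';

// Package name from a lock path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf(NM);
  return idx === -1 ? lockPath : lockPath.slice(idx + NM.length);
}

function lockfileReport(lock) {
  if (![2, 3].includes(lock.lockfileVersion)) throw new Error('expected lockfileVersion 2 or 3');
  const versions = new Map(); // package name -> set of installed versions
  const missingIntegrity = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === '' || entry.link) continue; // root project or workspace symlink
    const name = entry.name || packageNameFromPath(lockPath);
    if (!versions.has(name)) versions.set(name, new Set());
    versions.get(name).add(entry.version);
    // A resolved tarball without `integrity` is installed without hash verification.
    if (entry.resolved && !entry.integrity) missingIntegrity.push(lockPath);
  }
  const duplicates = [...versions]
    .filter(([, set]) => set.size > 1)
    .map(([name, set]) => ({ name, versions: [...set].sort() }));
  return { duplicates, missingIntegrity };
}

// Constructed sample lock file; names, URLs and hashes are made up.
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'example-a': '^1.0.0', 'example-b': '^2.0.0' } },
    'node_modules/example-a': { version: '1.2.0', resolved: 'https://registry.example/example-a-1.2.0.tgz', integrity: 'sha512-CONSTRUCTED-A' },
    'node_modules/example-b': { version: '2.1.0', resolved: 'https://registry.example/example-b-2.1.0.tgz', integrity: 'sha512-CONSTRUCTED-B' },
    // example-b pins an older example-a, so a second copy is nested; it also lacks integrity.
    'node_modules/example-b/node_modules/example-a': { version: '0.9.0', resolved: 'https://registry.example/example-a-0.9.0.tgz' },
    'node_modules/@scope/example-c': { version: '3.0.0', resolved: 'https://registry.example/example-c-3.0.0.tgz', integrity: 'sha512-CONSTRUCTED-C', dev: true },
  },
};

// Usage: node lock-check.js package-lock.json
if (process.argv[2]) {
  const report = lockfileReport(JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')));
  console.log(JSON.stringify(report, null, 2));
  process.exitCode = report.duplicates.length || report.missingIntegrity.length ? 1 : 0;
}
```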

Automated Monitoring

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      dev-dependencies:
        dependency-type: "development"
```