Unused packages detected in the autoprefixer project on Tag: 10.3.1

[mahirkabir]

Issue: We have detected the following unused dependencies in your project: Unused devDependencies

• @size-limit/preset-small-lib
• @types/jest
• @typescript-eslint/eslint-plugin
• @typescript-eslint/parser
• check-dts
• clean-publish
• eslint
• eslint-config-standard
• eslint-plugin-import
• eslint-plugin-jest
• eslint-plugin-node
• eslint-plugin-prefer-let
• eslint-plugin-promise
• eslint-plugin-security
• eslint-plugin-unicorn
• jest
• prettier
• simple-git-hooks
• size-limit
• typescript

Questions: We are conducting a research study on the unused packages in JS projects. We were curious:

1. Will you remove the unused packages mentioned above? (Yes/No), and why?:
2. Do you have any additional comments? (If so, please write it down):

For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.

Rationale: When a JS application depends on too many packages, its attack surface can grow dramatically; hackers can get a higher chance of successfully exploiting the vulnerabilities inside those packages and escalating the potential damage. Therefore, JS application developers are recommended to remove unused packages from their projects, in order to eliminate the security risks unnecessarily incurred by those packages.

Steps to reproduce:

• Execute the “npx depcheck” command to print the list of all the unused dependencies

Suggested Solution: Please look at the unused dependencies list and uninstall them if they do not find them necessary.

Resources: https://www.npmjs.com/package/depcheck

[ai]

The detection is wrong.

For instance, check-dts is used in package.scripts. lint-staged is used in pre-commit hook of simple-git-hooks.