🐛 knip mis-identifies dependencies as unused when run from a workspace package #1711

Description

@astegmaier

Prerequisites

Reproduction url

https://github.com/astegmaier/playground-knip-load-package-manifest-bug

Reproduction access

  • I've made sure the reproduction is publicly accessible

Description of the issue

Knip will sometimes mis-identify a dependency as unused when both these conditions are true:

  1. knip is invoked from a workspace package directory (as I've mentioned before, we're currently doing this in our large mono-repo for performance reasons, which is recommended in the docs as a "last resort". I'd like to help profile and address these issues, but in the meantime this is where I'm at)
  2. the repo uses a "hoisting" strategy to install the dependencies (e.g. npm, yarn (by default), or pnpm (with "shamefullyHoist: true"))

Symptom A: detecting usage from package scripts

myRepo/packages/foo/package.json (see simplified reproduction)

{
  "name": "foo",
  "scripts": {
    "moo": "cowsay hello" // This is the only usage of the 'cowsay' package
  },
  "devDependencies": {
    "cowsay": "^1.6.0"
  }
}

Running knip from the workspace root will (correctly) see that cowsay is used:

yarn knip
✂️  Excellent, Knip found no issues.

But running knip from the foo package directory will (incorrectly) report that it is not used:

cd packages/foo
yarn knip

Unused devDependencies (1)
cowsay  package.json:8:6
Unlisted binaries (1)
cowsay  package.json

Symptom B: detecting usage from peerDependencies

myRepo/bar/package.json (see simplified reproduction)

{
  "name": "bar",
  "devDependencies": {
    "chai": "^4.5.0", // 'chai' is a peerDependency of 'chai-as-promised', but is otherwise unused
    "chai-as-promised": "^7.1.2"
  }
}

Running knip from the workspace root will (correctly) see that chai is used:

yarn knip
✂️  Excellent, Knip found no issues.

But running knip from the foo package directory will (incorrectly) report that it is not used:

cd packages/foo
yarn knip

Unused devDependencies (1)
chai  package.json:4:6

Root cause analysis + suggested fix

My AI agent was able to generate this analysis and proposed fix, which appears simple and straightforward. I can verify that the agent's proposed fix does indeed address the simplified reproduction, but I'm (currently) uncertain about the broader implications and whether it is safe, all things considered.

If you are open to fixing this issue, I'm happy to take ownership of the PR to do it, with this suggestion as a starting-place.
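
The hoisted layout that both symptoms involve, as an added example that is not part of the original issue, not knip's code, and not the fix the issue refers to: with hoisting, the manifests declaring `cowsay`'s `bin` entry and `chai-as-promised`'s `peerDependencies` exist only under the workspace root's `node_modules`, so a lookup confined to `packages/foo` finds neither, while a Node-style walk up the parent directories finds both. The temp directory, the helper names and the manifest field values are constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Write a package.json into dir, creating parent directories as needed.
function writeManifest(dir, manifest) {
  fs.mkdirSync(dir, { recursive: true });
  fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify(manifest));
}

// Constructed hoisted workspace: installed packages live only in <root>/node_modules.
function makeHoistedRepo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'hoist-'));
  writeManifest(root, { name: 'myRepo', workspaces: ['packages/*'] });
  writeManifest(path.join(root, 'packages', 'foo'), {
    name: 'foo', scripts: { moo: 'cowsay hello' }, devDependencies: { cowsay: '^1.6.0' },
  });
  const installed = path.join(root, 'node_modules');
  // bin and peerDependencies values below are constructed, not copied from the real packages.
  writeManifest(path.join(installed, 'cowsay'), { name: 'cowsay', bin: { cowsay: './cli.js' } });
  writeManifest(path.join(installed, 'chai-as-promised'), {
    name: 'chai-as-promised', peerDependencies: { chai: '*' },
  });
  return root;
}

// Look for an installed package's manifest in one directory's node_modules only.
function loadManifestLocal(name, dir) {
  const file = path.join(dir, 'node_modules', name, 'package.json');
  return fs.existsSync(file) ? JSON.parse(fs.readFileSync(file, 'utf8')) : undefined;
}

// Node-style lookup: try dir, then each parent, stopping at the filesystem root.
function loadManifestWalkUp(name, dir) {
  for (let cur = path.resolve(dir); ; cur = path.dirname(cur)) {
    const found = loadManifestLocal(name, cur);
    if (found || cur === path.dirname(cur)) return found;
  }
}

// Binary names and peer dependency names visible from pkgDir with the given loader.
function summarize(pkgDir, load) {
  return {
    bins: Object.keys(load('cowsay', pkgDir)?.bin ?? {}),
    peers: Object.keys(load('chai-as-promised', pkgDir)?.peerDependencies ?? {}),
  };
}

const demoFoo = path.join(makeHoistedRepo(), 'packages', 'foo');
console.log(summarize(demoFoo, loadManifestLocal), summarize(demoFoo, loadManifestWalkUp));
```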
