Prerequisites
Reproduction url
https://github.com/astegmaier/playground-knip-load-package-manifest-bug
Reproduction access
Description of the issue
Knip will sometimes mis-identify a dependency as unused when both these conditions are true:
- knip is invoked from a workspace package directory (as I've mentioned before, we're currently doing this in our large mono-repo for performance reasons, which is recommended in the docs as a "last resort". I'd like to help profile and address these issues, but in the meantime this is where I'm at)
- the repo uses a "hoisting" strategy to install the dependencies (e.g. npm, yarn (by defult), or pnpm (with "shamefullyHoist: true")
Symptom A: detecting usage from package scripts
myRepo/packages/foo/package.json (see simplified reproduction)
{
"name": "foo",
"scripts": {
"moo": "cowsay hello" // This is the only usage of the 'cowsay' package
},
"devDependencies": {
"cowsay": "^1.6.0"
}
}
Running knip from the workspace root will (correctly) see that cowsay is used:
yarn knip
✂️ Excellent, Knip found no issues.
But running knip from the foo package directory will (incorrectly) report that it is not used:
cd packages/foo
yarn knip
Unused devDependencies (1)
cowsay package.json:8:6
Unlisted binaries (1)
cowsay package.json
Symptom B: detecting usage from peerDependencies
myRepo/bar/package.json (see simplified reproduction)
{
"name": "bar",
"devDependencies": {
"chai": "^4.5.0", // 'chai' is a peerDependency of 'chai-as-promised', but is otherwise unused
"chai-as-promised": "^7.1.2"
}
}
Running knip from the workspace root will (correctly) see that chai is used:
yarn knip
✂️ Excellent, Knip found no issues.
But running knip from the foo package directory will (incorrectly) report that it is not used:
cd packages/foo
yarn knip
Unused devDependencies (1)
chai package.json:4:6
Root cause analysis + suggested fix
My AI agent was able to generate this analysis and proposed fix, which appears simple and straightforward. I can verify that the agent's proposed fix does indeed address the simplified reproduction, but I'm (currently) uncertain about the broader implications and whether it is safe, all things considered.
If you are open to fixing this issue, I'm happy to take ownership of the PR to do it, with this suggestion as a starting-place.
Prerequisites
Reproduction url
https://github.com/astegmaier/playground-knip-load-package-manifest-bug
Reproduction access
Description of the issue
Knip will sometimes mis-identify a dependency as unused when both these conditions are true:
Symptom A: detecting usage from package scripts
myRepo/packages/foo/package.json (see simplified reproduction)
{ "name": "foo", "scripts": { "moo": "cowsay hello" // This is the only usage of the 'cowsay' package }, "devDependencies": { "cowsay": "^1.6.0" } }Running knip from the workspace root will (correctly) see that
cowsayis used:But running knip from the foo package directory will (incorrectly) report that it is not used:
Symptom B: detecting usage from peerDependencies
myRepo/bar/package.json (see simplified reproduction)
Running knip from the workspace root will (correctly) see that
chaiis used:But running knip from the foo package directory will (incorrectly) report that it is not used:
Root cause analysis + suggested fix
My AI agent was able to generate this analysis and proposed fix, which appears simple and straightforward. I can verify that the agent's proposed fix does indeed address the simplified reproduction, but I'm (currently) uncertain about the broader implications and whether it is safe, all things considered.
If you are open to fixing this issue, I'm happy to take ownership of the PR to do it, with this suggestion as a starting-place.