A monorepo dependency analyzer that complements Knip and modernizes depcheck-style checks. monodep focuses on dependency hygiene gaps that are common in real-world workspaces.
There are many excellent tools for managing JavaScript dependencies. Here's how monodep compares:
monodep is designed as a gap-filler, not a replacement for every tool:
- Use Knip as your primary dead-code and unused-export detector.
- Use monodep to enforce dependency hygiene that Knip/depcheck typically do not own (dependency type correctness, cross-workspace version consistency, internal workspace protocol correctness, and peer dependency validation).
- If you currently rely on depcheck-like unused/missing checks, monodep keeps that baseline while extending it for modern monorepo needs.
| Feature | Knip | depcheck | syncpack | Dependabot | dependency-cruiser | monodep |
|---|---|---|---|---|---|---|
| Unused dependencies | β | β | β | β | β | β |
| Missing dependencies | β | β | β | β | β | β |
| Wrong dependency type (dev vs prod) | β | β | β | β | β | β |
| Version mismatch across packages | β | β | β | β | β | β |
| Outdated dependencies | β | β | β | β | β | β |
| Internal package validation (workspace:*) | β | β | β | β | β | β |
| Peer dependency validation | β | β | β | β | β | β |
| Circular dependencies | β | β | β | β | β | β |
| Unused exports/files | β | β | β | β | β | β |
| Auto-fix | β | β | β | β | β | β |
| Monorepo support | β | β | β | β | β | β |
| Plugin ecosystem | β (70+) | β | β | β | β | β |
- Wrong dependency type detection: Catches dependencies that should be in
devDependenciesbut are independencies(and vice versa). - Version mismatch detection: Finds inconsistent versions of the same dependency across workspaces.
- Internal package validation: Ensures internal workspace imports are declared and use
workspace:*(orfile:) protocol. - Peer dependency validation: Checks declared peer requirements against what consuming/root packages provide.
- Use Knip for dead code detection (unused exports/files/dependencies).
- Use dependency-cruiser for circular dependency analysis.
- Use monodep --only-extras to run the checks Knip does not target (
wrongType,mismatch,outdated,internal,peer). - Use monodep standalone when you also want depcheck-style
unused/missingchecks in one command.
To keep expectations clear, monodep currently prioritizes deterministic static analysis and repository metadata.
- In scope: package manifest consistency, import-based dependency presence, workspace protocol correctness, peer requirement validation, and registry version freshness checks.
- Partially in scope: dynamic/runtime-only dependency resolution patterns (these may need explicit ignores or future advanced detection).
- Out of scope: circular dependency graphs, unused exports/files auto-fix workflows.
- Monorepo Support: Automatically detects packages using
package.jsonworkspaces orpnpm-workspace.yaml. - Nested Package Handling: Correctly scans root and sub-packages in isolation, ignoring nested package directories.
- Dependency Analysis: Identifies:
- Unused dependencies: Packages listed in
package.jsonbut not imported in the code. - Missing dependencies: Packages imported in the code but not listed in
package.json. - Wrong dependency types: Dependencies that should be in
devDependenciesbut are independencies(or vice versa). - Outdated dependencies: Packages with newer versions available on npm.
- Version mismatches: Same dependency with different versions across packages in the monorepo.
- Internal package issues: Internal packages not using
workspace:*protocol or unlisted internal imports. - Peer dependency issues: Missing or incompatible peer dependencies in consuming packages.
- Unused dependencies: Packages listed in
- Package Manager Agnostic: Works with npm, yarn, pnpm, and bun.
- TypeScript Support: Parses TypeScript files to extract imports.
- Configurable: Supports configuration files to customize behavior.
- CI/AI Friendly: Provides compact output mode for automation and AI agents.
npm install -g monodepOr use directly via npx:
npx monodep- Clone the repository.
- Install dependencies:
npm install
- Build the project:
npm run build
- Link globally (optional):
npm link
Run the tool against your project root:
npx monodep /path/to/your/projectOr in the current directory:
npx monodep .| Option | Description |
|---|---|
--compact |
Output compact log format for AI agents and CI pipelines |
--only-extras |
Only run checks not covered by Knip (wrongType, mismatch, outdated, internal, peer) |
--no-outdated |
Skip outdated dependency checks for faster execution |
--check-installed-peers |
Validate peer requirements from installed dependencies in node_modules |
--ownership-report |
Show workspace dependency ownership suggestions (informational) |
π¦ monodep - Monorepo Dependency Checker
Analyzing project at /path/to/project...
Found 3 packages.
π package-a
/path/to/project/packages/a
β Unused dependencies:
- lodash
β Missing dependencies:
- react
β‘ Wrong dependency types:
- chalk: Should be in devDependencies (found in dependencies)
β° Outdated dependencies:
- typescript: ^5.0.0 β 5.3.3
π Internal package issues:
- @myorg/utils: Should use workspace:* protocol
π₯ Peer dependency issues:
- react: Missing peer dependency (required by @myorg/ui)
π package-b
/path/to/project/packages/b
β No issues found.
π Version Mismatches Found:
lodash:
- ^4.17.21 in package-a, package-c
- ^4.17.20 in package-b
ββββββββββββββββββββββββββββββββββββββββββββββββββ
π Summary
Packages scanned: 3
Packages with issues: 1
β Unused: 1
β Missing: 1
β‘ Wrong type: 1
β° Outdated: 1
π Mismatches: 1
π Internal: 1
π₯ Peer: 1
ββββββββββββββββββββββββββββββββββββββββββββββββββ
β Total issues: 7
For CI pipelines or AI agents, use the --compact flag:
npx monodep . --compactOutput:
[monodep] scanned=3 issues=7
[unused] package-a: lodash
[missing] package-a: react
[wrongType] package-a: chalk (dependencies -> devDependencies)
[outdated] package-a: typescript (^5.0.0 -> 5.3.3)
[mismatch] *: lodash (^4.17.21(package-a,package-c) vs ^4.17.20(package-b))
[internal] package-a: @myorg/utils (should use workspace:*)
[peer] package-a: react (missing, required by @myorg/ui)
If you're already using Knip for unused dependency detection, you can run monodep in --only-extras mode to avoid duplicate checks:
# Run only monodep-specific checks
npx monodep . --only-extras
# Combine with compact output for CI
npx monodep . --only-extras --compactThis mode skips unused/missing dependency detection (which Knip handles) and focuses on:
- wrongType: Dependencies in wrong section (devDependencies vs dependencies)
- mismatch: Version inconsistencies across packages
- outdated: Packages with newer versions available
- internal: Internal workspace package reference issues
- peer: Peer dependency validation issues
Create a configuration file in your project root. Supported formats:
.monodeprc.monodeprc.json.monodeprc.yaml.monodeprc.yml.monodeprc.js.monodeprc.cjsmonodep.config.jsmonodep.config.cjs
{
"ignorePatterns": ["**/generated/**", "**/fixtures/**"],
"ignoreDependencies": ["some-optional-peer-dep"],
"skipPackages": ["@myorg/internal-tools"],
"checkOutdated": true,
"dynamicImportPolicy": "off",
"checkInstalledPeers": false,
"ownershipReport": false
}| Option | Type | Description |
|---|---|---|
ignorePatterns |
string[] |
Glob patterns for files/directories to ignore during scanning |
ignoreDependencies |
string[] |
Dependencies to exclude from unused/missing checks |
skipPackages |
string[] |
Package names to skip entirely |
checkOutdated |
boolean |
Enable/disable outdated dependency checking (default: true) |
dynamicImportPolicy |
'off' | 'warn' | 'strict' |
Dynamic import candidate handling (off: hidden, warn: report only, strict: report + non-zero exit) |
checkInstalledPeers |
boolean |
Enable installed peer verification (default: false) |
ownershipReport |
boolean |
Enable ownership report output (default: false) |
monodep detects dependency usage from these files in each package:
- Source files:
**/*.{ts,tsx,js,jsx,mjs,cjs}- Excludes
node_modules,dist,build,coverage,fixtures,*.d.ts, and nested workspace package paths.
- Excludes
- CSS files:
**/*.css- Scans
@plugin "..."and@import "..."directives for package usage.
- Scans
- Package config:
package.json- Scans
scriptsfor common CLI tools (e.g.vite,wrangler,cross-env,tsc,tsdown,tailwindcss).
- Scans
- TypeScript config:
tsconfig.json- Reads
compilerOptions.typesand maps entries likevite/clientto package namevite. - If
tsconfig.jsonexists,typescriptis treated as toolchain usage.
- Reads
- Bun config:
bunfig.toml- Scans
install.security.scanner(e.g.@socketsecurity/bun-security-scanner).
- Scans
- Import parsing:
- Runtime imports are treated as production usage.
import typeand type-only imports are treated as development usage.
- Ignored import specifiers:
- Relative paths (
./,../) and absolute file paths. - Runtime/builtin schemes and virtual modules such as
bun:*,node:*,cloudflare:*,data:*,file:*.
- Relative paths (
- Unused dependencies:
- A dependency is
unusedif it is not referenced by source imports or config-derived usage.
- A dependency is
- Missing dependencies:
- A referenced package is
missingif it is not listed independencies,devDependencies,peerDependencies, oroptionalDependencies.
- A referenced package is
- Wrong dependency type:
devDependenciesused in production code should move todependencies.dependenciesused only in dev context should move todevDependencies.
- Catalog/version resolution:
catalog:is resolved using rootpackage.jsoncatalogbefore outdated/mismatch checks.workspace:andfile:specs are excluded from outdated/mismatch checks.
- Outdated dependencies:
- Compares declared semver range against npm latest version.
- Reports only when latest does not satisfy the declared range.
- Version mismatch:
- Compares normalized versions across packages and reports when the same dependency has multiple distinct versions.
- Monorepo detection: Reads
workspacesfrompackage.json(orpnpm-workspace.yaml) and resolves package boundaries. - Per-package scan: Collects dependency usage from source files and config files listed in Detection Logic.
- Usage analysis: Classifies references into production/dev usage and applies ignore rules (including virtual module specifiers).
- Dependency checks: Computes
unused,missing, andwrongTypeby comparing detected usage with declared dependencies. - Cross-package checks: Resolves
catalog:values, runsoutdatedchecks against npm, and reports versionmismatch, internal, and peer issues.
For exact file patterns and matching rules, see Detection Logic above.
The outdated dependency check requires network requests to the npm registry. To optimize performance:
- Deduplication: Same packages across multiple workspaces are only checked once
- Parallel requests: Up to 10 concurrent requests with rate limiting
- Caching: Version information is cached during execution
- Skip option: Use
--no-outdatedto skip version checks entirely for fastest execution
# Fast mode (skip outdated checks)
npx monodep . --no-outdated
# Full check with outdated detection
npx monodep .| Code | Description |
|---|---|
0 |
No issues found |
1 |
One or more issues detected |
MIT