Andrey Markin
Tags: Tool, Dev Tools, AI Coding, cli, dead-code, security

npm-deps-cleanup

AI agent skill that audits and reduces JavaScript package dependency footprint — removes unused deps, deduplicates workspace versions, analyzes transitive closures, and applies e18e replacement recommendations. Works with npm, pnpm, Yarn, and Bun.

Added May 20, 2026
Anthony Shew

Why dependency hygiene matters now

Keeping your dependency tree lean isn't just about bundle size — it's a frontline defense against supply-chain attacks. May 2026 has been one of the worst months on record for npm security:

TanStack compromise (May 11)

TeamPCP compromised 170+ npm packages across 404 malicious versions by chaining three GitHub Actions vulnerabilities — a pull_request_target Pwn Request, CI cache poisoning, and OIDC token extraction. @tanstack/react-router alone has 12.7M+ weekly downloads. Malicious versions were live for ~20 minutes before detection.

node-ipc credential stealer (May 14)

Three malicious versions of node-ipc (10M+ weekly downloads) were simultaneously published with obfuscated credential-stealing payloads targeting cloud credentials, SSH keys, and CI/CD secrets.

AntV ecosystem wave (May 19)

The largest single-wave npm supply chain attack to date — 633+ compromised package versions across 323 unique packages published in under one hour. Attackers abused Sigstore to generate valid signing certificates, making malicious packages appear legitimately signed.

Typosquatting infostealers (May 18)

Four packages (chalk-tempalte, axois-utils, @deadcode09284814/axios-util, color-style-utils) used typosquatted names of popular dependencies to deliver infostealers and DDoS malware.

Every unnecessary dependency in your lockfile is another potential entry point. Tools like npm-deps-cleanup reduce your attack surface by eliminating deps you don't actually use.

Related

  • memory-view: Claude Code / Codex skill that reads a project's auto-memory vault and generates a self-contained HTML explorer to visualize what the agent has remembered — MEMORY.md plus topic files — without editing or managing it.
  • session-report: Claude Code / Codex skill that generates a self-contained HTML report debugging what is in a session's context window and how every token is spent — context budget, retained thinking, the dumb-zone cutoff, loaded CLAUDE.md and skills, and full history.
  • It's Time To Rethink Everything: Theo Browne's CascadiaJS 2026 talk arguing that AI is a "new cloud moment" — just as the cloud removed the cost of provisioning servers, agents remove the cost of building, so the sacred rules of software (file systems, codebases, packages, git, deployment) are worth tearing down and rebuilding from first principles.
  • Eve: Open-source agent framework from Vercel — define agents as directories of TypeScript and Markdown config and deploy them as standard Vercel projects.