AI agent skill that audits and reduces JavaScript package dependency footprint — removes unused deps, deduplicates workspace versions, analyzes transitive closures, and applies e18e replacement recommendations. Works with npm, pnpm, Yarn, and Bun.
Keeping your dependency tree lean isn't just about bundle size — it's a frontline defense against supply-chain attacks. May 2026 has been one of the worst months on record for npm security:
TeamPCP compromised 170+ npm packages across 404 malicious versions by chaining three GitHub Actions vulnerabilities — a pull_request_target Pwn Request, CI cache poisoning, and OIDC token extraction. @tanstack/react-router alone has 12.7M+ weekly downloads. Malicious versions were live for ~20 minutes before detection.
Three malicious versions of node-ipc (10M+ weekly downloads) were simultaneously published with obfuscated credential-stealing payloads targeting cloud credentials, SSH keys, and CI/CD secrets.
The largest single-wave npm supply chain attack to date — 633+ compromised package versions across 323 unique packages published in under one hour. Attackers abused Sigstore to generate valid signing certificates, making malicious packages appear legitimately signed.
Four packages (chalk-tempalte, axois-utils, @deadcode09284814/axios-util, color-style-utils) used typosquatting of popular deps to deliver infostealers and DDoS malware.
Every unnecessary dependency in your lockfile is another potential entry point. Tools like npm-deps-cleanup reduce your attack surface by eliminating deps you don't actually use.
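As an added example (not code from npm-deps-cleanup or from any of the package managers named above), the JavaScript below sketches two of the audit steps the description lists: finding declared dependencies that no source file imports or script invokes, and measuring the transitive closure each direct dependency pulls in from a lockfile. The package.json, source files and package-lock fragment are constructed sample data embedded inline, and the built-in module list is a deliberately partial hard-coded set, so the block runs offline without a real project.

```javascript
// Added example: minimal unused-dependency audit plus transitive-closure count
// over an npm lockfileVersion 3 "packages" map. All inputs are constructed.

const packageJson = {
  name: "sample-app",
  scripts: { test: "jest --ci", start: "node src/server.js" },
  dependencies: { express: "^4.19.0", lodash: "^4.17.21", "left-pad": "^1.3.0" },
  devDependencies: { jest: "^29.0.0" },
};

// Constructed source files keyed by path; only the import specifiers matter here.
const sourceFiles = {
  "src/server.js": [
    'import express from "express";',
    'const { debounce } = require("lodash/function");',
    'import { join } from "node:path";',
    'import { helper } from "./util.js";',
  ].join("\n"),
  "src/util.js": "export const helper = () => 1;",
};

// Constructed package-lock.json fragment (lockfileVersion 3, hoisted layout).
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "node_modules/express": { version: "4.19.2", dependencies: { "body-parser": "1.20.2", cookie: "0.6.0" } },
    "node_modules/body-parser": { version: "1.20.2", dependencies: { bytes: "3.1.2" } },
    "node_modules/bytes": { version: "3.1.2" },
    "node_modules/cookie": { version: "0.6.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/jest": { version: "29.7.0", dependencies: { "@jest/core": "29.7.0" } },
    "node_modules/@jest/core": { version: "29.7.0" },
  },
};

// Partial, hard-coded list of Node built-ins (assumption for this example; a real
// tool would use require("node:module").builtinModules).
const BUILTINS = new Set(["fs", "path", "os", "crypto", "http", "https", "url", "util", "events", "stream", "child_process"]);

// Map an import specifier to the package it resolves to, or null for relative and
// absolute paths and Node built-ins (with or without the node: prefix).
function packageNameOf(specifier) {
  if (specifier.startsWith(".") || specifier.startsWith("/") || specifier.startsWith("node:")) return null;
  const parts = specifier.split("/");
  const name = specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
  return BUILTINS.has(name) ? null : name;
}

// Matches `import ... from "x"`, `export ... from "x"`, `require("x")` and `import("x")`.
const IMPORT_RE = /\b(?:import|export)\s+(?:[^'";]*?\s+from\s+)?['"]([^'"]+)['"]|\b(?:require|import)\(\s*['"]([^'"]+)['"]\s*\)/g;

function importedPackages(files) {
  const used = new Set();
  for (const source of Object.values(files)) {
    for (const m of source.matchAll(IMPORT_RE)) {
      const name = packageNameOf(m[1] ?? m[2]);
      if (name) used.add(name);
    }
  }
  return used;
}

// A dependency that is never imported may still be a CLI run from package.json
// scripts (jest, eslint, tsc ...); the first token of each command counts as usage.
function packagesInvokedByScripts(pkg) {
  const invoked = new Set();
  for (const command of Object.values(pkg.scripts ?? {})) {
    for (const segment of command.split(/&&|\|\||;/)) {
      const [bin] = segment.trim().split(/\s+/);
      if (bin) invoked.add(bin);
    }
  }
  return invoked;
}

function declaredDependencies(pkg) {
  return Object.keys({ ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) });
}

function findUnusedDependencies(pkg, files) {
  const used = importedPackages(files);
  const invoked = packagesInvokedByScripts(pkg);
  return declaredDependencies(pkg).filter((name) => !used.has(name) && !invoked.has(name)).sort();
}

// Walk dependency edges from one package and return every package it pulls in
// (excluding itself). Assumes hoisted "node_modules/<name>" keys only; nested
// node_modules paths would need npm's real resolution algorithm.
function transitiveClosure(lock, root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const entry = lock.packages[`node_modules/${stack.pop()}`];
    if (!entry) continue;
    for (const dep of Object.keys(entry.dependencies ?? {})) {
      if (!seen.has(dep)) { seen.add(dep); stack.push(dep); }
    }
  }
  seen.delete(root);
  return seen;
}

// Full audit: unused declared deps, plus how many packages each direct dep drags in.
function auditDependencies(pkg, files, lock) {
  const closureSizes = {};
  for (const name of declaredDependencies(pkg)) closureSizes[name] = transitiveClosure(lock, name).size;
  return { unused: findUnusedDependencies(pkg, files), closureSizes };
}

console.log(JSON.stringify(auditDependencies(packageJson, sourceFiles, lockfile), null, 2));
```

On a real project the three inline objects would be read from package.json, the source tree and package-lock.json. A dependency reported as unused still deserves a manual check before removal: packages loaded only through plugin configuration, peer dependencies, and anything resolved from nested node_modules directories are outside what this sketch sees. The closure count is the useful number for the supply-chain argument above: removing left-pad here drops one package, while a direct dependency like express brings three more packages into the lockfile with it.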