by phkahler 1814 days ago
>> Five false alarms wouldn’t be too bad.

>> Unfortunately, there are hundreds.

This is primarily a result of the absurd number of dependencies NPM encourages (requires?) people to use. The duplicates are also there in part because of the large number of dependencies and should not be shown more than once by the tool.

Stop building projects with an absurdly large dependency tree; this is just one problem that results from it.

1 comments

I’d imagine that in most projects, the bulk of the dependency is due to dev tooling. I don’t think it’s fair to optimize for small dependency trees when setting up your buildchain – otherwise you’re precluding any usage of create-react-app or Next or whatever development platform. This problem is further compounded by the fact that those tools encourage including dev dependencies as regular dependencies, since the output is compiled anyway.

The answer here is probably some kind of static analysis to know which packages end up shipping in the actual bundle to users. I think Dan referenced some work in that regard.
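One way to sketch the two ideas raised in this thread (showing each duplicate finding once, and keeping only findings for packages that end up in the shipped bundle), as an added example that is not part of any comment here. The module list, advisory ids and function names are constructed for illustration, and matching is by package name only, ignoring versions.

```javascript
// Constructed sample: module paths a bundler reports as included in the client bundle.
const bundledModules = [
  "src/index.js",
  "node_modules/react/index.js",
  "node_modules/@scope/ui/dist/button.js",
  "node_modules/react-dom/node_modules/scheduler/index.js",
];

// Constructed sample: audit findings, one per dependency path, hence the duplicates.
const findings = [
  { advisory: "ADV-0001", pkg: "scheduler", path: "react-dom>scheduler" },
  { advisory: "ADV-0001", pkg: "scheduler", path: "react>scheduler" },
  { advisory: "ADV-0002", pkg: "browserslist", path: "react-scripts>browserslist" },
  { advisory: "ADV-0002", pkg: "browserslist", path: "react-scripts>autoprefixer>browserslist" },
  { advisory: "ADV-0003", pkg: "@scope/ui", path: "@scope/ui" },
];

// Return the package that owns a module path, or null for first-party code.
// The innermost node_modules segment wins, so nested copies resolve correctly.
function packageOf(modulePath) {
  const parts = modulePath.split(/[\\/]/);
  const i = parts.lastIndexOf("node_modules");
  if (i === -1 || i + 1 >= parts.length) return null;
  const first = parts[i + 1];
  if (first.startsWith("@")) {
    return i + 2 < parts.length ? `${first}/${parts[i + 2]}` : null;
  }
  return first;
}

function shippedPackages(modulePaths) {
  return new Set(modulePaths.map(packageOf).filter(Boolean));
}

// Collapse duplicates to one entry per (advisory, package), then split by shipped status.
// Simplification (assumption): a package counts as shipped if any copy of it is bundled.
function triage(allFindings, modulePaths) {
  const shipped = shippedPackages(modulePaths);
  const unique = new Map();
  for (const f of allFindings) {
    const key = `${f.advisory}|${f.pkg}`;
    const entry = unique.get(key) || { advisory: f.advisory, pkg: f.pkg, paths: [] };
    entry.paths.push(f.path);
    unique.set(key, entry);
  }
  const all = [...unique.values()];
  return { shipped: all.filter((e) => shipped.has(e.pkg)), notShipped: all.filter((e) => !shipped.has(e.pkg)) };
}
```

Findings in `notShipped` still matter for the build machine and CI, so they are a lower-priority queue rather than something to discard.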

>> The answer here is probably some kind of static analysis...

So even more tools?