remove unused dependencies? Importance?

Just wondering if unused dependencies (in package.json) affect anything other than install time (and potentially deployment time)? I'm taking a course, they provided some starter code - there was an unused dependency - I asked if I should remove it, they said "if you want" - so I'm trying to find out!
5 Replies
Joao (10mo ago)
It's very common in courses to not do things "the right way" so as not to distract students from the topic at hand. Of course you shouldn't keep things that are not being used. Will your machine or the server blow up if you do? Well, no. Probably. But what if 6 months from now it's discovered that this particular dependency has a dependency of its own with a vulnerability that allows privilege escalation? This has happened before. It doesn't cost you anything to just delete it. And if you do need it again, install it if and when you do.
Lucas, OP (10mo ago)
Thanks. Again, I'm sure it depends, but is it likely to be a security risk if it's not used in any of your code?
dys 🐙 (10mo ago)
Most applications go through a bundling process to produce the code that is used in production. Part of that is "tree-shaking" where only code that is accessed by the application is included in the bundle. So, your unneeded library should only be adding to your initial install time, but should generally be removed as it adds potentially confusing complexity for developers learning the project.
Lucas, OP (10mo ago)
Thanks. So generally not a huge deal, but should fix.
Joao (10mo ago)
A simple npm install may be enough even if you don't use it: https://medium.com/@nm_johnson/npm-package-hijacking-from-the-hijackers-perspective-af0c48ab9922