ghostdep 👻

A fast, cross-language phantom dependency detector.

ghostdep scans your project and finds two things:

  • Phantom dependencies: packages you import in code but forgot to add to your manifest
  • Unused dependencies: packages declared in your manifest that nothing actually imports

It works across Go, JavaScript/TypeScript, Python, Rust, and Java. Single binary, zero runtime dependencies, built in Rust.

Why does this matter?

Phantom dependencies are a real problem:

  • Your code works locally because some transitive dep happens to provide the package
  • CI breaks, or worse, production breaks when that transitive dep gets removed
  • Supply chain attacks can exploit undeclared dependencies

Unused dependencies are less dangerous but still annoying:

  • Bloated install times
  • Larger container images
  • Confusing dependency lists for new contributors

ghostdep catches both in milliseconds.

How it works

source files ──→ AST parser ──→ import list ───┐
                                               ├──→ matching engine ──→ findings
manifest file ──→ manifest parser ──→ dep list ┘

  1. Walks your project directory
  2. Parses source files using tree-sitter (Go, Python, Rust, Java) or OXC (JS/TS) to extract imports
  3. Parses your manifest file to get declared dependencies
  4. Cross-references the two lists
  5. Reports what's missing and what's unused
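The pipeline above, as an added example that is not ghostdep's own code: a simplified line-based import matcher stands in for the tree-sitter/OXC parser, specifiers are normalised to package names (subpath and scoped imports, relative paths and Node built-ins skipped), and the two lists are cross-referenced. Package names in the sample source and manifest are constructed.

```rust
use std::collections::BTreeSet;
/// Map a JS/TS import specifier to its package; relative paths and Node built-ins are not deps.
fn package_name(spec: &str) -> Option<String> {
    if spec.starts_with('.') || spec.starts_with('/') || spec.starts_with("node:") {
        return None;
    }
    let parts: Vec<&str> = spec.split('/').collect();
    Some(if spec.starts_with('@') && parts.len() >= 2 {
        format!("{}/{}", parts[0], parts[1]) // scoped: keep "@scope/name"
    } else {
        parts[0].to_string() // subpath import "lodash/fp" -> "lodash"
    })
}

/// Collect package names from `import ... from "x"` / `require("x")` lines (one specifier per line).
fn imports_in(source: &str) -> BTreeSet<String> {
    let mut found = BTreeSet::new();
    for line in source.lines() {
        let rest = match (line.find(" from "), line.find("require(")) {
            (Some(i), _) => &line[i + 6..],
            (None, Some(i)) => &line[i + 8..],
            (None, None) => continue,
        };
        // the specifier is the first quoted string after `from` / `require(`
        let q = match rest.chars().next() { Some(c) if c == '"' || c == '\'' => c, _ => continue };
        if let Some(end) = rest[1..].find(q) {
            if let Some(pkg) = package_name(&rest[1..1 + end]) {
                found.insert(pkg);
            }
        }
    }
    found
}

/// Cross-reference: imported-but-undeclared (phantom) vs declared-but-unimported (unused).
fn cross_reference(imports: &BTreeSet<String>, declared: &BTreeSet<String>) -> (Vec<String>, Vec<String>) {
    let phantom = imports.difference(declared).cloned().collect();
    let unused = declared.difference(imports).cloned().collect();
    (phantom, unused)
}

/// Constructed sample mirroring the quick example below (not real project files).
fn demo() -> (Vec<String>, Vec<String>) {
    let src = "import axios from \"axios\";\n\
               import fs from \"node:fs\";\n\
               import { helper } from \"./util\";\n\
               const cfg = require('@acme/config/load');\n";
    let declared: BTreeSet<String> = ["lodash", "@acme/config"].iter().map(|s| s.to_string()).collect();
    cross_reference(&imports_in(src), &declared)
}
```

The scoped subpath import resolves to the declared `@acme/config`, so only `axios` is reported as phantom and only `lodash` as unused.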

Quick example

$ ghostdep -p my-project

[phantom] axios at src/api.js:3 (confidence: high)
[unused] lodash at package.json (confidence: high)

Found 1 phantom and 1 unused dependencies (12 files scanned in 3ms)