unused-dependencies false positive for CLI tools used in scripts

[cloud-walker]

Packages that ship a binary (via the bin field in their package.json) and are invoked in scripts get flagged as unused dependencies because they're never imported.

Example — packages/react/package.json:

{
  "scripts": {
    "lint": "publint --strict && attw --profile esm-only --pack ."
  },
  "devDependencies": {
    "@arethetypeswrong/cli": "^0.18.2"
  }
}

fallow flags @arethetypeswrong/cli as unused, but it's the package that provides the attw binary used in the lint script.

The mapping is detectable: @arethetypeswrong/cli declares "bin": { "attw": "./bin/cli.js" } in its own package.json. Fallow could parse each workspace's scripts, extract the command tokens, and cross-reference them against the bin entries of installed packages to mark them as used.

Expected behavior: packages whose binary is invoked in a scripts entry should not be flagged as unused.

Current workaround: add to ignoreDependencies in .fallowrc.json:

{
  "ignoreDependencies": ["@arethetypeswrong/cli"]
}

Is this something fallow could detect?

[BartWaardenburg]

Thanks for the report! This is now fixed in v2.34.0.

Fallow now reads dependency package.json bin fields from node_modules/ and builds a reverse map (binary name → package name). So attw correctly resolves to @arethetypeswrong/cli, and the false positive is gone.

Handles both bin forms:

• Object: "bin": { "attw": "./bin/cli.js" } → keys are binary names
• String: "bin": "./cli.js" → binary name derived from package name

Also probes workspace-level node_modules/ for non-hoisted setups (pnpm strict, Yarn workspaces).

Upgrade: npm install -D fallow@latest or download from the release page.