chore: QA tool to detect missing dependencies (#1264)

use `knip` to test for missing dependencies.
since the `import/no-extraneous-dependencies` eslint rule is not
working.


TODO / DONE
- [x] add tool
- [x] configure tool
- [x] add GH workflow

---------

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

.github/workflows/nodejs.yml

@@ -120,10 +120,10 @@ jobs:
       - name: setup tools
         run: |
           echo "::group::install docs-gen deps"
-          npm run -- dev-setup:docs-gen   --ignore-scripts --loglevel=silly
+          npm run -- dev-setup:tools:docs-gen   --ignore-scripts --loglevel=silly
           echo "::endgroup::"
           echo "::group::install code-style deps"
-          npm run -- dev-setup:code-style --ignore-scripts --loglevel=silly
+          npm run -- dev-setup:tools:code-style --ignore-scripts --loglevel=silly
           echo "::endgroup::"
       - name: make reports dir
         run: mkdir -p "$REPORTS_DIR"
@@ -147,6 +147,28 @@ jobs:
           path: ${{ env.REPORTS_DIR }}
           if-no-files-found: error
 
+  test-dependencies:
+    name: test dependencies
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_ACTIVE_LTS }}
+          # cache: "npm"
+          # cache-dependency-path: "**/package-lock.json"
+      - name: setup project
+        run: npm install --ignore-scripts --loglevel=silly
+      - name: setup tool
+        run: npm run -- dev-setup:tools:test-dependencies --ignore-scripts --loglevel=silly
+      - name: test
+        run: npm run -- test:dependencies -d
+
   test-node:
     needs: [ 'build' ]
     name: test node (${{ matrix.node-version }}, ${{ matrix.os }})
@@ -483,7 +505,7 @@ jobs:
           npm install --ignore-scripts --loglevel=silly
           echo "::endgroup::"
           echo "::group::install docs-gen deps"
-          npm run -- dev-setup:docs-gen --ignore-scripts --loglevel=silly
+          npm run -- dev-setup:tools:docs-gen --ignore-scripts --loglevel=silly
           echo "::endgroup::"
       - name: api-doc ${{ matrix.target }}
         run: npm run api-doc:${{ matrix.target }}

.github/workflows/release.yml

@@ -120,10 +120,13 @@ jobs:
       - name: setup tools
         run: |
           echo "::group::install docs-gen deps"
-          npm run -- dev-setup:docs-gen   --ignore-scripts --loglevel=silly
+          npm run -- dev-setup:tools:docs-gen   --ignore-scripts --loglevel=silly
           echo "::endgroup::"
           echo "::group::install code-style deps"
-          npm run -- dev-setup:code-style --ignore-scripts --loglevel=silly
+          npm run -- dev-setup:tools:code-style --ignore-scripts --loglevel=silly
+          echo "::endgroup::"
+          echo "::group::install test-dependencies deps"
+          npm run -- dev-setup:tools:test-dependencies --ignore-scripts --loglevel=silly
           echo "::endgroup::"
       # no explicit npm build. if a build is required, it should be configured as prepublish/prepublishOnly script of npm.
       - name: login to registries

knip.jsonc

@@ -0,0 +1,17 @@
+{
+  "$schema": "https://unpkg.com/knip@5/schema-jsonc.json",
+  "entry": [
+    "src/index.node.ts!",
+    "src/index.web.ts!"
+  ],
+  "project": [
+    "src/**!",
+    "res/**!",
+    "tests/**",
+    "!tests/_data/normalizeResults/**",
+    "!tests/_data/schemaTestData/**"
+  ],
+  "ignore": [
+    "tools/**"
+  ]
+}

package.json

@@ -170,8 +170,10 @@
   },
   "scripts": {
     "dev-setup": "npm i && run-p --aggregate-output -lc dev-setup:\\*",
-    "dev-setup:docs-gen": "npm --prefix tools/docs-gen install",
-    "dev-setup:code-style": "npm --prefix tools/code-style install",
+    "dev-setup:tools": "run-p --aggregate-output -lc dev-setup:tools:\\*",
+    "dev-setup:tools:docs-gen": "npm --prefix tools/docs-gen install",
+    "dev-setup:tools:code-style": "npm --prefix tools/code-style install",
+    "dev-setup:tools:test-dependencies": "npm --prefix tools/test-dependencies install",
     "dev-setup:examples": "run-p --aggregate-output -lc dev-setup:examples:\\*",
     "dev-setup:examples:js": "npm --prefix examples/node/javascript i --ignore-scripts",
     "dev-setup:examples:ts-cjs": "npm --prefix examples/node/typescript/example.cjs i --ignore-scripts",
@@ -190,6 +192,7 @@
     "test:web": "node -e 'console.log(\"TODO: write web test\")'",
     "test:lint": "tsc --noEmit",
     "test:standard": "npm --prefix tools/code-style exec -- eslint .",
+    "test:dependencies": "npm --prefix tools/test-dependencies exec -- knip --include dependencies,unlisted,unresolved --production",
     "cs-fix": "npm --prefix tools/code-style exec -- eslint --fix .",
     "api-doc": "run-p --aggregate-output -lc api-doc:\\*",
     "api-doc:node": "npm --prefix tools/docs-gen exec -- typedoc --options ./typedoc.node.json",

tools/test-dependencies/.gitignore

@@ -0,0 +1,4 @@
+*
+!/.gitignore
+!/package.json
+!/.npmrc

tools/test-dependencies/.npmrc

@@ -0,0 +1,5 @@
+; see the docs: https://docs.npmjs.com/cli/v9/using-npm/config
+
+package-lock=false
+engine-strict=true
+omit=peer # don't install them automatically; we take cate of them!

tools/test-dependencies/package.json

@@ -0,0 +1,11 @@
+{
+  "private": true,
+  "name": "@cyclonedx/cyclonedx-javascript-library/tools/test-dependencies",
+  "license": "Apache-2.0",
+  "engines": {
+    "node": ">=20.18"
+  },
+  "dependencies": {
+    "knip": "5.61.3"
+  }
+}