chore: QA tool to detect missing dependencies (#1409)

use `knip` to test for missing dependencies.
since the `import/no-extraneous-dependencies` eslint rule is not
working.


TODO / DONE
- [x] add tool
- [x] configure tool
- [x] add GH workflow

---------

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

.github/workflows/nodejs.yml

@@ -74,7 +74,7 @@ jobs:
       - name: setup tools
         run: |
           echo "::group::install code-style deps"
-          npm run -- dev-setup:code-style --ignore-scripts --loglevel=silly
+          npm run -- dev-setup:tools:code-style --ignore-scripts --loglevel=silly
           echo "::endgroup::"
       - name: make reports dir
         run: mkdir -p "$REPORTS_DIR"
@@ -98,6 +98,28 @@ jobs:
           path: ${{ env.REPORTS_DIR }}
           if-no-files-found: error
 
+  test-dependencies:
+    name: test dependencies
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_ACTIVE_LTS }}
+          # cache: "npm"
+          # cache-dependency-path: "**/package-lock.json"
+      - name: setup project
+        run: npm install --ignore-scripts --loglevel=silly
+      - name: setup tool
+        run: npm run -- dev-setup:tools:test-dependencies --ignore-scripts --loglevel=silly
+      - name: test
+        run: npm run -- test:dependencies -d
+
   test-jest:
     needs: [ 'build' ]
     name: test:Jest (node${{ matrix.node-version }}, ${{ matrix.os }})

.github/workflows/release.yml

@@ -117,7 +117,10 @@ jobs:
       - name: setup tools
         run: |
           echo "::group::install code-style deps"
-          npm run -- dev-setup:code-style --ignore-scripts --loglevel=silly
+          npm run -- dev-setup:tools:code-style --ignore-scripts --loglevel=silly
+          echo "::endgroup::"
+          echo "::group::install test-dependencies deps"
+          npm run -- dev-setup:tools:test-dependencies --ignore-scripts --loglevel=silly
           echo "::endgroup::"
       # no explicit npm build. if a build is required, it should be configured as prepublish/prepublishOnly script of npm.
       - name: login to registries

knip.jsonc

@@ -0,0 +1,18 @@
+{
+  "$schema": "https://unpkg.com/knip@5/schema-jsonc.json",
+  "entry": [
+    "src/plugin.ts!",
+    "bin/**!"
+  ],
+  "project": [
+    "src/**!",
+    "tests/*.js"
+  ],
+  "ignore": [
+    "tools/**"
+  ],
+  "ignoreDependencies": [
+    // needed to force the installation of the optional dependency of a 3rd party package:
+    "xmlbuilder2"
+  ]
+}

package.json

@@ -93,7 +93,9 @@
   "exports": "./dist/plugin.js",
   "scripts": {
     "dev-setup": "npm i && run-p --aggregate-output -lc dev-setup:\\*",
-    "dev-setup:code-style": "npm --prefix tools/code-style install",
+    "dev-setup:tools": "run-p --aggregate-output -lc dev-setup:tools:\\*",
+    "dev-setup:tools:code-style": "npm --prefix tools/code-style install",
+    "dev-setup:tools:test-dependencies": "npm --prefix tools/test-dependencies install",
     "prepublish": "npm run build",
     "prepublishOnly": "run-s -lc build setup-tests test",
     "prebuild": "node -r fs -e 'fs.rmSync(\"dist\",{recursive:true,force:true})'",
@@ -104,6 +106,7 @@
     "test:jest": "c8 jest",
     "test:lint": "tsc --noEmit",
     "test:standard": "npm --prefix tools/code-style exec -- eslint .",
+    "test:dependencies": "npm --prefix tools/test-dependencies exec -- knip --include dependencies,unlisted,unresolved --production",
     "cs-fix": "npm --prefix tools/code-style exec -- eslint --fix ."
   },
   "jest-junit": {

tools/test-dependencies/.gitignore

@@ -0,0 +1,4 @@
+*
+!/.gitignore
+!/package.json
+!/.npmrc

tools/test-dependencies/.npmrc

@@ -0,0 +1,5 @@
+; see the docs: https://docs.npmjs.com/cli/v9/using-npm/config
+
+package-lock=false
+engine-strict=true
+omit=peer # don't install them automatically; we take cate of them!

tools/test-dependencies/package.json

@@ -0,0 +1,11 @@
+{
+  "private": true,
+  "name": "@cyclonedx/cyclonedx-webpack-plugin/tools/test-dependencies",
+  "license": "Apache-2.0",
+  "engines": {
+    "node": ">=20.18"
+  },
+  "dependencies": {
+    "knip": "5.61.3"
+  }
+}