MagicMirrorOrg
diff --git a/‎cspell.config.json‎
Lines changed: 6 additions & 0 deletions b/‎cspell.config.json‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/pipeline-refactor-roadmap.md‎
Lines changed: 19 additions & 19 deletions b/‎docs/pipeline-refactor-roadmap.md‎
Lines changed: 19 additions & 19 deletions
diff --git a/‎docs/pipeline/check-modules-reference.md‎
Lines changed: 13 additions & 11 deletions b/‎docs/pipeline/check-modules-reference.md‎
Lines changed: 13 additions & 11 deletions
diff --git a/‎scripts/check-modules/__tests__/dependency-usage.test.js‎
Lines changed: 92 additions & 0 deletions b/‎scripts/check-modules/__tests__/dependency-usage.test.js‎
Lines changed: 92 additions & 0 deletions
@@ -17,11 +17,15 @@
     "depandabot",
     "dependencie",
     "diffing",
+    "envsub",
+    "feedme",
     "Fenner",
     "fontawesome",
     "Gitea",
     "Goldens",
     "hoster",
+    "ical",
+    "ipfilter",
     "Itay",
     "Kristjan",
     "magicmirror",
@@ -41,11 +45,13 @@
     "refspecs",
     "rollup",
     "smarthome",
+    "suncalc",
     "testconfig",
     "trumpetx",
     "Updat",
     "venv",
     "virtualenv",
+    "weathericons",
     "workstream",
     "workstreams",
     "Workstreams"
 
@@ -46,21 +46,21 @@ This document captures the long-term improvements we want to implement in the mo
 
 ### 4. Checks & Developer Experience
 
-| Task  | Description                                                                                                                                                                     | Dependencies | Effort |
-| ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ------ |
-| P4.1  | Split checks into a registry with metadata (category, severity, auto-fixable) ✅ Completed Oct 2025                                                                             | P2.3         | M      |
-| P4.2  | Add configuration file to toggle check groups (`fast`, `deep`, optional ESLint/ncu`) ✅ Completed Oct 2025                                                                      | P4.1         | S      |
-| P4.3  | Create sample dataset + regression tests for check outputs (golden files), reusing the curated fixtures where possible ✅ Completed Oct 2025                                    | P4.1         | M      |
-| P4.4  | Provide CLI progress UI and Markdown summary per run ✅ Completed Oct 2025                                                                                                      | P1.2         | S      |
-| P4.5  | Add rule detecting modules that rely on MagicMirror core dependencies without declaring them ([#78](https://github.com/MagicMirrorOrg/MagicMirror-3rd-Party-Modules/issues/78)) | P4.1         | M      |
-| P4.6  | Check README install/update sections for copyable fenced command blocks ([#54](https://github.com/MagicMirrorOrg/MagicMirror-3rd-Party-Modules/issues/54))                      | P4.1         | S      |
-| P4.7  | Recommend `npm ci --omit=dev` when modules expose devDependencies in instructions ([#53](https://github.com/MagicMirrorOrg/MagicMirror-3rd-Party-Modules/issues/53))            | P4.1         | S      |
-| P4.8  | Flag modules with multi-year inactivity that are not marked `outdated` and nudge maintainers to review status                                                                   | P4.1         | M      |
-| P4.9  | Inspect Dependabot configs for schedule scope (quarterly cadence, production-only) and suggest adjustments                                                                      | P4.1         | M      |
-| P4.10 | Evaluate migrating the `ntl` task menu into a `pipeline` subcommand (interactive launcher built on the orchestrator CLI) _(low priority)_                                       | P1.2         | S      |
-| P4.11 | Extend the rule registry to cover every pipeline check stage (legacy JS script + future additions) ✅ Completed Oct 2025                                                        | P4.1         | L      |
-| P4.R1 | Audit every rule in the registry for relevance and clarity                                                                                                                      | P4.11        | S      |
-| P4.R2 | Audit every recommendation in the registry for relevance and consistency                                                                                                        | P4.11        | S      |
+| Task  | Description                                                                                                                                                                                     | Dependencies | Effort |
+| ----- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ------ |
+| P4.1  | Split checks into a registry with metadata (category, severity, auto-fixable) ✅ Completed Oct 2025                                                                                             | P2.3         | M      |
+| P4.2  | Add configuration file to toggle check groups (`fast`, `deep`, optional ESLint/ncu`) ✅ Completed Oct 2025                                                                                      | P4.1         | S      |
+| P4.3  | Create sample dataset + regression tests for check outputs (golden files), reusing the curated fixtures where possible ✅ Completed Oct 2025                                                    | P4.1         | M      |
+| P4.4  | Provide CLI progress UI and Markdown summary per run ✅ Completed Oct 2025                                                                                                                      | P1.2         | S      |
+| P4.5  | Add rule detecting modules that import third-party dependencies without declaring them ([#78](https://github.com/MagicMirrorOrg/MagicMirror-3rd-Party-Modules/issues/78)) ✅ Completed Oct 2025 | P4.1         | M      |
+| P4.6  | Check README install/update sections for copyable fenced command blocks ([#54](https://github.com/MagicMirrorOrg/MagicMirror-3rd-Party-Modules/issues/54))                                      | P4.1         | S      |
+| P4.7  | Recommend `npm ci --omit=dev` when modules expose devDependencies in instructions ([#53](https://github.com/MagicMirrorOrg/MagicMirror-3rd-Party-Modules/issues/53))                            | P4.1         | S      |
+| P4.8  | Flag modules with multi-year inactivity that are not marked `outdated` and nudge maintainers to review status                                                                                   | P4.1         | M      |
+| P4.9  | Inspect Dependabot configs for schedule scope (quarterly cadence, production-only) and suggest adjustments                                                                                      | P4.1         | M      |
+| P4.10 | Evaluate migrating the `ntl` task menu into a `pipeline` subcommand (interactive launcher built on the orchestrator CLI) _(low priority)_                                                       | P1.2         | S      |
+| P4.11 | Extend the rule registry to cover every pipeline check stage (legacy JS script + future additions) ✅ Completed Oct 2025                                                                        | P4.1         | L      |
+| P4.R1 | Audit every rule in the registry for relevance and clarity                                                                                                                                      | P4.11        | S      |
+| P4.R2 | Audit every recommendation in the registry for relevance and consistency                                                                                                                        | P4.11        | S      |
 
 ### 5. Documentation & Collaboration
 
@@ -99,10 +99,10 @@ Routine reminders for keeping the written guidance in sync with the code:
 
 Immediate action items:
 
-1. Add the dependency-declaration rule for core MagicMirror usage (P4.5).
-2. Audit README install/update sections for copyable fenced command blocks (P4.6).
-3. Recommend `npm ci --omit=dev` when modules list devDependencies in instructions (P4.7).
-4. Flag modules with multi-year inactivity that are not marked `outdated` and nudge maintainers to review status (P4.8).
+1. Audit README install/update sections for copyable fenced command blocks (P4.6).
+2. Recommend `npm ci --omit=dev` when modules list devDependencies in instructions (P4.7).
+3. Flag modules with multi-year inactivity that are not marked `outdated` and nudge maintainers to review status (P4.8).
+4. Inspect Dependabot configs for schedule scope (quarterly cadence, production-only) and suggest adjustments (P4.9).
 
 ---
 
 
@@ -1,6 +1,6 @@
 # Check Modules Reference
 
-_Last updated: October 3, 2025_
+_Last updated: October 4, 2025_
 
 This page consolidates the material that previously lived in the P2.3 rollout documents. It should stay up to date as we evolve Stage 5 (`scripts/check-modules/index.ts`), the comparison harness, and the curated fixture set.
 
@@ -9,6 +9,7 @@ This page consolidates the material that previously lived in the P2.3 rollout do
 - ✅ TypeScript implementation is the default Stage 5 runner.
 - ✅ Comparison harness (`npm run checkModules:compare`) can execute multiple commands, capture artifacts, and (when two runs complete) produce diffs for analysis.
 - ✅ CLI progress indicator renders live module throughput and emits a per-run Markdown summary under `.pipeline-runs/check-modules/`.
+- ✅ Stage 5 flags modules that import any non built-in dependency without declaring it in their own `package.json` (Node built-ins and the allowlist `express`, `node_helper`, `logger` are ignored).
 - 🔄 Follow-ups tracked here: extend harness diff coverage (README/HTML artifacts) and define warning/failure thresholds ahead of diff gating in CI.
 
 ## Check group configuration
@@ -77,16 +78,17 @@ These are the rule IDs currently implemented by the TypeScript checker. Keep thi
 
 ### `package.json` rules
 
-| Rule ID                                  | Pattern                                      | Category       | Notes                             |
-| ---------------------------------------- | -------------------------------------------- | -------------- | --------------------------------- |
-| pkg-deprecated-electron-rebuild          | `"electron-rebuild"`                         | Deprecated     | Use `@electron/rebuild`.          |
-| pkg-deprecated-eslint-config-airbnb      | `eslint-config-airbnb`                       | Deprecated     | Seek modern configuration.        |
-| pkg-recommend-eslint-plugin-json         | `"eslint-plugin-json"`/`eslint-plugin-jsonc` | Recommendation | Suggest `@eslint/json`.           |
-| pkg-deprecated-grunt                     | `"grunt"`                                    | Deprecated     | Tool largely unmaintained.        |
-| pkg-outdated-husky-install               | `husky install`                              | Outdated       | Husky v9 no longer needs it.      |
-| pkg-recommend-needle                     | `"needle"`                                   | Recommendation | Suggest fetch.                    |
-| pkg-deprecated-rollup-banner             | `rollup-plugin-banner`                       | Deprecated     | Replace with built-in banner.     |
-| pkg-deprecated-stylelint-config-prettier | `stylelint-config-prettier`                  | Deprecated     | Remove in newer Stylelint setups. |
+| Rule ID                                  | Pattern                                      | Category       | Notes                                                                                                                                                                         |
+| ---------------------------------------- | -------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| pkg-deprecated-electron-rebuild          | `"electron-rebuild"`                         | Deprecated     | Use `@electron/rebuild`.                                                                                                                                                      |
+| pkg-deprecated-eslint-config-airbnb      | `eslint-config-airbnb`                       | Deprecated     | Seek modern configuration.                                                                                                                                                    |
+| pkg-recommend-eslint-plugin-json         | `"eslint-plugin-json"`/`eslint-plugin-jsonc` | Recommendation | Suggest `@eslint/json`.                                                                                                                                                       |
+| pkg-deprecated-grunt                     | `"grunt"`                                    | Deprecated     | Tool largely unmaintained.                                                                                                                                                    |
+| pkg-outdated-husky-install               | `husky install`                              | Outdated       | Husky v9 no longer needs it.                                                                                                                                                  |
+| pkg-recommend-needle                     | `"needle"`                                   | Recommendation | Suggest fetch.                                                                                                                                                                |
+| pkg-missing-dependency                   | _n/a (detected via usage scan)_              | Recommendation | Flags modules that import third-party packages without declaring them in `package.json` (built-ins and the default allowlist `express`, `node_helper`, `logger` are ignored). |
+| pkg-deprecated-rollup-banner             | `rollup-plugin-banner`                       | Deprecated     | Replace with built-in banner.                                                                                                                                                 |
+| pkg-deprecated-stylelint-config-prettier | `stylelint-config-prettier`                  | Deprecated     | Remove in newer Stylelint setups.                                                                                                                                             |
 
 ### `package-lock.json` rules
 
 
@@ -0,0 +1,92 @@
+import {
+  MISSING_DEPENDENCY_RULE_ID,
+  detectUsedDependencies,
+  extractDeclaredDependencyNames,
+  findMissingDependencies,
+  shouldAnalyzeFileForDependencyUsage
+} from "../dependency-usage.js";
+
+import assert from "node:assert/strict";
+import test from "node:test";
+
+function toSortedArray (iterable) {
+  return Array.from(iterable).sort((a, b) => a.localeCompare(b));
+}
+
+test("exports the shared rule id", () => {
+  assert.equal(MISSING_DEPENDENCY_RULE_ID, "pkg-missing-dependency");
+});
+
+test("detects third-party dependency imports via require and import", () => {
+  const sample = [
+    "import dayjs from 'dayjs';",
+    "const tz = require('moment-timezone/builds');",
+    "await import('@scope/example/utils');",
+    "const fetchImpl = await import('node-fetch');",
+    "const express = require('express');"
+  ].join("\n");
+
+  const detected = detectUsedDependencies(sample);
+  assert.deepEqual(
+    toSortedArray(detected),
+    ["@scope/example", "dayjs", "moment-timezone", "node-fetch"]
+  );
+});
+
+test("ignores relative and built-in dependencies", () => {
+  const sample = [
+    "const fs = require('fs');",
+    "import path from 'node:path';",
+    "const http = await import('node:http');",
+    "import util from './util.js';",
+    "const styles = require('../styles.css');",
+    "const helper = require('node_helper');",
+    "const logger = require('logger');"
+  ].join("\n");
+
+  const detected = detectUsedDependencies(sample);
+  assert.deepEqual(Array.from(detected), []);
+});
+
+test("ignores unrelated content", () => {
+  const detected = detectUsedDependencies("const value = 42;");
+  assert.deepEqual(Array.from(detected), []);
+});
+
+test("only analyzes supported source files", () => {
+  assert.ok(shouldAnalyzeFileForDependencyUsage("node_helper.js"));
+  assert.ok(shouldAnalyzeFileForDependencyUsage("src/helpers/util.ts"));
+  assert.ok(!shouldAnalyzeFileForDependencyUsage("README.md"));
+  assert.ok(!shouldAnalyzeFileForDependencyUsage("vendor/moment.min.js"));
+  assert.ok(!shouldAnalyzeFileForDependencyUsage("examples/demo.js"));
+});
+
+test("extracts declared dependencies across sections", () => {
+  const declared = extractDeclaredDependencyNames({
+    dependencies: {
+      moment: "^2.29.4",
+      axios: "^1.7.0"
+    },
+    devDependencies: {
+      eslint: "^9.0.0"
+    },
+    optionalDependencies: {
+      express: "^4.18.2"
+    },
+    peerDependencies: {
+      "socket.io": "^4.7.5"
+    }
+  });
+
+  assert.deepEqual(toSortedArray(declared), ["axios", "eslint", "express", "moment", "socket.io"]);
+});
+
+test("finds missing dependencies", () => {
+  const declared = new Set(["moment", "express"]);
+  const missing = findMissingDependencies({
+    declaredDependencies: declared,
+    usedDependencies: new Set(["moment", "moment-timezone", "express"])
+  });
+
+  assert.deepEqual(missing, ["moment-timezone"]);
+});