← statichum.studio

Phantom dependency auditor that spans multiple language ecosystems

dev tool weekend hack •• multiple requests

Maintainers on HN keep complaining about undeclared (phantom) dependencies, imports that only resolve because some other package happens to pull them in transitively, and unused dependencies silently shipping to prod. The first case breaks the build the day the upstream drops that transitive dep; the second bloats the attack surface for nothing. They want a single CLI/CI tool that reports both cases across package.json, pyproject.toml, go.mod, and Cargo.toml in a polyglot monorepo, with clean SARIF output for GitHub Actions.

builder note

Do not build a new static analyzer. Shell out to Knip (JS/TS), deptry (Python) and go mod tidy -diff (Go 1.23+; note that go mod why only explains why a module is kept, it does not list what is missing or unused), add cargo-machete for Cargo.toml, normalize their output to SARIF, and charge for the GitHub App that posts inline PR annotations. The unification is the product.
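What that normalization layer looks like, as an added example (not the product's code and not from any of the tools' projects): a small Python script that takes the raw findings of Knip, deptry and go mod tidy -diff and folds them into one SARIF 2.1.0 log with two rule ids. The tool output shapes (the Knip JSON reporter's issues array, deptry's JSON findings with DEP00x codes, the go.mod/go.sum unified diff) are reproduced from memory and treated as assumptions; the sample inputs are constructed, not captured from a real repo, and the tool name phantom-dep-audit is hypothetical.

```python
"""Normalize Knip, deptry and `go mod tidy -diff` findings into one SARIF 2.1.0 log.

Added example, not the product's code. Assumed tool output shapes (from memory):
  knip --reporter json           -> {"issues": [{"file", "dependencies", "unlisted", ...}]}
  deptry . --json-output r.json  -> [{"error": {"code": "DEP00x", ...}, "module", "location"}]
  go mod tidy -diff              -> unified diff of go.mod and go.sum (Go 1.23+)
All sample inputs below are constructed for the demo.
"""
import json
import re

RULES = {
    "phantom-dependency": "Imported but not declared in the manifest; it resolves only "
                          "because another package pulls it in transitively.",
    "unused-dependency": "Declared in the manifest but never imported.",
}


def _result(rule_id, ecosystem, package, uri, line=1):
    """One SARIF result. Phantom deps are errors: they break or get hijacked silently."""
    return {
        "ruleId": rule_id,
        "level": "error" if rule_id == "phantom-dependency" else "warning",
        "message": {"text": f"[{ecosystem}] {package}: {RULES[rule_id]}"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": max(int(line or 1), 1)},  # SARIF needs startLine >= 1
        }}],
        "properties": {"ecosystem": ecosystem, "package": package},
    }


def _name_line(entry):
    """Knip entries are plain strings in older versions, {name, line, col, pos} in v5."""
    return (entry, 1) if isinstance(entry, str) else (entry["name"], entry.get("line", 1))


def from_knip(report):
    out = []
    for issue in report.get("issues", []):
        for dep in issue.get("dependencies", []) + issue.get("devDependencies", []):
            out.append(_result("unused-dependency", "npm", *_name_line(dep)[:1], issue["file"], _name_line(dep)[1]))
        for dep in issue.get("unlisted", []):  # imported but absent from package.json: phantom
            out.append(_result("phantom-dependency", "npm", *_name_line(dep)[:1], issue["file"], _name_line(dep)[1]))
    return out


# deptry codes: DEP001 missing, DEP002 unused, DEP003 transitive-only, DEP004 misplaced dev dep.
DEPTRY_RULE = {"DEP001": "phantom-dependency", "DEP003": "phantom-dependency", "DEP002": "unused-dependency"}


def from_deptry(findings):
    out = []
    for f in findings:
        rule = DEPTRY_RULE.get(f["error"]["code"])
        if rule is None:  # DEP004 is a placement problem, not phantom/unused; skip it
            continue
        loc = f.get("location", {})
        out.append(_result(rule, "pypi", f["module"], loc.get("file", "pyproject.toml"), loc.get("line", 1)))
    return out


GO_REQ = re.compile(r"^([+-])\s+(\S+) (v\S+)")  # matches "+\tgithub.com/x/y v1.2.3 // indirect"


def from_go_tidy_diff(diff_text):
    """go.mod lines tidy would add are phantom requirements, lines it would drop are unused.
    A module present on both sides only flipped its '// indirect' comment and is skipped."""
    added, removed, in_go_mod = {}, {}, False
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            in_go_mod = line.rstrip().endswith("go.mod")  # ignore the go.sum hunks
            continue
        m = GO_REQ.match(line) if in_go_mod else None
        if m:
            sign, mod, ver = m.groups()
            (added if sign == "+" else removed)[mod] = ver
    out = [_result("phantom-dependency", "go", f"{m}@{v}", "go.mod") for m, v in added.items() if m not in removed]
    out += [_result("unused-dependency", "go", f"{m}@{v}", "go.mod") for m, v in removed.items() if m not in added]
    return out


def to_sarif(results):
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "phantom-dep-audit",  # hypothetical name
                      "rules": [{"id": r, "shortDescription": {"text": t}} for r, t in RULES.items()]}},
                      "results": results}]}


# Constructed sample inputs (shapes are the assumptions listed in the module docstring).
KNIP_SAMPLE = {"issues": [
    {"file": "packages/web/package.json", "dependencies": [{"name": "lodash", "line": 12, "col": 6, "pos": 0}]},
    {"file": "packages/web/src/index.ts", "unlisted": [{"name": "left-pad", "line": 3, "col": 1, "pos": 0}]}]}
DEPTRY_SAMPLE = [
    {"error": {"code": "DEP003", "message": "'urllib3' imported but it is a transitive dependency"},
     "module": "urllib3", "location": {"file": "services/api/app.py", "line": 4, "column": 1}},
    {"error": {"code": "DEP002", "message": "'click' defined as a dependency but not used"},
     "module": "click", "location": {"file": "services/api/pyproject.toml", "line": 1, "column": 1}},
    {"error": {"code": "DEP004", "message": "'pytest' imported but declared as a dev dependency"},
     "module": "pytest", "location": {"file": "services/api/app.py", "line": 5, "column": 1}}]
GO_DIFF_SAMPLE = ("diff current/go.mod tidy/go.mod\n--- current/go.mod\n+++ tidy/go.mod\n@@ -3,7 +3,7 @@\n"
                  " require (\n-\tgithub.com/spf13/cobra v1.8.0\n+\tgithub.com/google/uuid v1.6.0\n"
                  "-\tgolang.org/x/sys v0.20.0\n+\tgolang.org/x/sys v0.20.0 // indirect\n )\n"
                  "diff current/go.sum tidy/go.sum\n--- current/go.sum\n+++ tidy/go.sum\n@@ -1,1 +1,1 @@\n"
                  "-github.com/spf13/cobra v1.8.0 h1:constructed=\n+github.com/google/uuid v1.6.0 h1:constructed=\n")


def audit(knip=KNIP_SAMPLE, deptry=DEPTRY_SAMPLE, go_diff=GO_DIFF_SAMPLE):
    return to_sarif(from_knip(knip) + from_deptry(deptry) + from_go_tidy_diff(go_diff))


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))  # feed to github/codeql-action/upload-sarif for PR annotations
```

The two decisions worth copying are the severity split (phantom is an error, unused is a warning, so CI can block on the one that is actually a supply-chain problem) and the go.mod dedupe, which stops a module that merely gained or lost a // indirect marker from being reported as both missing and unused.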

landscape (3 existing solutions)

Every language ecosystem has a point tool. No unified scanner reports phantom + unused deps across the four dominant backend/frontend ecosystems with a shared config.

Knip: excellent for JS/TS (unused deps plus "unlisted" imports), nothing for Python, Go, Rust
depcheck: JS/TS only, noisy false positives on monorepos with workspaces
deptry: Python only; it does flag imports that resolve only through a transitive dependency (DEP003), but it sees nothing outside the Python toolchain

sources (2)

hn https://news.ycombinator.com/item?id=47797632 "phantom deps keep biting us when we move the monorepo" 2026-04-11
hn https://news.ycombinator.com/item?id=47741527 "wrote a tiny unused-dep scanner, went viral because nothing does both langs" 2026-04-07
dependencies •• monorepo •• supply-chain •• ci-cd