A survey of tools for detecting and removing unused dependencies across multiple language ecosystems, framed as a supply-chain security practice. Covers two distinct problems: dependencies never imported at all, and dependencies where only a tiny fraction of code is actually used. Reviews tools for Python (deptry, creosote, FawltyDeps, pip-check-reqs), JavaScript (knip, depcheck), Rust (cargo-machete, cargo-shear, cargo-udeps), Go (go mod tidy), Java (maven-dependency-plugin, Dependency Analysis Gradle Plugin), PHP (composer-unused, composer-dependency-analyser), .NET (ReferenceTrimmer), Elixir (mix deps.unlock), and Ruby (degem). Also highlights unladen, a Python tool that computes a 'heft ratio' showing what fraction of each dependency's code is actually reachable. Includes practical caveats about false positives from dynamic imports, plugin systems, and type stubs.