Nightshift: Dependency Risk Analysis — Microck/opencode-studio
Task: dependency-risk | Category: analysis | Date: 2026-04-23
Summary
Analysis of the opencode-studio monorepo (root + server + client-next) identified 7 dependency risks across 3 severity levels. Key concerns include 2 unused dependencies inflating bundle size and attack surface, no Node.js engine constraints, and Express 5 in pre-release usage.
Findings
🔴 HIGH — Unused dependency: date-fns (client-next)
- File: client-next/package.json
- Detail: date-fns@^4.1.0 is listed as a dependency but not imported anywhere in the src/ directory. Zero grep hits for date-fns, dateFns, or any date-fns function names.
- Risk: Unnecessary dependency increases bundle size (~72KB gzipped for date-fns) and expands the attack surface. If a vulnerability is discovered in date-fns, this project would be flagged even though it's unused.
- Recommendation: Remove date-fns from client-next/package.json and run npm prune.
🔴 HIGH — Unused dependency: pixelarticons (client-next)
- File: client-next/package.json
- Detail: pixelarticons@^1.8.1 is listed as a dependency but not imported anywhere in src/. Zero grep hits across all TypeScript/TSX files.
- Risk: Same as above — dead weight in node_modules and lockfile.
- Recommendation: Remove pixelarticons from dependencies. If icons are used via a different mechanism (e.g., copied SVGs), document this.
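The "zero grep hits" check behind the two findings above can be scripted so it runs against every entry in dependencies rather than one name at a time. This is an added example, not Nightshift's or the opencode-studio project's code; the sample package.json and source snippets are constructed (the @radix-ui/react-dialog version is a placeholder), and the import regex is a heuristic assumption, not a full parser.

```javascript
// Added example (not Nightshift's own tooling): flag entries in "dependencies"
// that no source file imports or requires.

// Matches `import ... from "x"`, `import "x"`, `import("x")` and `require("x")`.
// Heuristic: it will also fire on these patterns inside string literals or comments.
const IMPORT_RE = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)["']([^"']+)["']/g;

// Reduce a specifier to its package name; relative, absolute and node: specifiers yield null.
// "@radix-ui/react-slot/dist" -> "@radix-ui/react-slot", "date-fns/format" -> "date-fns".
function packageName(specifier) {
  if (/^(\.|\/|node:)/.test(specifier)) return null;
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Set of package names referenced by an array of source-file contents.
function importedPackages(sources) {
  const found = new Set();
  for (const src of sources) {
    for (const m of src.matchAll(IMPORT_RE)) {
      const name = packageName(m[1]);
      if (name) found.add(name);
    }
  }
  return found;
}

// Names in pkg.dependencies that no source references, sorted. devDependencies are
// deliberately ignored: build tooling is usually invoked by scripts, not imported.
function findUnusedDeps(pkg, sources) {
  const used = importedPackages(sources);
  return Object.keys(pkg.dependencies || {}).filter((d) => !used.has(d)).sort();
}

// Constructed sample modelled on the report: only react-slot and react-dialog are imported.
// The react-dialog version is a placeholder; the other three come from the report.
const SAMPLE_PKG = {
  dependencies: {
    "date-fns": "^4.1.0",
    pixelarticons: "^1.8.1",
    "@radix-ui/react-slot": "^1.2.4",
    "@radix-ui/react-dialog": "^0.0.0-placeholder",
  },
};
const SAMPLE_SRC = [
  'import { Slot } from "@radix-ui/react-slot";\nexport const Btn = (p) => Slot(p);',
  'import * as Dialog from "@radix-ui/react-dialog/dist";\nconst local = require("./local");',
];

console.log("unused:", findUnusedDeps(SAMPLE_PKG, SAMPLE_SRC)); // → ["date-fns", "pixelarticons"]
```

To run it against a real checkout, read each .ts/.tsx/.js/.jsx file under src/ with fs.readFileSync and pass the contents array together with the parsed package.json to findUnusedDeps.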
🟡 MEDIUM — Express 5 (pre-release) in production server
- File: server/package.json
- Detail: express@^5.2.1 — Express 5 is still in alpha/pre-release. While the 5.x line has been available, it has breaking API changes from Express 4 and may receive less community security scrutiny.
- Risk: API instability, potential breaking changes in patch updates, fewer battle-tested security advisories.
- Recommendation: Pin the exact version ("5.2.1" without caret) or consider downgrading to Express 4.18.x (LTS). If staying on Express 5, add a CI check for npm audit.
🟡 MEDIUM — No Node.js engine version constraints
- Files: package.json, server/package.json, client-next/package.json
- Detail: None of the 3 package.json files include an engines field, and there's no .nvmrc or .node-version file. The project uses modern features (ES2022 modules, NodeNext resolution) that require Node 18+.
- Risk: Contributors may run on incompatible Node versions (14, 16) causing cryptic build failures. CI may use an outdated Node.
- Recommendation: Add "engines": { "node": ">=18.0.0" } to all 3 package.json files. Optionally add a .nvmrc.
🟡 MEDIUM — Caret ranges on all dependencies
- Files: All 3 package.json files
- Detail: Every dependency uses caret ranges (^x.y.z). While this enables patch/minor updates, it means npm install on different machines may resolve different versions. Combined with no npm ci in CI (no CI config was found), builds may not be reproducible.
- Risk: Non-reproducible builds, potential for "works on my machine" issues.
- Recommendation: Use npm ci instead of npm install in production/CI. Consider pinning exact versions for server dependencies.
🟢 LOW — No CI/CD pipeline for dependency auditing
- Detail: No .github/workflows/ directory was found. There's no automated npm audit, Dependabot config, or Renovate setup.
- Risk: Vulnerabilities in dependencies may go undetected until manually discovered.
- Recommendation: Add a GitHub Actions workflow that runs npm audit on push/PR. Enable Dependabot security updates.
🟢 LOW — @radix-ui/react-slot may be redundant
- File: client-next/package.json
- Detail: @radix-ui/react-slot@^1.2.4 is listed as a direct dependency, but it's typically a transitive dependency of other Radix UI packages. It may already be available through @radix-ui/react-dialog etc.
- Risk: Minor — redundant listing in package.json.
- Recommendation: Check if removing it breaks the build (since Radix packages re-export it). If not, remove the direct dependency.
Stats
| Metric | Value |
| --- | --- |
| Total dependencies (root) | 1 |
| Total dependencies (server) | 4 |
| Total dependencies (client-next) | 18 + 8 dev |
| Unused dependencies | 2 (date-fns, pixelarticons) |
| Pre-release dependencies | 1 (express@5) |
| Engine constraints | None |
| Lockfile integrity | Not verified (no CI) |
Generated by Nightshift — autonomous code quality bot.