
Decide whether to pin knip as a devDependency and wire it into CI #558

@coderabbitai

Description

Background

PR #555 added knip.jsonc for ad-hoc dead-code analysis (run via npx knip), but intentionally did not wire knip into CI. The reason: this repo SHA-pins all GitHub Actions workflow steps, and adding an unpinned npx knip invocation would be a supply-chain regression.

Tracking comment: #555 (comment)

Decision needed

A maintainer decision is required on whether to add knip as a pinned devDependency (with a full lockfile entry and defined upgrade cadence).

Planned follow-up (once the decision lands)

  1. Add knip as a devDependency — pin to the current validated version (6.16.1) and update package-lock.json.
  2. Add an npm script in package.json:
    "knip": "knip"
  3. Add a non-concurrent CI step in the relevant workflow(s) — must run before any step that mutates dist/ (i.e., before the build step) to avoid races with dist writes. Use npm run knip (Windows-safe, no bare glob expansion).
  4. Extend test/ci-workflows.test.ts (see test/ci-workflows.test.ts:39-50 and test/ci-workflows.test.ts:63-81) to assert the knip script is invoked in both the Linux validate job and the Windows scripts-windows expectations.
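As an added illustration of what steps 3 and 4 would check (this is example code written for this note, not the repo's test/ci-workflows.test.ts and not knip's or any action's code), the block below is a dependency-free, line-oriented scan of a workflow file that flags (a) any remote `uses:` reference that is not pinned to a full 40-hex commit SHA and (b) a job in which `npm run knip` is missing or runs after `npm run build`. The workflow YAML is constructed for the example: the job names `validate` and `scripts-windows`, the step layout, and the commit SHAs are placeholders, and the scanner assumes steps are written as simple `- uses:` / `- run:` entries (it is not a general YAML parser).

```typescript
// Example workflow checker (added example, not the project's own test file).
// Assumptions: steps are one-line "- uses:" / "- run:" entries, job names are
// placeholders, and the SHAs below are fabricated 40-hex values.

export interface Step { line: number; uses?: string; run?: string }
export interface Job { name: string; steps: Step[] }

/** Constructed sample: `validate` is compliant, `scripts-windows` is not. */
export const SAMPLE_WORKFLOW = `
name: ci
on: [push, pull_request]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98 # placeholder SHA
      - run: npm ci
      - run: npm run knip
      - run: npm run build
  scripts-windows:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm run build
      - run: npm run knip
`;

/** Minimal line scan of the `jobs:` block; records each step's uses/run value. */
export function parseJobs(yaml: string): Job[] {
  const jobs: Job[] = [];
  let inJobs = false;
  let current: Job | undefined;
  yaml.split("\n").forEach((raw, idx) => {
    const line = raw.trimEnd();
    if (line === "") return;
    if (/^[^\s#]/.test(line)) {            // any top-level key starts/ends the jobs block
      inJobs = /^jobs:\s*$/.test(line);
      current = undefined;
      return;
    }
    if (!inJobs) return;
    const job = /^ {2}([\w-]+):\s*$/.exec(line);   // exactly two-space indent = job id
    if (job) { current = { name: job[1], steps: [] }; jobs.push(current); return; }
    if (!current) return;
    const start = /^\s*- ([\w-]+):\s*(.*)$/.exec(line);   // "- key: value" opens a step
    if (start) {
      const step: Step = { line: idx + 1 };
      if (start[1] === "uses") step.uses = start[2];
      if (start[1] === "run") step.run = start[2];
      current.steps.push(step);
      return;
    }
    const cont = /^\s+(uses|run):\s*(.+)$/.exec(line); // "uses:"/"run:" on a later line of the step
    const last = current.steps[current.steps.length - 1];
    if (cont && last) {
      if (cont[1] === "uses") last.uses = cont[2]; else last.run = cont[2];
    }
  });
  return jobs;
}

const SHA_REF = /^[^@\s]+@[0-9a-f]{40}$/;

/** Every remote action must be pinned to a full commit SHA, not a tag or branch. */
export function unpinnedUses(jobs: Job[]): string[] {
  const findings: string[] = [];
  for (const job of jobs) {
    for (const s of job.steps) {
      if (!s.uses) continue;
      const ref = s.uses.split("#")[0].trim();   // drop the trailing "# vX.Y.Z" hint
      if (ref.startsWith("./")) continue;         // local action: nothing is fetched
      if (!SHA_REF.test(ref)) findings.push(`${job.name} line ${s.line}: unpinned uses: ${ref}`);
    }
  }
  return findings;
}

/** Returns a finding unless a step running `first` exists and precedes any step running `second`. */
export function runsBefore(job: Job, first: string, second: string): string | undefined {
  const i = job.steps.findIndex(s => (s.run ?? "").includes(first));
  const j = job.steps.findIndex(s => (s.run ?? "").includes(second));
  if (i < 0) return `${job.name}: no step runs "${first}"`;
  if (j >= 0 && j < i) {
    return `${job.name}: "${first}" (line ${job.steps[i].line}) runs after "${second}" (line ${job.steps[j].line})`;
  }
  return undefined;
}

/** Combined check: SHA pinning everywhere, and knip before build in the named jobs. */
export function lintWorkflow(yaml: string, jobsRequiringKnip: string[] = ["validate", "scripts-windows"]): string[] {
  const jobs = parseJobs(yaml);
  const findings = unpinnedUses(jobs);
  for (const name of jobsRequiringKnip) {
    const job = jobs.find(j => j.name === name);
    if (!job) { findings.push(`missing job ${name}`); continue; }
    const f = runsBefore(job, "npm run knip", "npm run build");
    if (f) findings.push(f);
  }
  return findings;
}

console.log(lintWorkflow(SAMPLE_WORKFLOW));
```

Against the constructed sample the checker reports exactly two findings, both for `scripts-windows`: `actions/checkout@v4` is a mutable tag rather than a SHA, and `npm run knip` runs after `npm run build`. Pinning knip itself in package-lock.json is what makes `npm run knip` a pinned invocation; the workflow check above only guards the action references and the step ordering.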

References
