Dependency hardening for npm applications

Dependency pruning for JavaScript and TypeScript products.

Keep only the dependency code your app actually uses, validate it against your test suite, and ship a reusable hardened artifact.

retained surface: full dependency files, exports, branches
live surface: used call chains
validated artifact: tests pass, report saved
fingerprint: dependency + usage
validation target: test suite
output: artifact + report

Problem

Lockfiles do not tell you what dependency code executes.

Modern npm products retain large dependency trees, including files and functions the application never reaches. Every retained path is still review burden and potential supply-chain attack surface.

Audits find known vulnerabilities, lockfiles pin versions, and tree shaking helps bundle output. None of those prove which dependency source is live for your product or whether a pruned dependency still behaves correctly.

How it works

Analyze usage, prune conservatively, validate with real tests.

  1. Inventory dependencies and usage.

     Record versions, imports, reachable modules, and usage signals.

  2. Extract source into a controlled workspace.

     Operate on copied dependency source instead of the target checkout.

  3. Prune unused files and functions conservatively.

     Candidate removals are accepted only when validation supports them.

  4. Validate against the target test suite.

     Rejected removals are restored and recorded with failure evidence.

  5. Publish reports and reusable artifacts.

     Release workflows consume artifacts while audit workflows inspect reports.

Workflow fit

Do cheap checks often. Re-prune when inputs change.

normal PR

Check dependency versions and import or usage fingerprints.

changed input

Run full or incremental pruning for affected dependencies.

CI gate

Validate the generated workspace before adopting artifacts.

release

Build against validated pruned artifacts with report evidence.

Evidence and reports

Reports describe what changed and why it was accepted.

Expected report fields

  • Dependencies analyzed
  • Attack-surface reduction summary
  • Accepted and rejected pruning decisions
  • Validation status and command evidence
  • Artifact fingerprint
  • Dependency update impact classification

chainstrip summarize --report-dir reports/app

dependency      retained surface      validation
@scope/ui       changed               passed
date-fns        reduced               passed
axios           unchanged             reused

artifact fingerprint: dep+usage:8f31...

Adoption modes

Start with reports, then decide where enforcement belongs.

Audit mode

Generate reports only. No build changes and no release dependency on artifacts.

CI validation mode

Test pruned dependencies when dependency or usage fingerprints change.

Enforcement mode

Release builds consume validated artifacts with provenance and review evidence.

Waitlist

Get notified when ChainStrip is ready for public use.