Phantom Dependency

Packages in node_modules but missing from package.json

warning | Security | phantom-dependency

Why this matters

A package that works locally because another dependency installed it will break in CI/CD or on a fresh install. Worse, if the transitive dependency changes, your code breaks silently.

Bad

// Works locally, but 'lodash' isn't in package.json
// It's only there because another package depends on it
import { debounce } from "lodash";

Good

// Explicitly listed in package.json dependencies
// npm install lodash @types/lodash
import { debounce } from "lodash";

How to fix

Run npm install <package> for every package your code imports directly, then check that each one appears in your package.json dependencies (not just in node_modules).
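One way to run that check automatically, as an added example that is not part of the original rule page or the tool's own implementation: it extracts bare import specifiers from source text and reports those package.json does not declare. The regex is a heuristic rather than a full parser, the built-in list is abbreviated, the sample manifest and source are constructed, and counting every dependency field as "declared" is an assumption.

```javascript
// Abbreviated list of Node.js built-ins (assumption: extend for real projects).
const BUILTINS = new Set(["assert", "child_process", "crypto", "events", "fs",
  "http", "https", "os", "path", "stream", "url", "util"]);

// "lodash/merge" -> "lodash"; "@scope/pkg/sub" -> "@scope/pkg"
function packageName(specifier) {
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Collect package names from static imports, export-from, require() and import().
function importedPackages(source) {
  const re = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)["']([^"']+)["']/g;
  const names = new Set();
  for (const [, spec] of source.matchAll(re)) {
    // Relative paths, absolute paths and node: built-ins are not packages.
    if (spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("node:")) continue;
    const name = packageName(spec);
    if (!BUILTINS.has(name)) names.add(name);
  }
  return names;
}

// Return imported packages that no dependency field of the manifest declares.
function findPhantomDependencies(source, manifest) {
  const fields = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
  const declared = new Set(fields.flatMap((f) => Object.keys(manifest[f] || {})));
  return [...importedPackages(source)].filter((n) => !declared.has(n)).sort();
}

// Constructed sample manifest and source file.
const samplePackageJson = {
  dependencies: { express: "^4.18.0" },
  devDependencies: { "@types/node": "^20.0.0" },
};
const sampleSource = `
import express from "express";
import { debounce } from "lodash";
import merge from "lodash/merge";
import { readFile } from "node:fs/promises";
const path = require("path");
const parser = require("@babel/parser");
import { helper } from "./helper";
import "reflect-metadata";
`;
console.log(findPhantomDependencies(sampleSource, samplePackageJson));
```

In a real project, feed it the parsed package.json and the contents of each source file, and fail the build when the returned list is not empty.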
