pnpm Dependency Analysis Skill (Fusion Framework)
Helps answer:
- Where is PACKAGE used (direct & transitive)?
- What real versions are resolved across workspaces?
- Which workspaces depend on each other (forward/reverse graph)?
- What's the blast radius / risk level for an upgrade or patch?
All commands run from the root of the repository. Replace PACKAGE with the real name (e.g., lodash, zod, @tanstack/react-query, eslint).
- Core: Where is this package used?
Direct usages only (fastest & cleanest)
pnpm why PACKAGE --recursive --depth=0
Shows only workspaces that list PACKAGE in dependencies, devDependencies, peerDependencies, or optionalDependencies.
Full dependency tree (transitive paths)
pnpm why PACKAGE --recursive --long
Shows how PACKAGE gets pulled in indirectly through other dependencies.
Resolved versions per workspace (critical for upgrades)
pnpm why PACKAGE --recursive --json \
  | jq -r '.[] | "\(.workspace)\t→ \(.version)\t\(.dependencyType // "unknown")\t\(.from // "-")"'
Why this matters:
- See all versions resolved across workspaces (handles overrides, workspace:*, catalog)
- Identify version inconsistencies or conflicts
- Understand if workspace protocol controls the version
- Workspace → Workspace Dependency Graph
Which workspaces depend on each other (direct only)
pnpm recursive list --depth=0 --json --only-projects \
  | jq 'to_entries[]
      | {from: (.value.name // .key), to: ((.value.dependencies // {} | keys) + (.value.devDependencies // {} | keys) + (.value.peerDependencies // {} | keys))}
      | select(.to | length > 0)'
Shows the project-level dependency structure (e.g., which @equinor/fusion-framework-* packages depend on others).
Generate Mermaid-compatible edges (paste into GitHub PR/comments)
pnpm -r exec -- jq -r 'select(.dependencies != null or .devDependencies != null or .peerDependencies != null) | .name as $self | (.dependencies // {} | keys) + (.devDependencies // {} | keys) + (.peerDependencies // {} | keys) | .[] as $dep | "\($self) --> \($dep)"' package.json | sort | uniq
Example Mermaid output (copy the edges into a code block with ```mermaid):
graph LR
  @equinor/fusion-framework-cli --> @equinor/fusion-framework-utils
  @equinor/fusion-framework-react --> @equinor/fusion-framework-core
  @equinor/fusion-framework-react --> @equinor/fusion-framework-utils
Paste into GitHub issue, PR description, or mermaid.live for interactive view.
- One-liner investigation report
PACKAGE=some-package
echo "=== Direct usages ==="
pnpm why "$PACKAGE" --recursive --depth=0
echo -e "\n=== Resolved versions ==="
pnpm why "$PACKAGE" --recursive --json \
  | jq -r '.[] | "\(.workspace)\t→ \(.version)\t\(.dependencyType)"'
echo -e "\n=== package.json mentions ==="
# Only look at manifests, and skip installed copies under node_modules
grep -rl --include=package.json --exclude-dir=node_modules "$PACKAGE" packages/ apps/ || echo "None"
echo -e "\n=== Config/tooling mentions (eslint/vite/vitest/storybook/etc) ==="
find . -type f \( -name 'eslint.*' -o -name 'vite.*' -o -name 'vitest.*' \
  -o -name 'playwright.*' -o -name 'storybook.*' -o -name 'tsconfig.json' \
  -o -name 'next.config.*' \) \
  -exec grep -l "$PACKAGE" {} \; | grep -vE 'node_modules|dist|build|\.turbo|\.cache' || echo "None"
Produces a clean summary of where the package appears across the monorepo.
- Risk / Blast Radius Reference Table
| Indicator | Risk Level | Notes |
| --- | --- | --- |
| 1–2 workspaces only | Low | Limited scope |
| ≥ 6–8 workspaces | High | Widespread impact |
| Only in devDependencies | Lower | Unless tooling: eslint, typescript, vite, vitest, jest, rollup, playwright, storybook |
| Uses workspace:* or workspace:^x.y.z | Very Low | Controlled at workspace root |
| Many different resolved versions | Medium | May need pnpm.overrides or .npmrc resolutions |
| Hub node (many packages → it) | High | Core shared dependency |
| Deep/long chains in pnpm why | Medium–High | Transitive dependency risks |
| Appears in multiple config files | Medium | Tooling change affects lint/format/build |
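The workspace-count, devDependencies and workspace-protocol rows of the table can be computed from the workspace manifests by walking the reverse dependency graph; the following is an added example, not code from the Fusion Framework repository. It assumes the workspace count means every workspace that reaches the package directly or through other workspaces, takes 6 as the High threshold, and uses hypothetical `@example/*` manifests in place of real `package.json` files.

```javascript
// Added example (not Fusion Framework code). MANIFESTS is constructed sample data
// shaped like the package.json of each workspace; all @example/* names are hypothetical.
const MANIFESTS = [
  { name: '@example/core', dependencies: { zod: '^3.22.0' } },
  { name: '@example/utils', dependencies: { '@example/core': 'workspace:*' } },
  { name: '@example/react',
    dependencies: { '@example/core': 'workspace:^', '@example/utils': 'workspace:^' } },
  { name: '@example/cli', dependencies: { '@example/utils': 'workspace:^' },
    devDependencies: { vitest: '^1.6.0' } },
  { name: '@example/docs', devDependencies: { vitest: '^1.6.0', zod: '^3.21.0' } },
];
const FIELDS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];
// Tooling names copied from the "Only in devDependencies" row of the table.
const TOOLING = new Set(['eslint', 'typescript', 'vite', 'vitest', 'jest', 'rollup',
  'playwright', 'storybook']);

function blastRadius(manifests, pkg) {
  // Reverse edges: dependency name -> [{ from, field, range }].
  const reverse = new Map();
  for (const m of manifests) {
    for (const field of FIELDS) {
      for (const [dep, range] of Object.entries(m[field] ?? {})) {
        if (!reverse.has(dep)) reverse.set(dep, []);
        reverse.get(dep).push({ from: m.name, field, range });
      }
    }
  }
  const direct = reverse.get(pkg) ?? [];
  // Breadth-first walk over reverse edges: every workspace that reaches pkg,
  // directly or through other workspaces. The visited set also stops cycles.
  const affected = new Set();
  const queue = [pkg];
  while (queue.length > 0) {
    for (const { from } of reverse.get(queue.shift()) ?? []) {
      if (!affected.has(from)) { affected.add(from); queue.push(from); }
    }
  }
  const n = affected.size;
  return {
    direct: direct.map((e) => e.from).sort(),
    affected: [...affected].sort(),
    // Table thresholds; it gives no level for 3-5 workspaces, so that band is null.
    sizeRisk: n >= 6 ? 'High' : n >= 1 && n <= 2 ? 'Low' : null,
    devOnly: direct.length > 0 && direct.every((e) => e.field === 'devDependencies'),
    tooling: TOOLING.has(pkg),
    workspaceProtocol: direct.length > 0 && direct.every((e) => e.range.startsWith('workspace:')),
    ranges: [...new Set(direct.map((e) => e.range))].sort(), // declared, not resolved
  };
}

console.log(blastRadius(MANIFESTS, 'zod'));
```

In the sample, zod is declared by only two workspaces but reaches five through workspace-to-workspace edges, which is the gap between a `--depth=0` listing and the real blast radius.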
- Narrowing search with --filter
Scope down large investigations by focusing on specific package groups:
Only check /packages/* (not cookbooks, etc)
pnpm why PACKAGE --recursive --filter="./packages/*"
Only check /apps/*
pnpm why PACKAGE --recursive --filter="./apps/*"
Only check React packages
pnpm why PACKAGE --recursive --filter="@equinor/fusion-framework-react"
Tips & Notes
- Prerequisites: jq (recommended, for JSON parsing). Built-in tools (grep, find) are used for file searches.
- Faster searches: Install rg (ripgrep) to speed up searches: brew install ripgrep (optional, not required)
- Mermaid visualization: If you have many edges, ask Copilot to clean up the output or use mermaid.live with an interactive filter
- Interactive workspace graph: pnpm install -g pnpm-workspace-graph → run pnpm-workspace-graph to open an interactive browser view
- For Dependabot PRs: Run this skill before merging to gauge impact and gather context for your review
- Pair with other skills: Combine with security-audit, changelog-lookup, or version-compatibility checks for full triage
Common Dependabot Scenarios
"Should I merge this React upgrade?"
- Run: pnpm why react --recursive --depth=0
- Check if versions are consistent across workspaces
- Look at packages/react/ CHANGELOG for breaking changes
- If only in devDependencies or 1–2 packages, lower risk
"Can I upgrade this shared utility?"
- Run: pnpm why @equinor/fusion-framework-utils --recursive
- Count affected workspaces
- Check if workspace protocol is used (workspace:*)
- If yes and ≤3 packages depend on it: safe
- If no and >5 packages: run tests before merge
"What about this obscure transitive dep?"
- Run: pnpm why some-obscure-package --recursive --long
- Look at the .from field to see which package pulled it in
- Check if it appears in only one place in the tree
- If it's behind a single package, upgrading that package is safe
For questions or improvements: Refer to pnpm docs or the Fusion Framework contributing guide.