Keeping Production Dependencies Lean — DEP-11 Audit
Release: v1.0.389
Control: DEP-11 — Minimal Dependency Count
Why Dependency Count Matters
Every package added to a project's production dependency tree carries real costs: increased bundle size, a wider attack surface, more transitive packages to audit, and a higher maintenance burden when upstream packages release breaking changes or security patches.
For a platform handling sensitive HMRC OAuth credentials and encrypted financial data, keeping the production dependency footprint as small as possible is not just good hygiene — it is a security and compliance consideration in its own right.
The DEP-11 Finding
Our latest dependency audit (control DEP-11) found the project sitting at 31 production dependencies, just one over the target threshold of 30.
The good news: the dependency set is otherwise purposeful and well-curated. There are no gratuitous utility libraries, no duplicate functionality across packages, and no obviously redundant inclusions. The overage comes from a single misplaced package.
The Culprit: @types/qrcode in dependencies
@types/qrcode is a TypeScript type-definition package. Type packages exist solely to give the TypeScript compiler information about a library's public API at build time. The compiler erases type information when it emits JavaScript, so nothing from a type package ends up in the compiled output and it has zero runtime presence in a deployed application.
Placing @types/qrcode under dependencies instead of devDependencies in package.json means it is:
- Installed in production environments unnecessarily
- Counted against the production dependency total
- Included in production node_modules audits and supply-chain scans
Moving it to devDependencies is a one-line change that immediately brings the production dependency count down to 30, meeting the DEP-11 threshold. This fix is also tracked under the related DEP-17 finding.
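To make the DEP-11 check concrete, here is an added example (not the project's own audit tooling) that counts production dependencies in a package.json object, flags @types/* packages misplaced under dependencies, and shows the count before and after moving them to devDependencies. The sample package.json, its version strings and the threshold of 3 are constructed for illustration.

```javascript
// Added example, not the project's own tooling: a DEP-11 style check that
// counts production dependencies and flags misplaced @types/* packages.
const DEP11_THRESHOLD = 30; // target stated in the audit

function auditProductionDependencies(pkg, threshold = DEP11_THRESHOLD) {
  const deps = Object.keys(pkg.dependencies || {});
  // Type-definition packages have no runtime presence, so they are
  // misplaced whenever they appear under dependencies.
  const misplacedTypes = deps.filter((name) => name.startsWith("@types/"));
  const count = deps.length;
  const correctedCount = count - misplacedTypes.length;
  return {
    count,
    misplacedTypes,
    correctedCount,
    passes: count <= threshold,
    passesAfterFix: correctedCount <= threshold,
  };
}

// Return a new package.json object with every @types/* entry moved from
// dependencies to devDependencies (the input object is left unchanged).
function moveTypesToDev(pkg) {
  const dependencies = { ...(pkg.dependencies || {}) };
  const devDependencies = { ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(dependencies)) {
    if (name.startsWith("@types/")) {
      devDependencies[name] = dependencies[name];
      delete dependencies[name];
    }
  }
  return { ...pkg, dependencies, devDependencies };
}

// Constructed sample (hypothetical versions): one misplaced type package and
// a threshold of 3, so the one-over-target situation from the audit is visible.
const samplePkg = {
  name: "sample-app",
  dependencies: { "date-fns": "^3.0.0", zod: "^3.22.0", qrcode: "^1.5.0", "@types/qrcode": "^1.5.5" },
  devDependencies: { typescript: "^5.4.0" },
};

function runSample() {
  const before = auditProductionDependencies(samplePkg, 3);
  const after = auditProductionDependencies(moveTypesToDev(samplePkg), 3);
  return { before, after };
}
```

Running the same function over the real package.json with the default threshold of 30 reproduces the audit's count.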
Preventing Future Creep
Beyond fixing the immediate misplacement, the audit recommends a lightweight evaluation process before any new dependency is introduced:
| Need | Already-present package to consider first |
|---|---|
| Date and time manipulation | date-fns |
| Schema validation / data parsing | zod |
For any other new utility need, the question to ask is: can an existing package already in the tree serve this purpose? Only if the answer is clearly no should a new dependency be added.
What Has Not Changed
This audit release contains no changes to application behaviour. All HMRC submission flows, bank feed imports, OAuth connections, quarterly submission lifecycle management, and encrypted credential storage continue to function identically. This is a dependency hygiene milestone only.
Next Steps
- Move @types/qrcode from dependencies to devDependencies in package.json (tracked: DEP-17)
- Re-run the DEP-11 control to confirm the count reaches ≤ 30
- Adopt the pre-addition checklist above for all future dependency proposals