传递依赖风险最小化治理（树修剪-可视化-生产精简）最佳实践

核心要点按环境与白名单修剪依赖树，移除开发与未使用依赖。输出精简清单与差异；对关键路径依赖保留证据链。实现示例type Node = { name: string; version: string; deps: string[]; dev?: boolean; optional?: boolean } function semverValid(v: string): boolean { return /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?$/.test(v) } function buildGraph(nodes: Node[]): Map<string, Node> { const m = new Map<string, Node>() for (const n of nodes) m.set(`${n.name}@${n.version}`, n) return m } function prune(graph: Map<string, Node>, allow: Set<string>, env: 'prod' | 'dev'): Set<string> { const keep = new Set<string>() const stack: string[] = Array.from(allow) while (stack.length) { const key = stack.pop() as string if (keep.has(key)) continue const n = graph.get(key) if (!n || !semverValid(n.version)) continue if (env === 'prod' && (n.dev || n.optional)) continue keep.add(key) for (const d of n.deps) stack.push(d) } return keep } function diff(all: Map<string, Node>, kept: Set<string>): { removed: string[]; kept: string[] } { const removed: string[] = [] const keptArr: string[] = [] for (const k of all.keys()) { if (kept.has(k)) keptArr.push(k) else removed.push(k) } return { removed, kept: keptArr } } 审计与CI门禁记录修剪前后差异与关键路径；生产构建仅加载保留清单。关键依赖变更需审批与回归校验；异常检出阻断并输出证据。