Difficulty

Intermediate

Read Time

8 min

Avoid Cross Module Dependencies with Dependency Cruiser

By Codcompass Team·2026-05-25·8 min read

Current Situation Analysis

Modern JavaScript and TypeScript ecosystems thrive on modularity, but modularity degrades predictably as codebases scale. The industry pain point isn't a lack of architectural patterns; it's the absence of automated enforcement mechanisms. Teams adopt layered designs, domain-driven boundaries, or feature-sliced architectures during initial planning, yet these structures routinely collapse under the weight of incremental feature development.

The degradation is rarely intentional. It happens silently through pragmatic shortcuts: a developer imports a utility from a sibling feature to ship faster, a UI component reaches into a data-fetching layer to avoid prop drilling, or a shared helpers directory absorbs cross-cutting concerns until it becomes a coupling hotspot. Without structural validation, these violations accumulate as technical debt that compounds with every sprint.

The problem is systematically overlooked because traditional tooling focuses on syntax, runtime behavior, or test coverage. Linters catch style violations. Unit tests verify logic. Integration tests validate API contracts. None of these tools inspect the import graph itself. Circular dependencies, for example, often pass all tests until a specific module initialization order triggers a runtime undefined reference. Layer violations rarely break the application immediately; they simply increase cognitive load and slow down refactoring cycles.

Empirical observations from large-scale frontend and backend projects show a consistent pattern: after approximately six to nine months of active development, unmonitored codebases exhibit exponential growth in cross-layer imports and circular references. Shared directories typically accumulate 40-60% of all project imports, becoming architectural bottlenecks. Teams that rely solely on code review to catch structural violations experience inconsistent enforcement, as reviewers prioritize functional correctness over import topology. Automated dependency analysis bridges this gap by treating architecture as a first-class concern, validated continuously rather than inspected sporadically.

WOW Moment: Key Findings

The shift from manual architectural oversight to automated dependency validation produces measurable improvements in codebase health and team velocity. The following comparison illustrates the operational difference between traditional code review and automated structural cruising:

Approach	Detection Latency	Coverage Scope	Enforcement Consistency	Scalability Threshold
Manual PR Review	Days to weeks	Subjective, reviewer-dependent	High variance across team members	Degrades sharply past ~50k LOC
Automated Dependency Cruising	Seconds (per commit/PR)	100% of import paths	Deterministic, rule-driven	Linear scaling with project size

This finding matters because it transforms architecture from a philosophical guideline into a verifiable contract. When structural rules are codified and executed in continuous integration, teams eliminate guesswork. Pull requests either comply with the defined topology or fail automatically. This enables:

Predictable refactoring cycles: Developers know exactly which boundaries are immutable before touching legacy code.
Reduced cognitive overhead: New team members onboard faster when import rules are explicit and enforced.
Early debt detection: Circular references and layer violations are caught at merge time, not during production incidents.

Architectural versioning*: Rule sets can evolve alongside the product, with historical violations tracked and remediated systematically.

The tooling ecosystem now supports this shift natively. dependency-cruiser provides the scanning engine, rule evaluation, and visualization pipeline required to operationalize architectural governance without custom tooling development.

Core Solution

Implementing automated dependency validation requires a structured approach: installation, baseline scanning, rule definition, visualization integration, and CI enforcement. Each step builds upon the previous one, ensuring the configuration remains maintainable and aligned with actual project topology.

Step 1: Installation and Baseline Scan

Begin by installing the package as a development dependency. The tool operates independently of bundlers or frameworks, making it universally applicable across Node.js, React, Vue, Angular, and TypeScript monorepos.

npm install --save-dev dependency-cruiser

Run an initial scan against your source directory to establish a baseline. This reveals the current state of your import graph without enforcing any constraints.

npx depcruise src --output-type json > .dep-cruise-baseline.json

The JSON output contains every resolved module, its dependencies, and dependency types. Review this file to identify existing circular references, heavily coupled directories, and unused modules before writing rules.

Step 2: Defining Structural Constraints

Rules are declared in a configuration file. The schema uses a forbidden array where each entry specifies a violation pattern. Below is a production-ready configuration for a TypeScript monorepo with strict layer boundaries. Note the use of workspace aliases, explicit path regexes, and severity levels.

// .dependency-cruiser.js
module.exports = {
  forbidden: [
    {
      name: 'no-circular-imports',
      severity: 'error',
      from: {},
      to: {
        circular: true
      }
    },
    {
      name: 'ui-must-not-import-data-layer',
      severity: 'error',
      from: {
        path: '^src/(ui|components|pages)'
      },
      to: {
        path: '^src/(data|repositories|api-clients)'
      }
    },
    {
      name: 'core-must-not-import-features',
      severity: 'warn',
      from: {
        path: '^src/core'
      },
      to: {
        path: '^src/features'
      }
    },
    {
      name: 'no-external-deps-in-utils',
      severity: 'error',
      from: {
        path: '^src/utils'
      },
      to: {
        dependencyTypes: ['npm', 'yarn', 'pnpm']
      }
    }
  ],
  options: {
    tsConfig: {
      fileName: 'tsconfig.json'
    },
    doNotFollow: {
      path: 'node_modules'
    },
    detectiveOptions: {
      ts: {
        detectImports: true,
        includeDynamic: false
      }
    }
  }
};

Architecture Rationale:

no-circular-imports is set to error because circular references break module initialization order and cause unpredictable runtime behavior.
ui-must-not-import-data-layer enforces unidirectional data flow. UI components should receive data through props or state management, not direct API calls.
core-must-not-import-features uses warn severity during transition periods. Core utilities should remain framework-agnostic; feature-specific imports indicate misplaced abstraction.
no-external-deps-in-utils prevents utility directories from becoming dependency sinks. Shared helpers should only depend on other local modules or standard library functions.

Step 3: Visualization Pipeline

Static analysis reveals topology; visualization reveals patterns. Generate a DOT graph and convert it to SVG for architectural review sessions.

npx depcruise src --include-only "^src" --output-type dot | dot -T svg > docs/dependency-graph.svg

For large projects, filter the output to specific subsystems:

npx depcruise src/features --include-only "^src/features" --output-type dot | dot -T svg > docs/features-graph.svg

Visualization serves two purposes: onboarding new developers to the codebase structure, and identifying coupling hotspots before they violate explicit rules.

Step 4: CI/CD Integration

Validation must run in continuous integration to prevent architectural drift. Add a dedicated job that fails the pipeline when rules are violated.

# .github/workflows/architecture-validation.yml
name: Architecture Validation
on: [pull_request]

jobs:
  dependency-cruise:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npx depcruise src --validate .dependency-cruiser.js --config .dependency-cruiser.js

Failing the build on structural violations ensures that architecture is treated with the same rigor as type safety or test coverage.

Pitfall Guide

1. Over-Constraining Early-Stage Projects

Explanation: Applying strict layer boundaries before the architecture stabilizes creates friction. Teams spend more time disabling rules than shipping features. Fix: Start with circular: true detection only. Introduce layer rules incrementally as domain boundaries solidify. Use warn severity during transition phases.

2. Ignoring Bundler Path Aliases

Explanation: dependency-cruiser resolves imports using Node.js module resolution by default. Vite, Webpack, and TypeScript path aliases (@app/core) will fail to resolve without explicit configuration. Fix: Always provide tsConfig.fileName in the options block. For Webpack-specific aliases, use the webpackConfig.fileName option or map aliases manually in the options.alias array.

3. Treating Shared Directories as Free-For-Alls

Explanation: /utils, /helpers, and /shared directories naturally attract cross-cutting imports. Without constraints, they become architectural dumping grounds that increase coupling. Fix: Enforce a rule that shared modules cannot import from feature-specific directories. Consider splitting monolithic shared folders into domain-scoped utilities (/utils/date, /utils/formatting).

4. Running Validation Only Locally

Explanation: Local pre-commit hooks catch violations for the author but miss contributions from other team members or automated dependency updates. Fix: Run validation in CI on every pull request. Use pre-commit hooks only for fast feedback; treat CI as the source of truth.

5. Misconfiguring Dynamic Import Handling

Explanation: Dynamic import() statements are often used for code splitting. If the tool attempts to statically analyze them as hard dependencies, it may report false circular references. Fix: Set detectiveOptions.ts.includeDynamic: false unless you specifically need to track dynamic import boundaries. Document this decision in the config comments.

6. Neglecting Unused Module Detection

Explanation: Dead code accumulates silently. Unused modules increase bundle size and confuse developers about active architecture boundaries. Fix: Enable options.reportUnused or run npx depcruise src --output-type err-long to surface orphaned files. Schedule quarterly cleanup sprints to remove them.

7. Hardcoding Absolute Paths Instead of Workspace Patterns

Explanation: Monorepos with multiple packages require relative path matching that adapts to package boundaries. Hardcoded ^src/ patterns break when scanning individual workspaces. Fix: Use workspace-aware regex patterns or run the cruiser per-package with --include-only scoped to each workspace root. Leverage dependency-cruiser's monorepo plugin if applicable.

Production Bundle

Action Checklist

Install dependency-cruiser as a dev dependency and run a baseline JSON scan
Configure TypeScript path alias resolution in the options block
Implement circular dependency detection as the first enforced rule
Define layer boundary rules using path regex matching
Generate SVG dependency graphs for architectural documentation
Add validation step to CI pipeline with fail-fast behavior
Schedule quarterly unused module cleanup based on cruiser reports
Document rule rationale in config comments for team alignment

Decision Matrix

Scenario	Recommended Approach	Why	Cost Impact
Startup MVP (< 3 months)	Circular detection only	Minimizes friction while preventing runtime initialization failures	Low setup cost, high stability gain
Mid-size team (5-15 devs)	Layer boundaries + circular rules	Enforces separation of concerns across parallel feature development	Moderate config overhead, reduced merge conflicts
Enterprise monorepo	Workspace-scoped rules + unused module detection	Prevents cross-package coupling and bundle bloat	Higher initial config, significant long-term maintenance savings
Legacy codebase migration	Warn severity + gradual enforcement	Allows incremental refactoring without blocking releases	Zero deployment delay, predictable debt reduction

Configuration Template

// .dependency-cruiser.js
module.exports = {
  forbidden: [
    {
      name: 'no-circular',
      severity: 'error',
      from: {},
      to: { circular: true }
    },
    {
      name: 'enforce-unidirectional-data-flow',
      severity: 'error',
      from: { path: '^src/(ui|views|components)' },
      to: { path: '^src/(data|services|repositories)' }
    },
    {
      name: 'protect-core-abstractions',
      severity: 'warn',
      from: { path: '^src/core' },
      to: { path: '^src/(features|modules)' }
    },
    {
      name: 'isolate-shared-utilities',
      severity: 'error',
      from: { path: '^src/shared' },
      to: { dependencyTypes: ['npm', 'yarn', 'pnpm'] }
    }
  ],
  options: {
    tsConfig: { fileName: 'tsconfig.json' },
    doNotFollow: { path: 'node_modules' },
    detectiveOptions: {
      ts: { detectImports: true, includeDynamic: false }
    },
    reporterOptions: {
      dot: {
        theme: {
          graph: { rankdir: 'TB' },
          node: { fontsize: 11 }
        }
      }
    }
  }
};

Quick Start Guide

Initialize: Run npm install --save-dev dependency-cruiser in your project root.
Baseline: Execute npx depcruise src --output-type json > baseline.json to map current imports.
Configure: Copy the configuration template above into .dependency-cruiser.js and adjust path regexes to match your directory structure.
Validate: Run npx depcruise src --validate .dependency-cruiser.js locally to verify rule behavior.
Automate: Add the validation command to your CI pipeline and commit the configuration file. Architecture governance is now active.

🎉 Mid-Year Sale — Unlock Full Article

Base plan from just $4.99/mo or $49/yr

7-day free trial · Cancel anytime · 30-day money-back