Dependency directory committed
Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
node_modules/ or a Python virtualenv was found tracked in the repo, bloating history and risking leaked local paths/secrets.
Why it matters
A committed node_modules or virtualenv adds tens of thousands of files and often hundreds of megabytes to the repo, slowing every clone, diff, and CI checkout. Virtualenvs also embed machine-specific paths and sometimes credentials picked up at install time, and the committed copy silently drifts from the lockfile. The package manager can recreate the install from the lockfile at any time, so git gains nothing by carrying it.
How to fix it
Untrack the directory with git rm -r --cached node_modules (or venv/.venv), add it to .gitignore, and commit. Fresh checkouts then install via npm ci or pip install -r requirements.txt against the pinned versions. If repo size matters, note the blobs remain in history; rewriting with git filter-repo on a coordinated push is the cleanup path.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo