<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Vishal Kelur</title>
    <description>The latest articles on DEV Community by Vishal Kelur (@creatovatic).</description>
    <link>https://dev.to/creatovatic</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3998427%2Fb3fc0b3a-1a16-40c9-8aab-3dc03cc6611d.jpg</url>
      <title>DEV Community: Vishal Kelur</title>
      <link>https://dev.to/creatovatic</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/creatovatic"/>
    <language>en</language>
    <item>
      <title>I Tested My Static Analysis Tool Against 4 Real Open-Source Repos. Here's What It Got Wrong.</title>
      <dc:creator>Vishal Kelur</dc:creator>
      <pubDate>Sun, 12 Jul 2026 12:06:07 +0000</pubDate>
      <link>https://dev.to/creatovatic/i-tested-my-static-analysis-tool-against-4-real-open-source-repos-heres-what-it-got-wrong-2464</link>
      <guid>https://dev.to/creatovatic/i-tested-my-static-analysis-tool-against-4-real-open-source-repos-heres-what-it-got-wrong-2464</guid>
      <description>&lt;p&gt;I've been building &lt;a href="https://archsetu.com" rel="noopener noreferrer"&gt;ArchSetu&lt;/a&gt;, a static analysis tool that finds dead code, undeclared dependencies, and risky code paths, fully offline, no AI involved, deterministic output every time.&lt;/p&gt;

&lt;p&gt;Before launch, I wanted real proof it worked, not just tests I wrote myself. So I ran it against four real, actively maintained open-source repos, each with roughly 5,000 GitHub stars, and treated every finding as a hypothesis to verify, not a fact to trust.&lt;/p&gt;

&lt;p&gt;Here's what happened.&lt;/p&gt;

&lt;h2&gt;
  
  
  The first result was wrong, and that was useful
&lt;/h2&gt;

&lt;p&gt;The very first run, against Express.js, flagged the repo D grade, 85% dead code. That's obviously wrong for a framework millions of projects depend on. Digging in, the bug was in how my tool traced re-exports through index files, it lost track of usage across module boundaries. Once fixed, Express scored a B, 0% false dead code, and I added seven regression tests so it can't silently regress again.&lt;/p&gt;

&lt;p&gt;That one bug set the tone for the rest of this testing round: don't trust a scary number, verify it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Testing against four real repos
&lt;/h2&gt;

&lt;p&gt;I picked repos with different shapes on purpose: a monorepo API tool, a Next.js app, a plain library, and a single-maintainer editor.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;stoplightio/prism&lt;/strong&gt; (API mocking, monorepo, ~5k stars)&lt;br&gt;
Dead code: clean, 0 findings.&lt;br&gt;
Dependencies: initially flagged 37 packages as undeclared. All false positives, caused by my tool only checking the root &lt;code&gt;package.json&lt;/code&gt; in a monorepo instead of the actual sub-package that declared them. After fixing that, the list dropped to 6, and manual verification confirmed 5 genuinely undeclared dependencies. I filed &lt;a href="https://github.com/stoplightio/prism/issues/2827" rel="noopener noreferrer"&gt;an issue&lt;/a&gt; with Prism's maintainers for the confirmed ones.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;liam-hq/liam&lt;/strong&gt; (ER diagram generator, Next.js, ~5k stars)&lt;br&gt;
Dead code: initially 21 findings. Several were Next.js framework-reserved exports, like &lt;code&gt;generateMetadata&lt;/code&gt; and &lt;code&gt;ErrorPage&lt;/code&gt;, functions the framework calls implicitly by file location, not something a plain call-graph trace would ever see as "used." My tool didn't know these conventions existed. After building a framework-convention registry, false positives dropped from 5 to 0 for this category.&lt;br&gt;
Dependencies: a separate bug here too, bare imports like &lt;code&gt;@/components/Foo&lt;/code&gt; that resolve through TypeScript path aliases in &lt;code&gt;tsconfig.json&lt;/code&gt;, not real npm packages. My tool was flagging local file references as missing packages. Fixed with proper tsconfig discovery and path resolution.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;gajus/slonik&lt;/strong&gt; (PostgreSQL client library, ~5k stars)&lt;br&gt;
Dead code: 1 finding, a function only called from inside a &lt;code&gt;.test.ts&lt;/code&gt; file via test-runner discovery, not a direct call-graph reference. My tool correctly marked it "unsafe to remove," but that pointed to a broader gap, test-invoked functions have a different risk profile than production code and deserve stricter defaults.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Hufe921/canvas-editor&lt;/strong&gt; (canvas/SVG editor, single maintainer, ~5k stars)&lt;br&gt;
Dead code: 8 findings, all correctly marked "unsafe to remove." Six were test helper/factory functions, same pattern as slonik. The other two lived in a plugin-registration directory, a pattern my tool doesn't fully recognize yet.&lt;/p&gt;

&lt;h2&gt;
  
  
  What I actually shipped from this
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;A monorepo-aware dependency resolver that checks the nearest relevant &lt;code&gt;package.json&lt;/code&gt;, not just the root&lt;/li&gt;
&lt;li&gt;A framework-convention registry for implicitly-invoked exports (starting with Next.js)&lt;/li&gt;
&lt;li&gt;TypeScript/JS path alias resolution via tsconfig/jsconfig discovery&lt;/li&gt;
&lt;li&gt;Stricter, consistent "unsafe to remove" defaults for anything in test files or test-helper directories&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;All four ship with 76 passing unit tests, 18 of them new.&lt;/p&gt;

&lt;h2&gt;
  
  
  The actual takeaway
&lt;/h2&gt;

&lt;p&gt;Well-maintained real-world repos mostly don't have obvious, confidently-fileable dead code lying around. Most of what looked like findings were actually gaps in my tool's understanding of real-world patterns: monorepos, framework conventions, path aliases, test-runner invocation. Finding and fixing those gaps against real code was worth more than any synthetic test suite I could have written myself.&lt;/p&gt;

&lt;p&gt;If you want to see where this goes next, &lt;a href="https://archsetu.com" rel="noopener noreferrer"&gt;ArchSetu&lt;/a&gt; is close to launch. Feedback on false positives, especially against your own weird real-world codebase, is genuinely the most useful thing you could send me right now at &lt;a href="mailto:archsetu@gmail.com"&gt;archsetu@gmail.com&lt;/a&gt;&lt;/p&gt;

</description>
      <category>javascript</category>
      <category>typescript</category>
      <category>opensource</category>
      <category>webdev</category>
    </item>
    <item>
      <title>I Built a VS Code Extension That Understands Your Codebase Without AI</title>
      <dc:creator>Vishal Kelur</dc:creator>
      <pubDate>Tue, 23 Jun 2026 09:29:30 +0000</pubDate>
      <link>https://dev.to/creatovatic/i-built-a-vs-code-extension-that-understands-your-codebase-without-ai-1f53</link>
      <guid>https://dev.to/creatovatic/i-built-a-vs-code-extension-that-understands-your-codebase-without-ai-1f53</guid>
      <description>&lt;p&gt;A few months ago, I kept running into the same wall: opening an unfamiliar codebase — sometimes my own, six months later — and freezing. Where does this app even start? If I touch this function, what breaks? Is this code even still used?&lt;br&gt;
I couldn't find a tool that answered this deterministically. So I built one.&lt;br&gt;
ArchSetu&lt;br&gt;
It's a VS Code extension that does static analysis on JavaScript/TypeScript projects — no AI, no API keys, no internet connection required. Everything runs locally, on your machine, instantly.&lt;br&gt;
What it actually does:&lt;/p&gt;

&lt;p&gt;Cross-file call graphs — see how every function connects across your entire project&lt;br&gt;
Blast radius analysis — know exactly what breaks before you change a function&lt;br&gt;
Dead code finder — functions defined but never called anywhere&lt;br&gt;
Entry point detection — every route, export, and event listener, so you know where the app starts&lt;br&gt;
Codebase health dashboard — complexity hotspots, largest files, coupling, all in one view&lt;/p&gt;

&lt;p&gt;Why not just use Cursor or Copilot?&lt;br&gt;
Those tools are excellent at writing new code. They're not built to deterministically map what already exists — and on large codebases, they hit context/token limits that static analysis doesn't.&lt;br&gt;
ArchSetu isn't trying to replace AI coding assistants. It's meant to sit alongside them — run it before you accept a big AI-generated diff, and you know exactly what it touches before you merge.&lt;br&gt;
Where it's at right now&lt;br&gt;
Very early — just published, free, looking for honest feedback from real projects. If you try it on something real and it breaks, confuses you, or misses something, &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fk7wpu0loknx4pzxexjyg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fk7wpu0loknx4pzxexjyg.png" alt="Archsetu VS Code Extension" width="800" height="474"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I'd genuinely like to know.&lt;br&gt;
&lt;a href="https://marketplace.visualstudio.com/items?itemName=Archsetu.archsetu" rel="noopener noreferrer"&gt;https://marketplace.visualstudio.com/items?itemName=Archsetu.archsetu&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;Feedback form if you have 2 minutes: &lt;a href="https://docs.google.com/forms/d/e/1FAIpQLScRu1HXFj-WuV7qTkNq22A2Yi28JtQJ7RdJjMICktGUJD22Nw/viewform" rel="noopener noreferrer"&gt;https://docs.google.com/forms/d/e/1FAIpQLScRu1HXFj-WuV7qTkNq22A2Yi28JtQJ7RdJjMICktGUJD22Nw/viewform&lt;/a&gt;&lt;/p&gt;

</description>
      <category>vscode</category>
      <category>javascript</category>
      <category>archsetu</category>
      <category>opensource</category>
    </item>
  </channel>
</rss>
