Cursor sometimes suggests importing packages that are not in your package.json, including private npm packages from other organizations, internal company packages it has seen in training data, or packages that have been deprecated and removed. By referencing your package.json with @file, creating rules that restrict imports to installed packages, and using @codebase to verify imports, you prevent build failures from missing dependencies.
Why Cursor suggests missing packages and how to prevent it
Cursor's training data includes code from thousands of projects with different dependency sets. It can suggest importing packages that are not installed in your project, including private npm packages from other organizations, packages that have been deprecated, or internal utility packages from companies whose code was in the training set. This tutorial teaches you to constrain Cursor's imports to your actual dependency list.
Prerequisites
- Cursor installed with a Node.js project
- A package.json with defined dependencies
- Basic understanding of npm package management
- Familiarity with Cursor Chat (Cmd+L) and project rules
Step-by-step guide
Create an import restriction rule
Create an import restriction rule
Add a project rule that tells Cursor to only import packages listed in your package.json. Reference the package.json file directly so Cursor can verify available packages before suggesting imports.
1---2description: Restrict imports to installed packages3globs: "*.ts,*.tsx,*.js,*.jsx"4alwaysApply: true5---67# Import Rules8- ONLY import packages that are listed in package.json dependencies or devDependencies9- ALWAYS check @package.json before suggesting a new package import10- NEVER import packages from other organizations' private registries11- NEVER import deprecated packages — suggest modern alternatives12- If a needed package is not installed, tell the user to install it first13- Use project-local imports with @/ or relative paths for internal modules1415# When suggesting a new package:16- Verify it exists on npm public registry17- Check that it is actively maintained (updated within 12 months)18- Suggest the install command: npm install <package>Expected result: Cursor only suggests imports from packages listed in your package.json.
Reference package.json in every generation prompt
Reference package.json in every generation prompt
Always include @package.json in your prompts so Cursor sees your exact dependency list. This is the most effective single action for preventing phantom package imports.
1@imports.mdc @package.json23Create a data fetching utility with caching, retry logic,4and request deduplication. Use ONLY packages that are already5installed in this project. If you need a package that is not6in package.json, tell me which one to install instead of importing it.Pro tip: The instruction 'tell me which one to install' changes Cursor's behavior from silently importing missing packages to explicitly requesting installation.
Expected result: Cursor generates code using only installed packages, and explicitly tells you when a new package is needed.
Audit generated imports with Cursor
Audit generated imports with Cursor
After a Composer or Chat session generates multiple files, audit the imports to catch any references to packages not in your dependency list.
1@package.json @codebase23Audit all import statements in the src/ directory.4Compare each imported package against package.json.5List any imports that reference packages NOT in dependencies6or devDependencies. For each missing package, indicate whether:71. It should be installed (npm install command)82. It should be replaced with an installed alternative93. It is a deprecated package that needs a modern replacementExpected result: Cursor lists all imports that reference packages not in package.json with recommended actions.
Create a .cursorignore for node_modules
Create a .cursorignore for node_modules
Ensure node_modules is in .cursorignore so Cursor does not index third-party package code. Without this, Cursor may reference internal files from packages in ways that are not part of the public API.
1# .cursorignore2node_modules/3dist/4build/5.next/6coverage/7*.min.js8*.bundle.jsExpected result: Cursor does not index node_modules, preventing it from suggesting deep imports into package internals.
Handle deprecated package suggestions
Handle deprecated package suggestions
When Cursor suggests a deprecated package, use Chat to find the modern replacement. Cursor can map deprecated packages to their successors when explicitly asked.
1@package.json23Cursor suggested importing from 'request' which is deprecated.4What is the modern replacement? Show me how to achieve the same5functionality using packages already in my package.json.6If no existing package works, suggest the best maintained7alternative to install.Expected result: Cursor suggests using an installed package like axios or node-fetch, or recommends installing a specific modern alternative.
Complete working example
1---2description: Restrict imports to installed packages and project modules3globs: "*.ts,*.tsx,*.js,*.jsx"4alwaysApply: true5---67# Import Rules89## Package Imports:10- ONLY import packages listed in package.json dependencies or devDependencies11- ALWAYS check @package.json before suggesting a new package import12- NEVER import deprecated or unmaintained packages13- NEVER import private/scoped packages from other organizations14- If a package is needed but not installed, SAY SO instead of importing it1516## Project Imports:17- Use @/ path alias for src/ directory imports18- Use relative paths only within the same module19- NEVER import from node_modules subdirectories (no deep imports)20- NEVER import test utilities in production code2122## When a New Package is Needed:23- Verify it exists on the public npm registry24- Check it has been updated within the last 12 months25- Prefer packages with TypeScript types included26- Show the install command: npm install <package>27- Show the types install if separate: npm install -D @types/<package>2829## Common Deprecated Packages to Avoid:30- request -> use axios or node-fetch31- moment -> use date-fns or dayjs32- lodash (full) -> use lodash-es or individual imports33- express-validator -> use zod34- passport (consider) -> use @auth/core or luciaCommon mistakes
Why it's a problem: Not referencing package.json in prompts
How to avoid: Add @package.json to every prompt that involves generating new code with imports.
Why it's a problem: Accepting deep imports into package internals
How to avoid: Add a rule: NEVER import from package subdirectories. Use only the documented public API imports.
Why it's a problem: Not running npm install after accepting Cursor's suggestion to add a package
How to avoid: Always check for new imports after a Cursor session and run npm install for any new dependencies before testing.
Best practices
- Reference @package.json in every code generation prompt
- Add .cursorignore for node_modules to prevent deep package indexing
- Audit imports after every major Cursor generation session
- Create an imports rule that restricts to installed packages
- Ask Cursor to identify needed packages instead of silently importing them
- Keep a list of deprecated packages and their replacements in your rules
- Run the build after accepting Cursor code to catch import errors immediately
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
Review these import statements and check each package against my package.json. For any missing packages, tell me whether to install them or suggest an alternative that is already installed. Flag any deprecated packages.
@imports.mdc @package.json Generate a file upload utility using ONLY packages from my package.json. If you need a package that is not installed, tell me which one to install and why before using it in the code.
Frequently asked questions
Why does Cursor suggest packages I have never heard of?
Cursor's training data includes code from thousands of projects. It may suggest niche packages, internal company packages, or packages popular in other ecosystems that are not relevant to your project.
Can I make Cursor auto-install missing packages?
In Agent mode with terminal access, Cursor can run npm install. However, it is safer to review suggested packages before installing. Add a rule that says ask before installing new packages.
How do I handle monorepo internal packages?
Add your monorepo workspace package names to the rules file. Cursor should know which @company/package names are internal workspace packages versus external npm packages.
What about peerDependencies?
peerDependencies are available at runtime but not in your direct dependencies. Mention them in your rules if Cursor should be allowed to import from them.
Does this affect TypeScript auto-imports?
TypeScript's built-in auto-import only suggests from installed packages. This issue is specific to Cursor's AI-generated imports which can hallucinate packages not in your project.
Can RapidDev help manage project dependencies?
Yes. RapidDev conducts dependency audits, identifies deprecated packages, and configures Cursor rules and automated tooling to keep your project's dependency graph healthy and secure.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation