# Why Cursor Suggests Missing Packages

- Tool: Cursor
- Difficulty: Beginner
- Time required: 5-10 min
- Compatibility: Cursor Free+, Node.js/JavaScript projects
- Last updated: March 2026

## TL;DR

Cursor sometimes suggests importing packages that are not in your package.json, including private npm packages from other organizations, internal company packages it has seen in training data, or packages that have been deprecated and removed. By referencing your package.json with @file, creating rules that restrict imports to installed packages, and using @codebase to verify imports, you prevent build failures from missing dependencies.

## Why Cursor suggests missing packages and how to prevent it

Cursor's training data includes code from thousands of projects with different dependency sets. It can suggest importing packages that are not installed in your project, including private npm packages from other organizations, packages that have been deprecated, or internal utility packages from companies whose code was in the training set. This tutorial teaches you to constrain Cursor's imports to your actual dependency list.

## Before you start

- Cursor installed with a Node.js project
- A package.json with defined dependencies
- Basic understanding of npm package management
- Familiarity with Cursor Chat (Cmd+L) and project rules

## Step-by-step guide

### 1. Create an import restriction rule

Add a project rule that tells Cursor to only import packages listed in your package.json. Reference the package.json file directly so Cursor can verify available packages before suggesting imports.

```
---
description: Restrict imports to installed packages
globs: "*.ts,*.tsx,*.js,*.jsx"
alwaysApply: true
---

# Import Rules
- ONLY import packages that are listed in package.json dependencies or devDependencies
- ALWAYS check @package.json before suggesting a new package import
- NEVER import packages from other organizations' private registries
- NEVER import deprecated packages — suggest modern alternatives
- If a needed package is not installed, tell the user to install it first
- Use project-local imports with @/ or relative paths for internal modules

# When suggesting a new package:
- Verify it exists on npm public registry
- Check that it is actively maintained (updated within 12 months)
- Suggest the install command: npm install <package>
```

**Expected result:** Cursor only suggests imports from packages listed in your package.json.

### 2. Reference package.json in every generation prompt

Always include @package.json in your prompts so Cursor sees your exact dependency list. This is the most effective single action for preventing phantom package imports.

```
@imports.mdc @package.json

Create a data fetching utility with caching, retry logic,
and request deduplication. Use ONLY packages that are already
installed in this project. If you need a package that is not
in package.json, tell me which one to install instead of importing it.
```

> Pro tip: The instruction 'tell me which one to install' changes Cursor's behavior from silently importing missing packages to explicitly requesting installation.

**Expected result:** Cursor generates code using only installed packages, and explicitly tells you when a new package is needed.

### 3. Audit generated imports with Cursor

After a Composer or Chat session generates multiple files, audit the imports to catch any references to packages not in your dependency list.

```
@package.json @codebase

Audit all import statements in the src/ directory.
Compare each imported package against package.json.
List any imports that reference packages NOT in dependencies
or devDependencies. For each missing package, indicate whether:
1. It should be installed (npm install command)
2. It should be replaced with an installed alternative
3. It is a deprecated package that needs a modern replacement
```

**Expected result:** Cursor lists all imports that reference packages not in package.json with recommended actions.

### 4. Create a .cursorignore for node_modules

Ensure node_modules is in .cursorignore so Cursor does not index third-party package code. Without this, Cursor may reference internal files from packages in ways that are not part of the public API.

```
# .cursorignore
node_modules/
dist/
build/
.next/
coverage/
*.min.js
*.bundle.js
```

**Expected result:** Cursor does not index node_modules, preventing it from suggesting deep imports into package internals.

### 5. Handle deprecated package suggestions

When Cursor suggests a deprecated package, use Chat to find the modern replacement. Cursor can map deprecated packages to their successors when explicitly asked.

```
@package.json

Cursor suggested importing from 'request' which is deprecated.
What is the modern replacement? Show me how to achieve the same
functionality using packages already in my package.json.
If no existing package works, suggest the best maintained
alternative to install.
```

**Expected result:** Cursor suggests using an installed package like axios or node-fetch, or recommends installing a specific modern alternative.

## Complete code example

File: `.cursor/rules/imports.mdc`

```markdown
---
description: Restrict imports to installed packages and project modules
globs: "*.ts,*.tsx,*.js,*.jsx"
alwaysApply: true
---

# Import Rules

## Package Imports:
- ONLY import packages listed in package.json dependencies or devDependencies
- ALWAYS check @package.json before suggesting a new package import
- NEVER import deprecated or unmaintained packages
- NEVER import private/scoped packages from other organizations
- If a package is needed but not installed, SAY SO instead of importing it

## Project Imports:
- Use @/ path alias for src/ directory imports
- Use relative paths only within the same module
- NEVER import from node_modules subdirectories (no deep imports)
- NEVER import test utilities in production code

## When a New Package is Needed:
- Verify it exists on the public npm registry
- Check it has been updated within the last 12 months
- Prefer packages with TypeScript types included
- Show the install command: npm install <package>
- Show the types install if separate: npm install -D @types/<package>

## Common Deprecated Packages to Avoid:
- request -> use axios or node-fetch
- moment -> use date-fns or dayjs
- lodash (full) -> use lodash-es or individual imports
- express-validator -> use zod
- passport (consider) -> use @auth/core or lucia
```

## Common mistakes

- **Not referencing package.json in prompts** — Without seeing your dependency list, Cursor draws from its entire training data and may suggest any package it has seen, including private or deprecated ones. Fix: Add @package.json to every prompt that involves generating new code with imports.
- **Accepting deep imports into package internals** — Cursor sometimes suggests importing from internal package paths like 'lodash/internal/mapCacheSet' which are not public API and may break on updates. Fix: Add a rule: NEVER import from package subdirectories. Use only the documented public API imports.
- **Not running npm install after accepting Cursor's suggestion to add a package** — Cursor can add import statements for packages it recommends but cannot actually install them. The code compiles in Cursor's suggestions but fails at build time. Fix: Always check for new imports after a Cursor session and run npm install for any new dependencies before testing.

## Best practices

- Reference @package.json in every code generation prompt
- Add .cursorignore for node_modules to prevent deep package indexing
- Audit imports after every major Cursor generation session
- Create an imports rule that restricts to installed packages
- Ask Cursor to identify needed packages instead of silently importing them
- Keep a list of deprecated packages and their replacements in your rules
- Run the build after accepting Cursor code to catch import errors immediately

## Frequently asked questions

### Why does Cursor suggest packages I have never heard of?

Cursor's training data includes code from thousands of projects. It may suggest niche packages, internal company packages, or packages popular in other ecosystems that are not relevant to your project.

### Can I make Cursor auto-install missing packages?

In Agent mode with terminal access, Cursor can run npm install. However, it is safer to review suggested packages before installing. Add a rule that says ask before installing new packages.

### How do I handle monorepo internal packages?

Add your monorepo workspace package names to the rules file. Cursor should know which @company/package names are internal workspace packages versus external npm packages.

### What about peerDependencies?

peerDependencies are available at runtime but not in your direct dependencies. Mention them in your rules if Cursor should be allowed to import from them.

### Does this affect TypeScript auto-imports?

TypeScript's built-in auto-import only suggests from installed packages. This issue is specific to Cursor's AI-generated imports which can hallucinate packages not in your project.

### Can RapidDev help manage project dependencies?

Yes. RapidDev conducts dependency audits, identifies deprecated packages, and configures Cursor rules and automated tooling to keep your project's dependency graph healthy and secure.

---

Source: https://www.rapidevelopers.com/cursor-tutorial/how-to-prevent-cursor-ai-from-suggesting-code-that-references-private-npm-packages
© RapidDev — https://www.rapidevelopers.com/cursor-tutorial/how-to-prevent-cursor-ai-from-suggesting-code-that-references-private-npm-packages
