Bundle size directly affects Time to Interactive, Core Web Vitals scores, and user-perceived performance — all of which influence both conversion rates and Google search ranking. A 67KB gzipped moment import on a page that formats a single date adds payload weight that a two-line switch to dayjs would eliminate. Beyond performance, heavy packages often bundle far more code than you use, increasing the attack surface of your client-side JavaScript: a compromise of the package affects all the functionality bundled in, not just the features you call. The ISO 25010 performance-efficiency characteristic explicitly covers minimizing resource consumption relative to functional requirements.
Low because heavy packages degrade performance rather than introduce direct security vulnerabilities, but they measurably increase bundle size, slow page loads, and expand client-side attack surface.
Replace known heavy packages with lighter equivalents. Moment to Day.js:
npm uninstall moment
npm install dayjs
// before
import moment from 'moment'
moment().format('YYYY-MM-DD')
// after
import dayjs from 'dayjs'
dayjs().format('YYYY-MM-DD')
For lodash, switch to per-function imports instead of the full library:
// before — imports entire 71KB lodash
import _ from 'lodash'
_.debounce(fn, 300)
// after — imports only debounce
import debounce from 'lodash/debounce'
debounce(fn, 300)
ID: dependency-supply-chain.optimization.no-heavy-packages
Severity: low
What to look for: Scan dependencies for known heavy packages that have common lighter alternatives. Key patterns to flag: moment (use date-fns or dayjs), lodash full library where only 1-2 functions are used (use native JS or lodash/function), jQuery in a modern framework project (redundant with React/Vue/etc.), faker in production dependencies (should be in devDependencies), full aws-sdk (v2) where @aws-sdk/client-* (v3 modular) would work, request (deprecated, use native fetch). This check focuses on production dependencies only. Count all instances found and enumerate each.
Pass criteria: Evaluate the install size of the largest dependencies by analyzing node_modules disk usage or using package size analysis tools. Identify any dependency whose installed size significantly exceeds expectations for its functionality and assess whether a lighter alternative exists. Oversized dependencies slow CI/CD pipelines, increase container image sizes, and may indicate bundled test fixtures or documentation that should not be distributed. At least 1 implementation must be confirmed.
Fail criteria: One or more known heavy packages are in production dependencies where a lighter alternative is standard practice.
Skip (N/A) when: No package.json detected.
Detail on fail: "'moment' is in production dependencies (67KB gzipped) — 'dayjs' provides a near-identical API at 2KB" or "'lodash' in dependencies — if only a few functions are used, import from 'lodash/debounce' instead of the full library"
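The check described above, as an added example that is not part of the original rule text: a small Node.js detector that reads a parsed package.json, inspects only production `dependencies`, and enumerates each known heavy package with the alternative the rule names. The heavy-package list comes from the rule; the framework list used for the jQuery case (react, vue) and the sample package.json are constructed assumptions.

```javascript
// Known heavy packages and the lighter alternative named in the rule.
const HEAVY_PACKAGES = {
  moment: "use dayjs or date-fns",
  lodash: "import per-function (e.g. lodash/debounce) or use native JS",
  jquery: "redundant alongside a modern framework; use framework APIs",
  faker: "test tooling; move it to devDependencies",
  "aws-sdk": "use the modular @aws-sdk/client-* (v3) packages",
  request: "deprecated; use native fetch",
};

// jQuery is only flagged when one of these frameworks is also a dependency
// (list is an assumption; the rule says "React/Vue/etc.").
const MODERN_FRAMEWORKS = ["react", "vue"];

// Return one finding per heavy package in production dependencies.
// devDependencies are deliberately ignored: the check covers production only.
function findHeavyPackages(pkg) {
  const deps = pkg.dependencies || {};
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (!(name in HEAVY_PACKAGES)) continue;
    if (name === "jquery" && !MODERN_FRAMEWORKS.some((f) => f in deps)) continue;
    findings.push({ name, version: deps[name], advice: HEAVY_PACKAGES[name] });
  }
  return findings;
}

// Map to the rule's outcomes: skip when there is no package.json,
// fail when any heavy package is present, otherwise pass.
function evaluate(pkg) {
  if (!pkg) return { result: "skip", findings: [] };
  const findings = findHeavyPackages(pkg);
  return { result: findings.length > 0 ? "fail" : "pass", findings };
}

// "Detail on fail" style message for one finding.
function formatFinding(f) {
  return `'${f.name}' ${f.version} is in production dependencies: ${f.advice}`;
}

// Constructed sample: moment and faker in production deps (two findings);
// lodash is correctly scoped to devDependencies and is not flagged.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: { moment: "^2.29.4", faker: "^5.5.3", react: "^18.2.0" },
  devDependencies: { lodash: "^4.17.21" },
};

const report = evaluate(SAMPLE_PACKAGE_JSON);
console.log(report.result);
report.findings.forEach((f) => console.log(formatFinding(f)));
```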
Remediation: Bundle size affects Time to Interactive and Core Web Vitals scores, which impact both user experience and SEO. Replacing heavy packages with lighter alternatives is usually a 30-minute task.