Bundle impact of significant new dependencies is evaluated
Why it matters
Without bundle analysis tooling, you have no visibility into the JavaScript payload your users download. A single npm install can add 100 KB to your production bundle without any visible signal in your development workflow, and that cost compounds with each new dependency. The ISO 25010 performance-efficiency characteristic defines resource utilization as the degree to which the resources a product uses meet its requirements; shipping an unmeasured bundle means you cannot know whether that requirement is being met. SSDF PW.4 treats third-party component evaluation as ongoing, not one-time. Bundle analysis is the instrumentation that makes that evaluation possible: you cannot manage what you cannot see.
Severity rationale
Info because the absence of bundle analysis tooling is an observability gap rather than an active defect — but without it, you have no mechanism to detect when a new dependency significantly degrades client-side performance.
Remediation
Add a bundle analyzer to your dev dependencies and configure it for on-demand analysis, so ordinary builds are unchanged and the report is produced only when you ask for it. For Next.js:
npm install --save-dev @next/bundle-analyzer
// next.config.js
// Wrap the Next.js config. The analyzer is enabled only when ANALYZE=true is set
// in the environment, so day-to-day builds and CI pay no cost.
const withBundleAnalyzer = require('@next/bundle-analyzer')({
  enabled: process.env.ANALYZE === 'true',
})
// Pass your existing Next.js config object here in place of the empty object.
module.exports = withBundleAnalyzer({})
# Run analysis before merging any PR that adds a dependency
ANALYZE=true npm run build
For Vite projects, use rollup-plugin-visualizer. For non-Next.js webpack projects, use webpack-bundle-analyzer. These tools visualize the bundle; none of them fails a build on its own. To turn the evaluation into a merge gate, pair the visualizer with a budget tool such as size-limit or bundlesize, which fails CI when an output exceeds its configured limit.
Detection
- ID: bundle-impact-evaluated
- Severity: info
- What to look for: Check package.json devDependencies for bundle analysis tools: @next/bundle-analyzer, rollup-plugin-visualizer, webpack-bundle-analyzer, vite-bundle-visualizer, bundlesize, or size-limit. Also check package.json scripts for an analyze or bundle:analyze script. Their presence indicates the team is monitoring bundle impact; their absence is a minor concern. Count all instances found and enumerate each.
- Pass criteria: A bundle analysis tool is present in devDependencies, or a bundle analysis script is defined in package.json scripts. At least 1 implementation must be confirmed.
- Fail criteria: No bundle analysis tool or script found.
- Skip (N/A) when: No package.json detected. Skip for projects that are API-only with no client-side bundle (e.g., Express APIs without a frontend).
- Detail on fail: "No bundle analysis tool found in devDependencies — consider adding @next/bundle-analyzer or size-limit to monitor the impact of dependency additions"
- Remediation: Without bundle analysis, you won't notice when a new dependency significantly increases your JavaScript payload. This is especially important for client-side performance.
For Next.js:
npm install --save-dev @next/bundle-analyzer
// next.config.js
const withBundleAnalyzer = require('@next/bundle-analyzer')({
  enabled: process.env.ANALYZE === 'true',
})
module.exports = withBundleAnalyzer({})
ANALYZE=true npm run build
For a comprehensive performance analysis including bundle optimization strategies, the Performance & Load Readiness Audit covers this in detail.
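The detection logic above, as an added reference implementation written for this page in Node.js; it is not the scanner's own code. It takes a parsed package.json (or null when none was found), enumerates every qualifying devDependency and script as the check asks, and returns pass, fail or skip with the page's fail detail. The API-only heuristic (CLIENT_SIGNALS: a project that declares none of the listed frontend or bundler packages is treated as having no client-side bundle), the misplaced-dependency warning, and the sample package.json objects are assumptions constructed here.

```javascript
// Added example for this page, not the scanner's own code. The API-only
// heuristic (CLIENT_SIGNALS) and the sample inputs below are assumptions.

const CHECK_ID = 'bundle-impact-evaluated';
const SEVERITY = 'info';

// Tools named in "What to look for"; any one of them in devDependencies passes.
const ANALYZER_TOOLS = [
  '@next/bundle-analyzer',
  'rollup-plugin-visualizer',
  'webpack-bundle-analyzer',
  'vite-bundle-visualizer',
  'bundlesize',
  'size-limit',
];

// Script names the check accepts; either one passes on its own.
const ANALYZER_SCRIPTS = ['analyze', 'bundle:analyze'];

// Assumption of this example: a project declaring none of these packages has
// no client-side bundle (e.g. an Express API) and the check is skipped.
const CLIENT_SIGNALS = [
  'react', 'next', 'vue', 'nuxt', 'svelte', '@angular/core',
  'vite', 'webpack', 'rollup', 'parcel', 'esbuild',
];

// Fail detail string taken from the check definition.
const FAIL_DETAIL =
  'No bundle analysis tool found in devDependencies — consider adding ' +
  '@next/bundle-analyzer or size-limit to monitor the impact of dependency additions';

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);

function result(status, findings, reason, warnings = []) {
  return { id: CHECK_ID, severity: SEVERITY, status, findings, reason, warnings };
}

// pkg: parsed package.json object, or null when no package.json was detected.
function evaluateBundleImpact(pkg) {
  if (pkg === null || typeof pkg !== 'object') {
    return result('skip', [], 'No package.json detected');
  }
  const allDeps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  if (!CLIENT_SIGNALS.some((name) => has(allDeps, name))) {
    return result('skip', [], 'API-only project with no client-side bundle');
  }

  // Enumerate every instance rather than stopping at the first match.
  const findings = [];
  for (const tool of ANALYZER_TOOLS) {
    if (has(pkg.devDependencies, tool)) {
      findings.push({ kind: 'devDependency', name: tool, value: pkg.devDependencies[tool] });
    }
  }
  for (const name of ANALYZER_SCRIPTS) {
    if (has(pkg.scripts, name)) {
      findings.push({ kind: 'script', name, value: pkg.scripts[name] });
    }
  }

  // Caveat (assumption of this example): an analyzer listed under dependencies
  // instead of devDependencies does not satisfy the rule, but is worth reporting.
  const warnings = ANALYZER_TOOLS
    .filter((tool) => has(pkg.dependencies, tool))
    .map((tool) => `${tool} is declared in dependencies; move it to devDependencies`);

  if (findings.length === 0) return result('fail', [], FAIL_DETAIL, warnings);
  return result('pass', findings, `${findings.length} implementation(s) confirmed`, warnings);
}

// Constructed sample inputs (not real projects).
const SAMPLE_NEXT = {
  name: 'storefront',
  dependencies: { next: '^15.0.0', react: '^19.0.0' },
  devDependencies: { '@next/bundle-analyzer': '^15.0.0' },
  scripts: { build: 'next build', analyze: 'ANALYZE=true next build' },
};
const SAMPLE_VITE_NO_TOOL = {
  name: 'dashboard',
  dependencies: { vue: '^3.4.0' },
  devDependencies: { vite: '^5.0.0' },
  scripts: { build: 'vite build' },
};
const SAMPLE_API_ONLY = {
  name: 'billing-api',
  dependencies: { express: '^4.19.0' },
  scripts: { start: 'node server.js' },
};

for (const pkg of [SAMPLE_NEXT, SAMPLE_VITE_NO_TOOL, SAMPLE_API_ONLY, null]) {
  console.log(JSON.stringify(evaluateBundleImpact(pkg)));
}
```

Run it with node and read the four JSON lines: the Next.js sample passes with two enumerated findings, the Vite sample fails with the page's detail string, and the Express sample and the missing-package.json case are skipped. The warnings field is the one addition beyond the rule text: a tool that exists but sits in dependencies is surfaced so a reviewer can move it without the check silently passing on it.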
External references
- iso-25010:2011 · performance-efficiency — Performance Efficiency characteristic
- ssdf:800-218 · PW.4 — Reuse Existing, Well-Secured Software
Taxons
History
- 2026-04-18·v1.0.0·Initial import from dependency-supply-chain·automated