Without bundle analysis tooling you have no visibility into the JavaScript payload your users download. A single npm install can add 100 KB to the production bundle with no visible signal in the development workflow, and that cost compounds with every new dependency. The ISO/IEC 25010 performance-efficiency characteristic includes resource utilization, the amount of resources a product uses relative to its requirements; an unmeasured bundle means you cannot know whether that requirement is met. SSDF PW.4 treats verification of third-party components as an ongoing activity over their life cycle, not a one-time gate at the moment of adoption. Bundle analysis is the instrumentation that makes that evaluation possible for client-side code: it shows which packages, including transitive ones, actually ship to the browser and how much each contributes. You cannot manage what you cannot see.
Severity is info because the absence of bundle analysis tooling is an observability gap rather than an active defect. Without it, however, there is no mechanism to detect when a new dependency significantly degrades client-side performance.
Add a bundle analyzer to your devDependencies and configure it for on-demand analysis, so that ordinary builds are unaffected and the report is produced only when explicitly requested. For Next.js:
npm install --save-dev @next/bundle-analyzer
// next.config.js
// The analyzer is only enabled when ANALYZE=true is set in the environment,
// so regular `next build` runs are unchanged.
const withBundleAnalyzer = require('@next/bundle-analyzer')({
  enabled: process.env.ANALYZE === 'true',
})
// Wrap your existing Next.js config object (an empty object is shown here).
module.exports = withBundleAnalyzer({})
# Run analysis before merging any PR that adds a dependency
ANALYZE=true npm run build
For Vite projects, use rollup-plugin-visualizer (vite-bundle-visualizer is a CLI wrapper around it). For webpack projects outside Next.js, use webpack-bundle-analyzer. Whichever tool you choose, expose it through an analyze script in package.json so that teammates and automated checks can find it.
ID: dependency-supply-chain.optimization.bundle-impact-evaluated
Severity: info
What to look for: Check package.json devDependencies for bundle analysis tools: @next/bundle-analyzer, rollup-plugin-visualizer, webpack-bundle-analyzer, vite-bundle-visualizer, bundlesize, or size-limit. Also check package.json scripts for an analyze or bundle:analyze script. Their presence indicates the team is monitoring bundle impact; their absence is a minor concern. Count all instances found and enumerate each.
Pass criteria: A bundle analysis tool is present in devDependencies, or a bundle analysis script is defined in package.json scripts. At least 1 implementation must be confirmed.
Fail criteria: No bundle analysis tool or script found.
Skip (N/A) when: No package.json detected. Skip for projects that are API-only with no client-side bundle (e.g., Express APIs without a frontend).
Detail on fail: "No bundle analysis tool found in devDependencies — consider adding @next/bundle-analyzer or size-limit to monitor the impact of dependency additions"
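The check described by the criteria above, implemented as an added example over a parsed package.json (this is illustrative code, not part of the original page or of any audit tool it describes). The tool names and script names are the ones listed under "What to look for"; the sample package.json objects are constructed for the example. Deciding whether a project is API-only with no client-side bundle is left to the caller via the hasClientBundle option, since the page defines no automatic test for that; as an extra caveat beyond the page's criteria, an analyzer that sits under dependencies instead of devDependencies is reported as a warning but does not count toward a pass.

```javascript
// Added example: evaluate the bundle-impact-evaluated check against a parsed package.json.
// Tool list and script names are taken from the check's "What to look for" field.
const BUNDLE_ANALYSIS_TOOLS = [
  '@next/bundle-analyzer',
  'rollup-plugin-visualizer',
  'webpack-bundle-analyzer',
  'vite-bundle-visualizer',
  'bundlesize',
  'size-limit',
];
const ANALYSIS_SCRIPT_NAMES = ['analyze', 'bundle:analyze'];

const FAIL_DETAIL =
  'No bundle analysis tool found in devDependencies; consider adding ' +
  '@next/bundle-analyzer or size-limit to monitor the impact of dependency additions';

// pkg: the parsed package.json object, or null when no package.json was detected.
// options.hasClientBundle: set to false by the caller for API-only projects
// (e.g. an Express API without a frontend); this is an assumption of the example,
// the page does not prescribe how that is determined.
// Returns { status: 'pass' | 'fail' | 'skip', findings, warnings, detail }.
function evaluateBundleImpactCheck(pkg, { hasClientBundle = true } = {}) {
  if (pkg === null || pkg === undefined) {
    return { status: 'skip', findings: [], warnings: [], detail: 'No package.json detected' };
  }
  if (!hasClientBundle) {
    return { status: 'skip', findings: [], warnings: [], detail: 'API-only project with no client-side bundle' };
  }

  const findings = [];
  const warnings = [];
  const devDeps = pkg.devDependencies || {};
  const deps = pkg.dependencies || {};
  const scripts = pkg.scripts || {};

  // Enumerate every analysis tool declared in devDependencies (each counts as one instance).
  for (const tool of BUNDLE_ANALYSIS_TOOLS) {
    if (Object.prototype.hasOwnProperty.call(devDeps, tool)) {
      findings.push(`devDependencies: ${tool}@${devDeps[tool]}`);
    } else if (Object.prototype.hasOwnProperty.call(deps, tool)) {
      // Misplaced: a build-time analyzer in runtime dependencies. Flagged, not counted.
      warnings.push(`dependencies: ${tool}@${deps[tool]} (expected under devDependencies)`);
    }
  }

  // A dedicated analysis script also satisfies the pass criteria.
  for (const name of ANALYSIS_SCRIPT_NAMES) {
    if (typeof scripts[name] === 'string' && scripts[name].trim() !== '') {
      findings.push(`scripts.${name}: ${scripts[name]}`);
    }
  }

  if (findings.length === 0) {
    return { status: 'fail', findings, warnings, detail: FAIL_DETAIL };
  }
  return {
    status: 'pass',
    findings,
    warnings,
    detail: `${findings.length} bundle analysis implementation(s) found`,
  };
}

// Constructed sample inputs (not real projects).
const SAMPLE_NEXT_PROJECT = {
  name: 'web',
  scripts: { build: 'next build', analyze: 'ANALYZE=true next build' },
  dependencies: { next: '14.2.3', react: '18.3.1' },
  devDependencies: { '@next/bundle-analyzer': '14.2.3' },
};
const SAMPLE_NO_TOOLING = {
  name: 'web',
  scripts: { build: 'vite build' },
  dependencies: { react: '18.3.1' },
  devDependencies: { vite: '5.2.0' },
};
const SAMPLE_MISPLACED_TOOL = {
  name: 'web',
  scripts: { build: 'webpack --mode production' },
  dependencies: { 'webpack-bundle-analyzer': '4.10.2' },
  devDependencies: { webpack: '5.91.0' },
};

const sampleResults = {
  nextProject: evaluateBundleImpactCheck(SAMPLE_NEXT_PROJECT),
  noTooling: evaluateBundleImpactCheck(SAMPLE_NO_TOOLING),
  misplaced: evaluateBundleImpactCheck(SAMPLE_MISPLACED_TOOL),
  apiOnly: evaluateBundleImpactCheck(SAMPLE_NO_TOOLING, { hasClientBundle: false }),
  noPackageJson: evaluateBundleImpactCheck(null),
};
```

The first sample passes with two enumerated instances (the devDependency and the analyze script); the second fails with the page's detail message; the third fails but carries a warning pointing at the misplaced analyzer; the last two are skipped for the reasons the criteria give.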
Remediation: Without bundle analysis you will not notice when a new dependency significantly increases the JavaScript payload, which matters most for client-side performance. Add an analyzer as a devDependency and make it available on demand.
For Next.js:
npm install --save-dev @next/bundle-analyzer
// next.config.js
const withBundleAnalyzer = require('@next/bundle-analyzer')({
enabled: process.env.ANALYZE === 'true',
})
module.exports = withBundleAnalyzer({})
ANALYZE=true npm run build
For a comprehensive performance analysis including bundle optimization strategies, the Performance & Load Readiness Audit covers this in detail.