audit: bundle analysis

[addyosmani]

This is a placeholder for a JS bundle analysis feature we will explore in Q3/Q4 2018: deep analysis and webperf recommendations based on your Source Maps. Something that iterates on webpack-bundle-analyzer perhaps.

Most developers I speak to are painfully unaware that they probably need to use a bundle analysis tool to discover issues in their JS and modern tools don't seem to be yelling at them loudly enough when they run into problems.

It wouldn't be easy...so..opening to discuss :)

When working with partner teams, we often find the following to be true:

• Folks are usually not using a tool like source-map-explorer or Webpack Bundle Analyzer until they realize they have performance issues with JS bundles. Opportunity for us to inform them of issues before they learn about these tools.
• When folks do discover these tools, it's not trivial to read the dependency graph visualizations and get the "so...what are my next steps here?" guidance out. We could codify some of the patterns we commonly see teams failing on and try to offer up audits around this.
• Potential audits:
  • Library-specific:
    • We noticed you're using all of Lodash in your bundle, but you're only actually calling 3 methods. Maybe use lodash-es or lodash-webpack-plugin to reduce the size of your bundle
    • We noticed you're using Moment.js, but including all of the default locales, bloating your bundle by a few hundred KB. Switch to using specific locales you wish to support to automate this using Webpack's contextual replacement plugin to trim down your bundle.
    • Debug version of React. Switch to production version.
  • Polyfill-specific: We noticed you're shipping a whole lot of Babel polyfills / core-js. Most modern browsers already support features like ES promises so...maybe use babel-preset-env and don't ship all these polyfills in your bundles.
  • Duplicate-entries: We noticed you're including a bunch of duplicate entries (e.g imports, vendor libraries) in your bundle. Maybe you should avoid this. Check out tools like Bundle Buddy and see if they can help.

etc. This could be really neat but does come with some concerns outside of whether it's technically feasible or not:

• How can we keep up with the times when it comes to these toolchain specific recommendations? Do we just bite the bullet and say we'll survey for what is still valid every year?
• Would it make more sense to scope this down to framework specific audits?

Webpack Bundle Analyzer for anyone unfamiliar with it:

cc @brendankenny @paulirish @patrickhulce

[patrickhulce]

I really like the power unlocked by having some source map analysis at our disposal. At a minimum it would be interesting in HTTPArchive to know % support for source maps (maybe we already have this?).

I somewhat seem lh-core's role in this as enabling the analysis by having a SourceMap artifact and has-valid-sourcemaps audit, but probably deferring the specific library insights to others that we consume either directly ala axe and the JS vulnerabilities or indirectly through plugins and community custom audits.

Either way, really stoked for this investigation and work to come!

[addyosmani]

I somewhat seem lh-core's role in this as enabling the analysis by having a SourceMap artifact and has-valid-sourcemaps audit, but probably deferring the specific library insights to others that we consume either directly ala axe and the JS vulnerabilities or indirectly through plugins and community custom audits.

Deferring this to external audits/plugins could also be an entirely fair direction to take this work.

I really like the power unlocked by having some source map analysis at our disposal. At a minimum it would be interesting in HTTPArchive to know % support for source maps (maybe we already have this?).

A very rough initial look suggests 5% of sites in the HTTP Archive have a valid sourceMappingURL= comment in their JS bundles.

Manually checking some of these entries to validate this appears that they are up there:

One challenge with checking this out further is we're unsure if this means the source map files themselves are actually in production. e.g a script may include a sourceMappingURL but does their deploy also include the corresponding *.map files.

This may be something @rviscomi could have insight on querying.

[patrickhulce]

One challenge with checking this out further is we're unsure if this means the source map files themselves are actually in production. e.g a script may include a sourceMappingURL but does their deploy also include the corresponding *.map files.

Yeah sorry this is mostly what I was referring to :) 5% is a scarily low starting point though if we need to then say what percent of those actually work.

[wardpeet]

I never ship .map files to production, only on staging or test. I really like the idea of the audit. We might add an option to add sourcemaps to a lighthouse run through cli or special config. A bit like sourcemap-explorer.

Not sure if we are able to hide an audit when it's unnecessary if no sourcemaps are given.

[rviscomi]

FWIW I'm seeing 16.5% of pages include a resource containing the source map signature with this query:

SELECT
  ROUND(SUM(IF(src_mapped, num_pages, 0)) * 100 / SUM(num_pages), 1) AS pct_src_mapped
FROM (
  SELECT
    body LIKE '%//# sourceMappingURL=%' AS src_mapped,
    COUNT(DISTINCT page) AS num_pages
  FROM
    `httparchive.har.2017_11_01_chrome_requests_bodies`
  GROUP BY
    src_mapped)

(Warning: this query processes 767 GB, which is most of the free monthly quota)

If it's helpful, I can also look into *.map usage.

[paulirish]

While I agree there aren't many sites that this will likely work on, I think we could use these audits as a carrot to encourage more sites to flip on sourcemaps. We can add a little section to the report like: "See what other insights we can deliver when you turn on sourcemaps" And include some juicy screenshots.

In order to pull this off we need to explore the product story a little more. Explore some of the big impact potential features and also understand if there is some low-hanging fruit. I'll set up some time next week to explore this some more.

[paulirish]

After some offline discussion we came up with this list:

Potential insights

What you bundled

• Filesize analysis

  • That source-map-explorer treemap for each bundle

• code usage (=> tree shaking, modular builds)

  • What % of each lib are you using
  • Apply to above treemaps

• Duplicate entries

  • Two copies of lodash in one bundle (or across two)

• Library-specific recommendations

  • The moment.js locales are huge
  • Diff ways to package react, etc

• Heavy use of Polyfills

  • All of babel's core.js
  • Including promise polyfills, etc.

• Library anti-recommendations

  • Run the vulnerability checks against these bundled libs
  • Other reasons to flag library usage (jquery is bad lol)

• Transpiled output is very large.

  • babel-preset-env, don't try to transpile async/await, etc?

How you bundled

• Recommending better way to chunk your bundles
  • Based on what JS was run, size, render-blocking-ness, etc.
• Sourcemap is valid, has sourcesContent or available source files
• (Do we have a recommendation on how you attach sourcemaps?)

Assisting other audits

• Resolving script locations & call stacks through the sourcemap

---

Next Steps

We think that it makes the most sense to start with 1) sourcemap validity test 2) basic treemap visualizing of existing sourcemap files, and then 3) folding coverage data into that. the rest of the insights here all depend on those fundamentals.