SShortSingh.
Back to feed

How Dead Code Silently Bloats JavaScript Bundles and How to Fix It

0
·1 views

Unused JavaScript accumulates in codebases over time without triggering errors or crashes, yet it inflates bundle sizes and slows down page load and interactivity for end users. Every byte of JavaScript carries a runtime cost because browsers must parse and compile all code before a page becomes interactive, even code that never executes. Developers can catch unused code early using TypeScript compiler flags such as noUnusedLocals and noUnusedParameters, which turn unused variables and unreachable statements into build-time errors. However, TypeScript only analyzes files in isolation and cannot detect exports that are defined but never imported elsewhere in a project, a gap filled by a tool called knip. Knip scans the entire project graph to identify unused exports, unreferenced files, and unused package dependencies, providing automated enforcement that prevents dead code from quietly re-accumulating across releases.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Researchers Warn AI Coding Agents Are Being Hijacked via Fake Bug Reports

Security researchers have identified a scalable attack technique called 'Agentjacking,' in which malicious actors embed hidden instructions inside fake bug reports submitted to AI coding agents. Because these agents are built to read and act on issue content, they execute the injected commands as if they were legitimate tasks. The attack requires minimal effort — a convincing bug report with a concealed directive is enough — and works across common intake channels like GitHub Issues, Jira tickets, and support emails. Once triggered, the injected instructions run with the full permissions granted to the agent, including file system access, API keys, and network capabilities. Conventional defenses such as web application firewalls and input sanitization are ineffective because the attack exploits the semantic meaning of text rather than structural vulnerabilities in data.

0
ProgrammingDEV Community ·

282 of 444 iOS AI Chatbot Apps Found Leaking API Keys in Network Traffic

A study of 444 iOS AI chatbot apps found that 282 of them are exposing API keys or tokens through plaintext network traffic, with some backends requiring no authentication at all. The primary risk is financial: stolen API keys allow attackers to run up large bills on a developer's LLM account, potentially costing thousands of dollars before any anomaly is detected. Researchers note that apps with completely unauthenticated backends present an even greater threat than leaked keys, as they function as open proxies usable by anyone who discovers the endpoint. Security experts say the root cause is a widespread practice of building mobile apps that directly hold API credentials for paid upstream services, rather than routing requests through a secure, developer-controlled backend. The recommended fix — having the app authenticate to a developer's own backend, which then holds and uses the upstream key — is well-established but is evidently not being widely adopted in the current wave of AI app development.

0
ProgrammingDEV Community ·

How a Developer-Focused Password Manager Can Secure SSH Keys and API Tokens

A developer writing for DEV Community argues that switching to a developer-first password manager like 1Password transformed their workflow beyond simple login storage. The tool manages SSH keys, API tokens, and database URLs, with an SSH agent that keeps private keys off disk entirely. Using the CLI tool 'op run', environment files store only vault references rather than real credentials, which are injected at runtime and discarded when the process ends. The setup also enables Git commit signing via SSH keys already stored in the vault, requiring just three shell commands. The author notes a security benefit: malicious npm post-install scripts that scan for plaintext credentials in common directories would find nothing, eliminating one of the most common attack vectors.

0
ProgrammingDEV Community ·

How to Fix Symfony Messenger's Dual-Write Problem Using a Transactional Outbox

The dual-write problem occurs when an application writes to a database and a message broker separately, with no shared transaction guaranteeing both succeed or fail together. In Symfony Messenger, using DispatchAfterCurrentBusStamp with the doctrine_transaction middleware prevents ghost events but still leaves a gap where a committed order may never notify downstream systems if the broker is unavailable. The true fix is a transactional outbox pattern, where the event record is inserted into the database within the same transaction as the business data. Symfony Messenger's Doctrine transport acts as a database table, meaning routing messages to it causes a plain SQL INSERT that can participate in an open transaction. By wiring the dispatch to a Doctrine transport without deferring it past the commit, both the order and the outbox event are saved atomically, closing the reliability gap entirely.

How Dead Code Silently Bloats JavaScript Bundles and How to Fix It · ShortSingh