JavaScript packages are notoriously prone to bloat, a factor that significantly impacts the performance and maintainability of web applications. While web bundlers and tree-shaking can mitigate this issue in client-side applications at the function level, they cannot effectively detect and remove bloat in server-side applications. In this paper, we conduct an empirical study to investigate the bloated dependencies that are entirely unused within server-side applications. Our study focuses on applications built with the widely used and highly dynamic CommonJS module system. We propose a trace-based dynamic analysis that monitors file access to determine which dependencies are not accessed during runtime. To conduct our study, we curate an original dataset of 92 CommonJS packages with a median test coverage of 96.9% and a total of 50,661 dependencies. Our dynamic analysis identifies and successfully removes 50.7% of these dependencies while maintaining the correct build of all packages. Furthermore, we find that 14.9% of directly used dependencies and 51.3% of indirect dependencies are bloated. A key insight is that focusing on removing only the direct bloated dependencies by cleaning the package.json file also removes a significant share of unnecessary bloated indirect dependencies. Compared to the state-of-the-art dynamic debloating technique, our analysis based on file accesses has fewer false positives and demonstrates higher accuracy in detecting bloated dependencies. Our findings suggest that native support for dependency debloating in package managers could significantly alleviate the burden of maintaining dependencies.