JavaScript packages are notoriously prone to bloat, a factor that significantly impacts the performance and maintainability of web applications. While web bundlers and tree-shaking can mitigate this issue in client-side applications, state-of-the-art techniques have limitations on the detection and removal of bloat in server-side applications. In this paper, we present the first study to investigate bloated dependencies within server-side JavaScript applications, focusing on those built with the widely used and highly dynamic CommonJS module system. We propose a trace-based dynamic analysis that monitors the OS file system to determine which dependencies are not accessed during runtime. To evaluate our approach, we curate an original dataset of 91 CommonJS packages with a total of 50,488 dependencies. Compared to the state-of-the-art dynamic and static approaches, our trace-based analysis demonstrates higher accuracy in detecting bloated dependencies. Our analysis identifies 50.6% of the 50,488 dependencies as bloated: 13.8% of direct dependencies and 51.3% of indirect dependencies. Furthermore, removing only the direct bloated dependencies by cleaning the dependency configuration file can remove a significant share of unnecessary bloated indirect dependencies while preserving functional correctness.
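The trace-based idea from the abstract, as an added example that is not the paper's tool: it takes a file-system trace, maps each successfully opened path to the package that owns it, and reports installed packages that were never accessed, split into direct and indirect. The `strace`-style line format, the package names and the `/app` layout are assumptions constructed for illustration.

```javascript
// Added illustration, not the paper's tool. Trace lines and package names are constructed.
const MARKER = "/node_modules/";

// Map a path to the install key of the innermost package owning it, e.g.
// ".../node_modules/a/node_modules/@s/b/x.js" -> "a/node_modules/@s/b".
function owningPackage(path) {
  const first = path.indexOf(MARKER);
  if (first === -1) return null; // application code, not a dependency
  const last = path.lastIndexOf(MARKER) + MARKER.length;
  const segs = path.slice(last).split("/");
  // Scoped names ("@scope/pkg") span two path segments.
  const name = segs[0].startsWith("@") ? segs.slice(0, 2).join("/") : segs[0];
  return name ? path.slice(first + MARKER.length, last) + name : null;
}

// Collect packages with at least one successful open()/openat() in the trace.
// Failed probes (= -1 ENOENT) are produced while the loader searches for a
// module and must not count as an access.
function accessedPackages(traceText) {
  const re = /\bopen(?:at)?\((?:AT_FDCWD, )?"([^"]+)"[^)]*\)\s*=\s*(-?\d+)/;
  const seen = new Set();
  for (const line of traceText.split("\n")) {
    const m = re.exec(line);
    if (!m || Number(m[2]) < 0) continue;
    const pkg = owningPackage(m[1]);
    if (pkg) seen.add(pkg);
  }
  return seen;
}

// installed: install keys of every package on disk; direct: names from package.json.
function findBloated(installed, direct, traceText) {
  const seen = accessedPackages(traceText);
  const bloated = installed.filter((p) => !seen.has(p));
  return {
    direct: bloated.filter((p) => direct.includes(p)),
    indirect: bloated.filter((p) => !direct.includes(p)),
  };
}

// Constructed sample data (hypothetical packages).
const INSTALLED = ["web-fw", "web-fw/node_modules/logger", "@acme/core", "date-lib", "date-lib/node_modules/tz-data"];
const DIRECT = ["web-fw", "@acme/core", "date-lib"];
const TRACE = [
  'openat(AT_FDCWD, "/app/node_modules/web-fw/index.js", O_RDONLY|O_CLOEXEC) = 21',
  'openat(AT_FDCWD, "/app/node_modules/web-fw/node_modules/logger/src/index.js", O_RDONLY|O_CLOEXEC) = 22',
  '4242 openat(AT_FDCWD, "/app/node_modules/@acme/core/lib/index.js", O_RDONLY|O_CLOEXEC) = 23',
  'openat(AT_FDCWD, "/app/node_modules/date-lib/package.json", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)',
].join("\n");
console.log(findBloated(INSTALLED, DIRECT, TRACE));
```

A package reported here is unused only for the workload that produced the trace, so the trace should come from a run that exercises the application's full test suite.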