'%3e%3cpath d='M23.8749 157.414C27.4541 123.292 42.6707 91.4417 66.9671 67.217C92.2167 41.9674 124.225 27.6014 157.164 24.1248L159.804 48.9796C131.37 51.9643 104.83 64.6466 84.6448 84.8947C63.6084 105.931 51.6347 132.613 48.7297 160.054L23.8749 157.414ZM65.3054 161.828C67.8899 137.182 78.8806 114.177 96.4299 96.6798C114.661 78.4483 137.778 68.0715 161.572 65.5494L164.218 90.4101C145.26 92.4002 127.565 100.857 114.108 114.357C100.083 128.382 92.1048 146.166 90.1602 164.468L65.2995 161.822L65.3054 161.828ZM106.742 166.236C108.331 151.068 115.094 136.911 125.893 126.143C137.112 114.923 151.337 108.536 165.98 106.986L168.626 131.847C159.147 132.842 150.299 137.07 143.57 143.82C136.82 150.549 132.592 159.397 131.597 168.875L106.736 166.23L106.742 166.236ZM148.178 170.643C148.772 164.955 151.307 159.645 155.355 155.605C159.563 151.398 164.901 149.006 170.387 148.422L173.033 173.283L148.172 170.637L148.178 170.643Z' fill='%23F0DB4F'/%3e%3cpath d='M48.2861 159.504L24.4251 156.97C28.0872 123.149 43.2229 91.5972 67.3202 67.5711L67.3207 67.5706C92.3595 42.5318 124.066 28.2318 156.72 24.6753L159.254 48.5356C130.894 51.6274 104.439 64.3305 84.2907 84.5417C63.2979 105.535 51.2941 132.128 48.2861 159.504ZM113.753 114.005C99.7727 127.986 91.7642 145.682 89.7173 163.918L65.8565 161.378C68.5247 137.036 79.4341 114.331 96.7829 97.0339L96.7835 97.0334C114.804 79.0126 137.619 68.7019 161.128 66.1005L163.668 89.9666C144.784 92.0634 127.174 100.54 113.753 114.005ZM131.155 168.326L107.294 165.786C108.966 150.923 115.647 137.065 126.246 126.497L126.246 126.496C137.255 115.487 151.178 109.166 165.536 107.538L168.076 131.405C158.671 132.506 149.909 136.754 143.217 143.467C136.504 150.159 132.256 158.921 131.155 168.326ZM155.709 155.959C159.705 151.963 164.742 149.637 169.944 148.977L172.47 172.72L148.733 170.194C149.408 164.81 151.86 159.799 155.709 155.959L155.709 155.959Z' stroke='%23F0DB4F'/%3e%3c/g%3e%3cdefs%3e%3cfilter id='filter0_d' x='-3.6778' y='0.572121' width='247.356' height='247.356' filterUnits='userSpaceOnUse' color-interpolation-filters='sRGB'%3e%3cfeFlood flood-opacity='0' result='BackgroundImageFix'/%3e%3cfeColorMatrix in='SourceAlpha' type='matrix' values='0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0' result='hardAlpha'/%3e%3cfeOffset dy='4'/%3e%3cfeGaussianBlur stdDeviation='2'/%3e%3cfeComposite in2='hardAlpha' operator='out'/%3e%3cfeColorMatrix type='matrix' values='0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.25 0'/%3e%3cfeBlend mode='normal' in2='BackgroundImageFix' result='effect1_dropShadow'/%3e%3cfeBlend mode='normal' in='SourceGraphic' in2='effect1_dropShadow' result='shape'/%3e%3c/filter%3e%3c/defs%3e%3c/svg%3e)
How it works
Indexing
Bundle Scanner maintains an inverted index of NPM libraries which lets us search for libraries by the contents of their files. To create the index, Bundle Scanner picks out NPM libraries that are likely to be bundled into frontend Javascript bundles and downloads the most popular releases of those libraries. It walks through their files to pick certain tokens from the code - mostly literals and object keys - that remain the same after minification. Production Javascript bundles are usually minified, so only these tokens are used to match a library with its minified counterpart inside of a bundle.
Scanning
When a user requests to scan a website, Bundle Scanner scrapes all the Javascript bundles that are used on that specific URL. For each bundle, it picks out tokens that can be used to search through its library index. It then scores NPM releases based mainly on how many tokens it can find in the same order in both in the bundle and in the library code. Since bundlers change the order of code in ways that are hard to predict, it is unusual to find anything close to an exact match. Bundle Scanner then selects the best matching version of every library.
In a second step, Bundle Scanner identifies the specific segment of the bundle code that has been matched by each library and excludes libraries that match intervals that are already taken by other libraries with a better match score. Finally, libraries with a match score above a certain threshold are shown to the user as being part of the bundle.
In benchmark tests, approximately 15% of libraries that are actually inside the bundle are not identified, and around 5% of libraries identified are false positives. The goal is of course to get these percentages closer to zero. The biggest challenge is the large amounts of duplicated code on NPM. Many library authors show a strong devotion to the principles of copy-paste-driven development which makes it hard for Bundle Scanner to distinguishing between libraries.
Contact
Bundle Scanner is developed by me - Markus Englund. I'm a developer based in Gothenburg doing mostly Node.js and frontend development. If you have any questions you can email me at markus@englund.dev. You can check out some of my open source work on GitHub.