`, or passed as a prop to a client component — it ends up embedded in the SSR output HTML and the RSC payload. It's exposed to the user.
In the PR diff this looks like nothing more than "a module that reads an environment variable on the server and exports it." Where that export ends up flowing requires walking the call graph. This kind of path doesn't show up in the PR diff.
#### How to catch it
- Enforce the boundary with [`server-only`](https://www.npmjs.com/package/server-only) / [`client-only`](https://www.npmjs.com/package/client-only) packages. Putting `import 'server-only'` at the top of a module makes the build break when the client tries to import it. Always attach it to modules that handle secrets.
- Lint rules like [eslint-plugin-react-server-components](https://www.npmjs.com/package/eslint-plugin-react-server-components)
- Inspect the client chunk treemap directly with Next.js Bundle Analyzer (Turbopack) or `@next/bundle-analyzer` (Webpack)
- Monitor the First Load JS in `next build` output regularly
Even with these, transitive leaks are still hard to catch. The server-only marker has to be applied consistently across every module that needs protection.
### 5. Transitive dependency duplication
If library A requires `zod@3.22` and library B requires `zod@3.23`, npm/pnpm installs both. It's visible in the lockfile but not in the PR diff. The bundle contains zod twice.
#### When duplication becomes a runtime bug
When this happens with a large library like React or Vue, it's not just a size problem — it's a runtime bug. Different React instances operating in the same tree break hooks, break context propagation, and make `instanceof` checks return false. Peer dependencies are exactly the mechanism meant to prevent this, but bad peer-range declarations or forced installs can bypass it.
Schema libraries like zod hit similar issues. If a schema instance built on one side is validated on the other, `instanceof` checks return false, producing strange errors.
#### How to find and fix
- `pnpm why
` or `npm ls ` to see which dependency tree pulled it in
- pnpm/npm `overrides`, yarn `resolutions` to force a single version
- Look for modules appearing twice in the bundle analyzer treemap
- Check dedup feasibility periodically in CI based on the lockfile (`pnpm dedupe --check`)
People won't do this voluntarily on every PR. Wire it into the CI pipeline once and forget about it.
### 6. Other patterns, briefly
These are in the same family as the patterns above rather than each requiring a deep analysis. Same structure: one line in code, an order-of-magnitude cost in the bundle.
**The first-use cost of runtime CSS-in-JS.** Runtime CSS-in-JS like styled-components or emotion pulls in the entire runtime library the moment the first using component is created. Free if it's already there; suddenly +30KB if it isn't. In App Router, compatibility with server components requires extra wrapping, so bundle size and hydration cost accumulate together.
**Polyfill auto-injection.** Automatic `core-js` injection swings by tens of KB depending on `browserslist` configuration. There's no trace in the code. A PR that changes one line of browserslist often grows or shrinks the bundle by 50KB.
**`process.env` inlining and secret leaks.** `NEXT_PUBLIC_*` environment variables are baked in as string literals at build time. Occasionally a secret that mistakenly got the `NEXT_PUBLIC_` prefix ends up exposed in the client bundle. The PR diff only shows the variable name, not that its value gets inlined. Also, environment variables baked into the bundle are pinned at deploy time, so changing them on a platform like Vercel without triggering a new build leaves the old values in place.
**Namespace import of static assets.** `import * as Icons from '@/assets/icons'` for 200 SVGs means the user sees five on a screen but all 200 sit in the build output. Same structure as the dynamic-import-path problem. If a human doesn't declare which assets are needed, the bundler includes them all.
**Dev vs prod behavior differences.** Dev mode includes the HMR runtime, skips minification, applies tree-shaking weakly, uses a different React.lazy chunking policy, and so on. In dev, every client component looks bundled into one chunk; in prod, they're split per route. As a result, the "+120KB chunk fetch on entering a specific route" that's invisible in dev only happens in prod. If you only validate the PR in dev, this cost is invisible.
## So what do we do
People doing this manually on every PR is an operating model that doesn't last. The conclusion is one line:
> **Don't only review the code. Make the artifact's change visible in the PR too.**
The real solution is not for a person to read the bundle, but for the bundle's change to be exposed in the PR in a form a person can read. In rough order of leverage:
### 1. Bundle size diff as a PR comment (mandatory)
The moment a number like "+12KB" is automatically posted to the PR, barrel additions and heavy library installs become visible automatically.
#### size-limit + size-limit-action
[size-limit](https://github.com/ai/size-limit) is the most common choice. Define budgets in `package.json`:
```json
{
"size-limit": [
{
"name": "main bundle",
"path": ".next/static/chunks/main-*.js",
"limit": "120 KB",
"gzip": true
},
{
"name": "page: /products",
"path": ".next/static/chunks/pages/products-*.js",
"limit": "40 KB"
}
]
}
```
Wire [size-limit-action](https://github.com/andresz1/size-limit-action) into a GitHub Action and it comments the size delta vs the base branch on every PR. If the budget is exceeded, CI fails. Because the budget is the basis for failing, you have to explicitly justify "why is +30KB OK" in the PR. That works as social pressure.
#### Next.js + Vercel environment
For Next.js projects, you can use the `next build` output, [Next.js Bundle Analyzer (Turbopack)](https://nextjs.org/docs/app/guides/package-bundling), and `@next/bundle-analyzer` (Webpack) together to see route-level client bundle changes. If you deploy to Vercel, the GitHub integration drops a deploy-preview comment on every PR, exposing the preview URL and deploy info. How exactly bundle information surfaces in PR comments depends on CI/Vercel setup and version, so it's worth checking once and turning it on.
#### bundlewatch
[bundlewatch](https://bundlewatch.io) is a similar concept to size-limit, but it accumulates history in its own service. Comparison against the base branch is more accurate, and you watch the time series in a dashboard.
Whichever tool you use, the point is the same: the number has to be inside the PR. Information you have to visit an external dashboard to see ends up being information no one looks at.
### 2. Surfacing import cost at the time of writing
The fastest line of defense, before CI, is the editor. Extensions like [vscode-import-cost](https://marketplace.visualstudio.com/items?itemName=wix.vscode-import-cost) display each import's module size next to the import line.
```ts
import {debounce} from 'lodash' // 71.5K (gzipped: 25.3K)
import {debounce} from 'lodash-es' // 1.8K (gzipped: 0.9K)
```
When the number is sitting next to the line as you write it, you stop before typing the next line. It's much cheaper and faster feedback than CI. The downside is that it has no enforcement; it has no effect on someone working without the extension. So it has to go alongside CI-side size-limit.
### 3. Block at the static-lint layer
Things you can prevent at the tooling layer:
- `eslint-plugin-import` (especially `no-cycle`, `no-self-import`, `no-unused-modules`)
- `eslint-plugin-barrel-files` or `eslint-plugin-no-barrel-files`
- `depcheck` / `knip`: detect unused dependencies
- `server-only` / `client-only`: enforce the RSC boundary
- `eslint-plugin-react-server-components`: RSC rules
- Next.js's own [`optimizePackageImports`](https://nextjs.org/docs/app/api-reference/config/next-config-js/optimizePackageImports): auto-rewrites packages that ship a barrel
This is one step above PR comments — the layer that prevents the issue from entering the code at all. Putting it as the first line of defense gives the best cost-to-benefit ratio.
### 4. A separate policy for `package.json`-changing PRs
PRs that change `package.json` need a separate reviewer or a separate checklist. This is a process recommendation, not a tooling one. It's worth having the team agree explicitly that adding one line of dependencies has a different cost structure than adding one line of code.
The minimum checklist is roughly:
- Check size on bundlephobia or packagephobia (the first step I always recommend in [Web Performance Analysis Part 1](/2025/05/web-performance-analysis-1))
- ESM support (`"module"` or `"exports"` field)
- `sideEffects` declaration
- Whether a lighter alternative exists for the same functionality
- Whether transitive dependencies conflict with libraries already in the tree
Wire a GitHub Action that says "when `package.json` is in the diff, attach a label and ping a designated reviewer," and the process runs automatically even if a person forgets.
### 5. Periodic checks on production artifacts
There's a class of accumulating cost that PR-time tools don't catch. You have to look at it on a schedule.
- Attach [Lighthouse CI](https://github.com/GoogleChrome/lighthouse-ci) to staging and track LCP/TBT regressions
- Upload Sentry source maps and trace what code is actually running in production
- Periodically inspect the treemap with [`source-map-explorer`](https://github.com/danvk/source-map-explorer) or webpack-bundle-analyzer
- Use a RUM tool (Vercel Speed Insights, Sentry Performance, DataDog RUM, etc.) to monitor LCP/INP distributions
PR-time size-limit catches the cost of this change; periodic checks catch the costs that have accumulated past a threshold. They're complementary.
## What about just pushing the artifact every time and comparing build outputs?
This is the natural follow-up question. If the problem is that the artifact is invisible in the PR diff, why not push the build result itself with every PR and compare artifact changes via git diff? It sounds like the simplest, most direct solution.
Don't recommend it. Pinning down why not makes the conclusion more solid.
### 1. Minified bundles don't diff in human-readable units
When you compare two bundles with `git diff`, the entire one-line giant string looks like it changed wholesale. Variable names are mangled to `a`, `b`, `c`; function boundaries are gone because of scope hoisting; and depending on the bundler's chunk-splitting or plugin execution order, the mangle output itself can change. The act of "before-and-after comparison" doesn't align in meaningful units. A one-line code change can show up as hundreds of lines of mangled-bundle diff, and a large semantic change can look like a small diff.
If you commit unminified to solve this, the size balloons by an order of magnitude, sending you straight into the next problem.
### 2. Repo size explosion
A typical SPA bundle is 200KB~2MB compressed. If it goes into git on every PR, in a year your git history bloats by gigabytes. Clone times explode, GitHub LFS costs appear, CI checkout takes longer. In a monorepo it accumulates faster.
Git deduplicates identical binary blobs, but for outputs like minifier results that change subtly every time, dedup is basically ineffective. Shallow clone is a workaround, but it means giving up on history — which was the whole point of this approach. So it's self-contradictory.
### 3. Source-of-truth confusion
When the build artifact is in the repo, sooner or later someone modifies the artifact directly. In a hotfix situation, "no time to run a build, just touch dist for a moment" happens. At that moment you have to verify again whether the artifact is in sync with the source — that's another verification layer.
Furthermore, environment differences in toolchain versions or platform-dependent plugins can cause subtle artifact differences across environments. Even with the same lockfile across CI and local environments, OS-specific binary dependencies or plugin behavior differences make byte-level identity hard to guarantee, and the result is that every PR fills up with meaningless false-positive diffs. To prevent this you have to lock the build environment fully via Docker, but whether that cost is worth paying is a separate question.
### 4. It's not the recommended practice on application frontends
In the library distribution space, projects still commit `dist/` — for direct CDN distribution, supporting consumers without a build environment, or generated-artifact review. But for application frontends, accumulating build artifacts in git history is hard to recommend as a PR review strategy. It was common in the jQuery/Bootstrap library distribution era, but as a way for humans to review application bundle diffs, the cost-to-benefit ratio is bad. There's a reason putting `dist/`, `build/`, `.next/` in `.gitignore` became the standard on the application side.
### "What if I don't use it for deploy, only push it for comparison?"
A narrower variant comes to mind at this point. What if we don't use dist as a deploy artifact, but purely for comparison — push it on every PR so we can see artifact changes via git diff? It sounds like the most reasonable middle ground, but the core of the rebuttals above is still essentially intact.
- Minified bundle diffs are unreadable in meaningful units even for comparison purposes. You can tell the bytes changed, but "why is it +18KB" doesn't show up. The information value of the comparison is nearly zero.
- "Comparison only" doesn't make the binary blobs accumulating in git history go away. Splitting into a separate branch or LFS protects main history, but at that point the simplicity of "just put it in git" is already gone.
- False positives are even more lethal when the use is comparison. The moment environment differences produce a byte difference once or twice, the entire comparison signal is poisoned, and the team starts ignoring the alarms.
Building unminified and pushing solves the first problem (diff readability), but repo size deteriorates by an order of magnitude further, and you end up comparing artifacts that aren't the minified production output, drifting away from the article's starting point: "the code the user receives."
To genuinely capture the value of comparison, you need a form that supports meaningful-unit comparison. That's stats JSON, size metrics, module graphs. At that point there's no longer any reason to put dist in git. External time-series services (RelativeCI, Codecov) are exactly the refined form of this idea.
### But the intuition is half right
The direction "compare the build result before and after" is correct. The comparison subject just needs to be the bundle's metadata, not the bundle file itself.
#### Bundle stats JSON
Webpack/vite/rollup all let you emit a stats JSON at build time:
```json
{
"entrypoints": {
"main": { "size": 245678, "assets": ["main.abc123.js"] }
},
"modules": [
{ "name": "node_modules/lodash/index.js", "size": 71234 },
{ "name": "node_modules/react-dom/index.js", "size": 134567 }
],
"chunks": [...]
}
```
It's a JSON containing only the graph and size info, not the bundle file itself. It's about 1/100 the bundle size and supports semantic comparison. You can keep history by accumulating in a separate branch (`bundle-stats`) or sending to external storage. The downside is tooling is sparse if you build it yourself.
#### External time-series services
[RelativeCI](https://relative-ci.com) and [Codecov Bundle Analysis](https://docs.codecov.com/docs/javascript-bundle-analysis) are exactly this model. They accumulate in external storage as a time series without putting the bundle in git, and automatically post comments like "+18KB vs main, lodash newly added" on every PR. The original intuition of "compare before and after" is implemented exactly in this form.
#### GitHub Actions artifacts
Keep the webpack-bundle-analyzer HTML treemap as an artifact for 90 days on every build. It's not in git history, but you can always view past artifact structure visually. It's the lightest entry point in environments where adopting an external service feels heavy.
#### Summary
| Approach | Recommendable? |
| ------------------------------------------------- | -------------------------------------------- |
| Commit the bundle file itself to git history | ❌ A pattern from a previous era that failed |
| Accumulate bundle stats JSON in a separate branch | △ Possible, but tooling is sparse |
| RelativeCI / Codecov Bundle Analysis | ✅ Most realistic |
| Keep treemaps as GitHub Actions artifacts | ✅ Good as a supplement |
Leave the shadow of the build artifact, not the artifact itself, in history. This one correction closes the gap between intuition and practice.
## Why these tools still aren't turned on
The tools above are all free, and setup takes half a day. Yet most frontend projects you look at don't have any of them on. Why?
First, **the cost of a single PR is invisible.** Nobody cares about "this PR is +5KB." It needs to accumulate 100 times to become +500KB, and at that point tracing which PR caused what is impossible. Accumulated cost has diffuse responsibility, so no one stops it.
Second, **the moment you turn the tool on, you have to set a budget.** Once you set a budget, PRs that break the budget appear, and you have to decide whether to block or pass them. Once decision cost begins, the tool gets turned off. To prevent this you need an operational policy that starts with budget = "current size + a small margin" and tightens it incrementally.
Third, **fatigue from false positives.** Toolchain differences, transitive updates without lockfile changes, the non-linear way subtle differences in pre-compression input reflect in post-compression byte size — these produce meaningless +1KB alarms occasionally. After a couple of repetitions the team starts shrugging them off as "that thing again." To prevent this you need to set thresholds appropriately. Ignore below 1KB, comment above 5KB, fail above 50KB — that kind of staged response.
Without solving all three, the tool gets adopted and then quietly disabled.
## In closing
On the frontend, "code review is enough" is only half true. We are not reviewing the code our users receive. The asymmetry where a +1-line change in the PR diff becomes +200KB in the user's browser will not close unless that cost is lifted into a place a person actually sees.
The solutions proposed here aren't new. They're all well-known tools, all free, all easy to set up. What's missing is the perspective on where and how those tools should be placed. The point isn't for a person to read the bundle, but for the bundle's change to be forced into the person's field of view. Without that perspective, this becomes another tool-recommendation post, and the tools get turned on and then off.
One last thing. In an era when AI agents automatically add dependencies and refactor components, this asymmetry accumulates at the agent's pace, not the human's. When a single PR adding three libraries and creating two barrels becomes routine, the line of defense "the reviewer will look carefully" collapses faster. By that point, automatically posting a bundle size diff to the PR is not a nice-to-have but a default. If we accept that what made compiler output trustworthy was not the compiler itself but the verification infrastructure around it, then we have to start by admitting that on the frontend, only half of that infrastructure is in place.
[^barrel-files]: [eslint-plugin-barrel-files](https://npmx.dev/package/eslint-plugin-barrel-files) — ESLint plugin that catches common mistakes related to barrel files.
[^no-barrel-files]: [eslint-plugin-no-barrel-files](https://npmx.dev/package/eslint-plugin-no-barrel-files) — ESLint plugin that disallows barrel files entirely.