feat: add modern bundle flavor with native-API shims #1643
Open
tbrannam wants to merge 1 commit into
Adds a parallel `auth0-js/modern` ESM entry point that's ~42% smaller

The default bundle is byte-identical to before; existing consumers see no change.

Exposed via package.json `exports`:

import auth0 from 'auth0-js' → legacy (default, unchanged)
import auth0 from 'auth0-js/modern' → modern bundle

Bundler users can transparently swap via alias (`auth0-js$` → `auth0-js/modern` in webpack, `auth0-js` → `auth0-js/modern` in Vite/esbuild).
aac9d09 to 9cd0ce2
tbrannam commented May 14, 2026
| /** | ||
| * @typedef {import('../authentication').default} Authentication | ||
| */ | ||
|
|
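Review bot: the `@typedef` in this hunk brings `Authentication` in through a JSDoc `import('../authentication').default` type, and nothing in the comment block says the reference is meant to be type-only. A one-line note in the same block stating that no runtime import of `../authentication` is wanted here would keep a later edit from adding one.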
Author
this change is inconsequential - it silences one of the two circular dependency warnings during builds
feat: add modern bundle flavor with native-API shims
Related
#1495 - cites a bundle saving opportunity that was rejected due to relying on new dependencies; this PR replicates the savings by leveraging browser-native functionality instead of introducing supply chain risks from other npm packages.
Summary
Adds a parallel `auth0-js/modern` entry point that's ~42% smaller raw / ~44% smaller gzipped than the default bundle, by aliasing five legacy npm dependencies to small shims over native browser APIs. The default bundle is byte-identical to before — existing consumers see no change.

Motivation

`auth0-js` v10 still ships an IE9-compatible bundle by default, which carries:

- `qs` (the largest single dep)
- `superagent` + its transitive deps (cookiejar, debug, fast-safe-stringify, mime, etc.)
- `es6-promise` (Promise polyfill, unconditionally bundled via `idtoken-verifier`)
- `unfetch` (XHR-based fetch fallback inside `idtoken-verifier`)
- `base64-js` (used directly and via `idtoken-verifier`)

For consumers targeting evergreen browsers (no IE), every byte of these dependencies is replaceable with a thin wrapper around native APIs. This PR adds that option without removing the IE9-compatible path.
Approach
- `dist/auth0.modern.min.esm.js`) to `rollup.config.mjs`. Target floor: Chrome 70 / Firefox 65 / Safari 12 / Edge 79 (late 2018).
- `MODERN_ALIASES` map in `rollup.config.mjs`. The alias plugin redirects five package imports to local shim files when the modern build is active.
- `idtoken-verifier` to its unbundled source (`node_modules/idtoken-verifier/src/index.js`) — its published artifact pre-bundles the polyfills, so without this redirect the aliases for `es6-promise` / `unfetch` / `base64-js` have nothing to intercept.
- `package.json` `exports` as `./modern`. Default `import auth0 from 'auth0-js'` continues to resolve to the legacy bundle.

Bundle sizes

- `auth0.min.esm.js` (legacy ESM, IE9+)
- `auth0.modern.min.esm.js`

Per-shim savings
Measured by toggling each `MODERN_ALIASES` entry off one at a time and rebuilding:

- `qs` → `URLSearchParams`
- `superagent` → `fetch` + `AbortController`
- `es6-promise` → `Promise` (no-op shim)
- `base64-js` → `btoa`/`atob` + `Uint8Array`
- `unfetch` → `fetch`

The remaining ~5 KB of the legacy-vs-modern delta is from dropped Babel runtime helpers (`_classCallCheck`, `_typeof`, `_createForOfIteratorHelper`, etc.) that the IE9 build needs but the modern target doesn't.

Consumer API
Direct import
Same API surface — `WebAuth`, `Authentication`, `Management` exposed identically.

Bundler alias (transparent swap)
webpack:
Vite:
esbuild:
Browser support floor (modern bundle only)
Any earlier browser (including any IE) must use the default import path.
Behavior parity
The shims aim to be drop-in replacements. Where the original libraries had subtle behaviors, the shims preserve them:
- `qs.parse` — duplicate flat keys and bracket-nested keys both collect into arrays under the base key. Matches qs's "non-string result fails strict-equality" property so `parseHash`'s state check is unaffected. Parity test against real `qs` for duplicate-key shape.
- `superagent.retry(n)` — retries on the same `STATUS_CODES` set superagent uses (408, 413, 429, 500, 502, 503, 504, 521, 522, 524) plus network errors. Immediate retry (no backoff, matching superagent).
- `superagent.abort()` — silently suppresses the callback, matching superagent's `xhr.abort()` readystatechange path. The shim uses `AbortController` (fetch's only cancel mechanism).
- `base64-js.toByteArray` — accepts URL-safe base64 (`-`/`_`) and missing trailing padding. Required because `idtoken-verifier`'s `decodeToHEX` passes URL-safe JWT signature bytes directly through.
- `application/json` and `application/...+json` vendor types both auto-parse as JSON (matches superagent's regex).

Validation

`npm run smoke:modern` passes — headless Chrome drives the full OIDC implicit (id_token) flow against the bundled `oidc-provider`, exercises every shim in the call path (qs for hash parsing, fetch shim for JWKS, base64-js shim for JWT verification), and asserts `parseHash` returns a valid id_token.

How to test locally
The `smoke:modern` script requires a chromedriver matching your installed Chrome major version (`npm i -D chromedriver@<major>` if you see "session not created").

Test plan checklist
- `npm test`)
- `npm run lint`)
- `npm run build` produces all expected artifacts
- `npm run smoke:modern` passes end-to-end against the local oidc-provider
- `dist/auth0.modern.min.esm.js` is appropriate to publish
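
Two of the behaviours listed under "Behavior parity" (the duplicate-key shape that makes a `state` comparison fail, and URL-safe, unpadded base64 decoding), written out as an added example; this is not code from the PR or from auth0-js. The names `parseQuery`, `stateMatches` and `toByteArray` are hypothetical, and the bracket-key handling is one reading of the description above.

```javascript
// Added illustration: function names are hypothetical, not the PR's shim files.

// qs-like parse over URLSearchParams. Duplicate flat keys (a=1&a=2) and
// bracket keys (a[]=1, a[0]=1) both collect into an array under the base key.
function parseQuery(input) {
  const out = Object.create(null); // no prototype, so "__proto__" is only a key
  const text = String(input).replace(/^[#?]/, '');
  for (const [rawKey, value] of new URLSearchParams(text)) {
    const key = rawKey.replace(/(\[[^\]]*\])+$/, ''); // a[0][b] -> a
    if (key in out) {
      out[key] = [].concat(out[key], value);
    } else {
      out[key] = rawKey === key ? value : [value];
    }
  }
  return out;
}

// A repeated `state` parses to an array, so strict comparison with the stored
// string fails. URLSearchParams.get('state') would return the first copy only.
function stateMatches(hash, expectedState) {
  return parseQuery(hash).state === expectedState;
}

// base64-js-like toByteArray over atob. Accepts the URL-safe alphabet (-, _)
// and missing trailing padding, which is how JWT segments are encoded.
function toByteArray(b64) {
  let s = String(b64).replace(/-/g, '+').replace(/_/g, '/');
  if (s.length % 4 === 1) throw new Error('invalid base64 length');
  s += '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s); // throws on characters outside the alphabet
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes;
}

// Constructed inputs.
console.log(stateMatches('#state=abc&id_token=x', 'abc'));
console.log(stateMatches('#state=abc&state=evil', 'abc'));
console.log(Array.from(toByteArray('-_8')));
```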