Skip to content
CS 484: Secure Web Application Development

"Compiling" Your Web App

Software Engineering comes to Web Development

The Early Days of the Web

In the early days of the web, web pages were static and simple, primarily consisting of HTML and CSS, with JavaScript used sparingly for basic interactivity. All JavaScript was typically embedded directly in the HTML or loaded via individual <script> tags. This meant that JavaScript was executed synchronously and operated in the global scope—meaning all variables, functions, and objects were globally accessible and could easily conflict with one another. This model worked well enough when web pages were small and simple, but as web applications became more interactive and feature-rich, the lack of modularity in JavaScript became a serious limitation. Without a clear way to organize code into independent modules, developers were forced to manually manage all their JavaScript code in one monolithic scope, leading to unpredictable behavior, debugging challenges, and collisions between different parts of the codebase.

Scaling Complexity

As web development advanced, applications started handling more complex tasks—dynamic content, user interactions, and asynchronous network requests—making the JavaScript codebase larger and more interconnected. With no official mechanism for dividing code into modular pieces, developers resorted to manually concatenating scripts and controlling the order of <script> tags in HTML to ensure dependencies loaded in the correct sequence. For example, a utility function defined in one file had to be loaded before any script that depended on it, leading to fragile setups where changing one file could break the entire app. Furthermore, managing script dependencies manually meant that even minor mistakes could cause errors, such as a critical function being unavailable because it was loaded too late. As a result, working on large-scale projects became inefficient, error-prone, and difficult to maintain. The absence of structured dependency management made it nearly impossible to scale web applications without introducing complex bugs and performance issues.

Early Browser Limitations

Browsers of the time had significant limitations that exacerbated these challenges. For one, they had no built-in support for module systems, meaning that all JavaScript files had to be treated as single, global scripts. Additionally, browsers could only load scripts synchronously, which meant the page wouldn’t render or become interactive until all JavaScript files were fully loaded. This created a problem: loading many scripts slowed down the page, but bundling everything into one file also caused issues, including larger file sizes and an increased risk of conflicts. In the days of HTTP/1.x, each script request was an independent, costly operation, often blocking the page from rendering. This meant that having too many scripts on a page could lead to long load times and sluggish user experiences. Faced with these limitations, developers began to seek out solutions that would allow them to modularize their code, reduce unnecessary network requests, and speed up page loading.

The Need for Modularization

As web applications became more sophisticated, the demand for better ways to organize JavaScript code grew. Developers needed to separate concerns, reuse code more effectively, and avoid the pitfalls of global variables and script loading order. This need drove the rise of modular programming in JavaScript. Modularization allows developers to break up their code into independent, reusable modules, each with its own scope and clearly defined interface. Early attempts at modularity included techniques like Immediately Invoked Function Expressions (IIFEs) to encapsulate code, but these were stopgaps rather than complete solutions. Over time, the evolution of the web led to the development of module systems like CommonJS and ECMAScript Modules (ESM), as well as bundlers and transpilers that could efficiently manage dependencies and ensure cross-browser compatibility. These advancements paved the way for modern JavaScript development workflows, enabling developers to build more complex, maintainable, and performant web applications.

Modular JavaScript

Global Scope Issues

In the early web development landscape, every JavaScript file loaded into a webpage shared the global scope. This meant that all functions, variables, and objects existed in a single, shared space: the window object. In smaller projects, this was manageable, as there were only a few scripts, and developers could ensure that variable and function names wouldn’t collide. However, as web applications became more complex, this lack of modularity became a critical flaw. Two scripts could inadvertently define the same global variable, causing unpredictable behavior and hard-to-track bugs. For instance, loading multiple third-party libraries could lead to one library overwriting the functionality of another, simply because they used the same global variable name. This made maintaining large codebases a precarious task, where any new code could conflict with existing code. The need for encapsulation—isolating code into independent modules that don’t interfere with each other—became increasingly apparent as web applications scaled in size and complexity.

IIFE (Immediately Invoked Function Expression)

In response to the global scope problem, developers began using a pattern called the Immediately Invoked Function Expression (IIFE) to create isolated scopes. An IIFE is a function that runs as soon as it is defined, effectively creating a private scope where variables and functions exist without polluting the global namespace. By wrapping code inside an IIFE, developers could ensure that variables defined within it wouldn’t be accessible outside, thus preventing naming conflicts and helping to organize code better. This technique quickly became a best practice for managing scope in early JavaScript projects.

For example, the following code encapsulates a variable inside a function that runs immediately:

(function() {
  var message = "Hello, World!";
  console.log(message); // Outputs: Hello, World!
})();

In this example, the message variable is contained entirely within the IIFE and cannot be accessed globally. While this approach helped avoid the risks of global variable collisions, it did little to solve the problem of dependency management. If one script depended on another, developers still had to carefully manage the order in which scripts were loaded, and there was no standardized way to declare dependencies between different pieces of code. IIFEs were a useful pattern for scope management but fell short of providing a complete solution for modularity.

CommonJS (CJS)

As JavaScript expanded beyond the browser and into server-side development with the rise of Node.js, the limitations of the global scope in JavaScript became even more pronounced. On the server, developers needed a formal way to organize code into reusable, isolated components that could be loaded independently of each other. This led to the creation of the CommonJS (CJS) module system. CommonJS introduced two key features: the ability to require modules and the ability to export functionality from a module.

In CommonJS, each file is treated as a separate module. By using the require() function, developers could import the contents of one module into another, and by using module.exports, they could define what parts of a module should be exposed to the outside world. This allowed for true modularity: each module had its own scope, and dependencies could be explicitly declared and loaded in a structured manner. For example:

// math.js (a CommonJS module)
module.exports.add = function(a, b) {
  return a + b;
};


// app.js (requiring the math module)
const math = require('./math');
console.log(math.add(2, 3)); // Outputs: 5

This system worked exceptionally well for server-side JavaScript, where scripts could be loaded synchronously, meaning that one module would finish loading before the next one was processed. However, when it came to using CommonJS in the browser, things became more complicated. Browsers operate on an asynchronous model: they need to load multiple resources (scripts, images, etc.) concurrently to prevent blocking the rendering of a page. Because CommonJS modules rely on synchronous require() calls, they posed a performance bottleneck when used in the browser, potentially causing delays or even blocking the page entirely if multiple modules had to be loaded.

To address this, developers started using bundlers like Browserify and later Webpack, which could take CommonJS modules and bundle them into a single file that could be served efficiently in the browser. These tools resolved the synchronous nature of CommonJS by pre-processing the dependencies and packaging them into a format that browsers could handle more efficiently. Despite these efforts, the limitations of CommonJS in client-side JavaScript were evident, leading the community to seek a native, standardized module system that would work seamlessly across both servers and browsers. This push ultimately contributed to the development of ECMAScript Modules (ESM), which would go on to become the modern standard for modular JavaScript.

Native Modularization in the Browser

ECMAScript Modules (ESM)

The introduction of ECMAScript Modules (ESM) marked a pivotal moment in the evolution of JavaScript, offering a standardized and efficient module system natively built into the language. Prior to ESM, JavaScript relied on ad-hoc solutions like IIFEs, and CommonJS (which was designed for server-side use), to manage modularity. These methods helped but were never an ideal fit for the unique requirements of the web, where scripts needed to be loaded asynchronously and dependencies had to be handled in a non-blocking manner.

ECMAScript Modules, also known as ES Modules, were first introduced in ECMAScript 2015 (ES6) and provided a formal mechanism for defining and importing/exporting modules across both the browser and server environments. This solved several long-standing issues with modular JavaScript, particularly those related to dependency management, scope pollution, and code reuse.

  1. Synchronous vs. Asynchronous Loading: One of the most fundamental improvements in ESM is the shift to asynchronous loading. Traditional module systems like CommonJS load modules synchronously, which works well on the server where resources are local and loading times are negligible. However, in the browser, synchronous loading would block page rendering, causing performance bottlenecks. ESM’s asynchronous loading model is optimized for the browser’s needs: when an import statement is encountered, the browser fetches the module without halting the rest of the page’s execution. This allows scripts to load concurrently, drastically reducing initial page load times and enabling the browser to handle dependencies more efficiently.

  2. Static Analysis: A key advantage of ESM is that its module structure is statically analyzable. This means the dependencies between modules can be determined at compile time, not just at runtime. Unlike CommonJS’s require() function, which can be invoked dynamically, import and export statements in ESM are lexically scoped, meaning the JavaScript engine can parse and understand them during the initial parsing of the code. This static nature enables advanced optimizations, such as tree shaking, which allows unused parts of code to be identified and removed during the bundling process. The ability to analyze the dependency graph upfront improves both performance and developer tooling, as bundlers and compilers can create more efficient builds.

  3. Encapsulation and Scope: ESM also improves encapsulation by default. In contrast to IIFE-based patterns or global variables, modules in ESM do not leak any variables into the global scope. Each module has its own scope, and developers must explicitly export variables, functions, or objects that should be accessible from other modules. This significantly reduces the risk of namespace collisions, a problem that plagued earlier patterns, and encourages better code organization.

  4. Syntax Simplicity: ESM introduced a simple and intuitive syntax for defining and using modules:

math.js
export function add(a, b) {
  return a + b;
}


// main.js
import { add } from './math.js';
console.log(add(2, 3)); // Outputs: 5

The clean and declarative nature of import and export contrasts with CommonJS’s require() and module.exports, providing a more readable and concise way to manage dependencies. In the browser, this can be used directly, without the need for an additional bundling step.

  1. Tree Shaking: One of the most transformative features enabled by ESM is tree shaking, which is the process of eliminating unused code from the final output bundle. Because ESM enables static analysis, bundlers like Webpack or Rollup can easily detect which parts of a module are actually used and which are not. This results in smaller, more performant bundles, as only the necessary code is included. In contrast, CommonJS modules are harder to tree shake because they rely on dynamic require() calls, making it more difficult for tools to determine unused code. Tree shaking is especially important in modern web development, where reducing the size of JavaScript bundles is crucial for improving page load times and performance.

  2. Native Browser Support: One of the most critical innovations with ESM is its native support in modern browsers. For the first time, browsers themselves can natively load JavaScript modules without any external tools or polyfills. Developers can now include modules directly in their HTML using the <script type="module"> tag, which enables the browser to handle imports and exports natively.

<script type="module" src="main.js"></script>

This native support simplifies development workflows for small projects and allows developers to start writing modular code without needing to rely on bundlers or additional tooling. For large-scale applications, bundling and optimization are still necessary, but for simpler tasks, native ESM support is a significant improvement.

The Challenges of Mixed Environments

While ESM has become the official standard for modular JavaScript, transitioning from older module systems, particularly CommonJS (CJS), has introduced complexities, especially for developers working in environments where both systems coexist. Node.js, which has relied on CommonJS since its inception, now supports ESM, but this has led to compatibility challenges.

  1. Coexisting with CommonJS: Many JavaScript libraries and frameworks, especially those built for Node.js, still use CommonJS. This creates a challenge when trying to integrate ESM modules with a legacy codebase or third-party dependencies. The two systems have fundamentally different ways of loading and interpreting modules. For instance, ESM is lexically scoped and asynchronous, while CJS is dynamically scoped and synchronous. This means that in some cases, importing a CommonJS module in an ESM project or vice versa can result in errors or unexpected behavior.

To ease this transition, modern JavaScript bundlers like Webpack and Rollup have evolved to support hybrid environments where both ESM and CommonJS modules can coexist. These tools offer seamless support for loading CommonJS modules alongside ESM modules by internally transforming the module formats. This allows developers to continue using legacy packages while taking advantage of the modern features ESM offers.

  1. Conditional Module Loading: Some packages now ship with both CommonJS and ESM versions, using a hybrid approach often referred to as dual packages. A typical setup in package.json might look like this:
{
  "main": "dist/index.cjs.js", // CommonJS version
  "module": "dist/index.esm.js" // ESM version
}

This allows modern bundlers or Node.js to choose the correct version of the module based on the environment. While this approach has improved compatibility, it can also introduce complexity in managing the build process.

  1. Tooling and Compatibility: Node.js introduced experimental support for ESM in version 12 and stabilized it in version 14. However, the introduction of native ESM in Node.js came with some changes to the module resolution logic, leading to differences in how ESM is handled on the server versus the browser. This has required adjustments in developer tooling and workflows. For instance, Node.js requires the use of .mjs extensions or specific configuration flags to recognize a file as an ES module, while browsers do not have this restriction.

  2. Performance Considerations: While ESM is generally more efficient for browsers, especially with its support for asynchronous loading, the mix of CommonJS and ESM in hybrid environments can have performance implications. For instance, the use of interoperability layers (where a bundler transforms a CommonJS module into an ESM-compatible format) can add overhead, particularly in large projects. Thus, fully transitioning a codebase to ESM can often yield significant performance improvements.

The introduction of ECMAScript Modules (ESM) was a game-changing advancement for JavaScript, providing a robust, standardized module system that works seamlessly in both the browser and server environments. ESM addresses many of the issues associated with previous modular patterns, including global scope pollution, synchronous loading, and dynamic module resolution. It also introduces powerful features like static analysis and tree shaking, which allow for highly optimized builds. However, transitioning to ESM from legacy systems like CommonJS presents challenges, particularly in environments where both module systems coexist. Modern tooling and bundlers have mitigated these challenges by supporting hybrid environments, enabling developers to take advantage of the benefits of ESM without sacrificing compatibility with existing libraries and frameworks.

Transpiling and Polyfilling

The Problem of Browser Compatibility

As JavaScript has evolved, new language features and improvements have been introduced at a rapid pace. With each update to the ECMAScript specification, developers gain access to more powerful and expressive syntax, such as arrow functions, template literals, classes, and destructuring assignments, as well as entirely new APIs like Promise, Map, and Set. However, not all browsers implement these new features simultaneously. Some browsers, especially older ones like Internet Explorer, lag far behind the latest ECMAScript standards. Even modern browsers like Chrome, Firefox, and Safari adopt new JavaScript features at different rates, and many users run older versions of these browsers.

The challenge for developers is that they need to ensure that their web applications work consistently across a wide range of browsers, from the latest versions to older, outdated ones. This means that developers cannot rely solely on modern JavaScript syntax and APIs if they want their applications to be accessible to all users. Writing JavaScript that works across all browsers, known as cross-browser compatibility, has historically been a significant pain point.

Without solutions like transpiling and polyfilling, developers would have to either avoid using modern features entirely or write complex fallback logic to handle older browsers. This limited the pace at which developers could adopt new JavaScript capabilities and created fragmentation in how code was written and maintained. Transpiling and polyfilling emerged as solutions to these problems, enabling developers to use the latest JavaScript features while ensuring their applications remain compatible with a wide range of browser environments.

Transpiling

Transpiling is the process of converting JavaScript written in a modern version of the language into an older, more widely supported version. This ensures that browsers that don’t yet support newer language features can still run the code. Tools like esbuild have become essential in modern JavaScript development for performing this conversion.

How Transpiling Works:

When you write JavaScript using modern features, a transpiler (like esbuild) takes that code and transforms it into an older version that can be understood by legacy browsers. This typically involves converting ECMAScript 6 (ES6) code or later versions into ECMAScript 5 (ES5), which is supported by the vast majority of browsers.

For example, arrow functions were introduced in ES6 and are not supported by older browsers like Internet Explorer 11. A transpiler would convert an arrow function into an equivalent regular function expression that these browsers can understand.

Example:

Original ES6 code with arrow functions and classes:

class Person {
  constructor(name) {
    this.name = name;
  }


  greet() {
    return `Hello, my name is ${this.name}`;
  }
}


const john = new Person('John');
console.log(john.greet());

Transpiled ES5 code:

function Person(name) {
  this.name = name;
}


Person.prototype.greet = function() {
  return 'Hello, my name is ' + this.name;
};


var john = new Person('John');
console.log(john.greet());

In this example, esbuild transpiles the ES6 class and template literals into an older syntax that works across all browsers, including those that do not natively support ES6 features.

Common Transpiling Use Cases:

  • Arrow functions (() => {}) become regular function expressions (function() {}).
  • Classes (class MyClass {}) are converted into constructor functions.
  • Template literals (`Hello, ${name}`) are turned into string concatenations ('Hello, ' + name).
  • Destructuring assignments and spread/rest operators are replaced with equivalent ES5-compatible code.

By using a tool like esbuild, developers can write their code using the latest JavaScript features without worrying about compatibility issues. Esbuild then generates the older, compatible code that is served to browsers.

Transpiling Non-JavaScript Languages

In addition to standard JavaScript, many modern web applications are built using supersets or variants of JavaScript, such as TypeScript and JSX, which introduce additional functionality and syntax that browsers do not natively understand. To bridge the gap between these enhanced languages and standard JavaScript, transpilers are used to convert code written in these variants into plain JavaScript. This process ensures compatibility with browsers while allowing developers to leverage additional features such as type safety or advanced syntax. Here are some of the most popular non-JavaScript languages and how they are transpiled:

TypeScript

TypeScript is a superset of JavaScript that adds static typing, interfaces, enums, and other language features designed to improve the development experience by catching potential errors during development. While TypeScript introduces these enhancements, browsers do not understand TypeScript natively—they only execute plain JavaScript.

  • Transpiling TypeScript: The TypeScript compiler (tsc) is responsible for transpiling TypeScript code into regular JavaScript. The transpiler strips out type annotations, interfaces, and other TypeScript-specific features and downlevels modern ECMAScript features (if needed) into JavaScript that is compatible with a specified version (e.g., ES5, ES6).

    Example:

    let greeting: string = "Hello, world!";

    Transpiled to:

    var greeting = "Hello, world!";

    TypeScript is particularly valuable for large-scale projects and teams, as it offers strong typing, better tooling (IDE integration, autocomplete, etc.), and early error detection. The transpiler converts this developer-friendly syntax into vanilla JavaScript that can be executed in any environment, making it one of the most widely adopted non-JavaScript languages today.

JSX (JavaScript XML)

JSX is a syntax extension used primarily with React to describe what the UI should look like. It looks similar to HTML but can be written directly in JavaScript files, allowing developers to write markup and logic together in a more intuitive way. JSX cannot be executed by the browser directly, so it must be transpiled into standard JavaScript using tools like esbuild or TypeScript with React support.

  • Transpiling JSX: JSX is transformed into regular JavaScript function calls, such as React.createElement(). This allows the browser to understand and execute the JSX as part of the React component’s render logic.

    Example:

    const element = <h1>Hello, world!</h1>;

    Transpiled to:

    const element = React.createElement('h1', null, 'Hello, world!');

Svelte

Svelte is a framework and language variant that takes a different approach to building web applications. Unlike React or Vue, which use a virtual DOM to update the user interface, Svelte compiles components at build time into efficient JavaScript code that directly manipulates the DOM.

  • Transpiling Svelte: Svelte’s compiler converts the declarative Svelte syntax into vanilla JavaScript at build time, meaning there’s no overhead for virtual DOM diffing during runtime. The result is smaller, faster apps compared to traditional frameworks that rely on JavaScript-driven updates.

    Example:

    <script>
      let name = 'world';
    </script>
    

    <h1>Hello {name}!</h1>

    Transpiled to:

    let name = 'world';
    document.querySelector('h1').textContent = `Hello ${name}!`;

    Svelte simplifies the mental model of reactive programming by doing away with runtime frameworks, instead shifting the work to build time. This results in faster applications and less boilerplate code.

Polyfilling

While transpiling addresses syntax-level compatibility issues, it cannot solve problems related to missing APIs or runtime features. For example, older browsers may not support modern APIs like Promise, fetch(), Map, or Set. This is where polyfilling comes in.

A polyfill is a piece of code that replicates or “fills in” missing features that aren’t natively available in a browser. Polyfills allow developers to use modern APIs, even in browsers that don’t support them, by providing fallback implementations.

Example:

One of the most common examples of polyfilling is the Promise API, which is a native feature of JavaScript starting from ES6. Older browsers, like Internet Explorer, do not support Promise. A polyfill can add this functionality to the browser’s environment so that developers can use promises without having to worry about browser support.

Without a polyfill, in older browsers:

let promise = new Promise((resolve, reject) => {
  // This code would break in browsers without Promise support
});

With a polyfill (such as from core-js):

// The polyfill ensures Promise works even in older browsers
let promise = new Promise((resolve, reject) => {
  // This will work in older browsers
});

Common Polyfills:

  • Promise: Provides a polyfill for the native Promise API.
  • fetch(): Polyfills the fetch() API, which allows browsers to make HTTP requests similar to XMLHttpRequest, but with a cleaner, promise-based interface.
  • Object.assign(): Polyfills the method for copying properties from one or more source objects to a target object.
  • Array.prototype.includes(): Polyfills the includes() method, which checks if an array includes a certain value.

Polyfilling is usually accomplished using a library like core-js. The transpiler Babel can be configured to automatically include the necessary polyfills based on the target browsers specified by the developer.

Module Bundling

Why Bundle?

Bundling is the process of combining multiple JavaScript (or other asset) files into a single or smaller set of files that can be loaded by the browser in fewer HTTP requests. In the early days of the web, browsers made a separate request for each resource (JavaScript, CSS, images, etc.), which could result in dozens or even hundreds of network requests for a single page. This was particularly problematic in the era of HTTP/1.x, where each request introduced significant overhead due to connection setup, latency, and limitations in parallelism. Browsers could only handle a limited number of concurrent connections to the server (typically 6–8 per domain), meaning additional files had to wait for existing downloads to finish before starting.

Bundling became essential to reduce the number of requests and, consequently, the load time of the webpage. By combining JavaScript files into a single bundle (or a few bundles), developers could drastically improve the performance of their applications, particularly in older environments. Bundling also provided additional benefits, such as minimizing the size of each file by eliminating unnecessary code or duplication between files, further enhancing performance.

In modern environments, with the adoption of HTTP/2 (which allows multiplexing, or downloading multiple files simultaneously over a single connection), the need for bundling has diminished slightly but remains relevant for performance optimization, especially in large, complex applications where reducing the number of initial requests still provides noticeable performance gains.

Bundlers (Webpack, Rollup, Parcel)

Modern JavaScript applications, which consist of hundreds or thousands of modules, would be unmanageable without automation. Bundlers like Webpack, Rollup, and Parcel automate the task of combining, optimizing, and managing the dependency tree of JavaScript files, as well as other assets like CSS, images, and even fonts.

Bundlers work by constructing a dependency graph—a structure that maps out all the relationships between the different modules in a project. For instance, if a file app.js imports a utils.js file, the bundler recognizes this relationship and bundles them accordingly. This ensures that each module’s dependencies are properly resolved and that only the necessary modules are included in the final output.

Bundlers also handle module formats—whether you’re using CommonJS (CJS), ESM (ECMAScript Modules), or even AMD. They can transform these module formats into a single unified bundle that can be served efficiently to the browser. Additionally, modern bundlers come with a host of optimizations that allow for advanced features like lazy loading, tree shaking, and code splitting to further improve performance.

Code Splitting

Code splitting is one of the key optimizations that bundlers enable, allowing applications to load only the JavaScript required for the current user interaction or view, rather than loading the entire application upfront. This improves load times, especially for large single-page applications (SPAs), by reducing the amount of JavaScript that needs to be parsed and executed when the page is first loaded.

There are two main types of code splitting:

  1. Entry Point Splitting: This is when different entry points (e.g., main.js for the home page, admin.js for the admin dashboard) each have their own bundle. Only the relevant bundle for the current page is loaded, keeping initial load times low for each part of the application.

  2. Dynamic Importing: With dynamic imports, JavaScript modules are only loaded when they are needed. For example, when the user navigates to a specific route or clicks on a certain button, the corresponding module can be fetched asynchronously. This reduces the amount of code that is executed during the initial load and allows the application to grow without bloating the initial bundle.

Example of Dynamic Importing:

// Instead of importing all at once, load the component only when needed
document.getElementById('openMapPage').addEventListener('click', () => {
  import('./mapper.js').then(module => {
    module.renderComponent();
  });
});

Code splitting is particularly useful in SPAs where users may not need access to all functionality immediately. By splitting the code into chunks and loading them on-demand, you can ensure that the page loads quickly, with additional features brought in only when necessary.

Tree Shaking

Tree shaking is another crucial optimization performed by modern bundlers, particularly when using ESM (ECMAScript Modules). Tree shaking refers to the process of removing unused or “dead” code from the final bundle. This optimization reduces the size of the bundle and improves performance by ensuring that only the code that is actually used by the application is included in the output.

Bundlers like Rollup and Webpack are able to perform tree shaking effectively because of the static structure of ES modules. When analyzing the dependency graph, the bundler can determine which modules and functions are being used and which ones can be safely removed. This is more challenging with older module systems like CommonJS, where require() is dynamic, but still possible with modern tools.

For example, consider the following code:

utils.js
export function unusedFunction() {
  console.log("This function is not used");
}


export function usedFunction() {
  console.log("This function is used");
}


// main.js
import { usedFunction } from './utils.js';
usedFunction();

In this case, tree shaking would detect that unusedFunction is never imported or called in the application, and it would remove it from the final bundle. This reduces the overall size of the JavaScript that is sent to the browser.

The primary benefit of tree shaking is that it enables developers to import libraries or modules without worrying about pulling in excess code they don’t need. Tree shaking makes it possible to import only the specific pieces of code required for the application, significantly reducing the size of the final JavaScript bundle and improving performance.

Minification and Compression

  • Minification: Minification is the process of stripping out unnecessary characters like whitespace, comments, and shortening variable names to reduce file sizes. This process, while seemingly simple, can dramatically decrease the amount of data transferred over the network, especially for large applications.

  • Compression: In addition to minification, we’ve already seen that modern web servers use the Content-Encoding header to indicate that the body of a given response has been compressed. This is typically done using algorithms like Gzip or Brotli to further reduce the size of JavaScript files before they are sent to the browser. Compressed files are smaller and download faster, improving page load times, especially for users on slower networks.

  • Optimizing Non-JavaScript Assets: It’s not just JavaScript that benefits from optimization. Images, fonts, and other static assets can be compressed and optimized for faster delivery. Techniques like lazy loading, lossy compression, or changing the format to a modern option like webP can optimize images used in a page to make the page and/or the image load much faster. Font subsetting and resource inlining (including the content directly using a data: URL) can further reduce the initial page load time.

Dependency Management

Managing Third-Party Dependencies

Modern JavaScript applications rely heavily on third-party libraries and frameworks to speed up development and avoid reinventing the wheel. These libraries offer pre-built solutions for a wide array of use cases, from managing user authentication to making HTTP requests and implementing complex UI components. While the reuse of open-source packages increases efficiency, it also introduces complexities in managing dependencies effectively.

Package managers like npm (Node Package Manager) and bun’s integrated package manager have become essential tools for handling these dependencies. They allow developers to define their application’s dependencies in a package.json file, which acts as a manifest for all the third-party libraries the project depends on.

Semantic Versioning (SemVer)

One important concept in dependency management is Semantic Versioning (SemVer), a versioning scheme used by most libraries to communicate changes in their releases. SemVer uses a three-part version number in the format MAJOR.MINOR.PATCH, where:

  • MAJOR: Increments indicate breaking changes that are incompatible with previous versions.
  • MINOR: Increments signify the addition of new features in a backward-compatible manner.
  • PATCH: Increments represent bug fixes or other backward-compatible improvements.

For example, version 1.2.3 would mean the MAJOR version is 1, the MINOR version is 2, and the PATCH version is 3. When managing dependencies, version ranges can be specified (e.g., ^1.2.0), which allows package managers to automatically update to newer PATCH and MINOR versions but avoids breaking changes introduced by a new MAJOR version.

While in theory SemVer helps ensure that updates to dependencies are safe, it is up to library maintainers to follow these guidelines. In practice, it is still possible for breaking changes to occur even within the same MAJOR or even MINOR version, so developers must be vigilant when updating dependencies.

Key Features of Dependency Management:

  1. Version Control: With package.json, developers can specify which version of a library their project requires. This is important because libraries often receive updates that may introduce breaking changes. By locking dependencies to specific versions, developers can avoid unintended breakage in their applications due to incompatible library updates.

  2. Lock Files for Reproducible Builds: To ensure that all team members and deployment environments use the exact same versions of libraries, package managers generate lock files (e.g., package-lock.json for npm or bun.lockb for bun). These files record the exact version of each dependency, including sub-dependencies (or transitive dependencies), so that everyone working on the project is using the same set of libraries. This makes the build process reproducible—the same versions are installed every time, preventing “works on my machine” issues.

  3. Subdependency Resolution: When a project relies on a third-party library, that library may itself have dependencies on other libraries. This forms a complex web of subdependencies. Package managers automate the resolution of these subdependencies, ensuring that the correct versions are installed and that potential conflicts between versions are managed. For example, if two libraries require different versions of the same subdependency, npm and bun can often resolve these conflicts by installing multiple versions if necessary.

  4. Automatic Dependency Updates: npm-check-updates and bun update allow one to automatically update dependencies to their latest versions, either globally or on a per-package basis. While updating dependencies can bring in new features and bug fixes, care must be taken to avoid breaking changes that might impact the functionality of the app.

Security Risks in Dependencies

While third-party libraries save time and effort, they also pose significant security risks. Using external code introduces the possibility that a library might contain vulnerabilities, outdated dependencies, or even malicious code. Since libraries are often widely used across many applications, they become attractive targets for attackers. The supply chain of dependencies and subdependencies can introduce hidden vulnerabilities that may be exploited if not regularly audited and managed.

Common Security Risks in Dependencies:

  1. Vulnerabilities in Popular Libraries: Widely used libraries sometimes contain security vulnerabilities. Attackers frequently scan open-source libraries for exploits, and if an application is using an outdated or vulnerable version of a library, it can be compromised. Vulnerabilities such as cross-site scripting (XSS), remote code execution (RCE), and data exposure are some of the common risks introduced by insecure libraries.

  2. Unmaintained or Deprecated Libraries: Some libraries are no longer actively maintained, which means they may not receive patches for discovered security vulnerabilities. Continuing to use these libraries introduces risks, as vulnerabilities in them will remain unfixed, potentially exposing the application to attacks.

  3. Malicious Packages: In rare but serious cases, attackers can inject malicious code into libraries—either by directly publishing malicious packages or by gaining control of legitimate packages and adding backdoors or other exploits. These packages may perform malicious actions, such as stealing sensitive data, downloading additional malware, or compromising the server or user’s system.

  4. Subdependency Risks: Even if your direct dependencies are secure, vulnerabilities in subdependencies—the libraries that your dependencies rely on—can also introduce security risks. Since the dependency tree can be deep and complex, managing security at the subdependency level can be challenging.

To mitigate these risks, modern tools and practices are crucial to ensuring that an application’s dependencies remain secure.

Security Tools and Practices

To address the risks associated with third-party libraries, the JavaScript ecosystem offers several tools and best practices for auditing and managing the security of dependencies:

  1. npm audit scans the project’s dependencies for known security vulnerabilities. It compares the installed packages against a constantly updated database of vulnerabilities and generates a report that details the risks. It also provides recommendations for how to fix these vulnerabilities, often by updating to a patched version of the affected library. Running npm audit fix can automatically update dependencies to secure versions when possible.

  2. Dependabot, now integrated into GitHub, is a tool that continuously monitors your project’s dependencies for vulnerabilities. Instead of being a command line tool, it instead continually watches the code that you have pushed to your git repository on GitHub. When a vulnerability is found, Dependabot can automatically create pull requests to update the affected packages to a secure version. This ensures that security patches are applied quickly, reducing the window of exposure to potential attacks.

Hot Module Reloading

The Problem with Traditional Development Workflows

In traditional web development, any change in code required a complete page reload to see the effects. This was time-consuming, especially for large applications where reloading the entire page could take several seconds or more. Additionally, reloading the entire application meant losing the current application state, making testing changes to specific components or sections of the app more cumbersome. As web applications grew more complex, developers needed a more efficient way to iterate on code without disrupting the development flow.

What is Hot Module Reloading (HMR)?

Hot Module Reloading (HMR) is a technique that allows developers to update modules in a running application without requiring a full page reload. When a file is modified during development, only the updated module is replaced, while the rest of the application continues running. This preserves the application’s state, allowing developers to make changes and instantly see the results in the browser without losing their place or needing to restart the entire app. HMR drastically improves developer productivity, especially in projects where quick iterations and feedback loops are critical.

How HMR Works

HMR is typically implemented by bundlers like Webpack, Parcel, or Vite. When a file changes during development, the bundler sends the updated module to the browser via WebSockets or another communication channel. The browser then replaces the module on the fly, without reloading the entire page. Behind the scenes, the HMR runtime injected into the application listens for updates, fetches the new code, and patches the module. This mechanism ensures that only the affected code is updated, keeping the rest of the application state intact.

Example workflow:

  1. Developer edits a React component.
  2. Webpack detects the change and recompiles the specific module.
  3. Webpack sends the updated module to the browser via WebSocket.
  4. The browser applies the update without reloading the page or resetting state.

Advantages of HMR for Developers

The primary benefit of HMR is developer efficiency. By avoiding full-page reloads, HMR shortens the feedback loop between making a code change and seeing its effect in the browser. This is particularly important in large applications where full reloads are costly in terms of time and cognitive load. Another key advantage is state preservation. For example, in a React app, when a component is updated via HMR, the rest of the app, including the state of other components, remains unchanged. This allows developers to tweak specific components while maintaining the context of the current application state, making debugging and incremental development easier.

Limitations of HMR

While HMR is a powerful tool for improving developer productivity, it does have limitations. Not all code changes can be applied dynamically. For instance, changes to the structure of certain files, like CSS, HTML, or module dependencies, may still require a full page reload. Additionally, for HMR to work seamlessly, the codebase must be designed with modularity in mind. In some cases, poorly structured or monolithic code may lead to unpredictable behavior when HMR is applied. Lastly, HMR can sometimes introduce subtle bugs or inconsistencies in development environments that do not appear in production, making it essential to test changes thoroughly before deploying.

Putting It All Together: Vite with TypeScript and React

To showcase how transpiling, polyfilling, module bundling, dependency management, and security work together in a modern web development workflow, we’ll walk through an example using Vite with TypeScript and React.

Vite is a modern build tool designed for speed and simplicity. Unlike traditional bundlers like Webpack, Vite leverages native ESM in the browser during development for fast module resolution, and it provides features like Hot Module Replacement (HMR). When it’s time for production, Vite bundles and optimizes your code using Rollup under the hood, taking care of code splitting, tree shaking, and more.

Let’s walk through a practical example using TypeScript and React, exploring how Vite integrates the concepts discussed throughout this article.

Development Workflow

Let’s say you’re building a React application using TypeScript. You start by installing the necessary packages and setting up your development environment.

Terminal window
npm init vite@latest my-react-ts-app --template react-ts
 Select a framework:  React
 Select a variant:  TypeScript
cd my-react-ts-app
npm install
npm run dev

When you run npm run dev, Vite spins up a development server that uses native ESM. This means that TypeScript modules are directly transpiled and served as individual files, which is far simpler than performing a full bundling step. Between this approach and Hot Module Replacement (HMR), Vite provides a fast, efficient development experience.

Example: You’re working on a Button component in React. Here’s the TypeScript code:

import React, { useState } from 'react';


export const Button: React.FC = () => {
  const [count, setCount] = useState(0);


  return (
    <button onClick={() => setCount(count + 1)}>
      Clicked {count} times
    </button>
  );
};

When you modify the Button component, such as updating the button text, Vite detects the change and instantly updates the module in the browser without losing the current state of the component. This makes the development process faster and more efficient, reducing the time spent waiting for rebuilds.

Transpiling TypeScript

Vite uses ESBuild to handle TypeScript transpilation during development. ESBuild is extremely fast, allowing Vite to transpile TypeScript to JavaScript in a fraction of the time that traditional tools like Babel would take.

TypeScript Example:

import React from 'react';


interface Props {
  label: string;
}


export const Header: React.FC<Props> = ({ label }) => {
  return <h1>{label}</h1>;
};

Vite automatically transpiles this TypeScript code into plain JavaScript that the browser can execute. The types (Props) are stripped out during transpilation since they are used only for development and type checking. This makes it easier for developers to write clean, maintainable code while still ensuring compatibility with all browsers.

Unlike Babel, which is slower and requires extra configuration to handle TypeScript, ESBuild performs TypeScript transpilation efficiently without additional configuration. During production, Vite will pass the TypeScript code to Rollup for bundling and optimization.

Polyfilling

While TypeScript takes care of transpiling modern JavaScript syntax to be compatible with older browsers, some features require polyfills to function correctly. For example, modern APIs like Promise and fetch() are not supported in legacy browsers.

Some polyfills can be provided via @vitejs/plugin-legacy and others must be provided by a separate library, like core-js or Cloudflare’s hosted polyfills.

Thankfully browser updates have become much more streamlined and aggressive, leading to reduced need to polyfill modern features. However, if you need to support older browsers, you can do so.

Module Bundling and Code Splitting

Once development is complete, you’ll want to build your project for production using npm run build. Vite handles the production build by bundling your application using Rollup, with optimizations like code splitting and tree shaking automatically applied.

Code Splitting: Vite automatically splits your code into separate bundles based on dynamic imports and the structure of your app. For example, if your app includes multiple routes, Vite will create smaller bundles for each route, ensuring that only the necessary code for the current page is loaded. This improves initial load times and provides a faster user experience.

import React, { Suspense, lazy } from 'react';


const LazyComponent = lazy(() => import('./LazyComponent'));


export const App: React.FC = () => (
  <Suspense fallback={<div>Loading...</div>}>
    <LazyComponent />
  </Suspense>
);

In this example, Vite detects the dynamic import of LazyComponent and creates a separate bundle for it. When the user navigates to the section that requires LazyComponent, only then will the additional JavaScript be fetched.

Tree Shaking: During the production build, Vite performs tree shaking to remove any unused code from your project. This reduces the final bundle size, ensuring that only the necessary JavaScript is included.

For example, if you import a large utility library like Lodash but only use a single function from it, Vite will remove the unused parts of the library from the final bundle.

import { debounce } from 'lodash';


debounce(() => console.log('debounced'), 300);

Vite automatically removes any unused functions from Lodash, optimizing your application’s size and performance.

Building and Deploying with Vite

When you’re ready to deploy, Vite’s build process generates highly optimized assets in the dist/ directory. The generated assets include bundled JavaScript, minified CSS, and optimized images, making your app ready for deployment on any static hosting provider.

After running the production build (npm run build), placing the dist/ directory on a web server is sufficient to deploy the client side portion of your web app (if it is fully static). Many frameworks that build on top of Vite, like Astro, understand the conventions of platforms like Netlify, Vercel, or AWS that allow you to build and deploy apps with server-side functionality as well.

Vite’s build process ensures that your React and TypeScript app is bundled, minified, and split into efficient chunks, providing fast load times and improved performance for users.

Conclusion

As you can see, there’s a lot to modern web development beyond just writing HTML, CSS, and JavaScript. The tools and techniques covered here take a long time to fully understand and master, but they are essential for building modern, high-performance web applications.