Stubbifier: debloating dynamic server-side JavaScript applications

JavaScript is an increasingly popular language for server-side development, thanks in part to the Node.js runtime environment and its vast ecosystem of modules. With package manager npm, users are able easily include external modules as dependencies their projects. However, npm installs with all functionality, even if only a fraction needed, which causes undue increase code size. Eliminating this unused functionality from distributions desirable, but sound analysis required find difficult due JavaScript’s extreme dynamicity. We present fully automatic technique that identifies by constructing static or dynamic call graphs application’s tests, replacing deemed unreachable either file- function-level stubs. Due highly nature, graph construction may suffer unsoundness, i.e., identified fact be reachable. To handle such cases, stub called, it will fetch execute original on-demand preserve behavior. The also provides optional guarded execution mode guard application against injection vulnerabilities untested resulted expansion. This implemented open source tool called Stubbifier, designed help developers produce minimal production distribution. Stubbifier supports ECMAScript 2019 standard. In empirical evaluation on 15 applications 75 clients these applications, reduced size 56% average while incurring minor performance overhead. shows Stubbifier’s capable preventing several known manifested stubbed-out code. Finally, can work alongside bundlers, tools bundling dependencies. For considered subject we measured reduction 37% bundled distributions.