Identifying and removing dead code brought by web package managers

Summary

Code reuse is a widely adopted practice among developers because of its convenience. Thanks to package managers like npm or yarn, a developer can import a large set of new functions by executing a single command. However, as analyses of popular applications show, the immediate consequence is an enormous number of unused lines of code pulled in from external packages. The attack surface is then unnecessarily large, since these lines could be safely removed without changing the way the application works.

In this internship, the student will first develop new ways to identify and quantify the amount of dead code brought by package managers in web applications. In a second part, the student will develop a tool to remove these lines to mitigate the risks of using external packages.
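To make the two parts of the subject concrete, here is an added example that is not part of this announcement and not a tool of the Spirals team: a small JavaScript script that approximates both steps on a constructed module. It finds which functions of a dependency the application never reaches (starting from the exports the application actually calls and following calls transitively), counts the lines those functions occupy, and then emits a debloated copy of the module with the unreachable functions and their exports removed. The package name "tiny-strings", both source files and the regex-based matching are assumptions made for the example; a real tool would work on an AST produced by a JavaScript parser rather than on regular expressions.

```javascript
// Added example: estimate and remove dead code pulled in from a dependency.
// PACKAGE_SOURCE and APP_SOURCE are constructed inputs; "tiny-strings" is a made-up package name.
const PACKAGE_NAME = "tiny-strings";

const PACKAGE_SOURCE = [
  "function pad(s, n) {",
  "  return s + ' '.repeat(Math.max(0, n - s.length));",
  "}",
  "function trimAll(list) {",
  "  return list.map(function (s) { return s.trim(); });",
  "}",
  "function renderTemplate(tpl, ctx) {",
  "  // builds code from a string: the kind of unused helper that",
  "  // enlarges the attack surface for no benefit when it ships unused",
  "  return new Function('ctx', 'return ' + tpl)(ctx);",
  "}",
  "function padAll(list, n) {",
  "  return trimAll(list).map(function (s) { return pad(s, n); });",
  "}",
  "module.exports = { pad, trimAll, renderTemplate, padAll };",
].join("\n");

const APP_SOURCE = [
  "const strings = require('tiny-strings');",
  "console.log(strings.padAll(['a', 'bb'], 4));",
].join("\n");

// Locate top-level `function name(...) { ... }` declarations with 1-based line
// ranges by counting braces (braces inside string literals are not handled;
// this is enough for the flat module above, a real tool would parse the code).
function findFunctions(source) {
  const lines = source.split("\n");
  const fns = {};
  for (let i = 0; i < lines.length; i++) {
    const m = /^function\s+(\w+)\s*\(/.exec(lines[i]);
    if (!m) continue;
    let depth = 0;
    let end = i;
    for (let j = i; j < lines.length; j++) {
      for (const ch of lines[j]) {
        if (ch === "{") depth++;
        else if (ch === "}") depth--;
      }
      if (depth === 0) { end = j; break; }
    }
    fns[m[1]] = { start: i + 1, end: end + 1, body: lines.slice(i, end + 1).join("\n") };
  }
  return fns;
}

// Names listed in `module.exports = { ... }`.
function findExports(source) {
  const m = /module\.exports\s*=\s*\{([^}]*)\}/.exec(source);
  return m ? m[1].split(",").map((s) => s.trim()).filter(Boolean) : [];
}

// Exports the application touches: find each `x = require('<pkg>')` binding,
// then every `x.<member>` access on that binding.
function findUsedExports(appSource, packageName) {
  const used = new Set();
  const bindRe = new RegExp("(?:const|let|var)\\s+(\\w+)\\s*=\\s*require\\(['\"]" + packageName + "['\"]\\)", "g");
  let b;
  while ((b = bindRe.exec(appSource)) !== null) {
    const memberRe = new RegExp("\\b" + b[1] + "\\.(\\w+)", "g");
    let u;
    while ((u = memberRe.exec(appSource)) !== null) used.add(u[1]);
  }
  return used;
}

// Transitive closure over "function A's body calls function B", starting from
// the used exports, so internal helpers of live functions stay live.
function reachable(fns, roots) {
  const seen = new Set();
  const stack = roots.filter((n) => n in fns);
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const callee of Object.keys(fns)) {
      if (callee !== name && new RegExp("\\b" + callee + "\\s*\\(").test(fns[name].body)) stack.push(callee);
    }
  }
  return seen;
}

// Part one of the subject: identify and quantify the dead code.
function analyze(packageSource, appSource, packageName) {
  const fns = findFunctions(packageSource);
  const exported = findExports(packageSource);
  const used = findUsedExports(appSource, packageName);
  const live = reachable(fns, exported.filter((e) => used.has(e)));
  const dead = Object.keys(fns).filter((n) => !live.has(n));
  const deadLines = dead.reduce((sum, n) => sum + (fns[n].end - fns[n].start + 1), 0);
  const totalLines = packageSource.split("\n").length;
  return { dead, deadLines, totalLines, deadPercent: Math.round((100 * deadLines) / totalLines) };
}

// Part two: drop the dead functions and prune them from the export object.
function debloat(packageSource, dead) {
  const fns = findFunctions(packageSource);
  const drop = new Set();
  for (const n of dead) for (let l = fns[n].start; l <= fns[n].end; l++) drop.add(l);
  const kept = packageSource.split("\n").filter((_, i) => !drop.has(i + 1));
  return kept.join("\n").replace(/module\.exports\s*=\s*\{([^}]*)\}/, (_, names) =>
    "module.exports = { " + names.split(",").map((s) => s.trim()).filter((s) => s && !dead.includes(s)).join(", ") + " }");
}

const report = analyze(PACKAGE_SOURCE, APP_SOURCE, PACKAGE_NAME);
console.log(report); // dead: ["renderTemplate"], 5 of 15 lines (33%)
console.log(debloat(PACKAGE_SOURCE, report.dead));
```

On the constructed input, only `padAll` is called by the application, so `trimAll` and `pad` are kept as its transitive dependencies while `renderTemplate` (five lines, a third of the module) is reported dead and stripped, and the debloated module is analysed again as containing no dead code. The same measure, applied across every dependency in `node_modules`, is what turns "a load of unused lines" into a number a project can track and a removal tool can act on.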

Keywords

software debloating, package managers

Team

Spirals

Supervisors

Pierre Laperdrix (https://plaperdr.github.io/), Romain Rouvoy (http://romain.rouvoy.fr/)

Detailed description

Subject

Prerequisites

Experience in JavaScript and package managers is optional but strongly recommended.

Bibliography

Comments

For additional information, contact either Pierre Laperdrix or Romain Rouvoy by mail.