svix / svix-webhooks

The enterprise-ready webhooks service 🦀
https://www.svix.com
MIT License

Adding svix for webhook validation adds almost 1 MB to the JS bundle #1483

Open mlafeldt opened 6 hours ago

mlafeldt commented 6 hours ago

Hey,

I've recently started using Svix to handle Clerk webhooks. For this, I tried adding the svix JS package to my Astro project to validate webhook signatures. Unfortunately, this ended up doubling my project's bundle size from 1 MB to 2 MB. 😱

As a workaround, I copied the following code and added @stablelib/base64 + fast-sha256 as dependencies:

https://github.com/svix/svix-webhooks/blob/d0443bda6fa6cccae17b5b3cc5cd420bb6d700e3/javascript/src/index.ts#L803-L939

Surprisingly, this had almost no impact on the bundle size.

I'm no expert on ESM or bundling, but there seems to be a problem with the code's structure that prevents proper tree shaking.

This is especially concerning in a constrained environment like Cloudflare Workers/Pages, where bundle size is (even more) important.

(Happy to provide more info if needed.)

mlafeldt commented 6 hours ago

Looks like I could also use https://github.com/standard-webhooks/standard-webhooks/tree/main/libraries/javascript as a lightweight alternative. However, it expects different non-branded headers...

Update: This works perfectly fine.

```ts
// Map unbranded webhook headers to Svix headers
const svixHeaders = {
  'webhook-id': request.headers.get('svix-id') as string,
  'webhook-timestamp': request.headers.get('svix-timestamp') as string,
  'webhook-signature': request.headers.get('svix-signature') as string,
}
```

So, I'm now using the tiny standardwebhooks package for validation. 👍