Research
Security News
Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
This is a tool to decode JavaScript bundles produced by tools like [Webpack](https://webpack.github.io/) and [Browserify](http://browserify.org/) into their original, pre-bundled source.
Reasons vary, but I originally developed this to help me with a reverse engineering project I was working on. Needless to say, sifting through minified bundles to try to figure out how a service works isn't fun, and it is a lot easier when that bundle is broken into files and those files have semantic names.
```
npm i -g debundle
```

```
Usage: debundle [input file] {OPTIONS}

Options:
  --input,  -i  Bundle to debundle
  --output, -o  Directory to debundle code into.
  --config, -c  Configuration directory
```
```json
{
  "type": "webpack",
  "entryPoint": 1,
  "knownPaths": {}
}
```

(To debundle a Browserify bundle, replace `webpack` in the above configuration with `browserify`.)
- `type` (required): `webpack` or `browserify`, the kind of bundle being decoded.
- `entryPoint` (required for webpack bundles): The entry point module id. If left empty for a Browserify bundle it can often be calculated procedurally.
- `knownPaths` (required): An object mapping module ids to the location on disk to put a given module. For example, `{"1": "./foo", "2": "mypackage/index", "3": "./bar/baz"}` would make this structure:

  ```
  ├── foo.js
  ├── bar
  │   └── baz.js
  └── node_modules
      └── mypackage
          └── index.js
  ```

  If a path starts with `./`, it's relative to the output directory. Otherwise it is treated as a package under `node_modules`, with the first segment of the path naming the package and the rest of the path indicating where inside that module to put the file.
- `moduleAst`: Instructions to get a reference to the module AST. Only required in unusual bundles where the location of the modules' AST can't be found automatically (because it's in a different location in the bundle, for example). This is given as an array of strings / numbers used to traverse the AST data structure. For example, `["foo", "bar", 0, "baz", 1]` would get `ast.foo.bar[0].baz[1]`.
FAQs
The npm package debundle receives a total of 57 weekly downloads. As such, debundle's popularity was classified as not popular.
We found that debundle has an unhealthy version release cadence and project activity because its last version was released a year ago. It has 1 open source maintainer collaborating on the project.