This is a tool to decode javascript bundles produced by tools like [Webpack](https://webpack.github.io/) and [Browserify](http://browserify.org/) into their original, pre-bundled source.
Reasons vary, but this tool was originally developed to help me with a reverse engineering project. Needless to say, sifting through minified bundles to try and figure out how a service works isn't fun and is a lot easier when that bundle is broken into files and those files have semantic names.
```
npm i -g debundle
```

```
$ debundle
Usage: debundle [input file] {OPTIONS}

Options:
   --input,  -i  Bundle to debundle
   --output, -o  Directory to debundle code into.
   --config, -c  Configuration file

$ cat debundle-config.json
{
  "type": "webpack",
  "entryPoint": 1,
  "knownPaths": {}
}

$ debundle -i my-bundle.js -o dist/ -c debundle-config.json
$ tree dist/
dist/
├── index.js
└── node_modules
    ├── number
    │   └── index.js
    └── uuid
        ├── index.js
        ├── lib
        │   ├── bytesToUuid.js
        │   └── rng.js
        ├── v1.js
        └── v4.js

4 directories, 7 files
```
```json
{
  "type": "webpack",
  "entryPoint": 1,
  "knownPaths": {}
}
```

(To debundle a simple Browserify bundle, replace `webpack` in the above configuration with `browserify`.)
`type`
(required) A `webpack` or `browserify` bundle.

`entryPoint`
(required for webpack bundles) The entry point module id. If left empty in a Browserify bundle it can often be calculated procedurally.

`knownPaths`
(required) An object mapping module ids to the location on disk to put a given module. For example, `{"1": "./foo", "2": "mypackage/index", "3": "./bar/baz"}` would make this structure:

```
├── foo.js
├── bar
│   └── baz.js
└── node_modules
    └── mypackage
        └── index.js
```

- If a path starts with `./`, it's relative to the output directory.
- Otherwise, the file goes under `node_modules`, with the rest of the path indicating where inside that module to put the file.

`moduleAst`
Instructions to get a reference to the module AST. Only required in weird bundles where the location of the modules AST can't be found (because it's in a different location in the bundle, for example). This is indicated as an array of strings / numbers used to traverse through the AST data structure.

For example, `["foo", "bar", 0, "baz", 1]` would get `ast.foo.bar[0].baz[1]`.
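The `knownPaths` and `moduleAst` rules described above, written out as code. This is an added example, not debundle's own implementation: the function names are hypothetical, and appending `.js`, refusing `..` segments and rejecting two ids that map to one file are assumptions of the example.

```javascript
// Added example, not debundle's own code; all function names are hypothetical.

// Map one knownPaths value to a path relative to the output directory.
// Appending ".js" when missing is inferred from the example ("./foo" -> foo.js).
function resolveKnownPath(spec) {
  if (typeof spec !== 'string' || spec === '') {
    throw new TypeError('knownPaths values must be non-empty strings');
  }
  const local = spec.startsWith('./');
  const raw = local ? spec.slice(2) : 'node_modules/' + spec;
  const parts = raw.split('/').filter((s) => s !== '' && s !== '.');
  // Choice made for this example: refuse anything that could leave the output directory.
  if (parts.some((s) => s === '..' || s.includes('\\'))) {
    throw new RangeError('path escapes the output directory: ' + spec);
  }
  if (parts.length === (local ? 0 : 1)) {
    throw new RangeError('no file name in: ' + spec);
  }
  const file = parts.join('/');
  return file.endsWith('.js') ? file : file + '.js';
}

// Resolve a whole knownPaths object and reject two ids landing on one file.
function planLayout(knownPaths) {
  const byFile = new Map();
  const layout = {};
  for (const [id, spec] of Object.entries(knownPaths)) {
    const file = resolveKnownPath(spec);
    if (byFile.has(file)) {
      throw new Error(`modules ${byFile.get(file)} and ${id} both map to ${file}`);
    }
    byFile.set(file, id);
    layout[id] = file;
  }
  return layout;
}

// Follow a moduleAst path such as ["foo", "bar", 0, "baz", 1] through an object.
function followAstPath(ast, steps) {
  return steps.reduce((node, step, i) => {
    if (node === null || typeof node !== 'object' || !(step in node)) {
      throw new Error(`moduleAst step ${i} (${JSON.stringify(step)}) not found`);
    }
    return node[step];
  }, ast);
}

// Constructed sample input: the mapping from the documentation above.
const sample = planLayout({ 1: './foo', 2: 'mypackage/index', 3: './bar/baz' });
console.log(sample);
```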
- Run `npm install` - that should be it.
- The entry point is `./src/index.js` (that's how you run it!)
- Sample bundles are in `test_bundles/`. A script, `test_bundles/run_test.sh`, can run the debundler against a given bundle and try to debundle it into `dist/`. (CI will, as part of running tests, debundle all the bundles in that folder.)
- Run the tests with `npm test`.
Some companies specify in their terms of service that their code cannot be "reverse engineered". Debundling can definitely (depending on how you're using the code) fall under that umbrella. Understand what you are doing so you don't break any agreements :smile:
The npm package debundle receives a total of 61 weekly downloads. As such, debundle popularity was classified as not popular.
We found that debundle demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.