This is a tool to decode javascript bundles produced by tools like Webpack and Browserify into their original, pre-bundled source.
Reasons vary, but this tool was originally developed to help me with a reverse engineering project. Needless to say, sifting through minified bundles to try and figure out how a service works isn't fun and is a lot easier when that bundle is broken into files and those files have semantic names.
npm i -g debundle
$ debundle
Usage: debundle [input file] {OPTIONS}
Options:
--input, -i Bundle to debundle
--output, -o Directory to debundle code into.
--config, -c Configuration file
$ curl https://raw.githubusercontent.com/1egoman/debundle/master/test_bundles/browserify/bundle.js > bundle.js
$ curl https://raw.githubusercontent.com/1egoman/debundle/master/test_bundles/browserify/debundle.config.json > debundle.config.json
$ cat debundle.config.json
{
"type": "browserify",
"knownPaths": {}
}
$ debundle -i bundle.js -o dist/ -c debundle.config.json
$ tree dist/
dist/
├── index.js
└── node_modules
├── number
│ └── index.js
└── uuid
├── index.js
├── lib
│ ├── bytesToUuid.js
│ └── rng.js
├── v1.js
└── v4.js
4 directories, 7 files
{
"type": "browserify",
"entryPoint": 1,
"knownPaths": {}
}
(To debundle a simple Webpack bundle, replace browserify the above configuration with webpack)
A configuration can have a number of flags - they are documented in DOCS.md.
npm install - that should be it../src/index.js (that's how you run it!)test_bundles/. A script, test_bundles/run_test.sh can run the
debundler against a given bundle and try to debundle it into dist/. (CI will, as part of running
tests, debundle all the bundles in that folder.)npm testSome companies specify in their terms of service that their code cannot be "reverse engineered". Debundling can definitely (depending on how you're using the code) fall under that umbrella. Understand what you are doing so you don't break any agreements :smile:
FAQs
The npm package debundle receives a total of 57 weekly downloads. As such, debundle popularity was classified as not popular.
We found that debundle demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.