You're Invited:Meet the Socket Team at RSAC and BSidesSF 2026, March 23–26.RSVP
Socket
Book a DemoSign in
Socket
Book a DemoSign in

nf3

Package Overview
Dependencies
Maintainers
1
Versions
27
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

nf3

<!-- automd:badges color=yellow codecov packagephobia -->

latest
Source
npmnpm
Version
0.3.11
Version published
Weekly downloads
291K
13%
Maintainers
1
Weekly downloads
 
Created
Source

📦 nf3

npm version npm downloads install size codecov

This plugin traces and copies only the node_modules that are actually required at runtime for your built output — powered by @vercel/nft.

Bundling external dependencies can sometimes fail or cause issues, especially when modules rely on relative paths, native bindings, or dynamic imports.

To solve this, the plugin analyzes your build output, traces its runtime dependencies, and copies a tree-shaken, deduplicated, and runtime-only subset of node_modules into dist/node_modules. The result is a minimal, self-contained distribution directory that just works.

Originally extracted from Nitro and used for optimizing nf3 package dist itself!

Usage

API

import { traceNodeModules } from "nf3";

await traceNodeModules(["./index.mjs"], {
  //   outDir: "dist",
  // chmod: 0o755,
  // writePackageJson: true,
  // traceAlias: {},
  // hooks: {},
  // nft: {}, // https://github.com/vercel/nft#options
});

Rollup/Rolldown/Vite Plugin

import { externals } from "nf3/plugin";

export default {
  plugins: [
    externals({
      // rootDir: ".",
      // conditions: ["node", "import", "default"],
      // include: [/^@my-scope\//],
      // exclude: ["fsevents"],
      // traceInclude: ["some-lib"],
      // trace: {}
    }),
  ],
};

Hooks

After the Rollup plugin traces the required files, traceNodeModules processes them into an optimized node_modules output.

Each phase can be extended through hooks:

rollupNodeFileTrace({
  hooks: {
    traceStart: (files) => {},
    traceResult: (result) => {},
    tracedFiles: (files) => {},
    tracedPackages: (packages) => {},
  },
});

Transforming

Before writing files, you can transform some of them.

Example:

import { minify } from "oxc-minify";

rollupNodeFileTrace({
  transform: [
    {
      filter: (id) => /\.[mc]?js$/.test(id),
      handler: (code, id) => minify(id, code, {}).code,
    },
  ],
});

Packages DB

NF3 exports a list of known packages that include native code and require platform-specific builds.

These packages cannot be bundled and should be traced as external dependencies most of the time and often need tracing.

import { NodeNativePackages } from "nf3/db";

NF3 also exports a list of packages that must be externalized rather than bundled, due to bundler compatibility issues with their module format or dynamic imports.

import { NonBundleablePackages } from "nf3/db";

Development

local development
  • Clone this repository
  • Install latest LTS version of Node.js
  • Enable Corepack using corepack enable
  • Install dependencies using pnpm install
  • Run interactive tests using pnpm dev

License

Published under the MIT license.

FAQs

Package last updated on 09 Mar 2026

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

5 Malicious Rust Crates Posed as Time Utilities to Exfiltrate .env Files

Research

/

Security News

5 Malicious Rust Crates Posed as Time Utilities to Exfiltrate .env Files

Published late February to early March 2026, these crates impersonate timeapi.io and POST .env secrets to a threat actor-controlled lookalike domain.

By Kirill Boychenko  -  Mar 10, 2026