# @versini/auth0-thin

Verify that the Auth0 bundle-size thin forks are installed and intact in your app.
Auth0's `@auth0/auth0-react` inlines `@auth0/auth0-spa-js`, which inlines `@auth0/auth0-auth-js` → `openid-client` + `oauth4webapi` + `jose` (~26 KB gzip of first-paint weight) powering only the MFA/Passkey APIs. If your app uses only basic login, three pnpm `npm:` alias overrides swap in slimmed forks plus a stub and drop that weight. This package is the CI guard that the swap is working and stays safe.
## Setup

Add the overrides (run `npx auth0-thin overrides` to print this), pinning each version to the SDK version you want:

```yaml
# pnpm-workspace.yaml
overrides:
  "@auth0/auth0-react": "npm:@versini/auth0-react-thin@2.19.0"
  "@auth0/auth0-spa-js": "npm:@versini/auth0-spa-js-no-authjs@2.21.2"
  "@auth0/auth0-auth-js": "npm:@versini/auth0-auth-js-stub@1.0.0"
```

Then run `pnpm install`.

Add the verifier to CI:

```jsonc
// package.json
"devDependencies": { "@versini/auth0-thin": "^1.0.0" }
```

```yaml
# CI step
- run: npx auth0-thin verify
```
## What `verify` checks

Resolved against your install (works with `npm:` alias or local `file:` overrides):

- Neither `@auth0/auth0-react` nor `@auth0/auth0-spa-js` ships `openid-client`/`oauth4webapi`/`jose`: the override chain is taking effect.
- Every `@auth0/auth0-auth-js` symbol spa-js imports is exported by the stub.
- spa-js reads only `.mfa`/`.passkey` off the stubbed `AuthClient`, so a future SDK that routed a core token path through it fails the build instead of silently locking users out.
- The stub's `index.js`/`.cjs`/`.d.ts` export the same runtime symbols.
- The stub's runtime contract holds (constructs without throwing; MFA/Passkey throw).
This setup is only safe if your app never uses Auth0 MFA, Passkey, MyAccount, or DPoP. The verifier enforces the structural half of that; you still own the product decision. Smoke-test login after any SDK version bump.
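Added example, not code from the `@versini/auth0-thin` package: it models the first two checks above (forbidden packages reachable through the Auth0 chain, and stub exports covering what spa-js imports) over a constructed in-memory dependency graph. The graph walk, the graph contents and the `verifyThin` name are assumptions; the real verifier reads the resolved install in `node_modules`.

```javascript
// Packages that must not be reachable once the thin overrides are in effect.
const FORBIDDEN = ["openid-client", "oauth4webapi", "jose"];

// Walk `dependencies` transitively from `root`; return the forbidden packages reached.
// `graph` maps a resolved package name to a package.json-like object (constructed here).
function forbiddenReachableFrom(graph, root, forbidden = FORBIDDEN) {
  const seen = new Set();
  const hits = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    if (forbidden.includes(name)) hits.add(name);
    const pkg = graph[name];
    if (!pkg) continue; // unresolved dependency: nothing further to walk
    stack.push(...Object.keys(pkg.dependencies || {}));
  }
  return [...hits].sort();
}

// Symbols spa-js imports from @auth0/auth0-auth-js that the stub does not export.
function missingStubExports(spaJsImports, stubExports) {
  const exported = new Set(stubExports);
  return spaJsImports.filter((sym) => !exported.has(sym)).sort();
}

// Both checks as a problems list, in the spirit of verifyAuth0Thin's { problems }.
function verifyThin(graph, spaJsImports, stubExports) {
  return [
    ...forbiddenReachableFrom(graph, "@auth0/auth0-react").map((h) => `override chain not in effect: ${h} is reachable from @auth0/auth0-react`),
    ...missingStubExports(spaJsImports, stubExports).map((s) => `stub does not export ${s}, which spa-js imports`),
  ];
}

// Constructed graphs. With the npm: aliases applied the resolved names stay the Auth0
// names, but the stubbed auth-js has no crypto dependencies at all.
const thinGraph = {
  "@auth0/auth0-react": { dependencies: { "@auth0/auth0-spa-js": "*" } },
  "@auth0/auth0-spa-js": { dependencies: { "@auth0/auth0-auth-js": "*" } },
  "@auth0/auth0-auth-js": { dependencies: {} },
};
// Unpatched install: auth-js pulls in the full OIDC/JOSE stack.
const upstreamGraph = {
  ...thinGraph,
  "@auth0/auth0-auth-js": { dependencies: { "openid-client": "*", oauth4webapi: "*", jose: "*" } },
  "openid-client": { dependencies: { oauth4webapi: "*", jose: "*" } },
  oauth4webapi: { dependencies: {} },
  jose: { dependencies: {} },
};
```

`verifyThin(thinGraph, ["AuthClient"], ["AuthClient"])` returns an empty list, while the upstream graph yields one problem per forbidden package reached.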
## Programmatic use

```js
import { verifyAuth0Thin } from "@versini/auth0-thin";

const { problems, warnings } = await verifyAuth0Thin({ cwd: process.cwd() });
```

## License

MIT.