Edge getSession adds large joi-browser package

[nocodehummel]

Checklist

• The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

The Nextjs middleware package contains the joi-browser package when getSession is imported from @auth0/nextjs-auth0/edge. Joi-browser is deprecated and should not be part of the server bundle.

import { NextResponse } from 'next/server';
import { getSession } from '@auth0/nextjs-auth0/edge';

export async function middleware(request: Request) {
  const session = await getSession();
  return NextResponse.next();
}

It has a large impact on the Edge middleware package size.

Reproduction

1. import { getSession } from '@auth0/nextjs-auth0/edge' in middleware.ts.
2. call getSession inside the middleware function.
3. build the application with a bundle analyzer.

Additional context

Reproduced with: https://github.com/nordicgit70/nextjs-app/tree/auth0-joi.

nextjs-auth0 version

3.3.0

Next.js version

14.0.2

Node.js version

18.18.2

[adamjmcgrath]

Thanks for raising this @nordicgit70

Joi-browser is deprecated and should not be part of the server bundle.

Will take a look at upgrading to @hapi/[email protected]

[nocodehummel]

Thanks, it would great if the getSession function could have less impact on the bundle size. VSC Import Cost indicates a very large import.

import { useUser } from '@auth0/nextjs-auth0/client'; 12.3k (gzipped: 2.8k)
import { getSession } from '@auth0/nextjs-auth0'; 481.9k (gzipped: 132.9k)

[nocodehummel]

Closed by mistake.

[frederikprijck]

It looks like joi-browser.min.js is pulled in from joi and is still in there, see https://github.com/hapijs/joi/blob/master/package.json#L8C6-L8C13.

When you say joi-browser, is being deprecated, I assume you refer to the npm package and not the file used in this case, is that correct? In that case, I think having joi-browser.min.js is expected and not deprecated (unless I am missing something?).

I also think we should not migrate to @hapi/joi but stay on joi, see: hapijs/joi#2411

However, we might want to consider moving away from joi altogteher, but that isn't something we can prioritise short term.

[nocodehummel]

Hi, my main issue is with the impact on package size. If that could be resolved would be great. I do not have an opinion on the usage of Joi.

[nocodehummel]

Hi, is it planned to resolve this?

[frederikprijck]

There is currently nothing planned to move away from joi, no.

[nocodehummel]

How can I reduce the package size? The package @auth0/nextjs-auth0/edge is too large to run in Edge (middleware).

[simonseddon]

Any current plans to look at this? A project I work on has recently upgraded from 1.9.2 to 3.5.0 and our bundle size has shot up. We're seeing this in our client-side bundle analyzer report.