Dev notes
How @next/bundle-analyzer exposed Auth0's client SDK shipping to the browser for no reason.
@next/bundle-analyzer, wrap next.config.ts, run ANALYZE=true next build --webpack--webpack flag is required; Next.js 16 defaults to Turbopack which the analyzer doesn't supportproxy.js edge bundle, Auth0 packages in the client bundle, and date-fns at 24 modulesproxy.js is the middleware (intentionally large: it runs auth and CSP on every request). date-fns at 24 modules is correct tree-shaking — only the calendar's named imports are includedRoot layout wrapped the whole app in <Auth0Provider>, a React context so client components could call useUser().
useUser() had zero call sites in the entire codebase. Auth0Provider pulled in jose (JWT parsing, hundreds of KB), oauth4webapi, openid-client, and swr — server-only libraries with no business in a browser bundle.
Auth0Provider from layout.tsx — three lines deleted, layout became a synchronous functionjose, oauth4webapi, openid-client, and swr disappeared from the client bundle entirelyauth0.getSession() directly; API routes call auth0.getAccessToken()useUser — zero results — confirmed the removal was safe before shipping