Performance
Third-party scripts: the silent budget killer
A team spends a sprint cutting their app bundle from 800 KB to 350 KB. Lighthouse score improves by 12 points. A week later the data team adds Segment, Hotjar, and a new Intercom widget — collectively 450 KB. The sprint’s work is erased. No one noticed because third-party scripts are not in the app repository.
The third-party tax
Most production web apps load 5-15 third-party scripts per page. Common ones and their approximate sizes:
- Segment analytics: ~150 KB
- Hotjar recording: ~200 KB
- Intercom chat widget: ~200 KB
- Google Tag Manager (with several tags): ~500 KB+
- Full Optimizely A/B testing: ~400 KB
- A single poorly optimised ad tag: ~300 KB
Ten average scripts × 100 KB = 1 MB of third-party JS before your own code. None of this appears in your bundle analyzer because the files load from external domains at runtime. None of it can be tree-shaken because you do not control the source. And most of it runs on the main thread, blocking paint and interaction.
The problem compounds: business teams often add scripts through Google Tag Manager without engineering review. Each tag manager addition escapes code review entirely.
Pattern 1: Interaction gating
Load the script only when the user takes an action that requires it. The chat widget loads when the user clicks “Help”. The analytics SDK loads after the first meaningful interaction. The newsletter modal script loads when the user scrolls to 80% of the page.
<!-- Defer until user clicks -->
<button id="chat-btn">Chat with us</button>
<script>
document.getElementById('chat-btn').addEventListener('click', () => {
const script = document.createElement('script');
script.src = 'https://widget.intercom.io/widget/APP_ID';
document.body.appendChild(script);
});
</script>Tradeoff: the first interaction that triggers the load has a visible delay as the chunk downloads and parses. Mitigate with prefetch when the trigger element becomes visible (IntersectionObserver on the button) or on mouseenter.
Pattern 2: Web Worker isolation via PartyTown
PartyTown is an open-source library (Builder.io) that runs third-party scripts in a Web Worker via a service-worker proxy. DOM access from the Worker is bridged via synchronous postMessage. The main thread is freed from the analytics, ad, and tracking scripts entirely.
<script>
partytown = { forward: ['dataLayer.push', 'fbq', 'gtag'] };
</script>
<script src="/~partytown/partytown.js"></script>
<script type="text/partytown" src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>Tradeoff: scripts that rely on synchronous DOM reads are incompatible (rare for analytics). postMessage round-trips add ~5-15 ms per call. Some scripts break when proxied. Test each vendor before deploying.
Pattern 3: Server-side measurement
Move analytics events to the server. Instead of shipping a 150 KB Segment client to every user, fire Segment events from your API server on relevant actions. Users get the tracking; browsers get nothing.
Similar options: Google Analytics Measurement Protocol, Sentry server-side error capture for SSR errors, custom event pipeline via a lightweight beacon endpoint.
Tradeoff: you lose browser-only context — user agent details, real-time client errors, click heatmaps. Suitable for core funnel analytics; combine with a lean client SDK for browser-specific signals.
| Pattern | Main-thread cost | Tradeoff |
|---|---|---|
| Interaction gating | Zero until triggered | First-use latency; mitigate with prefetch |
| PartyTown Web Worker | Near-zero (proxied to Worker) | DOM-sync incompatible scripts; postMessage overhead |
| Server-side measurement | Zero (nothing on client) | Loses browser-specific context |
Governance: a separate third-party budget
Senior teams maintain a separate third-party budget alongside the app bundle budget. Concretely: a third-party-budget.json file in the repo that lists every permitted third-party domain, its approved size, and the owning team. Any new script added via GTM or <script src> that is not in the file fails CI.
Complementary enforcement: CSP (Content Security Policy) script-src header lists allowed origins. Scripts from unlisted origins are blocked by the browser. This prevents accidental or malicious third-party script injection. Quarterly audit reviews every entry, removes unused vendors, and checks vendor track records.
Why this works
Why do third-party scripts disproportionately hurt? (1) Vendors prioritise features over bytes — a chat SDK supports every use case even if the app uses 5%. (2) No tree shaking — you cannot remove unused vendor code. (3) Cumulative effect — 10 scripts average 100 KB each = 1 MB before your own code. (4) Main-thread blocking — most run synchronously on page load unless explicitly deferred.
Marketing wants a 200 KB chat widget on every page and says it must load immediately. Senior compromise?
A team runs five analytics scripts through GTM totalling 600 KB. They migrate funnel events to server-side Measurement Protocol. What is the expected client-side impact?
Why is a Content Security Policy (CSP) script-src header relevant to third-party budget governance?
- 01Why do third-party scripts disproportionately inflate bundle cost compared to first-party code?
- 02Describe the interaction gating pattern and its tradeoff.
Third-party scripts regularly add 500 KB to 1 MB to every page, outside the app repo and outside code review. Three structural mitigations: interaction gating (load on trigger, zero initial cost), PartyTown Web Worker isolation (main thread freed), and server-side measurement (nothing on client). Governance via a third-party budget file and CSP enforce the allow-list at CI and browser level respectively. The next lesson covers CI enforcement: how to make the budget a hard constraint rather than a guideline.
appears again in159
- The journey of a request: seven stops from socket to responsejunior
- Accept and parse: from kernel queue to a typed requestmiddle
- Routing and middleware: choosing what runs, and in what ordermiddle
- Handler and response: from business logic to bytes on the wiremiddle
- Streaming and backpressure: when the client reads slower than you writesenior
- Timeouts and tail latency: budgets, deadlines, and the fan-out trapsenior
- Middleware and DI: the two patterns that shape every backendjunior
- Writing middleware: signatures, next(), and the three framework modelsmiddle
- Inversion of control: how dependencies reach a classmiddle
- DI scopes and lifecycles: singleton, request, transientmiddle
- DI as a testing seam: fakes, mocks, and the boundary that matterssenior
- DI containers in production: resolution graphs, circular deps, and when not tosenior
- Blocking vs non-blocking I/O: two ways to waitjunior
- The event loop: one thread, ordered phasesmiddle
- What blocks the loop: CPU work and sync callsmiddle
- Offloading CPU work: worker threads and the libuv poolmiddle
- Backpressure and bounded concurrencysenior
- Throughput under load: tail latency and saturationsenior
- Why pool: the cost of creating a connectionjunior
- Pool sizing: why bigger is not fastermiddle
- Acquisition and timeouts: the wait queue is the real latency dialmiddle
- Retry strategies: backoff, jitter, and thundering herdmiddle
- Observability, production failures, and global-scale designsenior
- Tasks, microtasks, and scheduler.yield()middle
- Timer accuracy, throttling, and idle workmiddle
- Node.js event loop: phases, nextTick, and loop lagsenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- LCP: four phases, one dominant costmiddle
- INP: input delay, processing, presentationmiddle
- Lab vs field: why the two disagree and how to use eachmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What an index is and how it speeds up queriesjunior
- The leading-column rule and composite index designmiddle
- Partial, expression, and covering indexesmiddle
- Index types: GIN, GiST, BRIN, Hash, Bloom, and HOT updatesmiddle
- Index-only scans, the Visibility Map, and INCLUDEsenior
- Production failure modes and the index audit playbooksenior
- Index design exercise: full-text search strategysenior
- EXPLAIN and execution plans: what the planner decides and whyjunior
- Scan types: Seq, Index, Bitmap, Index-Onlymiddle
- Join algorithms and the row-estimate cascademiddle
- pg_statistic, ANALYZE, and production observabilitymiddle
- Extended statistics: fixing correlated-column estimate failuressenior
- Plan cache, cost-constant tuning, and planner internalssenior
- Production failure modes and plan stabilitysenior
- Connection pools: amortising the cost of a Postgres backendjunior
- PgBouncer session, transaction, and statement modesmiddle
- Pool sizing: the (cores × 2) + spindles formula and the two-layer stackmiddle
- Pool exhaustion and idle-in-transaction: the 3 AM failure modemiddle
- Migrating to transaction mode: rollout playbook and PgBouncer 1.21 prepared statementsmiddle
- The Postgres process model and why raising max_connections degrades throughputsenior
- Pooler landscape 2026, serverless connection storms, and the full failure-mode taxonomysenior
- ADD COLUMN: instant in PG 11+ vs rewrite in older Postgresjunior
- The lock-queue failure mode: why instant DDL can freeze the databasemiddle
- Safe DDL patterns: NOT VALID, CONCURRENTLY, and unsafe-op fixesmiddle
- Migration failure taxonomy and production disciplinesenior
- Shard-key selection: hash, range, list, and directory strategiesmiddle
- Co-location and Citus: the invariant that makes sharding usablemiddle
- The hot-shard failure mode: detection, isolation, and durable policymiddle
- Online resharding, 2PC, and the operational cost of shardingsenior
- The seven acts: from CREATE TABLE to Citusjunior
- Acts 1–3 in depth: schema, indexes, and planner statisticsmiddle
- Acts 4–6 in depth: MVCC bloat, connection pooling, and safe migrationsmiddle
- Act 7 in depth: sharding, co-location, and the seven-tier tradeoff cascademiddle
- Observability, anti-patterns, and production triagesenior
- Bits on the wirejunior
- Latency mathmiddle
- Bufferbloat and congestionsenior
- The physical frontiersenior
- Sequence numbers and connection statemiddle
- Flow control and congestion controlmiddle
- BBR, production observability, and beyond TCPsenior
- CDN: putting content next doorjunior
- Anycast and GeoDNS: routing to the nearest edgemiddle
- Tiered cache and Cache-Controlmiddle
- Vary header and cache keysmiddle
- Stale-while-revalidate and cache stampedesenior
- Edge workers and edge-side compositionsenior
- CDN operations and observabilitysenior
- WebSocket: the HTTP upgrade handshakejunior
- WebSocket vs SSE vs long-polling: choosing the right transportmiddle
- WebSocket backpressure: when clients can''''t keep upmiddle
- Reconnection: jittered backoff, thundering herd, message resumptionsenior
- WebSocket at scale: HTTP/2 multiplexing, permessage-deflate, C10Msenior
- WebSocket in production: proxies, security, and distributed architecturesenior
- What reverse proxies dojunior
- Balancing algorithms: round-robin to power-of-two-choicesmiddle
- L4 vs L7 load balancing and client-IP preservationmiddle
- Health checks, connection draining, and slow startmiddle
- Retry storms, circuit breakers, and load sheddingsenior
- Resilient LB architecture: anycast, zone-aware routing, and observabilitysenior
- Why QUIC and not TCP+TLSjunior
- QUIC streams and head-of-line blockingjunior
- Integrated handshake and 1-RTTmiddle
- Connection IDs and network migrationmiddle
- Loss detection and congestion controlmiddle
- 0-RTT resumption and packet encryptionsenior
- Deployment tradeoffs and CPU costsenior
- DDoS: what it is and why it worksjunior
- Amplification attacks and state exhaustionmiddle
- Rate limiting: algorithms and architecturemiddle
- WAFs, firewalls, mTLS, and HSTSmiddle
- DNS cache poisoning and BGP hijackingsenior
- Defense-in-depth architecture and attack economicssenior
- The twelve layers: one URL, seven actorsjunior
- DNS, TCP, TLS in sequence: where the milliseconds gomiddle
- Critical render path and Core Web Vitalsmiddle
- Proxy intercepts and security gates: rate limiters, WAF, mTLSmiddle
- Alternate paths: QUIC 0-RTT, WebSocket upgrade, connection migrationmiddle
- Observability: distributed traces, USE/RED, and samplingsenior
- Resilience: cascading retries, circuit breakers, and error budgetssenior
- What the three signals are: logs, metrics, and tracesjunior
- Metrics and cardinality: the cost model of a time-series databasemiddle
- Logs and volume: the cost model of structured loggingmiddle
- Traces and sampling: the cost model of distributed tracingmiddle
- Join keys and exemplars: making the three signals composemiddle
- Observability 2.0: wide events and the cost shiftsenior
- Failure modes and engineering practice: cardinality budgets, PII, and samplingsenior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- Log levels and alert routingmiddle
- Sampling strategies and log costmiddle
- PII redaction and log injectionsenior
- Trace context propagation in logssenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- OTel signals, Semantic Conventions, and the OTLP wire formatmiddle
- Auto-instrumentation and manual spans: the 80/20 of OTelmiddle
- The OTel Collector: receivers, processors, exporters, and deployment patternsmiddle
- Sampling strategies: head, tail, and parent-basedmiddle
- Vendor neutrality, eBPF instrumentation, the Operator, and browser/serverless OTelsenior
- Operating the OTel Collector: reliability, version skew, failure modes, and governancesenior
- RED and USE: two checklists, one triage disciplinejunior
- Instrumenting RED in Prometheus: counters, histograms, and cardinality disciplinemiddle
- USE on Linux: CPU, memory, disk, network, and PSImiddle
- Golden signals, dashboard layout, and service mesh auto-REDmiddle
- Cardinality as a cost driver: labels, PII, exemplars, and samplingmiddle
- Native histograms, SLO tie-in, and production failure patternsmiddle
- Choosing SLIs and SLO targets: ratios, not feelingsmiddle
- Multi-window multi-burn-rate alerting: why AND beats ORmiddle
- Error budget policy, latency SLOs, and composite journeysmiddle
- Iceberg SLIs, composite SLO math, and SLA vs SLOsenior
- Flame graphs: reading the picture that shows where time goesjunior
- Sampling vs instrumentation profiling: why 99 Hz wins in productionmiddle
- Profile types: CPU, memory, off-CPU, mutex — which one to reach formiddle
- Continuous profiling: always-on flame graphs with eBPF and trace-id correlationmiddle
- How flame graphs are built from samples, and the production workflows that use themmiddle
- Linux perf, eBPF internals, PGO, and the limits of samplingsenior
- Profiling in production: security, war stories, OTel profiles, and the infrastructure designsenior
- The debugging funnel: SLO → RED → trace → profilejunior
- OTel architecture: one SDK, four signals, one wire formatmiddle
- Cost discipline: keeping observability under 5% of infra spendmiddle
- Scale, security, and the ROI of observable systemssenior