Migrate bundlesize to size-limit

[mateothegreat]

Description

Needing to PR some fixes on the beta and hit a couple of immediate blockers post-fork.

This will be one of a series of PR's to help ya tighten things up!

Note

This PR will allow me to test my next PR that will close the issue at #256 and also help you potentially dismiss #276.

This PR covers:

• Yanked out bundlesize as it's severely outdated and breaks pnpm out the gate on node >v20.
• Replaced bundlesize with size-limit 🚀
• Updated package.json to support it and your github action runs.

Additional context

After spending enough time with cva and getting to the point to where I'm blocked (on the beta version ofc) I'm going to spend some time helping button things up 💪.

---

What is the purpose of this pull request?

• Bug fix
• New Feature
• Documentation update
• Other

Before submitting the PR, please make sure you do the following

• Read the Contributing Guidelines.
• Follow the Style Guide.
• Check that there isn't already a PR that solves the problem the same way to avoid creating a duplicate.
• Provide a description in this PR that addresses what the PR is solving, or reference the issue that it solves (e.g. fixes #123).

--
Ping me if ya wanna chat or walk through anything! I'm on mateothegreat on discord or matthew@matthewdavis.io 🙏

[vercel]

@mateothegreat is attempting to deploy a commit to the Joe Bell OSS Team on Vercel.

A member of the Team first needs to authorize it.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​13.5.7
	nextra@​2.13.4
	nextra-theme-docs@​2.13.4
	nextjs-google-analytics@​2.3.3

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Warn		next@13.5.7 has a Critical CVE. CVE: GHSA-f82v-jwr5-mffw Authorization Bypass in Next.js Middleware (CRITICAL) Affected versions: >= 13.0.0 < 13.5.9; >= 14.0.0 < 14.2.25; >= 15.0.0 < 15.2.3; >= 11.1.4 < 12.3.5 Patched version: 12.3.5 From: docs/latest/package.json → npm/next@13.5.7 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@13.5.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[joe-bell]

Looks great, thanks @mateothegreat!

Quite like the look of size-limit-action too — will make sure to follow-up when my schedule frees up

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
docs	✅ Ready (Inspect)	Visit Preview	Jun 25, 2025 5:27am
docs-beta	✅ Ready (Inspect)	Visit Preview	Jun 25, 2025 5:27am

[joe-bell]

Thanks again 🙏