Bruno is an open-source API client with 15,229 analyzed functions, 757 of which fall into the critical risk band — and the most urgent are concentrated in its OpenAPI sync and CLI request-runner layers. The top real-code hotspot, an anonymous function in openapi-sync.js, carries a recent commit activity of 20.2 alongside a cyclomatic complexity of 135 and a max nesting depth of 10, making it a live regression risk: it is simultaneously one of the hardest functions in the codebase to reason about and one of the most actively changing. Every one of the top five hotspots sits in the ‘fire’ quadrant, meaning structural complexity and active commit churn are compounding in real time.
The table below ranks functions by activity-weighted risk — a score that multiplies structural complexity by recent commit frequency. A function that is both hard to understand (high cyclomatic complexity) and actively changing is a higher priority than one that is complex but untouched. CC = cyclomatic complexity (independent execution paths); ND = max nesting depth; FO = fan-out (distinct callees).
Top 5 Hotspots
| Function | File | Risk | CC | ND | FO |
|---|---|---|---|---|---|
o | packages/bruno-app/public/static/diff2Html.js | 21.5 | 27 | 6 | 15 |
<anonymous> | packages/bruno-electron/src/ipc/openapi-sync.js | 21.2 | 135 | 10 | 84 |
<anonymous> | packages/bruno-electron/src/ipc/openapi-sync.js | 20.8 | 100 | 10 | 39 |
<anonymous> | packages/bruno-converters/src/postman/postman-to-bruno.js | 20.4 | 66 | 9 | 33 |
<anonymous> | packages/bruno-cli/src/runner/run-single-request.js | 20.2 | 169 | 7 | 82 |
Codemod / Tooling Files in Results
The top-ranked hotspot by activity-weighted risk is the function o in packages/bruno-app/public/static/diff2Html.js, with a risk score of 21.52. The path public/static/diff2Html.js is a vendored or bundled third-party library (diff2html) served as a static asset — its metrics reflect the library’s internal complexity, not bruno’s own code. To exclude it from future analyses, add the following pattern to your .hotspotsrc.json exclude list: "packages/bruno-app/public/static/**".
Hotspot Analysis
<anonymous> — packages/bruno-electron/src/ipc/openapi-sync.js
This function lives in bruno’s IPC layer and, given the file name openapi-sync.js, almost certainly handles the synchronization of OpenAPI specification data — parsing, mapping, or reconciling OpenAPI structures into bruno’s internal format. Its cyclomatic complexity of 135 means there are at least 135 independent execution paths, each a required test case and a potential bug surface. A max nesting depth of 10 means logic is buried across many layers of control structures, and a fan-out of 84 means this single function calls 84 distinct other functions — any one of which becoming a dependency on this function is a broad coupling risk. With a recent commit activity of 20.2 and sitting firmly in the ‘fire’ quadrant, this is not a backlog item: it is a live regression risk where every commit touches an already-extreme structure.
Recommendation: Before the next change, write characterization tests to capture current behavior across the major execution branches. Then begin extract-method refactoring to decompose the OpenAPI parsing, mapping, and sync reconciliation concerns into named, independently testable functions — targeting the deepest nesting levels first to bring ND below 5.
<anonymous> — packages/bruno-converters/src/postman/postman-to-bruno.js
This function in the converters package handles translation of Postman collection data into bruno’s format — a task that inherently involves significant branching to accommodate Postman’s varied collection schema versions, request types, auth schemes, and script formats. A cyclomatic complexity of 66, nesting depth of 9, and fan-out of 33 confirm this: the conversion logic branches deeply across many conditions and delegates to 33 other functions. Its recent commit activity of 19.65 and ‘fire’ quadrant status indicate this converter is being actively developed and extended, likely as new Postman schema variants or edge cases are discovered. The combination of deep nesting (ND 9) and complex branching makes each new case added here harder to place correctly and harder to test in isolation.
Recommendation: Decompose the conversion function by Postman entity type — requests, auth blocks, scripts, variables — into separate named converter functions, each independently testable. This reduces both the CC and ND of the top-level function while making it easier to add new Postman schema support without increasing an already deeply nested structure.
<anonymous> — packages/bruno-cli/src/runner/run-single-request.js
Based on its file path in the CLI runner layer, this function almost certainly orchestrates the end-to-end execution of a single HTTP request — handling pre/post processing, environment variable resolution, authentication, scripting hooks, and response handling. Its cyclomatic complexity of 169 is extreme, placing it in the top tier of structural risk in the entire codebase. With a fan-out of 82, it is a hub that coordinates a very large number of collaborators, meaning a change here can ripple into dozens of downstream call sites. Its recent commit activity of 19.4 and ‘fire’ quadrant classification confirm this complexity is being actively navigated by contributors right now — every commit to this function is a high-stakes operation.
Recommendation: Audit the 82 distinct call targets (fan-out) to identify natural seams where request lifecycle phases — authentication, scripting, response validation — can be extracted into dedicated functions. Add integration-level characterization tests covering the major request types before any structural refactoring begins, given the CC of 169 implies hundreds of paths that could regress silently.
Patterns Found
Antipatterns detected across the top functions in this snapshot:
| Pattern | Occurrences |
|---|---|
complex_branching | 5 |
deeply_nested | 5 |
exit_heavy | 5 |
god_function | 5 |
cyclic_hub | 5 |
long_function | 4 |
hub_function | 1 |
These labels belong to two tiers — Tier 1 (structural): complex_branching, deeply_nested, exit_heavy, long_function, god_function. Tier 2 (relational/temporal): hub_function, cyclic_hub, middle_man, neighbor_risk, stale_complex, churn_magnet, shotgun_target, volatile_god.
Key Takeaways
- The anonymous function in
openapi-sync.jswith CC 135 and fan-out 84 is the highest-priority real-code refactoring target: characterization tests should be written before the next feature commit touches it. - The CLI runner function in
run-single-request.js(CC 169, FO 82) is the most structurally extreme function in the analyzed codebase — its fan-out of 82 means a misplaced change here can silently break dozens of downstream behaviors; map its call graph before refactoring. - All five top hotspots share god_function, complex_branching, deeply_nested, and exit_heavy patterns — the exit-heavy characteristic alone means test coverage must account for dozens of early-return paths that are easy to miss in manual review.
Reproduce This Analysis
git clone https://github.com/usebruno/bruno
cd bruno
git checkout 646c90819d6618850baa82e33b1c0806aeedbcd6
hotspots analyze . --mode snapshot --explain-patterns --forceTo run the same analysis on your own codebase, run hotspots analyze . --mode snapshot in any local git repo — no configuration required.
Hotspots highlights structural and activity risk — not “bad code.” Findings are a prioritization aid, not a bug predictor. Editorial policy →