Is this library a good choice for client-side use?

[mfialko]

zxcvbn-ts takes up a lot of space - 600KB just to validate a password. Is it really good practice to use it on the client-side rather than the backend? After all, it's the backend's responsibility to prevent password brute-forcing. I'm using it in a React project, but I'm unsure if it's common practice to bring such a sizable library to the client in a production environment

[MrWook]

Hey,
Client-side validation is helpful, but it can always be bypassed, so for full security, validation should also be implemented on the server side—or solely on the server side if needed.

In my project, I use zxcvbn-ts exclusively on the server side. However, it’s perfectly fine to use it on the client as well because if a user bypassed the checks and has a bad password its his responsibility in my opinion.
To avoid potential issues with bundle size, I recommend lazy-loading the package so it’s only downloaded on pages where users can set or update their passwords.