The latest articles on DEV Community by nulldeps (@nulldeps). https://dev.to/nulldeps https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3868522%2F491b47e5-3860-4538-8e91-79460bb9d209.png https://dev.to/nulldeps en nulldeps Wed, 08 Apr 2026 21:08:21 +0000 https://dev.to/nulldeps/i-built-a-js-framework-with-zero-dependencies-heres-why-kle https://dev.to/nulldeps/i-built-a-js-framework-with-zero-dependencies-heres-why-kle <p>In March 2026, the <code>axios</code> maintainer's npm account got hijacked.<br> <strong>300 million weekly downloads. One compromised account.</strong></p> <p>That's when I asked myself:</p> <blockquote> <p>How much of my attack surface is just... npm?</p> </blockquote> <p>So I built something without it.</p> <h2> What is nulldeps? </h2> <p>A micro-framework for building web apps.</p> <ul> <li>✅ No npm</li> <li>✅ No build step</li> <li>✅ No node_modules</li> <li>✅ No config files</li> </ul> <p>What you get:</p> <ul> <li>🧩 Web Components</li> <li>🔀 Client-side Router</li> <li>🗃️ Reactive Store</li> <li>📡 EventBus</li> <li>🌐 Http Client</li> </ul> <p><strong>Zero dependencies. Nothing to hijack.</strong></p> <h2> The honest tradeoff </h2> <p>You lose the ecosystem. No Vite. No Tailwind out of the box. <br> No bundler magic.</p> <p>But you gain: <strong>complete control over your dependency graph.</strong></p> <p>No supply chain attack can hit what doesn't exist.</p> <h2> Try it </h2> <ul> <li><p>GitHub: <br> <a href="https://github.com/mymcp-github/nulldeps" rel="noopener noreferrer">github.com/mymcp-github/nulldeps</a></p></li> <li><p>Live Demo: <br> <a href="https://nulldeps.mymcp.de/demo/" rel="noopener noreferrer">https://nulldeps.mymcp.de/demo/</a></p></li> </ul> <p>What do you think? Where does this approach break down?<br> I'd love honest feedback — especially from people who've hit the <br> limits of vanilla JS at scale.</p> javascript security opensource webdev