In March 2026, the axios maintainer's npm account got hijacked.
300 million weekly downloads. One compromised account.
That's when I asked myself:
How much of my attack surface is just... npm?
So I built something without it.
What is nulldeps?
A micro-framework for building web apps.
- No npm
- No build step
- No node_modules
- No config files
What you get:
- Web Components
- Client-side Router
- Reactive Store
- EventBus
- Http Client
Zero dependencies. Nothing to hijack.
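To make the "nothing to hijack" claim concrete, here is what three of those building blocks look like when you write them yourself in plain JavaScript with no package at all. This is an added example, not nulldeps' own code; the names `EventBus`, `createStore` and `matchRoute` are assumed for illustration, and the route matcher deliberately avoids building regular expressions from path input and rejects malformed percent-encoding instead of throwing.

```javascript
// Added example (not nulldeps' API): a dependency-free event bus, reactive
// store and route matcher. Everything here runs in Node or a browser with
// no npm package, no build step and no node_modules.

class EventBus {
  constructor() { this.handlers = new Map(); }
  // Register a handler; returns an unsubscribe function so listeners can't leak.
  on(event, handler) {
    if (!this.handlers.has(event)) this.handlers.set(event, new Set());
    this.handlers.get(event).add(handler);
    return () => this.handlers.get(event).delete(handler);
  }
  // Deliver payload to every handler; returns how many handlers ran.
  emit(event, payload) {
    const set = this.handlers.get(event);
    if (!set) return 0;
    for (const h of set) h(payload);
    return set.size;
  }
}

// Reactive store: a Proxy that notifies subscribers (and optionally an
// EventBus) only when a key's value actually changes.
function createStore(initial, bus) {
  const listeners = new Set();
  const state = new Proxy({ ...initial }, {
    set(target, key, value) {
      const old = target[key];
      if (Object.is(old, value)) return true; // unchanged: no notification
      target[key] = value;
      for (const l of listeners) l(key, value, old);
      if (bus) bus.emit('store:change', { key, value, old });
      return true;
    },
  });
  return {
    state,
    subscribe(fn) { listeners.add(fn); return () => listeners.delete(fn); },
  };
}

// Route matcher for '/users/:id'-style patterns. Segments are compared
// literally, so no regex is ever built from the incoming path, and a
// malformed percent-escape in a parameter yields null rather than an exception.
function matchRoute(pattern, path) {
  const p = pattern.split('/').filter(Boolean);
  const s = path.split('?')[0].split('/').filter(Boolean);
  if (p.length !== s.length) return null;
  const params = {};
  for (let i = 0; i < p.length; i++) {
    if (p[i].startsWith(':')) {
      try { params[p[i].slice(1)] = decodeURIComponent(s[i]); }
      catch { return null; }
    } else if (p[i] !== s[i]) {
      return null;
    }
  }
  return params;
}

// Small demonstration wiring the store to the bus; returns the change log.
function demo() {
  const bus = new EventBus();
  const log = [];
  const off = bus.on('store:change', (e) => log.push(`${e.key}=${e.value}`));
  const store = createStore({ count: 0 }, bus);
  store.state.count = 1;
  store.state.count = 1; // no-op, not logged
  store.state.count = 2;
  off();                 // unsubscribed: further changes are not logged
  store.state.count = 3;
  return log;
}
```

Running `demo()` yields `['count=1', 'count=2']`; the whole thing is about sixty lines you can read in full, which is the point the post is making about owning your dependency graph.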
The honest tradeoff
You lose the ecosystem. No Vite. No Tailwind out of the box.
No bundler magic.
But you gain: complete control over your dependency graph.
No supply chain attack can hit what doesn't exist.
Try it
GitHub: github.com/mymcp-github/nulldeps
Live Demo: https://nulldeps.mymcp.de/demo/
What do you think? Where does this approach break down?
I'd love honest feedback, especially from people who've hit the limits of vanilla JS at scale.