In March 2026, the axios maintainer's npm account got hijacked.
300 million weekly downloads. One compromised account.
That's when I asked myself:
How much of my attack surface is just... npm?
So I built something without it.
What is nulldeps?
A micro-framework for building web apps.
- ✅ No npm
- ✅ No build step
- ✅ No node_modules
- ✅ No config files
What you get:
- 🧩 Web Components
- 🔀 Client-side Router
- 🗃️ Reactive Store
- 📡 EventBus
- 🌐 Http Client
Zero third-party dependencies. No package in node_modules means no package for an attacker to hijack.
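To make the "no npm, no build step" idea concrete, here is an added example (written for this post, not taken from the nulldeps source) of the three non-DOM pieces from the list above in plain ES modules: a reactive store, an event bus and a route matcher, plus a guarded Web Component registration. The names `createStore`, `EventBus`, `matchRoute` and `resolve` are assumptions for illustration, not the framework's API. The two places vanilla JS usually bites you are called out in comments: route parameters are decoded defensively, and component output goes through `textContent` rather than `innerHTML`.

```javascript
// Added example, not nulldeps code. Runs in Node as-is; the Web Component
// part is guarded so the same file also loads in a browser with no bundler.

// EventBus: named channels, synchronous dispatch, unsubscribe via the
// function that `on` returns.
class EventBus {
  #handlers = new Map();
  on(event, handler) {
    if (!this.#handlers.has(event)) this.#handlers.set(event, new Set());
    this.#handlers.get(event).add(handler);
    return () => this.#handlers.get(event)?.delete(handler);
  }
  emit(event, payload) {
    let delivered = 0;
    for (const h of this.#handlers.get(event) ?? []) {
      h(payload);
      delivered++;
    }
    return delivered; // number of handlers that received the event
  }
}

// Reactive store: a Proxy around a plain object. Every write that actually
// changes a value notifies subscribers with (key, newValue, state).
function createStore(initial) {
  const subscribers = new Set();
  const state = new Proxy({ ...initial }, {
    set(target, key, value) {
      const changed = target[key] !== value;
      target[key] = value;
      if (changed) for (const fn of subscribers) fn(key, value, target);
      return true;
    },
  });
  return {
    state,
    subscribe(fn) {
      subscribers.add(fn);
      return () => subscribers.delete(fn);
    },
  };
}

// Route matcher: "/users/:id" against "/users/42" -> { id: "42" }.
// Query strings are ignored. Parameters are percent-decoded; a malformed
// sequence rejects the match instead of throwing a URIError into the caller.
function matchRoute(pattern, path) {
  const p = pattern.split("/").filter(Boolean);
  const s = path.split("?")[0].split("/").filter(Boolean);
  if (p.length !== s.length) return null;
  const params = {};
  for (let i = 0; i < p.length; i++) {
    if (p[i].startsWith(":")) {
      try {
        params[p[i].slice(1)] = decodeURIComponent(s[i]);
      } catch {
        return null;
      }
    } else if (p[i] !== s[i]) {
      return null;
    }
  }
  return params;
}

// Router: first matching [pattern, handler] pair wins; the handler gets params.
function resolve(routes, path) {
  for (const [pattern, handler] of routes) {
    const params = matchRoute(pattern, path);
    if (params) return handler(params);
  }
  return null;
}

// Web Component wiring is browser-only; guarded so the module also loads in Node.
if (typeof HTMLElement !== "undefined" && typeof customElements !== "undefined") {
  class UserCard extends HTMLElement {
    connectedCallback() {
      // textContent, not innerHTML: a route parameter must never become markup.
      this.textContent = `user ${this.getAttribute("user-id") ?? "?"}`;
    }
  }
  customElements.define("user-card", UserCard);
}

// Wiring the pieces together: store changes are republished on the bus.
const bus = new EventBus();
const store = createStore({ route: "/", user: null });
store.subscribe((key, value) => bus.emit("store:" + key, value));
```

Drop this into a `<script type="module">` tag and the browser loads it directly; there is nothing to transpile. The trade you make is visible in `matchRoute` and `UserCard`: every escaping and decoding decision a framework would normally make for you is now yours to get right.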
The honest tradeoff
You lose the ecosystem. No Vite. No Tailwind out of the box.
No bundler magic.
But you gain: complete control over your dependency graph.
A supply chain attack cannot land in a package you never install.
The framework itself is still code you ship, though. Vendor its source into your repo or pin it with a Subresource Integrity hash on the script tag, and review it the way you would any other dependency.
Try it
GitHub: github.com/mymcp-github/nulldeps
Live Demo: https://nulldeps.mymcp.de/demo/
What do you think? Where does this approach break down?
I'd love honest feedback — especially from people who've hit the
limits of vanilla JS at scale.