I Scanned 260 Packages and Found 43 With Security Vulnerabilities
I was poking around node_modules and found something disturbing.
The biggest frameworks in our ecosystem: Express, Next.js, NestJS. All depend on packages that haven't been touched in 5 years. No tests. No quality checks. No active maintainer.
Just dormant code that millions of projects blindly trust.
The challenge I found
- ms — ReDoS vulnerability
- debug — regex injection via env variable
- function-bind — uses the Function() constructor
All sitting at the bottom of the dependency tree, silently running in production.
The added value
What if we put them all in one place? Same boilerplate. Same quality controls. Same CI.
The result: 165 packages, all faster than the originals, all zero-dep, all typed, all tested.
Quality matters
I built this with a custom quality system called CPM (Code Package Manager) that enforces:
- 100% branch coverage on all 888 tests
- TypeScript strict mode with generics and type guards
- Zero dependencies per package
- Consistent exports with types condition
- CI pipeline with multiple reviewers
This isn't just a rewrite — it's a proven, maintainable alternative.
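Three of those rules can be checked mechanically from a package manifest. The following is an added example, not the CPM tooling the post describes: it flags declared runtime dependencies, a missing "exports" map, and entry points whose "types" condition is absent or not listed first (condition maps are matched in order, so TypeScript picks an earlier matching "import" or "require" entry before it ever sees "types"). Both manifests are constructed; the package names, paths and the "left-pad-ish" dependency are placeholders.

```javascript
// Added example, not the CPM tooling described in the post. It checks a package
// manifest against three of the rules listed above: no runtime dependencies,
// an "exports" map, and a "types" condition listed first in every entry point.

// Constructed manifests; names, paths and the dependency are placeholders.
const COMPLIANT_PKG = {
  name: "@example/compliant",
  exports: {
    ".": { types: "./dist/index.d.ts", import: "./dist/index.js" },
    "./utils": { types: "./dist/utils.d.ts", import: "./dist/utils.js" },
  },
};

const SLOPPY_PKG = {
  name: "@example/sloppy",
  dependencies: { "left-pad-ish": "1.x" }, // placeholder dependency
  exports: {
    ".": { import: "./dist/index.js", types: "./dist/index.d.ts" }, // types last
    "./legacy": "./dist/legacy.js", // bare string: no conditions at all
  },
};

// Normalise the shapes "exports" can take into { subpath: target }.
function exportEntries(exp) {
  if (typeof exp === "string" || Array.isArray(exp)) return { ".": exp };
  const keys = Object.keys(exp);
  // A map whose keys all start with "." is a subpath map; anything else is a
  // conditions object for the root entry point.
  return keys.every((k) => k.startsWith(".")) ? exp : { ".": exp };
}

// Returns a list of human-readable policy violations; empty means compliant.
function checkPackagePolicy(pkg) {
  const problems = [];
  const deps = Object.keys(pkg.dependencies || {});
  if (deps.length) problems.push(`declares runtime dependencies: ${deps.join(", ")}`);
  if (pkg.exports === undefined || pkg.exports === null) {
    problems.push('missing "exports" field');
    return problems;
  }
  for (const [subpath, target] of Object.entries(exportEntries(pkg.exports))) {
    if (typeof target !== "object" || target === null || Array.isArray(target)) {
      problems.push(`export "${subpath}" has no conditions object`);
      continue;
    }
    const conditions = Object.keys(target);
    if (!conditions.includes("types")) {
      problems.push(`export "${subpath}" lacks a "types" condition`);
    } else if (conditions[0] !== "types") {
      problems.push(`export "${subpath}" lists "types" after ${conditions[0]}`);
    }
  }
  return problems;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const pkg of [COMPLIANT_PKG, SLOPPY_PKG]) {
    const problems = checkPackagePolicy(pkg);
    console.log(pkg.name, problems.length ? problems : "ok");
  }
}
```

Wire `checkPackagePolicy` into CI by feeding it each published package.json and failing the job on a non-empty result; the branch-coverage and strict-mode rules belong to the test runner and tsconfig rather than to the manifest, so they are out of scope here.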
Impact
| Framework | Replaceable deps | After flupke |
|---|---|---|
| Expo | 108 | Tested, typed, zero-dep |
| Nuxt | 71 | Tested, typed, zero-dep |
| Jest | 63 | Tested, typed, zero-dep |
| Express | 44 | Tested, typed, zero-dep |
| NestJS | 8 | Tested, typed, zero-dep |
Bundle size impact on a React app using axios, moment, uuid, qs, deepmerge:
- Bundle: 339 KB → 200 KB (-41%)
- Gzip: 110 KB → 64 KB (-42%)
Try it
One command:
npx @flupkejs/cli
That's it. Works with npm, yarn, and pnpm.
What do you think? Have you audited your transitive dependencies lately?
https://github.com/rkristelijn/flupke