nulldeps: a no‑npm micro‑framework that removes node_modules, build steps, and external dependencies
nulldeps is a micro‑framework for building web apps with no npm, no node_modules and no build step, with zero dependencies to reduce supply‑chain attack surface.
In March 2026 a broadly used package distribution incident — the hijacking of the axios maintainer’s npm account, tied to a package ecosystem with roughly 300 million weekly downloads — prompted a developer to ask a simple question: how much of my attack surface is npm? The answer that followed was nulldeps, a deliberately minimal micro‑framework that strips away npm, node_modules, build tooling and configuration files and provides a compact set of runtime building blocks for web applications. Its stated aim is straightforward: eliminate the parts of a project that can be hijacked by third‑party package compromise, and keep a working surface that is entirely under the project’s control.
What prompted nulldeps
The catalyst behind nulldeps is described plainly in the project origin: a high‑profile npm account compromise in March 2026 exposed how a single compromised account can touch a vast portion of the ecosystem. The entry describing nulldeps cites that incident directly and notes the scale of the npm ecosystem’s reach — cited as 300 million weekly downloads — as context for rethinking dependency surface area. That event led the author to evaluate how much of an application’s external attack surface is simply the package registry, and to pursue an alternative that avoids that surface entirely.
What nulldeps is and what it includes
nulldeps is presented as a micro‑framework for building web applications that deliberately avoids external package dependencies. The project advertises a minimal, zero‑dependency runtime and bundles a concise set of core capabilities intended to cover common application needs without pulling in npm packages. Those components, listed by the author, are:
- Web Components
- Client‑side Router
- Reactive Store
- EventBus
- Http Client
These elements form the functional footprint nulldeps aims to offer out of the box, enabling developers to structure client‑facing logic, manage state reactively, route within single‑page contexts, emit and listen for application events, and perform HTTP requests — all without relying on npm packages or node_modules.
Design choices: no npm, no build step, no node_modules, no config files
The project explicitly enumerates what it removes from a conventional modern JavaScript toolchain: no npm, no build step, no node_modules, and no configuration files. That set of design constraints is central to nulldeps’ identity. By avoiding a build step and eschewing the node_modules tree, the approach rejects the typical bundler and package‑manager lifecycle in favor of a codebase that can run without the usual package installation and bundling stages. The absence of configuration files is similarly a deliberate simplification to reduce surface area and external tool dependencies.
Those choices imply a return to a more self‑contained, vanilla‑JavaScript model for web apps, where the application brings its own minimal runtime primitives rather than assembling them from an ecosystem of packages.
The honest tradeoff: ecosystem convenience versus dependency control
The author frames nulldeps as an explicit tradeoff. In return for the smaller, more auditable dependency graph and reduced supply‑chain exposure, developers give up the convenience and breadth of the wider JavaScript ecosystem. The project statement lists examples of ecosystem tools that are not part of the nulldeps experience: Vite and Tailwind are named specifically as absent from the out‑of‑the‑box experience, and the author notes the lack of "bundler magic" more generally.
That tradeoff is presented candidly: developers lose access to the ecosystem’s prebuilt integrations and tooling conveniences, but gain "complete control over your dependency graph." The project’s reasoning ties this control directly to security posture: with fewer external components, there are fewer external points that an attacker can compromise.
Security rationale: removing supply‑chain targets
A central argument in the project’s presentation is security through absence. The author states the core security premise concisely: "Zero dependencies. Nothing to hijack." Elsewhere the writeup summarizes that "No supply chain attack can hit what doesn’t exist." Those lines encapsulate nulldeps’ motivation — reducing potential supply‑chain attack vectors by minimizing or eliminating external packages that might be compromised.
Framed this way, nulldeps positions itself as a defensive design choice. Rather than attempting to harden or monitor a large, complex dependency tree, the approach is to reduce the tree to near zero so that there are fewer third‑party components that need to be trusted or audited. That rationale is directly tied to the event that inspired the project and is repeated throughout the project’s description.
What nulldeps leaves and what it removes from developer workflows
By removing npm, bundlers and configuration, nulldeps changes common developer workflows. The project’s listing implies that standard bundler tooling — exemplified by Vite — and utility toolchains — exemplified by Tailwind — are not included. That absence affects tasks many teams rely on, such as CSS utility frameworks, fast development servers with hot module replacement, and automated build pipelines; the project statement makes clear these conveniences are part of what is sacrificed for a smaller dependency surface.
At the same time, the provided primitives (web components, a router, reactive store, an event bus and an HTTP client) are meant to give developers a workable set of tools to structure apps without the ecosystem. The project’s stance is that for teams and projects where absolute control over dependencies and minimal external trust are prioritized, this compromise is acceptable.
Who the project is aimed at
The source frames the project as aimed at developers who are concerned about dependency attack surface and those who have "hit the limits of vanilla JS at scale." The author explicitly invites feedback "especially from people who’ve hit the limits of vanilla JS at scale," indicating that nulldeps targets an audience that has experience building larger applications without heavy dependency chains and is curious about a zero‑dependency alternative. Beyond that, the source does not claim particular enterprise readiness, adoption numbers or production guarantees; it presents nulldeps as a deliberately small toolkit with a focused security motive.
Practical questions and limits left open by the project description
The project description is resolutely concise and leaves several practical deployment and adoption questions open. The source does not describe installation, distribution, compatibility with existing codebases, or explicit migration paths from typical npm‑based projects. It likewise does not list performance characteristics, API surface details beyond the high‑level components, or community and maintenance plans. Because the author does not supply those specifics in the project summary, readers and evaluators should treat nulldeps as a conceptual and technical experiment rather than a fully specified drop‑in replacement for a full modern toolkit.
The author invites feedback and asks candidly, "Where does this approach break down?" That open question underscores that the project anticipates limitations and seeks input from practitioners who can point to practical scalability, ergonomics or integration issues that may arise when avoiding the ecosystem entirely.
Developer implications and considerations for adoption
Given the stated constraints and capabilities, teams considering nulldeps would need to weigh several architectural and process considerations that the project implicitly raises. Because the framework removes tooling like bundlers and configuration files, common development conveniences and integrations may not be available without additional effort. CSS workflows that rely on utility frameworks, build‑time optimizations, and interoperability with the broader npm ecosystem are explicitly outside the project’s scope. The author calls this an "honest tradeoff" — accept the loss of ecosystem convenience in exchange for tighter control over dependencies.
From a maintenance perspective, the lack of external dependencies shifts responsibility onto the project’s authors and operators: any functionality not provided by nulldeps’ built‑in primitives must be implemented in‑house or accepted as out of scope. The source frames this as a conscious choice to minimize external trust rather than as an oversight.
Industry context and broader implications
The origin story for nulldeps is tied to a high‑visibility supply‑chain incident, and the project’s premise contributes to broader industry conversations about dependency trust and software supply‑chain resilience. By offering a concrete design that eliminates package manager reliance, nulldeps highlights one end of the spectrum of defensive strategies: rather than adding monitoring, signing, or provenance checks to a large dependency graph, it asks whether the most secure stance in some contexts is to avoid that graph altogether.
That position will feed into broader debates about tradeoffs between productivity and security. Some organizations prioritize rapid iteration and leverage the vast npm ecosystem to accelerate development; others, especially those handling highly sensitive contexts, accept slower development velocity in exchange for minimized external trust and attack surface. nulldeps sits clearly in the latter camp as a provocative option for teams assessing different risk models.
Community response and experimentation
The project’s short presentation closes with an invitation to "Try it" and a request for honest feedback. That posture suggests nulldeps is intended to spark experimentation and discussion rather than to impose a one‑size‑fits‑all solution. The author’s outreach to practitioners who have encountered the limits of vanilla JavaScript indicates a desire to test the approach against real‑world scale and complexity and to surface where the minimal model will fail or demand additional tooling.
Because the source itself keeps the description compact and does not provide further documentation or distribution details, the project’s viability will likely be evaluated through hands‑on experimentation and community exchange — precisely the feedback loop the author solicits.
Practical reader questions addressed in the source
The project summary addresses several reader concerns directly or indirectly:
- What the software does: nulldeps is a micro‑framework that supplies web components, client routing, a reactive store, an event bus, and an HTTP client while avoiding external packages.
- How it works: in principle, by avoiding npm and the accompanying node_modules, build steps and configuration files so that the project has zero dependencies; the source does not detail implementation mechanics.
- Why it matters: the stated driver is supply‑chain risk — a single compromised npm account demonstrated how widely upstream compromises can propagate, so removing that class of external dependency reduces attack surface.
- Who can use it: the author invites especially those who have worked with vanilla JavaScript at scale, implying it targets experienced web developers willing to accept tradeoffs.
- When it will be available: the source does not provide release timing, distribution details or versioning information.
Because the writeup omits operational and distribution specifics, readers looking to adopt the approach will need to seek additional documentation or direct engagement with the author or project repository to answer detailed implementation and lifecycle questions.
Where the approach may break down
The author frames the absence of tooling and ecosystem as an explicit liability: no Vite, no Tailwind, and no bundler magic. These missing parts are likely the most immediate points of friction for teams accustomed to modern JavaScript developer ergonomics. For projects that rely heavily on build‑time optimizations, CSS frameworks, plugin ecosystems, or a broad set of third‑party integrations pulled in via npm, nulldeps’ model will demand significant adjustments. The author’s solicitation of candid feedback reflects an expectation that practical limits exist and that community experience will be necessary to identify them.
Questions for teams considering testing nulldeps
Teams contemplating a trial of the approach may want to evaluate it along a few axes suggested by the project’s framing:
- Tolerance for lost tooling conveniences and how that impacts developer velocity.
- The ability and willingness to implement missing integrations in‑house or accept lightweight alternatives.
- Security posture tradeoffs: how much risk reduction is achieved in practice by removing external packages, and what new responsibilities are assumed internally.
- The fit with existing infrastructure and deployment pipelines, given the lack of a build step and node_modules.
The source does not supply prescriptive guidance on these questions, but the project’s core statements — the components included, the removals enacted, and the tradeoffs acknowledged — provide a foundation for teams to design targeted experiments.
A forward view on what might follow
nulldeps’ concentrated design and its origin in a supply‑chain incident pose a clear challenge to conventional JavaScript practices: can meaningful, production‑grade web applications be built while avoiding npm and the ecosystem that has become a default for many teams? The project’s author frames nulldeps as an experiment and invites community scrutiny; the answers to that experiment will emerge from use, testing and candid reports from developers who push the model at scale. Whether nulldeps becomes a niche defensive pattern, a reference design, or a starting point for hybrid approaches, it has already contributed to an important conversation about dependency control, developer tooling and how teams choose to balance productivity with a smaller attack surface.
