Picture this: March 2026. The axios maintainer’s npm account vanishes into hacker hands.
300 million weekly downloads, suddenly a ticking bomb.
Developers everywhere froze—how deep did their own npm reliance run?
That’s the spark for nulldeps, a zero dependencies JS framework that strips away the package manager entirely. No npm. No node_modules bloating your repo. No build step to babysit. Just pure, hijack-proof code.
It changes everything because we’ve all grown lazy on npm’s promises—endless libraries an npm install away. But supply chain attacks? They’re the new normal. XZ Utils in 2024, axios in 2026. Who’s next? Nulldeps says: build without them.
What Sparked This Zero-Deps Rebellion?
In March 2026, the axios maintainer’s npm account got hijacked. 300 million weekly downloads. One compromised account.
Boom. That’s the creator’s wake-up call, straight from the GitHub post. He’d been knee-deep in vanilla JS limits, scaling web apps without the full toolchain crutch. But that hijacking? Personal.
His fix: a micro-framework packing Web Components for UI, client-side routing, reactive store, EventBus, even an HTTP client. All vanilla. Git it from GitHub, drop in an HTML file, done. Live demo at nulldeps.mymcp.de/demo/ proves it—snappy, no fluff.
Here’s the thing. We’ve forgotten the pre-npm web. Early 2010s, jQuery ruled with its one-script-drop magic. No bundlers. No configs. Devs wrote tight code because they had to. Nulldeps revives that ethos—my unique insight: it’s not regression; it’s a firewall against the monoculture npm’s become. Like ditching centralized water for a rainwater collector in a poisoned city.
But. Trade-offs loom large.
Why Does Ditching npm Feel So Freeing—Until It Doesn’t?
No Vite plugins. No Tailwind CSS shorthand. You’re back to copy-pasting utils or rolling your own.
The gain? Total control. Your dependency graph? A straight line to vanilla JS. No transitive deps sneaking in malware. Security audits shrink to glancing at your own commits.
And scale? The creator asks for feedback on vanilla JS limits at scale—fair point. Web Components shine for encapsulation, but reactivity without signals or proxies? It’s manual diffing in the store. EventBus handles comms cleanly, router’s basic but functional.
I’ve tinkered with similar no-build setups (think htmx + hyperscript). They fly for MVPs, dashboards. But enterprise sprawl? 10 devs, 50 components—someone’s reinventing pub/sub wheels. Still, in a post-axios world, that’s a feature, not a bug. Forces discipline.
Corporate spin check: none here. Creator’s transparent—no hype, just ‘what do you think? Where does it break?’ Refreshing amid Vite’s “zero config” fairy tales that still snag on edge cases.
How Nulldeps Rewires Your Web App Architecture
Start simple. HTML file loads nulldeps.js—3KB minified, gzipped to nothing. Define components as classes extending HTMLElement. Reactive store? A singleton with subscribers. Router parses hash or path, swaps shadow DOM. HTTP? Fetch wrapper, no axios cruft.
Architecturally, it’s a throwback to modular monoliths. Everything colocated—no import hell. Shadow DOM isolates styles, quashing global CSS wars. EventBus decouples like custom events on steroids.
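To make the architecture concrete, here is an added example (my own sketch, not nulldeps’ source) of the three pieces described above in plain ES2020 with no imports: a store singleton with subscribers and manual shallow diffing, a pub/sub EventBus, and a hash router with `:param` segments, plus a Web Component bound to the store. Class and route names are assumed; the component is only registered when a real DOM is present, so the rest runs anywhere.

```javascript
// Added example, not nulldeps' own source: the store, EventBus and hash router
// the post describes, in plain ES2020 with no imports. Names are assumed.
// Reactive store: one shared state object; subscribers run on every change.
class Store {
  constructor(initial) { this.state = { ...initial }; this.subs = new Set(); }
  subscribe(fn) { this.subs.add(fn); fn(this.state); return () => this.subs.delete(fn); }
  set(patch) { // manual shallow diff: skip the notify round if nothing changed
    if (!Object.keys(patch).some(k => this.state[k] !== patch[k])) return false;
    this.state = { ...this.state, ...patch };
    this.subs.forEach(fn => fn(this.state));
    return true;
  }
}
// EventBus: pub/sub without a DOM node; emit returns how many handlers ran.
class EventBus {
  constructor() { this.handlers = new Map(); }
  on(name, fn) { this.handlers.set(name, (this.handlers.get(name) || new Set()).add(fn)); }
  emit(name, payload) { const fns = this.handlers.get(name) || new Set(); fns.forEach(fn => fn(payload)); return fns.size; }
}
// Hash router: matches "#/users/42?tab=x" against patterns like "/users/:id".
function matchRoute(routes, hash) {
  const segs = (hash || '#/').replace(/^#/, '').split('?')[0].split('/').filter(Boolean);
  for (const [pattern, view] of Object.entries(routes)) {
    const pat = pattern.split('/').filter(Boolean);
    if (pat.length !== segs.length) continue;
    const params = {};
    const ok = pat.every((p, i) =>
      p.startsWith(':') ? (params[p.slice(1)] = decodeURIComponent(segs[i]), true) : p === segs[i]);
    if (ok) return { view, params };
  }
  return null; // nothing matched; the caller renders a not-found view
}

const store = new Store({ user: null, route: null });
// Web Component bound to the store; only defined when a real DOM is present.
if (typeof HTMLElement !== 'undefined' && typeof customElements !== 'undefined') {
  customElements.define('user-badge', class extends HTMLElement {
    connectedCallback() {
      this.attachShadow({ mode: 'open' }); // shadow DOM keeps styles local
      this.unsub = store.subscribe(s => { this.shadowRoot.textContent = s.user ? `Hi, ${s.user}` : 'Signed out'; });
    }
    disconnectedCallback() { this.unsub(); }
  });
  window.addEventListener('hashchange', () =>
    store.set({ route: matchRoute({ '/': 'home', '/users/:id': 'user' }, location.hash) }));
}
```

In a browser, `<user-badge></user-badge>` re-renders whenever `store.set({ user: 'ada' })` runs, and the hash listener keeps `store.state.route` in step with the URL.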
Prediction: this catches fire in air-gapped orgs, embedded kiosks, or anywhere npm’s a non-starter. Gov contracts? IoT firmware? Perfect fit. And for indie hackers—ship faster, audit easier.
Downsides hit hard, though. No tree-shaking (irrelevant without deps). Debugging? Console.log city. Testing? Roll your own DOM mocks. At scale, you’ll crave TypeScript—ironic, since npm’s the typing hub.
One-paragraph deep dive: imagine a SaaS dashboard. Nulldeps handles auth flows via store + router, components fetch via HTTP client, EventBus broadcasts user updates. No webpack watching files—edit, refresh, iterate. Pure. But add charts? Hand-code SVG or embed vanilla D3 (copy the minified build). It’s doable, just sweaty.
Is a Zero-Deps JS Framework Ready for Prime Time?
Short answer: for niches, yes.
Everyone expected frameworks to bloat forever—Next.js at 100MB installs, npm as the only game. Nulldeps flips it: minimalism as security.
Breaks down? Polyfills for old browsers (you ship ‘em). Team adoption—veterans miss autocomplete. Ecosystem lock-in’s the real killer; rebuilding Tailwind equiv takes weeks.
Yet, in 2026’s attack-riddled npmscape, it’s a bold pivot. Forces better code. Reminds us JS was built lean.
Frequently Asked Questions
What is nulldeps and how does it work?
Nulldeps is a zero-dependency JS micro-framework for web apps, offering Web Components, routing, reactive state, EventBus, and HTTP client—all vanilla JS, no npm or build tools needed. Drop the script tag, extend HTMLElement, and build.
Does nulldeps prevent supply chain attacks?
Yes, by eliminating npm and node_modules entirely—no external deps means no hijack vectors like the axios incident. You control every line.
Can nulldeps handle large-scale apps?
It scales for disciplined teams via Web Components and manual reactivity, but lacks ecosystem tools—best for MVPs, secure environments, or when avoiding bloat.