I built a JS framework with zero dependencies. Here's why

Published: (April 8, 2026 at 05:08 PM EDT)
Source: Dev.to

Introduction

In March 2026 the npm account of the Axios maintainer was hijacked.
With 300 million weekly downloads, a single compromised account exposed a massive attack surface.

That incident made me ask: how much of my own attack surface is just… npm?

The Solution: a Zero‑Dependency Micro‑Framework

I built a tiny framework for web apps that eliminates the need for npm entirely.

Core Features

  • 🧩 Web Components – native custom elements for encapsulated UI.
  • 🔀 Client‑side Router – simple routing without external libraries.
  • 🗃️ Reactive Store – state management built on native proxies.
  • 📡 EventBus – lightweight publish/subscribe for component communication.
  • 🌐 Http Client – minimal wrapper around fetch for API calls.

What It Doesn’t Include

  • No npm, no node_modules, and no build step.
  • No configuration files.
  • No ecosystem tools such as Vite or Tailwind out of the box.

Why It Matters

  • Zero dependencies – nothing to hijack.
  • Full control over your dependency graph.
  • Supply‑chain attacks cannot affect code that doesn’t exist.
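
To put a number on the "how much of my attack surface is npm?" question for an existing project, the sketch below summarises a `package-lock.json` (the `packages` map of lockfileVersion 2 or 3). It is an added example, not code from this framework; `summarizeLockfile`, `SAMPLE_LOCK` and every package name and URL in the sample are constructed for illustration.

```javascript
// Added example (not part of the framework): summarise the npm attack surface
// recorded in a package-lock.json with lockfileVersion 2 or 3.
function summarizeLockfile(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const summary = { total: 0, direct: 0, transitive: 0, devOnly: 0,
                    installScripts: [], missingIntegrity: [], hosts: {} };
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages)) {
    // Skip the root project, workspace symlinks and workspace source folders.
    if (path === "" || meta.link || !path.includes(marker)) continue;
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const topLevel = path === marker + name;
    summary.total++;
    if (topLevel && direct.has(name)) summary.direct++;
    else summary.transitive++;                     // code you never chose explicitly
    if (meta.dev) summary.devOnly++;
    if (meta.hasInstallScript) summary.installScripts.push(name); // runs at install time
    if (!meta.integrity) summary.missingIntegrity.push(name);     // tarball not hash-pinned
    if (meta.resolved) {
      let host;
      try { host = new URL(meta.resolved).host; } catch { host = "(non-URL)"; }
      summary.hosts[host] = (summary.hosts[host] || 0) + 1;
    }
  }
  return summary;
}

// Constructed sample lockfile: one runtime dependency, one dev dependency,
// and a nested copy of a helper fetched from a mirror without an integrity hash.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "http-lib": "^1.0.0" },
          devDependencies: { "bundler": "^2.0.0" } },
    "node_modules/http-lib": { version: "1.0.0", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/http-lib/-/http-lib-1.0.0.tgz" },
    "node_modules/redirect-helper": { version: "3.1.0", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/redirect-helper/-/redirect-helper-3.1.0.tgz" },
    "node_modules/bundler": { version: "2.0.0", dev: true, hasInstallScript: true,
      integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/bundler/-/bundler-2.0.0.tgz" },
    "node_modules/bundler/node_modules/redirect-helper": { version: "2.9.0", dev: true,
      resolved: "https://mirror.example/redirect-helper-2.9.0.tgz" },
  },
};
console.log(summarizeLockfile(SAMPLE_LOCK));
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of the sample; the `installScripts`, `missingIntegrity` and `hosts` fields are the ones worth reviewing first.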

Trade‑offs

You lose the convenience of a rich ecosystem (e.g., automatic bundling, CSS frameworks, hot‑module replacement).
In return you gain complete transparency and security for the core of your application.

  • GitHub repository:
  • Live demo:

Call for Feedback

What do you think? Where does this approach break down?
I’d love honest feedback—especially from people who have hit the limits of vanilla JS at scale.
