
I built a JS framework with zero dependencies. Here's why
In March 2026, the axios maintainer's npm account got hijacked. 300 million weekly downloads. One compromised account.

That's when I asked myself: How much of my attack surface is just... npm?

So I built something without it.

What is nulldeps?

A micro-framework for building web apps.

✅ No npm
✅ No build step
✅ No node_modules
✅ No config files

What you get:

🧩 Web Components
🔀 Client-side Router
🗃️ Reactive Store
📡 EventBus
🌐 Http Client

Zero dependencies. Nothing to hijack.

The honest tradeoff

You lose the ecosystem. No Vite. No Tailwind out of the box. No bundler magic.

But you gain: complete control over your dependency graph. No supply chain attack can hit what doesn't exist.

Try it

GitHub: github.com/mymcp-github/nulldeps
Live Demo: https://nulldeps.mymcp.de/demo/

What do you think? Where does this approach break down? I'd love honest feedback — especially from people who've hit the limits of vanilla JS at scale.



