Why we run zero-npm for client-facing workloads.
A practical defense of vanilla JS and native Web APIs in 2026: supply chain, ownership, longevity.
Every dependency you add is a relationship you now have to maintain — with a maintainer you’ve never met, on a release schedule you don’t control, carrying transitive code you’ve never read. For client-facing workloads we treat that relationship as a liability to be justified, not a convenience to be assumed.
The 2025–2026 wave of npm supply-chain attacks made the cost concrete: self-replicating worms, hijacked maintainer accounts, and poisoned post-install hooks shipping credential stealers inside packages with hundreds of millions of weekly downloads. A zero-npm posture doesn’t make us immune to everything, but it removes an entire category of attack from the board: a compromised registry package never executes in our build or in our users’ browsers, because nothing from the registry is installed in the first place.
What we gain in exchange: code we own end to end, a build that still works in five years, and a security surface small enough to actually reason about. Native Web APIs cover far more ground in 2026 than most teams assume: ES modules, fetch, Web Components, Web Crypto, Intl and the URL APIs are all standardized and shipped in every current browser, and each one replaces something teams habitually install.