# NullDeps
> A zero-dependency Web Component framework built on pure web standards.
No build step. No bundler. No npm install. Just the platform.
## Why Not npm?
Supply chain attacks on the npm ecosystem are no longer rare edge cases.
They are a **systematic, growing threat** to every project with a `node_modules` folder.
| Year | Package | Impact | Vector |
|------|---------|--------|--------|
| 2021 | **ua-parser-js** | 8M weekly downloads | Crypto-miner injected via hijacked account[1][7] |
| 2021 | **node-ipc** | Millions of dependents | Protestware — deleted files on Russian IPs[1] |
| 2022 | **colors + faker** | Widespread breakage | Intentionally sabotaged by own author[1] |
| 2023 | **xz-utils** | Near-miss in Linux kernel | 2-year social engineering campaign[1] |
| 2024 | **polyfill.io** | 100k+ websites | CDN domain sold, malware served to end users[1] |
| 2026 | **axios** | **100M+ weekly downloads** | Account takeover — RAT deployed cross-platform via `postinstall` hook |
Every one of these packages was **trusted, maintained, and widely used**.
The attack surface is not your code.
**It is your dependency tree.**
> The only safe dependency is no dependency.
NullDeps has no `package.json`. No lockfile. No `node_modules`.
There is nothing to hijack.
NullDeps proves you don't need any of it.
- **Zero dependencies** — no node_modules, no lockfile hell
- **Pure Web Standards** — Custom Elements, Shadow DOM, native Events
- **Tiny by design** — you ship exactly what you write
- **Framework patterns** — without the framework tax
No setup. No install. Just open and explore.
## Getting Started
```bash
git clone https://github.com/mymcp-github/nulldeps
cd nulldeps
npx serve . -p 3000
# → Demo running at http://localhost:3000/demo/
```

Then open http://localhost:3000/demo/ in your browser.
Demo data is stored in `localStorage` — no backend required.

No package manager needed. Just import:

```js
import { Component, Router, Store, EventBus } from './src/nulldeps.js';
```

| Module | File | Purpose |
|---|---|---|
| `Component` | `core/component.js` | Base class for Web Components with state & lifecycle |
| `Store` | `core/store.js` | Reactive global state |
| `Router` | `core/router.js` | Client-side routing |
| `EventBus` | `core/events.js` | Cross-component communication |

```js
import { Component } from './src/nulldeps.js';

class MyElement extends Component {
  connectedCallback() {
    this.setState({ count: 0 });
  }

  render() {
    return `<p>${this.state.count}</p>`;
  }
}

customElements.define('my-element', MyElement);
```

```js
import { Store } from './src/nulldeps.js';

const store = new Store({ user: null, theme: 'dark' });
store.subscribe((state) => console.log(state));
store.set({ user: { name: 'Max' } });
```

```js
import { Router } from './src/nulldeps.js';

Router.add('/home', () => renderHome());
Router.add('/tasks/:id', ({ id }) => renderTask(id));
Router.start();
```

```js
import { EventBus } from './src/nulldeps.js';

EventBus.on('task:completed', (data) => console.log(data));
EventBus.emit('task:completed', { id: 1, points: 10 });
```

The best dependency is no dependency.
The best abstraction is the platform itself.
NullDeps gives you patterns without payloads.
All modern browsers. No polyfills needed.
| Chrome | Firefox | Safari | Edge |
|---|---|---|---|
| ✅ 67+ | ✅ 63+ | ✅ 16.4+ | ✅ 79+ |
PRs welcome. Keep it zero-dependency. Keep it simple.
- Fork the repo
- Make your changes in `src/`
- Test against the demo in `demo/`
- Submit a PR
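
One way to check the "keep it zero-dependency" rule before submitting a PR, as an added example that is not part of NullDeps: a dependency-free scan that flags every import specifier that is not a local path, meaning a bare package name (the npm vector above) or a URL (the CDN vector above). The function names, the sample source and the host `cdn.example` are constructed for illustration.

```javascript
// Added example, not NullDeps code. Regex matching approximates module parsing:
// use it as a review aid, not as a full JavaScript parser.
const SPECIFIER_PATTERNS = [
  // import x from 'm' / import { a } from 'm' / import 'm'
  /\bimport\s+(?:[\w*{}\s,$]+\s+from\s+)?(['"])([^'"]+)\1/g,
  // export * from 'm' / export { a } from 'm'
  /\bexport\s+(?:\*|\{[^}]*\})(?:\s+as\s+\w+)?\s+from\s+(['"])([^'"]+)\1/g,
  // dynamic import('m') with a literal argument
  /\bimport\s*\(\s*(['"])([^'"]+)\1\s*\)/g,
];

// 'local' = relative or same-origin path, 'url' = scheme or protocol-relative
// URL (third-party host), 'bare' = package name that needs a registry or import map.
function classifySpecifier(spec) {
  if (/^(?:[a-z][a-z0-9+.-]*:|\/\/)/i.test(spec)) return 'url';
  if (/^\.{0,2}\//.test(spec)) return 'local';
  return 'bare';
}

// Returns one finding per non-local specifier, ordered by line number.
function findExternalImports(source, file = '<inline>') {
  const findings = [];
  for (const pattern of SPECIFIER_PATTERNS) {
    for (const match of source.matchAll(pattern)) {
      const kind = classifySpecifier(match[2]);
      if (kind === 'local') continue;
      const line = source.slice(0, match.index).split('\n').length;
      findings.push({ file, line, specifier: match[2], kind });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: three local imports and three that break the rule.
const SAMPLE = [
  "import { Component } from './src/nulldeps.js';",
  "import axios from 'axios';",
  "export { Store } from '../core/store.js';",
  "export * from 'https://cdn.example/polyfill.min.js';",
  "const mod = await import('lodash-es');",
  "import {",
  "  EventBus,",
  "} from './core/events.js';",
].join('\n');

console.log(findExternalImports(SAMPLE, 'sample.js'));
```

An empty result for every file under `src/` and `demo/` means the browser never fetches code from outside the repository.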
MIT