Zero-Dependency: Building Raw, Fast Web Architecture

by RAW_EXEC ENGINEERING 6 min read
Zero-Dependency: Building Raw, Fast Web Architecture

The average production Next.js application has 847 direct and transitive dependencies. The average critical bug discovered in those dependencies: 3.2 per year. The average time to patch: 11 days. You are shipping other people’s code. Most of it, you cannot audit. None of it, you control.

The Dependency Audit

Start with npm ls --depth=0. Count the numbers. Then ask yourself: do I know what each of these does? Could I replace any of them in under an hour? If the answer to either question is “no,” you have a dependency problem.

We run this exercise with every new client engagement. The results are consistent: 60-70% of dependencies are solving problems that have either been solved natively by the browser, solved by the platform, or are not actually problems that needed solving at all.

What We Actually Need

The honest dependency list for a production web application in 2025:

Framework: One. Pick a static site generator or a minimal server framework. Not three.

Build tools: Bundled with the framework or native. Separate bundler configuration is legacy architecture.

Type safety: TypeScript. Built into every modern toolchain.

Styling: Tailwind CSS v4. Zero configuration, pure CSS output, tree-shaken by default.

Everything else is negotiable. More specifically: everything else should have to survive a justification review before it enters your codebase.

Native APIs Are Ready

The ecosystem’s addiction to dependencies often comes from valid historical grievances. Fetch didn’t exist. CSS didn’t support variables. Intersection Observer was experimental. Grid and Flexbox were behind flags.

None of that is true anymore. The platform ships:

  • fetch() with full streaming support
  • CSS Grid, Flexbox, Container Queries, and Cascade Layers
  • Intersection Observer, Resize Observer, Mutation Observer
  • Web Animations API, View Transitions API
  • import() for dynamic code splitting without a bundler

The dependency that solved a browser gap in 2018 is technical debt in 2025. Audit accordingly.

The Supply Chain Attack Surface

The SolarWinds attack was a supply chain attack against compiled software. The left-pad incident was a supply chain attack against open-source packages. The event-stream malware was a supply chain attack that shipped in production at major financial institutions.

Every dependency is a door. Most doors are fine. The one that isn’t will cost you your users’ data, your company’s reputation, and 72 hours of your best engineers’ lives.

The zero-dependency philosophy is not about purity. It is about surface area. A codebase with 50 dependencies has 50 doors. One with five has five.

Practical Steps

You cannot eliminate all dependencies today. Here is where to start:

  1. Audit date manipulation libraries: moment, date-fns, dayjs are often replaceable with Intl.DateTimeFormat and basic arithmetic
  2. Audit animation libraries: GSAP is sometimes necessary; most projects need CSS transitions
  3. Audit utility libraries: lodash is a museum exhibit; use Array.prototype methods
  4. Audit form validation: HTML5 constraint validation handles 80% of use cases natively

Each dependency you remove is a security patch you will never need to apply, a bundle kilobyte you will never need to ship, and a breaking change you will never need to absorb.

Start counting your doors.

#performance #npm #dependencies #engineering