Dreaming of a “Zero Dependency” Tech Stack

by Dr. Robert Buccigrossi, TCG CTO

Metal numerals 000 nailed to a wooden dock. t

Recently, there has been a pattern forming in my journal reading:

In short: Web application technology stacks have exploded in complexity and dependencies leading to nightmares in both operations and security management.

Using a default react app “npx create-react-app” pulls in a number of default npm libraries (and 5 “npm audit”-reported vulnerabilities). Similarly “ng new” has 39–47 vulnerabilities out of the box. Looking at vue’s dependencies I temporarily thought that it had no dependencies, but it has many: it just uses webpack to build in devDependencies into its production pack. Even if you forsake single page applications you can still find yourself with a massive pyramid of dependencies encouraged by well-meaning package utilities: Python has pip, PHP has composer, .NET has NuGet.

The reaction to network security vulnerabilities has been the rise of the “zero trust” network. Imagine a similar world for software architecture – a world in which you deliberately aim for no additional external dependencies other than your hand-picked core components. Of course, we still depend upon the operating system, our web server, and our database, but I’m compelled to ask: Have plain vanilla JS, HTML, and CSS advanced enough that “zero dependency” microframeworks are feasible? Could we dare dream of a world where “end of support” or dependency audit scan reports become a relic of the past? Could we dream of code in which our teams completely understand how it works from end-to-end and true DevSecOps can be achieved?

And if achieved, with superior security and resilience, could a “zero dependency” tech stack be a differentiator?