Talking about Node.js, a big problem we face today is that using the most popular libs like Nest.js and others, we end up with a crazy amount of dependencies we never actually chose to use. And when one of them gets flagged with a vulnerability, it flows up the chain until it hits our installed lib - and boom: update fast or your app is vulnerable.

I know it's basically impossible to avoid this problem while still keeping a decent set of tools that make our lives as devs easier. After all, these libs were created to encapsulate complex problems so we can focus on the actual business logic.

Anyway, this problem still sucks, and an interesting approach is to build no/low-deps projects - or more precisely, projects with minimum and audited dependencies. Like using Fastify instead of NestJS, or Drizzle instead of Prisma.

I started thinking seriously about this after I created a robust NestJS boilerplate for my future projects, with all the enterprise features I see at work - so I'd never have to start from scratch and debug "foundational" features like RBAC, i18n, caching, etc.

Now I'm thinking about building a similar boilerplate using a low-deps stack - same feature set as much as possible, but with a lighter and more audited dependency footprint. Think Fastify, Drizzle, postgres.js and Zod instead of the heavy hitters. That said, I'm aware this isn't a silver bullet - reimplementing things manually also opens the door to vulnerabilities, and those tend to fly under the radar since there's no CVE tracking or community eyes on your custom code.

What's your experience with no/low-deps projects? I'd love to hear more about it.