hu3 3 days ago

You usually can. You just gotta be a bit adventurous.

https://github.com/lukeed/uvu is a testing library with almost no dependencies.

https://github.com/biomejs/biome is a linter written in Rust which in theory has a smaller attack surface.

And as long as you stay some versions behind bleeding edge, you can use time in your favor to catch supply chain attacks before they reach your codebase.
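
One way to turn the "stay some versions behind" advice into an enforceable check, as an added example that is not part of the comment above nor any project it names: a small Node script that compares the versions resolved in a package-lock.json against a minimum publish age and, for anything too fresh, suggests the newest version that has already cleared the cooldown window. The registry metadata is assumed to have the shape of the npm registry's `time` field (ISO dates keyed by version, plus `created`/`modified`); the package names, versions, dates and the lockfile below are all constructed for illustration, and the `example-lib`/`tiny-util` names are hypothetical.

```javascript
// Added example (not from the thread): enforce a publish-age "cooldown" on npm
// dependencies. Assumptions: registry metadata shaped like the npm registry's
// `time` field, and a package-lock.json v2/v3 `packages` object. All sample data
// below is constructed; the package names are hypothetical.

const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "major.minor.patch" with an optional prerelease/build suffix. Returns null
// for keys that are not versions (the registry's "created"/"modified" entries).
// A real deployment should use the `semver` package instead of this helper.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isPrerelease(v) {
  return v.includes("-");
}

// Newest stable version that was published at least `minAgeDays` before `now`,
// or null if no version has cleared the cooldown yet.
function pickCooledVersion(timeMap, now, minAgeDays) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const eligible = Object.keys(timeMap)
    .filter((v) => parseVersion(v) !== null && !isPrerelease(v))
    .filter((v) => new Date(timeMap[v]).getTime() <= cutoff)
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Walk a lockfile's resolved packages and report versions younger than the
// cooldown (or with no publish date at all, which is itself worth a look).
function auditLock(lockPackages, registryTimes, now, minAgeDays) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const findings = [];
  for (const [path, entry] of Object.entries(lockPackages)) {
    if (path === "") continue; // root project entry, not a dependency
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const times = registryTimes[name];
    if (!times || !times[entry.version]) {
      findings.push({ name, version: entry.version, reason: "no publish date" });
      continue;
    }
    const published = new Date(times[entry.version]).getTime();
    if (published > cutoff) {
      findings.push({
        name,
        version: entry.version,
        reason: "too fresh",
        ageDays: Math.floor((now.getTime() - published) / DAY_MS),
        suggested: pickCooledVersion(times, now, minAgeDays),
      });
    }
  }
  return findings;
}

// Constructed sample registry metadata (hypothetical packages and dates).
const REGISTRY_TIMES = {
  "example-lib": {
    created: "2023-06-01T00:00:00.000Z",
    modified: "2024-02-10T09:00:00.000Z",
    "1.4.0": "2024-01-05T00:00:00.000Z",
    "1.4.1": "2024-02-01T00:00:00.000Z",
    "1.5.0-beta.1": "2024-02-05T00:00:00.000Z",
    "1.5.0": "2024-02-10T09:00:00.000Z",
  },
  "tiny-util": {
    created: "2023-11-20T00:00:00.000Z",
    modified: "2023-11-20T00:00:00.000Z",
    "0.9.2": "2023-11-20T00:00:00.000Z",
  },
};

// Constructed package-lock.json `packages` object.
const LOCK_PACKAGES = {
  "": { name: "my-app", version: "1.0.0" },
  "node_modules/example-lib": { version: "1.5.0" },
  "node_modules/tiny-util": { version: "0.9.2" },
};

const NOW = new Date("2024-02-12T00:00:00.000Z");
const MIN_AGE_DAYS = 7;

const FINDINGS = auditLock(LOCK_PACKAGES, REGISTRY_TIMES, NOW, MIN_AGE_DAYS);
console.log(JSON.stringify(FINDINGS, null, 2));
```

With the sample data, `example-lib@1.5.0` is flagged because it is only a day old, and `1.4.1` is suggested since the `1.5.0-beta.1` prerelease is skipped; `tiny-util@0.9.2` passes. In practice you would fetch each package's metadata from the registry and run this in CI against the committed lockfile; the cooldown length is a policy choice, and a longer window buys more time for a compromised release to be noticed but delays legitimate security fixes, so pair it with an advisory check rather than treating it as the only gate.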

user34283 3 days ago | parent

Well, can you?

Maybe you can.

Or you're talking about an approach you utilized in some side projects rather than moderately sized commercial web applications? I don't imagine there are many out there that have less than hundreds of dependencies.

hu3 2 days ago | parent

I'm talking about large enterprise projects.

Just because the project is large doesn't mean we should give up on reducing dependencies.

Hundreds is much better than thousands.