| ▲ | auxiliarymoose 11 hours ago |
| I really think writing dependency-free JavaScript is the way to go nowadays. The standard library in JS/CSS is great. So are static analysis (TypeScript can check JSDoc), imports (ES modules), UI (web components), etc. People keep telling me the approach I am taking won't scale or will be hard to maintain, yet my experience has been that things stay simple and easy to change in a way I haven't experienced in dependency-heavy projects. |
|
| ▲ | Joeri 7 hours ago | parent | next [-] |
| I’ve been exploring this for years, even made a tutorial website about building sites and apps without dependencies (plainvanillaweb.com). What I’ve learned is that many of the things the frameworks, libraries and build tools do can be replaced by browser built-ins and vanilla patterns, but also that making things that way is at present an obscure domain of knowledge. I think this is because the whole web dev knowledge ecosystem of youtubers and tutorial platforms is oriented around big frameworks and big tooling. People think it is much harder than it actually is to build without frameworks or build tools, or that the resulting web app will perform much worse than it actually will. A typical react codebase ported to a fully vanilla codebase ends up just as modular and around 1.5x the number of lines of code, and is tiny in total footprint due to the lack of dependencies so typically performs well. To be clear though: I’m not arguing the dependencies are bad or don’t have any benefits at all or that vanilla coding is a superior way. Coding this way takes longer and the resulting codebase has more lines of code, and web components are “uglier” than framework components. What I’m saying is that most web developers are trapped in a mindset that these dependencies must be used when in reality they are optional and not always the best choice. |
| |
| ▲ | auxiliarymoose 6 hours ago | parent | next [-] | | Thanks for creating and sharing that resource! I'm reading through it now, and it looks fantastic. I'll share it the next time someone asks where to get started with web dev. Come to think of it, I should write up the techniques I use, too...e.g. I have simple wrappers around querySelector() and createElement() with a bit of TypeScript gymnastics in a JSDoc annotation to add intellisense + type checking for custom elements. Would you be open to a pull request with a page on static analysis/type checking for vanilla JS? (intro to JSDoc, useful patterns for custom elements, etc.) If not, that's totally OK, but I figure it could be interesting to readers of the site. And agreed on vanilla/dependency-free not being a silver bullet. There aren't really one-size-fits-all solutions in software, but I've found a vanilla approach (and then adding dependencies only if/when necessary) tends to help the software evolve in a natural way and stay simple where possible. | |
| ▲ | j45 4 hours ago | parent | prev [-] | | Nice resource! Depending on the use case, minimizing dependancies can also decrease attack vectors on the page/app. |
|
|
| ▲ | arcadianalpaca 15 minutes ago | parent | prev | next [-] |
| Yeah I've been doing this more and more. The friction of keeping dependencies updated has gotten worse than the friction of just maintaining the (often times) 20 or so lines you need to write yourself. Not to mention the pain you'll eventually find yourself when a bug isn't patched fast enough, or when you need to make a small change, or when a transitive dependency you've never heard of gets compromised... |
|
| ▲ | robocat 4 hours ago | parent | prev | next [-] |
| Rendering components is the easy part. Another goal of frameworks is to provide the model (reactive updates): https://mjswensen.com/blog/the-single-most-important-factor-... What do you use for model updates? |
| |
| ▲ | j45 4 hours ago | parent [-] | | Looking into the history of reactive updates, we find that it started with simple javascript commands helped kickstart most of it. https://en.wikipedia.org/wiki/Ajax_(programming) The idea of reactivity started in the 1990's in production. When Gmail was released this technology is what made a website behave like a desktop app (plus the huge amount of storage) If we were to look into today's equivalent of doing this, it might be surprising what exists in the standard libraries. |
|
|
| ▲ | Maxion 9 hours ago | parent | prev | next [-] |
| Did this for a project in 2022. Haven't had any drama related to CVEs, hadn't had any issues related to migration from some version of something to another. The client has not had to pay a cent for any sort of migration work. |
| |
| ▲ | jsmith99 4 hours ago | parent | next [-] | | Is the lack of CVE because the implementations you wrote are better written and safer than those in the standard libraries or because no one has checked? | | |
| ▲ | foldr 4 hours ago | parent [-] | | Presumably the latter. However, mindlessly bumping package versions to fix bullshit security vulnerabilities is now industry standard practice. Once your client/company reaches a certain size, you will pretty much have to do it to satisfy the demands of some sort of security/compliance jarl. | | |
| ▲ | consp an hour ago | parent [-] | | And yet npm install [package with 1000 recursieve dependencies] is not considered a supply chain risk at all to those security/compliance jarls. Let alone having to check all licenses... |
|
| |
| ▲ | auxiliarymoose 6 hours ago | parent | prev | next [-] | | There are certainly security benefits to keeping things in-house. Less exposure to supply-chain attacks (e.g. shai-hulud malware) and widespread security bugs (e.g. react server components server-side RCE). Plus it's much easier to do a complete audit and threat model of the application when you built and understand everything soup-to-nuts. Of course, it also means you have to be cautious about problems that dependencies promise to solve (e.g. XSS), but at the same time, bringing in a bunch of third-party code isn't a substitute for fully understanding your own system. | |
| ▲ | zelphirkalt 3 hours ago | parent | prev | next [-] | | Very laudable, though this is probably also part of the issue: If the client doesn't need any migration work, the dev doesn't get more money, which in turn might be phrased: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" -- by someone other than me. I have worked at employer, where one could have done the frontend easily in a traditional server side templating language since most of the pages where static information anyway and very little interactive. But instead of doing that and have 1 person do that, making an easily accessible and standard-conforming frontend, they decided to go with nextjs and required 3 people fulltime to maintain this, including all the usual churn and burn of updating dependencies and changing the "router" and stuff. Porting a menu from one instance of the frontend to another frontend took 3 weeks. Fixing a menu display bug after I reported it took 2 or 3 months. | |
| ▲ | j45 4 hours ago | parent | prev | next [-] | | It's nice to sidestep the relative brittleness of web implementations simply because of versions. | |
| ▲ | bell-cot 6 hours ago | parent | prev [-] | | > The client has not had to pay a cent for ... From human society's PoV, you sound like a 10X engineer and wonderful person. But from the C-suite's PoV ...yeah. You might want to keep quite about this. |
|
|
| ▲ | Bockit 5 hours ago | parent | prev | next [-] |
| I've been doing JS for nearly a couple decades now (both front and back) and I landed on the same approach a few years ago. Pick your absolutely minimal set of dependencies, and then just make what you need for everything else. Maybe counter-intuitive to some, I feel like I'm more comfortable maintaining a larger codebase with less people. What's more, given the tools we have today, it fits really well with agentic engineering. It's even easier to create and understand a homegrown version of a dependency you may have used before. |
|
| ▲ | obsidianbases1 an hour ago | parent | prev | next [-] |
| This is the way. Even more so now that LLMs can reliably write simple utilities, the kind of things a dependency would previously frag in hundreds of other utilities (that go unused) all while depending on another dozen dependencies |
|
| ▲ | CoderLuii 10 hours ago | parent | prev | next [-] |
| been doing something similar. the projects ive been building recently use as few dependencies as possible and honestly the maintenance burden dropped significantly. when something breaks you actually know where to look instead of digging through 15 layers of node_modules. people said the same thing to me about it not scaling but the opposite turned out to be true. |
| |
| ▲ | auxiliarymoose 7 hours ago | parent [-] | | yeah, plus stack traces, debuggers, and profiling tools are easier to use when all of the non-essential complexity is stripped out. which in turn means it's possible to work productively on software that solves more complex problems. that's in contrast with the sort of stuff that invariably shows up when something falls over somewhere in a dependency: cannot access property "apply" of null
at forEach()
at setTimeout()
at digest()
at callback()
at then()
...
it's not fun to step through or profile that sort of code either... |
|
|
| ▲ | assimpleaspossi 4 hours ago | parent | prev | next [-] |
| CSS has a standard library? I stopped doing web dev just three years ago and am not aware of such a thing. Do you mean the CSS standard? |
| |
|
| ▲ | leptons 9 hours ago | parent | prev | next [-] |
| If I need a library for nodejs, the first thing I do is search for the dependency-free option. If I can make that work, great. |
|
| ▲ | anematode 9 hours ago | parent | prev [-] |
| This is absolutely the way to go |
| |
| ▲ | k__ 5 hours ago | parent [-] | | Doesn't this go against the credo of not building your own crypto? | | |
| ▲ | auxiliarymoose 5 hours ago | parent | next [-] | | No, it means using the crypto module in the standard library instead of importing some third party dependency. | |
| ▲ | embedding-shape 5 hours ago | parent | prev [-] | | Depends on what cryptography you're talking about, the Web Crypto API exists for quite some time, so I'd say that fits in (usually) with "The standard library in JS/CSS is great". |
|
|
