0deps Movement: Local Dependencies and Security
Software developers install hundreds of external libraries in almost every project. Modern frameworks often pull in thousands of transitive dependencies that never appear in your own manifest. This creates a massive risk for the software supply chain.
The 0deps movement asks a simple question: What if your application only ran code you control?
Every dependency increases your attack surface. Dependencies can:
- Introduce security flaws.
- Become targets for attacks.
- Stop receiving updates.
- Change their code and break your app.
- Add new hidden dependencies.
In the 0deps model, you put every dependency directly into your project repository. You do not download them during a build. Everything stays inside your repository from the start.
This method provides:
- Reproducible builds.
- Less reliance on external registries.
- Easier security audits.
- More predictable code.
The core idea is not to stop code from changing. Algorithms and security patches must change. What stays the same is the public contract.
A library exposes a specific set of functions. These functions form a contract, for example:
- authenticate()
- createSession()
- verifyPasskey()
The implementation inside the library can change entirely. You can swap out algorithms or data structures. The rest of your application does not care because the interface remains the same.
When a security flaw appears, you face two problems:
- Fixing the flaw.
- Making sure the update does not break your app.
The 0deps architecture solves the second problem. You update the code behind the interface. The public API stays the same. Your application keeps working without any changes.
You isolate external tools behind an internal adapter:
Application
  ↓
Public Interface
  ↓
Adapter
  ↓
Implementation
If a library is abandoned, you only change the adapter. The rest of your app stays safe. Library versions become a small detail rather than a major headache.
The goal is not to make software perfect. The goal is to reduce supply chain risk. By removing dynamic installs, you no longer expose your build to:
- Malicious package releases.
- Compromised registries.
- Dependency confusion attacks.
Every line of code becomes part of your project. This puts every line under your own control and review.
Projects last for years. Libraries and frameworks disappear. With 0deps, your application continues to use the same contracts even as the ecosystem changes.
