Movimento 0deps: Local Dependencies and Immutable Contracts
Software developers often install hundreds of external libraries. Modern frameworks rely on thousands of transitive dependencies. This means your application runs code from strangers.
This creates a software supply chain risk.
Every dependency increases your attack surface. It can:
- Introduce security flaws.
- Become a target for supply chain attacks.
- Get abandoned by maintainers.
- Change its public API.
- Break backward compatibility.
The 0deps movement asks a simple question: What if your application only relies on code you control?
In the 0deps model, you vendor the dependencies you need directly into your project repository. Nothing is downloaded from a registry during a build. Everything needed to build and run the application is in the repo from the start, as a copy you have reviewed and control.
This approach provides:
- Reproducible builds.
- Less reliance on external registries.
- Centralized security audits.
- Higher predictability.
The core principle is not frozen code. Implementations and algorithms must keep evolving to fix bugs and improve security. What stays stable is the public contract.
Each library exposes a carefully designed interface. Examples include:
- authenticate()
- createSession()
- verifyPasskey()
These functions define a contract. The contract does not change. You can rewrite the code behind it or swap the library entirely, and as long as the new implementation honours the contract, the rest of your application does not notice.
When a vulnerability appears, you usually face two problems:
- Fixing the flaw.
- Checking if the update breaks your app.
In a 0deps architecture, the second problem largely disappears. You update the internal implementation while the public API stays the same, and a contract test run against the new implementation confirms it still behaves as callers expect. Your application keeps working without code changes.
You isolate external integrations using an internal adapter: Application -> Public Interface -> Adapter -> Implementation
If a library disappears tomorrow, you only change the adapter. No other part of your app breaks.
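As an added example (not code from the 0deps page or from any project it describes), the chain Application -> Public Interface -> Adapter -> Implementation in TypeScript: a stable PasswordHasher contract, two adapters over Node's built-in crypto standing in for vendored implementations, application code written against the contract only, and a contract test used to check a replacement before swapping it in. All names (PasswordHasher, Pbkdf2Adapter, ScryptAdapter, authenticate, passesContract, migrationDemo) and the stored-hash format are assumptions made for this example.

```typescript
// Added example, not from the 0deps page: a stable authentication contract,
// an adapter boundary, and a contract test every implementation must pass.
import { scryptSync, pbkdf2Sync, randomBytes, timingSafeEqual } from "crypto";

// 1. The public contract. Application code depends on this and nothing else.
//    Interface and method names are assumptions for this example.
interface PasswordHasher {
  hash(password: string): string;                    // self-describing stored string
  verify(password: string, stored: string): boolean;
}

// Stored format "<algo>$<salt-hex>$<digest-hex>" (assumed here): the algorithm
// tag lets a new implementation recognise hashes written by the old one.
function pack(algo: string, salt: Buffer, digest: Buffer): string {
  return `${algo}$${salt.toString("hex")}$${digest.toString("hex")}`;
}
function unpack(stored: string): { algo: string; salt: Buffer; digest: Buffer } | null {
  const parts = stored.split("$");
  if (parts.length !== 3 || !/^[0-9a-f]+$/.test(parts[1]) || !/^[0-9a-f]+$/.test(parts[2])) {
    return null;
  }
  return { algo: parts[0], salt: Buffer.from(parts[1], "hex"), digest: Buffer.from(parts[2], "hex") };
}
function safeEqual(a: Buffer, b: Buffer): boolean {
  return a.length === b.length && timingSafeEqual(a, b); // constant-time compare
}

// 2. Adapters. Each wraps one concrete implementation behind the contract.
//    Both use Node's built-in crypto; in a real 0deps repo the implementation
//    would be vendored code you control.
class Pbkdf2Adapter implements PasswordHasher {          // the "old" implementation
  hash(password: string): string {
    const salt = randomBytes(16);
    return pack("pbkdf2", salt, pbkdf2Sync(password, salt, 100_000, 32, "sha256"));
  }
  verify(password: string, stored: string): boolean {
    const p = unpack(stored);
    if (!p || p.algo !== "pbkdf2") return false;
    return safeEqual(p.digest, pbkdf2Sync(password, p.salt, 100_000, 32, "sha256"));
  }
}

class ScryptAdapter implements PasswordHasher {          // the replacement
  private legacy = new Pbkdf2Adapter();
  hash(password: string): string {
    const salt = randomBytes(16);
    return pack("scrypt", salt, scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 }));
  }
  verify(password: string, stored: string): boolean {
    const p = unpack(stored);
    if (!p) return false;
    // Still accept hashes written by the previous implementation, so swapping
    // the adapter does not lock existing users out.
    if (p.algo === "pbkdf2") return this.legacy.verify(password, stored);
    if (p.algo !== "scrypt") return false;
    return safeEqual(p.digest, scryptSync(password, p.salt, 32, { N: 16384, r: 8, p: 1 }));
  }
}

// 3. Application code: written once against the contract and never edited
//    when the implementation behind it changes.
function authenticate(
  hasher: PasswordHasher,
  users: Map<string, string>,   // username -> stored hash (constructed sample data)
  username: string,
  password: string,
): boolean {
  const stored = users.get(username);
  if (stored === undefined) return false;
  return hasher.verify(password, stored);
}

// 4. Contract test: the behaviour every implementation must exhibit.
//    Run it against a new adapter before swapping it in.
function passesContract(hasher: PasswordHasher): boolean {
  const stored = hasher.hash("correct horse");
  return (
    hasher.verify("correct horse", stored) &&
    !hasher.verify("wrong horse", stored) &&
    !hasher.verify("correct horse", "garbage") &&   // malformed input is rejected
    hasher.hash("correct horse") !== stored         // fresh salt on every call
  );
}

// 5. Swapping the implementation: users hashed under pbkdf2 keep working and
//    authenticate() is untouched.
function migrationDemo(): boolean {
  const users = new Map<string, string>();
  users.set("alice", new Pbkdf2Adapter().hash("s3cret"));  // hashed before the swap
  const hasher: PasswordHasher = new ScryptAdapter();      // the swap
  users.set("bob", hasher.hash("hunter2"));
  return authenticate(hasher, users, "alice", "s3cret") &&
         authenticate(hasher, users, "bob", "hunter2") &&
         !authenticate(hasher, users, "alice", "hunter2") &&
         !authenticate(hasher, users, "mallory", "s3cret");
}
```

Two details carry the weight here. The algorithm tag in the stored string is what makes the swap safe: the contract stays the same, but data written by the old implementation must remain readable by the new one, or the "no code changes" promise fails at the data layer instead of the API. And passesContract is the practical answer to "does the update break my app": it pins down the observable behaviour callers rely on, so any vendored replacement is checked against the contract rather than against the old library's incidental quirks.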
0deps does not make software perfect. It reduces supply chain risk. Because nothing is fetched at build time, it removes exposure to malicious package updates, registry compromises, and dependency confusion. The code you vendor still has to be reviewed when you bring it in and each time you update it.
Projects last for decades. Libraries and frameworks change. With 0deps, your application continues to use the same stable contracts regardless of how the ecosystem evolves.
