Every dependency you add is code you trust but never read. In 2026, that trust was exploited at scale.
The axios incident
In March 2026, a North Korean state actor (tracked as Sapphire Sleet) compromised the axios npm package through a social engineering attack on a maintainer. The malicious code ran in millions of CI/CD pipelines and production servers before detection.
axios has 2 direct dependencies. Those dependencies have their own dependencies. Each one is an attack surface. Each maintainer is a target. Each version update is a vector.
The math of supply chain risk
Count the transitive closure, not the direct list: a package whose closure contains N other packages has N+1 points of failure (the N plus itself). got declares 11 direct dependencies, which expand to 20+ once transitives are counted. Each of those is maintained by a different person with different security practices, and any one of them can be replaced by a malicious version through a single compromised maintainer account.
Zero is the only safe number
glyde has zero runtime dependencies. The entire library is one TypeScript file that compiles to 1.73 KB. There is nothing upstream to compromise, and nothing to audit beyond our own code.
- No transitive dependency vulnerabilities
- No maintainer social engineering risk (beyond us)
- No version update surprises
- No abandoned sub-dependency with known CVEs
- npm audit has no transitive tree to flag; the only advisory that could ever apply is one filed against glyde itself
Zero runtime dependencies is a statement about what lands in your install tree. Our own build toolchain (devDependencies, CI, the npm account that publishes) never reaches you, but it is still the path by which glyde itself could be tampered with, which is what the "beyond us" above means.
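As an added example (not glyde's code), the script below computes that transitive closure from an npm lockfile and applies the same count to a zero-dependency package, so the N+1 figure above and the "nothing to audit" claim can both be checked mechanically against your own package-lock.json. The lockfile and every package name in it are constructed for illustration; the resolution rule (look in the requiring package's own node_modules, then walk up) is npm's:

```javascript
// Added example, not glyde's code: count the transitive runtime closure of a
// dependency from an npm lockfile (lockfileVersion 3 layout, where "packages"
// is keyed by install path). The lockfile below is constructed for
// illustration; every package name in it is invented.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "http-lib": "^1.0.0", "zero-dep-lib": "^1.0.0" } },
    "node_modules/http-lib": { version: "1.0.0", dependencies: { redirects: "^2.0.0", "form-builder": "^4.0.0" } },
    "node_modules/redirects": { version: "2.0.0", dependencies: { "debug-log": "^3.0.0" } },
    "node_modules/form-builder": { version: "4.0.0", dependencies: { "mime-db": "^1.0.0", "debug-log": "^2.0.0" } },
    // form-builder pins an older debug-log, so npm nests a second copy under it
    "node_modules/form-builder/node_modules/debug-log": { version: "2.0.0" },
    "node_modules/mime-db": { version: "1.0.0" },
    "node_modules/debug-log": { version: "3.0.0" },
    "node_modules/zero-dep-lib": { version: "1.0.0" },
  },
};

// npm's resolution rule: try the requiring package's own node_modules, then
// strip one node_modules level at a time until the root is reached.
function resolveDep(lock, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = base === "" ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Package name from an install path ("node_modules/a/node_modules/@s/b" -> "@s/b").
function nameOf(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Breadth-first walk over runtime dependencies; returns every installed copy
// reachable from rootName (a nested duplicate counts as its own copy, because
// it is its own tarball from its own publish).
function closureOf(lock, rootName) {
  const rootKey = resolveDep(lock, "", rootName);
  if (!rootKey) throw new Error(`${rootName} is not installed`);
  const seen = new Set();
  const queue = [rootKey];
  while (queue.length) {
    const key = queue.shift();
    for (const dep of Object.keys(lock.packages[key].dependencies ?? {})) {
      const target = resolveDep(lock, key, dep);
      if (target === null) throw new Error(`unresolved ${dep} required by ${key}`);
      if (!seen.has(target)) { seen.add(target); queue.push(target); }
    }
  }
  return [...seen];
}

function hasZeroRuntimeDeps(lock, name) { return closureOf(lock, name).length === 0; }

// installedCopies + 1 is the "N+1 points of failure" figure for this package.
function report(lock, name) {
  const keys = closureOf(lock, name);
  return {
    installedCopies: keys.length,
    distinctPackages: new Set(keys.map(nameOf)).size,
    pointsOfFailure: keys.length + 1,
  };
}

console.log("http-lib", report(lockfile, "http-lib"));
console.log("zero-dep-lib", report(lockfile, "zero-dep-lib"), "zero deps:", hasZeroRuntimeDeps(lockfile, "zero-dep-lib"));
```

On a real lockfile, pass the parsed contents of package-lock.json in place of the constructed object and skip entries marked `dev: true` if you only care about what ships; `npm ls --all --omit=dev <name>` gives the same tree view interactively. The distinction between installed copies and distinct package names matters because a nested duplicate at a different version is a separate published artifact that can be compromised independently.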
But isn't that reinventing the wheel?
No. glyde delegates to native fetch: the browser and Node.js runtime do the heavy lifting. We add a thin layer on top: config merging, URL building, header management, interceptors, and typed errors. All of this is straightforward code that does not need external libraries.
The “reinventing” argument only applies when the alternative is complex (crypto, parsers, protocols). An HTTP client wrapper is simple enough that the dependency cost outweighs the implementation cost.
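To make "thin layer" concrete, here is an added example of what such a wrapper looks like. It is illustrative code written for this page, not glyde's source or API; the client shape, option names and the fake transport are assumptions. It needs only the runtime's global fetch and URL (Node 18+ or a browser), and the transport is injectable so the demo runs offline:

```javascript
// Added example, not glyde's code or API: a zero-dependency HTTP client
// layered on native fetch, with config merging, URL building, header
// normalisation, request/response interceptors and typed errors.
class HttpError extends Error {
  constructor(status, url, body) {
    super(`HTTP ${status} for ${url}`);
    this.name = "HttpError"; this.status = status; this.url = url; this.body = body;
  }
}
class NetworkError extends Error {
  constructor(url, cause) { super(`request to ${url} failed`, { cause }); this.name = "NetworkError"; }
}

// Header names are case-insensitive; lower-casing keys makes an override
// replace "Accept" instead of sitting beside it as "accept".
function normalizeHeaders(h = {}) {
  const out = {};
  for (const [k, v] of Object.entries(h)) out[k.toLowerCase()] = String(v);
  return out;
}
function mergeConfig(base, override) {
  return {
    ...base, ...override,
    headers: { ...normalizeHeaders(base.headers), ...normalizeHeaders(override.headers) },
    query: { ...(base.query ?? {}), ...(override.query ?? {}) },
  };
}
// Relative paths resolve against baseUrl; null/undefined query values are dropped.
function buildUrl(baseUrl, path, query = {}) {
  const url = new URL(path, baseUrl);
  for (const [k, v] of Object.entries(query)) if (v != null) url.searchParams.set(k, String(v));
  return url.toString();
}

function createClient(defaults = {}) {
  const reqHooks = [], resHooks = [];
  const fetchImpl = defaults.fetch ?? globalThis.fetch; // injectable transport
  async function request(path, options = {}) {
    let cfg = mergeConfig(defaults, options);
    for (const fn of reqHooks) cfg = (await fn(cfg)) ?? cfg; // request interceptors may rewrite config
    const url = buildUrl(cfg.baseUrl, path, cfg.query);
    const init = { method: (cfg.method ?? "GET").toUpperCase(), headers: { ...cfg.headers } };
    if (cfg.json !== undefined) {
      init.body = JSON.stringify(cfg.json);
      init.headers["content-type"] ??= "application/json";
    }
    let res;
    try { res = await fetchImpl(url, init); } catch (err) { throw new NetworkError(url, err); }
    const type = res.headers.get("content-type") ?? "";
    const body = type.includes("application/json") ? await res.json() : await res.text();
    if (!res.ok) throw new HttpError(res.status, url, body); // non-2xx is an error, not a value
    let result = { url, status: res.status, headers: res.headers, body };
    for (const fn of resHooks) result = (await fn(result)) ?? result;
    return result;
  }
  const client = {
    request,
    get: (path, o) => request(path, { ...o, method: "GET" }),
    post: (path, json, o) => request(path, { ...o, method: "POST", json }),
    onRequest(fn) { reqHooks.push(fn); return client; },
    onResponse(fn) { resHooks.push(fn); return client; },
  };
  return client;
}

// Constructed fake transport (not a real server): records each call and answers
// from method and path so the demo is deterministic and offline.
function makeFakeFetch(log) {
  const reply = (status, type, payload) => ({
    ok: status >= 200 && status < 300, status,
    headers: new Map([["content-type", type]]),
    json: async () => payload, text: async () => String(payload),
  });
  return async (url, init) => {
    log.push({ url, init });
    const p = new URL(url).pathname;
    if (init.method === "GET" && p.endsWith("/users/42")) return reply(200, "application/json", { id: 42, name: "alice" });
    if (init.method === "POST" && p.endsWith("/users")) return reply(201, "application/json", JSON.parse(init.body));
    return reply(404, "text/plain", "not found");
  };
}

async function demo() {
  const log = [];
  const api = createClient({
    baseUrl: "https://api.example.test/v1/", headers: { Accept: "application/json" }, fetch: makeFakeFetch(log),
  })
    .onRequest((cfg) => ({ ...cfg, headers: { ...cfg.headers, authorization: "Bearer demo-token" } }))
    .onResponse((res) => ({ ...res, intercepted: true }));
  const user = await api.get("users/42", { query: { expand: "profile", page: undefined } });
  const created = await api.post("users", { name: "bob" });
  let notFound = null;
  try { await api.get("users/999"); } catch (e) { notFound = e; }
  return { user, created, notFound, log };
}
```

Every piece the list above names is a few lines of plain language features: object spread for config merging, the URL class for path and query handling, arrays of functions for interceptors, and Error subclasses for typed failures. Treating non-2xx responses as thrown HttpError values rather than return values is the one design choice worth making deliberately, because it stops callers from silently using an error body as data.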
Conclusion
In a post-supply-chain-attack world, every dependency is a liability. Choose libraries that minimize your exposure. glyde exists because we believe an HTTP client should ship zero liabilities alongside its features.