In 2016 a developer unpublished left-pad, eleven lines that pad a string, and broke Babel, React, and thousands of builds across the internet.[8][9] The lesson everyone took was "don't let one package vanish." The lesson nobody took was "why did a string-padding function need to be a package?"
Ten years later the answer is worse than we thought. The average npm project carries 49 direct and 79 transitive dependencies.[6] Count the full tree and a modern web app pulls in 1,200 or more.[7] Roughly 16.8% of all npm packages are trivial one-liners, and the proportion keeps rising.[10] We outsourced String.padStart() to a stranger and called it engineering.
Then the bill came due. In September 2025, an attacker phished the maintainer of chalk and debug, utilities with a combined 2.6 billion weekly downloads, and shipped a crypto-clipper that rewrote wallet addresses in memory.[2] Days later the industry met Shai-Hulud, the first self-replicating npm worm: it stole tokens, republished itself into other packages, and hit around 500 of them before anyone caught up.[3] And in 2024 the world came within one code review of catastrophe when a patient attacker spent two years earning maintainer trust on xz, a compression library run by a single unpaid volunteer, and planted an SSH backdoor that nearly shipped to every Linux server on earth.[4]
Now add the accelerant. Roughly 46% of new code on GitHub is AI-generated, and between 45% and 62% of it ships with a known class of vulnerability.[11][12] Worse, the models invent dependencies: across 576,000 samples, 19.7% of the packages AI suggested did not exist.[13] The fake names repeat, so attackers pre-register them and wait, a supply-chain attack where the victim never even makes a typo. The machine does it for them.[14]
Zero Dependency is a 72-hour hackathon with one rule underneath everything else: the dependency manifest ships empty. Standard library only. Build a real tool, a parser, a server, a datastore, a password manager, the way you would have before we forgot how. Every line is yours. Nothing to audit but your own craft.
The antidote to "the AI added a package that doesn't exist" is adding no packages at all. You have 72 hours.