Frameworks send developers in the wrong direction: library shortcuts speed up work at the start, only to leave you totally dependent on them in the long run and make changes at a later stage more complex. When you start a project, don’t even think of frameworks; opt for single-purpose tools that don’t lock you into a broader ecosystem, e.g. Hugo for static pages, EJS for templating (rendering SQL query results into HTML, say), Tachyons for CSS. Better still, write it yourself, or use only what you actually need!
The web platform is really powerful but at times you either need to write your own custom code or reach for a third-party tool. When you do, favor tools that are small, modular, and dependency-free. For example, if you need state-based UI in your project, Preact or SolidJS are better choices than React or Vue. They’re a fraction of the size, have fewer abstractions, and render faster too!
Managing dependencies is an essential part of software development though. If your code depends on a package with a security vulnerability, this can cause a range of problems for your project or for the people who use it. You should upgrade to a secure version of the package as soon as possible. This is easier said than done, though, and often it is beyond your company’s control: the vulnerable package is frequently a transitive dependency pulled in by something you chose, so the fix depends on a maintainer you cannot influence, and until they publish a new release you are stuck with the vulnerable version or an override.
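As an added illustration (not code from the original post), here is the kind of check the paragraph above asks for: take the installed versions from an npm lock file and match them against an advisory list, distinguishing a direct dependency you can bump yourself from a transitive one nested under somebody else’s package. The lock file, the package names and the advisory IDs below are constructed for the demo; real advisory data comes from `npm audit` or the GitHub Advisory Database, and this covers only the plain `MAJOR.MINOR.PATCH` versions and comparator ranges needed here. This is the concern OWASP lists as "Vulnerable and Outdated Components".

```javascript
// Added example, not part of the original post. Audits a constructed
// package-lock.json (lockfileVersion 2/3 layout: a "packages" map keyed by
// install path) against a constructed advisory list.

// Constructed lock file. demo-escape appears twice: a patched copy at the top
// level and an old copy nested under demo-markdown, which pinned "^0.9.0".
const lockfile = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "demo-templater": "^2.0.0", "demo-markdown": "^1.0.0" } },
    "node_modules/demo-templater": { version: "2.3.1" },
    "node_modules/demo-markdown": { version: "1.8.0", dependencies: { "demo-escape": "^0.9.0" } },
    "node_modules/demo-markdown/node_modules/demo-escape": { version: "0.9.4" },
    "node_modules/demo-escape": { version: "1.2.0" },
  },
};

// Constructed advisories (hypothetical IDs and packages). "vulnerable" is a
// space-separated conjunction of comparators, the same shape npm uses.
const advisories = [
  { id: "DEMO-2023-001", package: "demo-escape", vulnerable: "<1.0.0", fixedIn: "1.0.0", severity: "high" },
  { id: "DEMO-2023-002", package: "demo-templater", vulnerable: ">=2.0.0 <2.3.0", fixedIn: "2.3.0", severity: "moderate" },
];

// Parse "MAJOR.MINOR.PATCH" into numbers; anything else is rejected rather
// than silently compared as a string ("1.10.0" < "1.9.0" lexically).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1 like a comparator for Array.prototype.sort.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when every comparator clause in the range holds for the version.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported clause: ${clause}`);
    const c = compareVersions(version, m[2]);
    switch (m[1] || "=") {
      case ">=": return c >= 0;
      case "<=": return c <= 0;
      case ">": return c > 0;
      case "<": return c < 0;
      default: return c === 0;
    }
  });
}

// Flatten the lock file into {name, version, path, via}. "via" is the package
// that nests this copy (null for a direct dependency you can bump yourself).
function installedVersions(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project entry
    const name = path.split("node_modules/").pop();
    const idx = path.lastIndexOf("/node_modules/");
    const via = idx === -1 ? null : path.slice(0, idx).split("node_modules/").pop();
    out.push({ name, version: meta.version, path, via });
  }
  return out;
}

// Cross every installed copy (not just the top-level one) with the advisories.
function audit(lock, advs) {
  const findings = [];
  for (const pkg of installedVersions(lock)) {
    for (const adv of advs) {
      if (adv.package === pkg.name && satisfies(pkg.version, adv.vulnerable)) {
        findings.push({ ...pkg, advisory: adv.id, fixedIn: adv.fixedIn, severity: adv.severity });
      }
    }
  }
  return findings;
}

for (const f of audit(lockfile, advisories)) {
  const who = f.via ? `transitive via ${f.via}, needs an upstream release` : "direct, bump it yourself";
  console.log(`${f.severity}: ${f.name}@${f.version} (${f.advisory}, fixed in ${f.fixedIn}) at ${f.path}; ${who}`);
}
```

Running it reports one finding: the old `demo-escape` copy nested under `demo-markdown`. The patched top-level copy does not help, because `demo-markdown` resolves its own nested copy, which is exactly the "beyond your control" case: the fix is a new `demo-markdown` release that accepts `demo-escape` 1.x, or an explicit override in your own manifest while you wait.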
To realise the risks of web projects, you only need to have a look at the OWASP Top 10 [4], a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications and is globally recognized by developers as the first step towards more secure coding.
Aug 12: After writing the above I found a recent video by Kevin Powell making the same point: it’s really important to understand the core languages that all of those things are built on top of, where ’those things’ refers to frameworks like React, Tailwind etc.
1: Chris Ferdinandi https://gomakethings.com/about/
2: Addy Osmani https://www.youtube.com/@AddyOsmani
3: Kevin Powell https://www.kevinpowell.co/articles/
4: OWASP Top 10 https://owasp.org/www-project-top-ten/