New Algorithm, Who Dis
EDIT 2025-10-17 footnote 5 linking to a thoughtful reply
Over the past two weeks, I've watched two very impressive dev thinkers replace NanoId with their own implementations. Repos here and here.
Up front, NanoID is already tiny (118 bytes). Why did these guys think they could do better / it was worth their time to make different engineering choices?
They don't owe me any explanation, it's their code, and they both do a great job documenting their thought process in the code comments.
More generally, I don't personally buy the "dependencies are future vulnerabilities waiting to happen" argument, especially if you build and ship a bundle, as npm / bun / the entire JavaScript ecosystem does. A battle-tested package dependency is more Lindy, more rock-solid, and even more breaking-change-resistant than serving the site via bun or rendering with React!!
Importing packages also makes it easier to track whether your project is affected by vulnerabilities discovered later, ones which are simply not known at this time. You get to leverage an entire ecosystem of vulnerability monitoring, as opposed to needing to maintain constant vigilance as well as a razor-sharp mind that can make the correct connections to small bits of code deep inside hundreds of projects. AI makes this worse, by the way, if you as the code maintainer mostly YOLO and LGTM its output without knowing it inside and out.
When I import a package with 53 million weekly downloads[1], I can request, and mostly trust, an LLM's answer about the design choices and known vulnerabilities of this self-contained thing-with-a-name. Whereas in order for me to assess a dev's singular replacement algorithm inside a complex package that kind of looks to me like a useful abstraction layer or tool ... that LLM's one-shot answer had better be correct in its one and only stone-cold chance!
Furthermore, I feel that zero-deps gives false comfort with a language that is implemented in as many different environments as JavaScript. In 10 years, it will be running on a completely reworked stack, with lots of different things going on under the hood. On net, this is a strength of the language, not a bug!
More than any other modern language, JavaScript is a Ship of Theseus[2].
Full disclosure, CONFESSION[3], and humble brag: I want you all to know, five months ago I invented my own unique identifier system rather than use off-the-shelf alternatives that are good enough for Twitter! and good enough for PlayStation!
Update: a thoughtful reply[4]