The web ecosystem is a mess

I decided to write this article when I saw another supply chain attack, known as "Shai-Hulud", hit the JS ecosystem. I am, and have always been, a web developer mostly working on web applications in high-level languages such as JavaScript. But today I'm wondering: how did this ecosystem become such a mess?

Javascript

The first answer that comes to my mind is JavaScript. I'm a young developer, you know, so I didn't live through the time when classes were not supported and you had to create your own build tool to build your JS program. During the jQuery era, when PHP was the main tool for creating websites, JavaScript was only used in the browser for DOM manipulation. But in 2009 the Node.js runtime was created, and JavaScript escaped the browser to go server side. npm was created along the way, and we now have the beginning of an explanation of why the web became such a mess.

JavaScript was created in 10 days. And we can still see that from time to time, even after ECMA International standardized the language over the years.

[Image: JS meme]

Do you know the concept of "Maslow's hammer"? If all you have is a hammer, everything looks like a nail. JavaScript has become the hammer, and the industry is trying so hard to force every single web-related problem to be a nail. Because it can now be written on the frontend (React/Vue), the backend (Node/Bun), in mobile apps (React Native), and even in desktop apps (Electron), it has created a dangerous monoculture in my opinion. This "one language to rule them all" mentality has created serious architectural problems.

Developer fatigue...

In most engineering fields, mastering your tools means you can rely on them for decades. In web development, mastering your tools simply means you are ready to watch them become obsolete by next week. I know that software has always been a fast-paced environment that is constantly changing and evolving, but, like... I mean, this website exists for a reason, you know: https://dayssincelastjsframework.com/. And I'm not even talking about AI here...

1. The build tools carousel

Consider the life of a JavaScript project over just the last several years. First, you had to learn Grunt or Gulp to automate tasks. Then came Babel because browsers couldn't read modern JS. Then Webpack arrived, introducing massive, terrifying configuration files that required a specialized "Webpack Engineer" just to understand. Just as the industry normalized Webpack, Rollup and Parcel entered the ring. Today, the collective consensus has shifted again, demanding everyone migrate to Esbuild, Vite, or Turbopack because they are written in Go or Rust and compile code milliseconds faster.

2. Framework whiplash

[Image: JS meme]

The framework landscape is even more punishing. For years, the "Big Three" (React, Angular, Vue) provided a semblance of stability. But underneath them, a sub-ecosystem of meta-frameworks erupted.

If you use React, you didn't just learn React; you had to learn Create React App (now deprecated), then Next.js, then Remix, and maybe Gatsby. You had to learn Redux for state management, then discard it for Context, then discard that for Zustand or Jotai.

Recently, the entire paradigm shifted again. The ecosystem decided client-side rendering was too slow, pushing everyone toward Server Components and Hydration. Suddenly, frameworks like SolidJS, SvelteKit, and Qwik are gaining ground, mocking React's Virtual DOM as "outdated."

We are left with perpetual imposter syndrome. You go to bed an expert and wake up a novice because a new meta-framework trended on GitHub overnight.

Dependency nightmare and supply chain attacks

And how can one talk about the web ecosystem and JavaScript without mentioning npm and the supply chain attacks of the past few months? I would even say that we have a big problem with package managers in general, not just with npm. Package managers are built on a fundamental design flaw: implicit trust. When you type npm install <package>, you aren't downloading a static block of text. You are granting a third-party script permission to run code natively on your local machine and your deployment servers.

Many npm packages use install-time lifecycle scripts (preinstall, install, postinstall). The moment the download finishes, the package manager automatically triggers these hooks, which can execute arbitrary shell commands. If a malicious actor hijacks a popular utility package, they don't even need you to run your application to compromise your system; the moment you run npm install, your machine is already infected.

Furthermore, dependencies are deeply nested. You might explicitly install one package, but that package relies on ten others, which rely on a hundred others. You are implicitly trusting thousands of anonymous internet maintainers you have never heard of, all of whom have direct write-access to your codebase.

Conclusion

Perhaps the biggest problem introduced is a cultural one: the assumption that every website needs to be a highly complex Single Page Application (SPA). We started treating simple blogs, portfolios, and documentation sites like they were Google Maps. To display static text, we began shipping megabytes of JavaScript frameworks (React, Angular, Vue) down the wire to the client. The user's browser now has to download, parse, and execute massive bundles of code just to render a basic webpage. This destroys mobile performance, kills battery life, and creates a sluggish user experience, all to solve problems that classic server-side rendering (like the PHP era mentioned earlier) solved decades ago.

We have entered a punishing era of "Web Fatigue." Developers are no longer just software engineers; they are full-time maintenance workers trapped on a technological treadmill. The sheer speed at which our tools become obsolete has created a chronic state of anxiety in the industry. We are forced to constantly migrate from Webpack to Vite, from React client components to Server Components, and from one state-management library to another, simply because the community has collectively decided to chase the next shiny object. We are spending half our working energy running in circles just to keep our projects buildable, leading to widespread developer burnout and a devastating sense of imposter syndrome.

But the most alarming symptom of this bloated ecosystem lies deeper, hidden inside the tools we use to fetch these endless dependencies.

To support this massive web of frameworks and compilers, we built our entire ecosystem on top of public package managers like npm. We created a culture of blind trust, where initializing a basic project means pulling thousands of lines of unvetted, deeply nested code written by anonymous internet strangers straight into our local machines and deployment servers. This has turned the JavaScript supply chain into a minefield. As recent highly automated campaigns like the Shai-Hulud malware have proven, malicious actors don't need to hack corporate firewalls anymore; they just need to sneak a corrupted utility script into a nested dependency tree. The moment a tired developer types npm install, the trap snaps shut, leaking environment keys, cloud credentials, and source code.