Security: junaiddshaukat/reqcraft

SECURITY.md

Security Policy

Zero-Dependency Philosophy

reqcraft has zero runtime dependencies. This is not a shortcut — it's a deliberate security decision.

Supply chain attacks exploit the trust graph of transitive dependencies. A package with 8+ nested dependencies (like axios) has an attack surface that grows with every npm install. One compromised sub-dependency can exfiltrate tokens, inject malware, or hijack CI pipelines — and you'd never know until it's too late.

reqcraft eliminates this entire category of risk:

  • 0 runtime dependencies — nothing to compromise
  • ~3kb minified — you can read the entire source in 5 minutes
  • Built on native fetch — no polyfills, no shims, no wrappers around wrappers
  • Open source — every line is auditable on GitHub

How to Audit

# Clone and inspect — the entire library is 3 files
git clone https://github.com/junaiddshaukat/reqcraft.git
wc -l reqcraft/src/*.ts
# src/client.ts  ~390 lines
# src/index.ts   ~20 lines
# src/types.ts   ~90 lines
# Total:         ~500 lines

That's it. The entire HTTP client in ~500 lines of TypeScript. No hidden code, no dynamic imports, no eval, no postinstall scripts.

Reporting a Vulnerability

If you discover a security vulnerability in reqcraft, please report it responsibly:

  1. Do NOT open a public GitHub issue
  2. Email security@reqcraft.dev (or DM me on X/Twitter)
  3. Include a description of the vulnerability, steps to reproduce, and potential impact
  4. I will respond within 48 hours and work on a fix immediately

Security Checklist

reqcraft is designed with these security principles:

  • No eval() or Function() constructors — ever
  • No dynamic require() or import() — all imports are static
  • No postinstall scripts — nothing runs on npm install
  • No network calls during install — the package is inert until you import it
  • No file system access — pure HTTP client, nothing else
  • No prototype pollution — all objects are created cleanly
  • Strict TypeScript (strict: true), no any escape hatches
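The audit steps above and the checklist claims can be checked mechanically before the package is ever installed. The script below is an added example, not reqcraft's own code: it reads package.json for runtime dependencies and npm lifecycle hooks and scans src/*.ts for the constructs the checklist rules out; the regex rules, the function names and the constructed sample package are assumptions, and a hit marks a line to read by hand rather than proving a problem.

```python
import json
import pathlib
import re
import tempfile

# Constructs the checklist promises are absent; hypothetical rules, a hit only marks a line to read.
FORBIDDEN = {
    "eval()": re.compile(r"\beval\s*\("),
    "Function()": re.compile(r"\bFunction\s*\("),
    "require()": re.compile(r"\brequire\s*\("),
    "dynamic import()": re.compile(r"\bimport\s*\("),
    "fs access": re.compile(r"""from\s+['"](node:)?fs(/promises)?['"]"""),
}
# npm hooks that would run code on `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def audit_package(root):
    """Return findings for the checkout at `root`; an empty list means every claim held."""
    root = pathlib.Path(root)
    findings = []
    pkg = json.loads((root / "package.json").read_text())
    for dep in sorted(pkg.get("dependencies") or {}):
        findings.append(f"runtime dependency: {dep}")
    for hook, cmd in (pkg.get("scripts") or {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(f"lifecycle script {hook}: {cmd}")
    for path in sorted((root / "src").rglob("*.ts")):
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            for name, pattern in FORBIDDEN.items():
                if pattern.search(line):
                    findings.append(f"{path.relative_to(root)}:{lineno}: {name}")
    return findings

def make_sample(clean):
    """Write a constructed mini-package (not reqcraft's real source) and return its directory."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "src").mkdir()
    pkg = {"name": "sample-client", "scripts": {"build": "tsc"}}
    source = "export const get = (url: string) => fetch(url);\n"
    if not clean:  # the dirty variant violates three of the checklist claims
        pkg["dependencies"] = {"left-pad": "^1.0.0"}
        pkg["scripts"]["postinstall"] = "node setup.js"
        source += 'const mod = require("os");\n'
    (root / "package.json").write_text(json.dumps(pkg))
    (root / "src" / "client.ts").write_text(source)
    return root
```

Run audit_package against the cloned checkout from the How to Audit section; anything it lists is where a manual review should start.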

Comparison

Security Aspect        reqcraft     axios
Runtime dependencies   0            8+ transitive
Install scripts        None         None
Lines of code          ~500         ~2,000+ (plus deps)
Full audit time        5 minutes    Hours (must audit dep tree)
Supply chain risk      None         Demonstrated (March 2026)