EDIT 2025-10-17: footnote 5 linking to a thoughtful reply
Over the past two weeks, I've watched two very impressive dev thinkers replace NanoID with their own implementations. Repos here and here.
Up front: NanoID is already tiny (118 bytes). Why did these guys think they could do better, or that it was worth their time to make different engineering choices?
They don't owe me any explanation; it's their code, and they both do a great job of documenting their thought process in the code comments.
More generally, I don't personally buy the "dependencies are future vulnerabilities waiting to happen" argument, especially if you build and ship a bundle, as npm / bun / the entire JavaScript ecosystem does. A battle-tested package dependency is more Lindy, more rock-solid, and even more breaking-change-resistant than serving the site via bun or rendering with React!!
Importing packages also makes it easier to track whether your project is affected by vulnerabilities discovered later, ones which are simp...