After running this blog on various platforms since 2007—WordPress, Jekyll, 11ty—I’ve landed on Hugo. The migration wasn’t driven by dissatisfaction with 11ty, which served me well. It was driven by a growing unease with npm.
The npm problem
Every time I ran npm install, I watched dozens of packages download. Dependencies of dependencies of dependencies. Each one a potential supply-chain attack vector. The event-stream incident in 2018 wasn’t an anomaly—it was a preview of an ongoing vulnerability in how we build software.
