Among the 25 frameworks WebPulse tracks, six have zero or near-zero CVEs in the National Vulnerability Database: Hugo (0), Eleventy (0), Remix (0), SvelteKit (0), HTMX (1), and Astro (3). What do they share?
The Common Thread
Every framework on this list minimizes server-side state. Hugo and Eleventy are pure static generators — no runtime at all. Astro defaults to static with optional server islands. SvelteKit, Remix, and HTMX render on the server but produce lean output with minimal client-side attack surface.
No Plugins, No Problem
None of these frameworks have WordPress-style plugin ecosystems. They integrate with external services via APIs and imports — but each integration is explicit, version-pinned, and auditable. There's no 'install a plugin and hope for the best' pattern.
The Lesson
Zero CVEs isn't luck. It's architecture. Frameworks that produce static output, minimize runtime dependencies, and avoid plugin ecosystems don't just have fewer vulnerabilities — they have structurally fewer places where vulnerabilities can exist. The zero-CVE club isn't exclusive; it's the natural outcome of building frameworks for the modern web rather than the 2003 web.
