
Static Sites: The Only Framework Category Not Getting Owned in 2026

Hugo: 0 CVEs, 0 plugins, 0 npm runtime dependencies, 0 supply chain attacks. In a year where both WordPress and npm ecosystems are under siege, static generators are the quiet winners.


The Elimination Game

Strip away the WordPress plugin supply chain — 18,005 CVEs, 4 critical exploits in H1 2026. Strip away the npm supply chain — 20+ attacks in 6 months, self-replicating worms, nation-state operations. Strip away CI/CD pipeline exposure — OIDC trust abuse, GitHub Actions credential theft. Strip away server-side execution — PHP injection, remote code execution, database compromise. What's left?

Static site generators. Specifically, the ones that don't depend on npm at runtime: Hugo (Go), Jekyll (Ruby), and to a lesser degree Eleventy and Astro (which use npm for build but ship zero JavaScript by default).

Hugo: The Zero Attack Surface

Hugo is a single compiled Go binary. It takes Markdown files and produces static HTML. It has zero CVEs in the National Vulnerability Database. Zero plugins. Zero npm dependencies. Zero supply chain attacks in its history.

A Hugo site served from a CDN has no server-side code to exploit, no database to inject, no plugins to compromise, no npm packages to trojanize. The attack surface is the CDN's — Cloudflare, Netlify, or Vercel — and those are hardened infrastructure operated by security-focused teams.

Hugo CVEs (NVD): 0. Source: National Vulnerability Database, searched June 2026.

Hugo npm runtime dependencies: 0. Hugo is a compiled Go binary with no JavaScript runtime.

Hugo supply chain attacks (all time): 0. No documented supply chain compromises of the Hugo binary or distribution.

The Build-Time vs. Runtime Distinction

Astro and Eleventy use npm during the build process — you run npm install and the build tool processes your content. But the output is static HTML, CSS, and (optionally) JavaScript. No npm packages execute at runtime on the production server. No dependencies are present in the deployed artifact.

This is a meaningful security distinction. A supply chain attack during build could compromise the developer's machine (the IronWorm scenario). But it cannot persist in the deployed site the way a WordPress plugin vulnerability or a runtime npm dependency can. The blast radius is contained to the build environment.

Hugo eliminates even this build-time exposure. The Go binary has no third-party dependency tree to attack. The build environment is the binary plus your content files.
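The build-time vs. runtime distinction above is only as good as the artifact you actually deploy: a `node_modules/` directory, a lockfile or a stray server-side script copied into `public/` or `dist/` reintroduces exactly the exposure the static model removes. The following audit is an added example written for this article (not Hugo, Astro or WebPulse code); the file names, extensions and the constructed sample tree are assumptions.

```python
"""Audit a static-site build artifact (Hugo's public/, Astro's dist/) to confirm
nothing server-executable or dependency-related leaked into the deploy.
Example code added to this article; not part of Hugo, Astro or WebPulse."""
import os
import tempfile

# Manifests and secret files that belong to the build environment, not the CDN.
MANIFEST_NAMES = {"package.json", "package-lock.json", "yarn.lock", ".env"}
# Directories that indicate build tooling shipped with the output.
TOOLING_DIRS = {"node_modules", ".git"}
# Server-side source extensions; a CDN-served static site has no runtime for them.
SERVER_EXTS = {".php", ".cgi", ".py", ".rb", ".jsp", ".asp", ".aspx"}


def audit_static_artifact(root):
    """Return sorted (relative_path, reason) findings; empty means pure static output."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name in TOOLING_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, "build tooling directory"))
                dirnames.remove(name)  # flag once, do not descend into it
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name in MANIFEST_NAMES:
                findings.append((rel, "dependency manifest or secret file"))
            elif os.path.splitext(name)[1].lower() in SERVER_EXTS:
                findings.append((rel, "server-executable source"))
    return sorted(findings)


def make_fixture(leaky):
    """Constructed sample artifact: clean Hugo-style output, optionally with
    three leaks (node_modules/, .env, a stray PHP file) for the audit to catch."""
    root = tempfile.mkdtemp()
    files = ["index.html", "css/site.css", "js/app.js", "posts/hello/index.html"]
    if leaky:
        files += ["node_modules/left-pad/index.js", ".env", "legacy/upload.php"]
    for rel in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    for rel, reason in audit_static_artifact(make_fixture(leaky=True)):
        print(f"{rel}: {reason}")
```

Run it against the real output directory as the last step before the CDN upload and fail the pipeline on any finding; the clean fixture returns an empty list, the leaky one reports exactly the three planted files.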

Why This Matters Now

In May 2026, the conventional recommendation was simple: migrate from WordPress to a modern framework. Any modern framework was better. The supply chain data from H1 2026 adds necessary nuance. Not all modern frameworks carry the same supply chain risk.

For content sites — marketing pages, documentation, blogs, corporate sites — static generators offer something no other framework category can claim in 2026: near-zero supply chain exposure. Not 'lower risk.' Not 'better managed risk.' Near zero.

Hugo scores 75/100 on WebPulse's health index. It's not the highest overall — Astro (84) and FastAPI (83) score higher on dimensions like AI-readiness and ecosystem. But on supply chain security, Hugo is in a category of its own. When both major supply chains are under active attack, the framework with no supply chain wins by default.
