Why Thinwrap

A direct-HTTP wrapper carries the bytes of the API surface it wraps and nothing else. That posture matters because of how a popular shared dependency can fail.

The axios incident, March 2026

In March 2026, a popular HTTP-client dependency with high transitive reach was reported compromised. Consumers using thin, direct-HTTP wrappers had no exposure to the affected code path. Consumers using bundled vendor SDKs — or aggregators that bundle vendor SDKs — inherited whatever transitive trust the bundle pulled in.

Thinwrap was authored before the incident; the posture predates it. The incident is a clear, recent illustration of what a zero-dep direct-HTTP wrapper actually buys you.

Reference: GitHub Advisories — search “axios March 2026” for the canonical writeup.

Thinwrap vs vendor SDK vs aggregator

Conceptual comparison — Thinwrap (the project) versus two categories. Numbers reflect the representative published TypeScript packages at v1.0 (the PHP builds ship only PSR HTTP interfaces) and cite their sources inline.

Comparison of Thinwrap, official vendor SDKs, and multi-vendor aggregators (e.g. @novu/providers).
DimensionThinwrapVendor SDKAggregator (e.g. @novu/providers)
Install size0 runtime deps — and it tree-shakes, so you ship only the provider you use.packagephobiaEach pulls a full dependency tree on install — AWS SES, Twilio, Vonage, Mapbox.Pulls a vendor SDK for every provider it wraps —@novu/providers.
Transitive deps0 runtime dependencies.Dozens of packages per SDK on a fresh install.Over a thousand packages on a fresh install.
Audit surfaceWrapper code only; no transitive advisories to chase.Vendor + their transitive graph.The adapters plus every vendor SDK they depend on.
BYO fetch / HTTP clientYes — required hook seam.Rarely. Some vendors expose a hook; many do not.No — the adapter owns transport, usually via the vendor’s SDK.
ProvenanceSigstore on npm; cosign on Packagist.npm provenance docsVaries per vendor; provenance not universal.Check the package’s npm page for the provenance badge.
LicenseMIT.Permissive most of the time (Apache 2.0, MIT); check each vendor.MIT; verify current terms before commercial use.
Where Thinwrap does not winA vendor SDK comes with an official support contract; Thinwrap does not. And other bundles like @novu/providers usually come as part of a larger platform that layers workflow orchestration, retries, and delivery observability on top; Thinwrap is deliberately standalone and stateless, so those operational concerns stay with you.

Vendors

If you are a vendor whose API is wrapped here, co-maintaining the wrapper for your provider is open. See /vendorsfor how to get it listed or co-maintain it.