The wake-up call I didn't ask for

Last week the TanStack folks reported what appears to be a compromise affecting some of their NPM packages (the details are still being sorted out in issue #7383 — read it yourself before drawing conclusions). I won't rehash the postmortem here. What I want to talk about is the gut-punch feeling I had reading it.

I run npm install every day. I've barely thought about which third-party scripts are loading in production. And one of the worst offenders sitting in nearly every site I've ever shipped? Analytics.

So this post is about something I've been chewing on for months but finally moved on: ripping Google Analytics out of three side projects and picking a privacy-focused alternative. Specifically, I'll compare Umami, Plausible, and Fathom — the three I actually evaluated — and walk through the migration steps that worked for me.

Why even migrate?

A few honest reasons, none of them ideological:

Script weight. GA4's gtag.js is heavy.…