by austincheney 2189 days ago
You can perform analytics almost as well from just the HTTP headers, you don’t need JS at all for fingerprinting, and hijacked NPM modules are probably still present even if there is no JS pushed into the browser.
1 comments

Curious, how do you do fingerprinting without JS? User agent, header order, etc? How well does it work?
Basically, each layer of any implementation of the OSI stack will have its own peculiarities. E.g. there's a paper on re-identifying computers via TCP clock drift.

How well they work depends on the amount of effort you're putting in. Since JavaScript is easy and offers a very rich attack surface, there seems to be little reason to really plunge the depths of other layers.

Panopticlick did some of this with headers included, their order, and their timing. Which of course can be defeated without much loss of features. Tor Browser being one example.
Cookie?
and also transparent pixel
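
The header-based fingerprinting discussed in this thread, as an added example that is not part of any comment: it derives a fingerprint from header order and a few header values, then shows that sending a uniform header profile collapses distinct clients into one fingerprint. The sample requests, the `VALUE_HEADERS` set and the `UNIFORM` profile are constructed assumptions, not any real browser's behaviour.

```python
import hashlib

# Constructed sample requests (not captured traffic): same User-Agent,
# but different header order and Accept-Language.
REQ_A = (b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: UA/1.0\r\n"
         b"Accept: text/html\r\nAccept-Language: en-US,en;q=0.5\r\n"
         b"Accept-Encoding: gzip, deflate\r\n\r\n")
REQ_B = (b"GET / HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n"
         b"User-Agent: UA/1.0\r\nAccept-Encoding: gzip, deflate\r\n"
         b"Accept-Language: de-DE,de;q=0.8\r\n\r\n")

# Headers whose values reflect client build or configuration (assumed set).
VALUE_HEADERS = ("user-agent", "accept", "accept-language", "accept-encoding")
# Hypothetical uniform profile every client would send after normalization.
UNIFORM = [("User-Agent", "UA/uniform"), ("Accept", "text/html"),
           ("Accept-Language", "en-US,en;q=0.5"),
           ("Accept-Encoding", "gzip, deflate")]

def parse_headers(raw):
    """Return [(name, value)] in wire order, skipping the request line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def fingerprint(raw):
    """Hash the header-name order plus selected header values."""
    pairs = parse_headers(raw)
    order = ",".join(name.lower() for name, _ in pairs)
    values = {name.lower(): value for name, value in pairs}
    material = order + "|" + "|".join(values.get(h, "") for h in VALUE_HEADERS)
    return hashlib.sha256(material.encode("latin-1")).hexdigest()[:16]

def normalize(raw):
    """Rewrite a request to the uniform header set, order and values."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    host = dict((n.lower(), v) for n, v in parse_headers(raw)).get("host", "")
    lines = [request_line, "Host: " + host]
    lines += [f"{n}: {v}" for n, v in UNIFORM]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

if __name__ == "__main__":
    print(fingerprint(REQ_A), fingerprint(REQ_B))
    print(fingerprint(normalize(REQ_A)), fingerprint(normalize(REQ_B)))
```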