[throwitaway1123]

> FrankenPHP doesn't proxy to the PHP dev server.

I didn't say FrankenPHP proxies to the PHP dev server. I'm saying FrankenPHP is a Frankenstein amalgamation of the Caddy reverse proxy server and PHP, which is necessitated by the lack of a production server built in to PHP. Some languages/runtimes like Go (which Caddy is written in) and Node have production ready servers built in to their standard libraries.

> I'd reverse proxy to it as a matter of principle [...] some other server should be managing HTTPS.

I've used Caddy and it's great, but if I have Cloudflare or some other service terminating SSL and serving static assets, then I don't necessarily need Apache, Nginx, or Caddy acting as a middleman.

> The security situation with node package dependencies is hilariously bad

Most of the security issues involving NPM are related to client side JS, not server side JS. PHP doesn't run client side at all, so it's a bit of an apples to oranges comparison. If you're just doing traditional server side templating then there are plenty of rock solid frameworks. Hapi has zero third party dependencies and was designed by one of the authors of the OAuth spec for example.