frontpage.

Hey HN — after the Axios attack I went looking for something that could help against this kind of install-time risk. I didn’t find a tool that did what I wanted, so I built one. SafeInstall is a local CLI for npm, pnpm, and bun. It checks policy before the package manager runs. Especially now, when tons of people are building with AIs like Cursor and Claude and either give them full rights or just hit enter on every prompt, I thought it was important to build a guardrail before the install happens.

By default it: blocks very fresh registry releases blocks lifecycle scripts unless explicitly allowed blocks git, tarball, and URL installs by default catches trust downgrades, like registry-to-git changes or newly introduced install scripts

Optional checks: typo-squat detection Sigstore provenance verification with publisher/repo pinning, so a package can be tied to an expected source instead of accepting any valid signature

It’s MIT licensed, runs locally, and doesn’t require an account or signup. Repo: https://github.com/Mickdownunder/SafeInstall Website: https://safeinstall.dev I’m interested in feedback on the policy model and on which checks should or shouldn’t be enabled by default.

It's OK to compare floating-points for equality

80386 Memory Pipeline

Show HN: A Birth Control Pill Reminder for Couples

OpenAI rips Anthropic, distances itself from Microsoft

Show HN: I Added Support for Qwen3-ASR and Qwen3 ForcedAligner in WhisperX

I built an AI to do my job end-to-end. The problem wasn't the AI

Using Actor Network Theory to rethink work in the age of generative AI

Show HN: Messaging without phone numbers, email, or metadata

Show HN: LoadLens – See why queues hide overload instead of solving it

Show HN: AriaType – open-source privacy-first and local-first voice-to-text app

Bot Bait – Just hit $2K MRR after 8 months of grinding

Show HN: Cliparr – Export clips from your personal media server

Same LLM, different agent: a CI debugger built on Claude

The Meta Product Manager

Building a Browser for the Agent Era

Missing Emails in Gmail? It's Your Tabs – and It Costs You More Than You Think

Ozempic Dreams

Hyperbridge exploited two weeks after April Fools' hack joke

Is This Agent Safe? Free security checker with scores no platform can revoke

Zig 0.16.0 Release Notes

Amazon Bio Discovery

Google, Microsoft, Meta All Tracking You Even When You Opt Out

Airbnb Hosts Dont Want to Talk to Guests Anymore, Are Outsourcing Messages to AI

New toothpaste stops gum disease without killing good bacteria

Prolog Implementation of the IRS Fact Graph

IMF warns global economy at risk of recession if Iran war persists

For the First Time in the U.S., Renewables Generate More Power Than Natural Gas

1-Bit Bonsai: The First Commercially Viable 1-Bit LLMs

The Fediverse deserves a dumb graphical client

Show HN: A memory database that forgets, consolidates, and detects contradiction

Show HN: SafeInstall – local install-time guardrails for NPM/pnpm/bun