Hacker News: Show HN

Show HN: DepsGuard – one command to harden NPM/pnpm/yarn/bun/uv configs

eranation — Mon, 01 Jun 2026 16:58:52 +0000

I kept seeing every npm/pnpm/yarn/bun/uv supply chain post end with the same advice (set a minimum release age, turn off install scripts), and while I know cooldowns are "controversial", they do work. But even if you convince people that they should set cooldowns, it seems many don't end up following through, not sure why, maybe because it means hand-editing five config files in five formats with five different time units, or perhaps the "it won't happen to me" syndrome (or "I'll do it later, it seems complicated" where it's actually very simple). So I created a tool that checks what you have set and fixes it for you. I looked for an existing one first and couldn't find it. It started as a small weekend project and turned into a small research project on the nuances of cooldowns across package managers. Not a proof of P vs NP, but a small convenience that can save you and your loved ones from the next supply chain attack. I've raised this in a couple of HN threads since (https://news.ycombinator.com/item?id=47878158 and https://news.ycombinator.com/item?id=48156360) but never actually did a Show HN for the tool itself.

If you know how to edit your ~/.npmrc, which settings apply to npm vs pnpm, and which one wants minutes vs days vs seconds, you probably don't need this. But if you vibe code and just want a one click fix (or you have a PhD in CS from Stanford, ex-FAANG, started 3 YC companies, now work at Anthropic, and still just want a one click fix), read on.

DepsGuard is a single Rust binary, no runtime deps, MIT. Run depsguard and it scans your user-level and repo-level configs, shows a table of what is and isn't set, you pick what to change, hit d for the diff, and apply. It writes a timestamped backup first and depsguard restore rolls it back. depsguard scan is read-only if you just want the report.

The settings are the simple ones that work: min-release-age / minimumReleaseAge (npm, pnpm, yarn, bun, and uv all name it differently and use days vs minutes vs seconds, which is half of why doing this by hand is annoying), ignore-scripts, and on newer pnpm block-exotic-subdeps, trust-policy: no-downgrade, and strict-dep-builds. It also handles Renovate and Dependabot cooldowns.

The whole thing is a bet on timing. The malicious @bitwarden/cli 2026.4.0 was up ~19 hours and got 334 installs. axios was pulled in ~3h, ua-parser-js in hours, node-ipc in days. A 7-day gate means your installer never resolves any of those, they're gone before the window even opens. It does nothing for the slow ones (event-stream sat 2+ months), and it's not SCA, it won't scan your existing lockfile for known CVEs, that's a different layer.

Disclosure: I'm a co-founder and CTO at Arnica (a commercial appsec startup) and built this because putting the same recommendations on each blog post felt like yelling at the clouds. It's free and MIT, no account, no telemetry. I'm also not the only one who had the idea (didn't know at the time), cooldowns.dev does the cooldown part across more ecosystems with a shell helper and is worth a look. DepsGuard covers fewer ecosystems but adds the other settings and the diff/backup/restore flow.

If you want to try it: cargo install depsguard, or brew/apt/winget/scoop, all in the README.

https://github.com/arnica/depsguard (full settings table and FAQ at depsguard.com)

Is this an overkill that could have been a shell script? Probably yes (but I wanted windows support, why not).

Did it save someone from a supply chain attack? Also probably yes.

Do I know personally someone that without it wouldn't have bothered changing their settings after repeatedly asking, but eventually did it when I gave them depsguard? Absolutely yes.

Comments URL: https://news.ycombinator.com/item?id=48359478

Points: 1

# Comments: 0

Show HN: A desktop app for manual QA testing and evidence gathering

adriandomc — Mon, 01 Jun 2026 16:47:05 +0000

Article URL: https://github.com/adriandomc/qastor

Comments URL: https://news.ycombinator.com/item?id=48359305

Points: 2

# Comments: 0

Show HN: CurateKit: modern del.icio.us with custom domain, team and email digest

wenbin — Mon, 01 Jun 2026 16:39:46 +0000

Article URL: https://www.curatekit.com/

Comments URL: https://news.ycombinator.com/item?id=48359209

Points: 1

# Comments: 0

Show HN: Tok - A Claude Code token counter (no ANTHROPIC_API_KEY required)

samjoch — Mon, 01 Jun 2026 16:23:55 +0000

Article URL: https://github.com/samjoch/tok

Comments URL: https://news.ycombinator.com/item?id=48358986

Points: 2

# Comments: 0

Show HN: Valdr - Valkey/Redis in safe Rust, passes >99% of Valkey test suite

ianm218 — Mon, 01 Jun 2026 16:23:47 +0000

Article URL: https://github.com/ianm199/valdr

Comments URL: https://news.ycombinator.com/item?id=48358983

Points: 2

# Comments: 2

Show HN: Get new long-tail keywords in your inbox every week

onion92 — Mon, 01 Jun 2026 16:22:12 +0000

Article URL: https://www.longtailkeyword.io

Comments URL: https://news.ycombinator.com/item?id=48358951

Points: 1

# Comments: 0

Show HN: A multi-carrier shipping rate aggregator for the EU

jetsend — Mon, 01 Jun 2026 16:11:08 +0000

Article URL: https://jetsend.eu/en-es

Comments URL: https://news.ycombinator.com/item?id=48358791

Points: 1

# Comments: 0

Show HN: Canvascript – Canvas prints of source code

EOdOW — Mon, 01 Jun 2026 16:05:03 +0000

Hi HN. I made a small store of canvas prints of source code. Eight prints at launch — Section 11 of the Bitcoin whitepaper, the BAILOUT/POODOO restart handlers from Apollo 11's Lunar Module flight software, Linus Torvalds' first Git commit, the original CERN webpage, the K&R Hello World, Adam Back's 3-line RSA Perl, the Jaromil fork bomb, and the Erudil Perl camel.

Comments URL: https://news.ycombinator.com/item?id=48358697

Points: 2

# Comments: 0

Show HN: VS Extension to Track GH Copilot Usage Creds

herrj — Mon, 01 Jun 2026 15:36:54 +0000

Been working on this VS code extension in preparation for the usage based billing change. Hoping this will help me be more mindful of my credits.

Comments URL: https://news.ycombinator.com/item?id=48358285

Points: 1

# Comments: 0

Show HN: Data Leak Prevention inside the n8n execution graph.

methreeves — Mon, 01 Jun 2026 15:34:59 +0000

Article URL: https://npmjs.com/package/n8n-nodes-privent

Comments URL: https://news.ycombinator.com/item?id=48358251

Points: 17

# Comments: 1

Show HN: WorkInProcess – an image studio that runs in the browser tab

Moeflon — Mon, 01 Jun 2026 15:33:53 +0000

Article URL: https://workinprocess.app/

Comments URL: https://news.ycombinator.com/item?id=48358232

Points: 1

# Comments: 0

Show HN: Gridiculous, my homebrew Game Boy Advance logic puzzle collection

goache — Mon, 01 Jun 2026 15:19:29 +0000

I'm a huge fan of logic puzzles and retro gaming, so I decided to merge those two and take a shot at building a Game Boy Advance game using Butano.

My collection includes games inspired by four puzzle games: Picross, Slitherlink, Akari, and Binario. Every puzzle is procedurally generated, and I made sure to exclude any that aren't solvable through step-by-step forward logic. (guessing is never required)

If you enjoy logic puzzles, be sure to check it out! Any feedback or advice would be amazing too.

Comments URL: https://news.ycombinator.com/item?id=48358006

Points: 2

# Comments: 0

Show HN: Funnel – Find a convesion leak on any landing page in 30 seconds

crimeacs — Mon, 01 Jun 2026 15:18:24 +0000

Article URL: https://www.funnel.fyi

Comments URL: https://news.ycombinator.com/item?id=48357986

Points: 1

# Comments: 2

Show HN: FormProxy – form back end for AI-generated pages – MCP Ready

gagan2020 — Mon, 01 Jun 2026 15:09:46 +0000

I kept running into the same problem building with AI code tools: the generated HTML looks great, but the

has no backend. You either reach for Formspree, write a serverless function, or ship it broken.

FormProxy wires it up in one step. Drop a page URL, get a POST endpoint, and submissions route to Slack, webhooks, or Google Sheets. (Google Sheets is currently unreliable — waiting on Google's OAuth app review, which is taking longer than expected. Webhook and Slack are production-ready.)

The angle I'm most interested in: there's an MCP skill so LLMs can provision the form endpoint themselves during code generation. Claude or GPT-4 can call FormProxy mid-session, inject the action URL into the HTML it's writing, and the page ships with a working form — no manual wiring.

Happy to be challenged on: why not just Formspree, how the MCP skill actually works in practice, and what the right pricing model is for this. I've been going back and forth on per-submission vs. per-endpoint.

formproxy.com — free tier available.

Comments URL: https://news.ycombinator.com/item?id=48357884

Points: 1

# Comments: 0

Show HN: Json2vec – build/train/deploy models with nested data structures

granthamctaylor — Mon, 01 Jun 2026 15:00:08 +0000

Article URL: https://github.com/json2vec/json2vec

Comments URL: https://news.ycombinator.com/item?id=48357711

Points: 1

# Comments: 0

Show HN: MigraDiff – migra fork with AI migration generation for Postgres

lateos-ai — Mon, 01 Jun 2026 14:54:55 +0000

Article URL: https://github.com/leochong/migradiff

Comments URL: https://news.ycombinator.com/item?id=48357624

Points: 1

# Comments: 0

Show HN: Paid or Played? – a simple recoupment calculator for music artists

lorenzosch — Mon, 01 Jun 2026 14:54:02 +0000

I built a small tool for artists to understand when a music deal actually starts paying them.

You enter the advance, marketing/video costs, other recoupable expenses, royalty rate, and revenue scenario. The tool shows how much the label needs to make before the artist starts seeing new master royalties.

Comments URL: https://news.ycombinator.com/item?id=48357616

Points: 1

# Comments: 0

Show HN: Climbing Grade Converter

citrus1330 — Mon, 01 Jun 2026 14:39:08 +0000

Outside of programming, my main hobby is rock climbing. Because the grading systems used to communicate difficulty vary depending on climbing discipline and country, I often find myself needing to convert grades when reading climbing content online. Several tools for this already exist, but I wasn't entirely happy with any of them so I decided to build my own.

I focused on making my converter as fast, clean, and easy to use as possible. It's a simple one-page utility hosted on my blog that currently supports V-Scale, Font, YDS, and French. The blog is built with astro and the converter itself is built with vue.

Feedback welcome, especially from fellow climbers.

Comments URL: https://news.ycombinator.com/item?id=48357443

Points: 1

# Comments: 0

Show HN: Fregata – a macOS native port of Frigate NVR

nulledy — Mon, 01 Jun 2026 14:27:53 +0000

Article URL: https://fregata.app/

Comments URL: https://news.ycombinator.com/item?id=48357311

Points: 2

# Comments: 1

Show HN: 2-command CLI to give AI agents structured data retrieval on PostgreSQL

0xJaksun — Mon, 01 Jun 2026 14:21:21 +0000

AI agents need structured data, not similarity search. Graph DBs are expensive, vector stores are fuzzy.

Lithium is a storage engine on PostgreSQL ltree. Hierarchical, versioned, scoped queries. Two commands:

npx @lithium-ai/kit init

claude mcp add lithium -- npx @lithium-ai/kit serve

Your agents get tools to navigate, store, and retrieve structured data on your existing Postgres.

Open source, MIT.

Comments URL: https://news.ycombinator.com/item?id=48357212

Points: 2

# Comments: 0