I'd love to see a package repository where libraries had permissions like Android apps.
It would simplify trusting obscure new libraries if I could see e.g. libfoo never accesses the network.
Related Posts
It is remarkably hard to escape command line arguments safely on Windows, and the standard libraries of multiple languages have needed patching: https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
Are there any package managers that treat changelogs as a first class concept?
I end up looking for a CHANGELOG.md or a CHANGES.txt in the source code repository every time. The lack of standard prevents package hosting services being able to show changes.
One subtle behaviour of Claude that wasn't obvious to me: whilst each conversation is transient, permissions persist across conversations.
So if you've given permission to run e.g. 'cargo test' or even 'cargo run', you need to be sure that all future invocations are safe too.
You can see the current permissions with /permissions.