fortunately, i hacked claude. it's now writing code without npm or any stupid framework. turns out it runs way faster, is easier to fix and extend, and completely removes this vulnerability altogether. and the code itself is moxie, my trimmed down, IPC based parallelised single thread per process architecture, inspired by Rob Pike languages like Newsqueak. concurrency in the ui. concurrency in dedicated network handlers, data handlers, and whatnot. using MV2 architecture in firefox instead of retarded MV3 (pushed by google with chrome) which was disrupting my multi-process threading with communication instead of memory sharing. claude is trained to deal with all that npm stuff, but what i've made is far simpler, the bigger problem has been to stop claude reaching for those tools reflexively.