Hacker News: silverwind's comments


Yep, the `files` array should be required by default, but isn't, resulting in many gigabytes of garbage being pushed to the npm registry every day.

Eventually you will want to update it, and every update is a risk.

But, pinning has prevented most of the recent supply chain attacks.

As long as you don't update your pins during an active supply chain attack, the risk surface is rather low.
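An added example, not part of the thread above, that mechanizes two of the points raised so far (the missing `files` allowlist, and exact pins versus version ranges). It audits a `package.json` object for a missing or empty `files` array and for dependency specifiers that are not an exact semver version; `auditManifest` and `isPinned` are hypothetical helper names, and the manifest below is constructed for the example, not a real package. The caveat it does not cover: an exact version in the manifest only pins the version, while the lockfile's integrity hash is what pins the actual tarball bytes.

```javascript
// Added example (not from the HN thread): audit a package.json for two
// supply-chain hygiene points: no `files` allowlist, and dependency
// specifiers that are not pinned to an exact version.

// Exact semver only: "1.2.3", optionally with a prerelease ("-beta.1")
// and build metadata ("+sha.abc"). Anything else (ranges like ^, ~, >=,
// x or *, dist-tags like "latest", git/URL specifiers) counts as unpinned.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  return typeof spec === 'string' && EXACT_SEMVER.test(spec);
}

// Returns a list of findings; an empty list means both checks passed.
function auditManifest(pkg) {
  const findings = [];

  // Without `files`, npm publishes everything in the package directory that
  // is not excluded by .npmignore / .gitignore, which is how stray build
  // output and local junk end up on the registry.
  if (!Array.isArray(pkg.files) || pkg.files.length === 0) {
    findings.push({
      kind: 'missing-files-allowlist',
      detail: 'no non-empty `files` array in package.json',
    });
  }

  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isPinned(spec)) {
        findings.push({
          kind: 'unpinned-dependency',
          detail: `${field}.${name} = "${spec}"`,
        });
      }
    }
  }
  return findings;
}

// Constructed sample manifest for the demo (hypothetical package names).
const sampleManifest = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    'some-http-lib': '1.2.3',     // pinned
    'left-pad-ish': '^1.3.0',     // caret range: unpinned
    'tagged-dep': 'latest',       // dist-tag: unpinned
  },
  devDependencies: {
    'test-runner': '~9.0.0',      // tilde range: unpinned
  },
};

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.kind}: ${f.detail}`);
}
```

To run this against a real project, replace `sampleManifest` with `JSON.parse(fs.readFileSync('package.json', 'utf8'))`; running it as a pre-publish or CI step turns "the `files` array should be required" into something the build actually enforces.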


The flip side of that is now you're running old software and CVEs get published all the time. Threat actors actively scan the internet looking for software that's vulnerable to new CVEs.

Even better would be to not use so many libs. Most use cases will do fine with native `fetch`.

npm really needs to provide an option to set individual packages to only be publishable via trusted publishing.

I have instructions for these because the attribution settings don't accept placeholder tokens like `<model>`, `<version>` etc.

Yep, it regularly ignores CLAUDE.md files. It seems these files are not weighted high enough vs. the prompt.

`.claude` is likely to contain secrets and also contains garbage like caches etc. If it is shared, it should only be partially shared.

Would love if there is a way to parallelize playwright mcp using multiple agents and such, but it seems it's a fundamental limitation of that MCP that only one instance/tab can be controlled.

Chrome MCP is much slower and by default pretty much unusable because Claude seems to prefer to read state from screenshots. Also, no Firefox/Safari support means no cross-browser testing.

There appears to be https://github.com/sumyapp/playwright-parallel-mcp which may be worth trying.


Effort would be better invested in making `jq` itself faster.
