Looks like a bigger version of something I built. In my case I built it as a progressive enhancement to `<time>` itself (like `<time is="relative-time">`), which also potentially makes it easier for it to gain features if the tag gains features. Of course, the most obvious (and disappointing) trade off to that approach is lack of Safari support [1].
There is an inherent risk in such low-level frameworks compared to React: they allow you to easily blow your foot off by injecting raw, unsanitized HTML back for dynamic execution, a thing that would not work in React apps by default. Even on those demos, you can XSS yourself with the simplest payload, confirming my point.
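To make the "raw HTML sink" point concrete, here is an added example (not code from the thread or from any of the projects mentioned) contrasting a string-concatenating render helper with one that escapes interpolated values the way JSX does implicitly. The `<time class="relative">` wrapper, the `containsMarkup` heuristic and the payload are constructed for the demo; it runs under Node without a DOM because it only returns the string that would be assigned to `innerHTML`.

```javascript
// Added example, not from the original thread. Simulates the two render paths:
// the returned string is what a low-level helper would assign to innerHTML.

// Unsafe path: the framework hands the string straight to innerHTML, so any
// markup in userText is parsed and executed by the browser.
function renderUnsafe(userText) {
  return `<time class="relative">${userText}</time>`;
}

// Escape the five characters that matter in HTML text and attribute contexts.
// React/JSX performs this escaping on every interpolated value by default.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened path: identical template, but the user-controlled part is escaped.
function renderSafe(userText) {
  return `<time class="relative">${escapeHtml(userText)}</time>`;
}

// Constructed check for the demo (not a sanitizer): does the interpolated part
// still contain something the HTML parser would open as a tag? In HTML, a '<'
// followed by a letter, '/', '!' or '?' starts a tag or declaration.
function containsMarkup(rendered) {
  const inner = rendered.replace(/^<time class="relative">|<\/time>$/g, '');
  return /<[a-z\/!?]/i.test(inner);
}

// The "simplest payload" a commenter would paste into a demo input.
const PAYLOAD = '<img src=x onerror=alert(1)>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderUnsafe(PAYLOAD)); // <img ...> survives: browser runs onerror
  console.log(renderSafe(PAYLOAD));   // &lt;img ...&gt;: rendered as literal text
}
```

Note that escaping is context-specific: this covers text nodes and quoted attribute values, not URLs, inline scripts or CSS, where a different encoder is required.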
On Node.js there are some hardening flags like --disable-proto=throw and --frozen-intrinsics to mitigate/crash on prototype pollution, and --disallow-code-generation-from-strings to prevent dynamic evals; however, Vercel doesn't seem to support custom Node runtime options.
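The following is an added example (not from the thread) showing what those flags defend against and how to check at runtime whether they are in effect, which matters precisely when the host does not let you pass Node options. The recursive merge is the classic prototype-pollution gadget; `mergeSafe` is the application-level mitigation you fall back on when the flags are unavailable. The attacker JSON is constructed for the demo.

```javascript
// Added example, not from the original thread.

// Vulnerable deep merge: walks source keys blindly. JSON.parse creates an OWN
// property named "__proto__", so target["__proto__"] (the Object.prototype
// accessor) is reached and the nested object is written into Object.prototype.
// With `node --disable-proto=throw` that accessor read throws ERR_PROTO_ACCESS;
// with `--frozen-intrinsics` the write onto Object.prototype fails instead.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse the three keys that reach a prototype, and only
// recurse into the target's OWN properties so inherited ones are never written.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the attack against mergeUnsafe, reports whether a fresh object inherited
// the injected property, and cleans up so the rest of the process is unaffected.
// Returns false when a flag (or a frozen Object.prototype) blocked the write.
function demonstratePollution() {
  const attackerJson = '{"__proto__": {"polluted": true}}'; // constructed input
  let leaked = false;
  try {
    mergeUnsafe({}, JSON.parse(attackerJson));
    leaked = ({}).polluted === true;
  } catch (e) {
    leaked = false; // --disable-proto=throw lands here
  }
  delete Object.prototype.polluted;
  return leaked;
}

// Probe the runtime instead of parsing argv: NODE_OPTIONS, a wrapper, or a
// platform default may have set a flag without it appearing in process.execArgv.
function runtimeHardening() {
  const r = { protoAccess: 'allowed', intrinsicsFrozen: false, codeGenFromStrings: true };
  try { void ({}).__proto__; } catch (e) { r.protoAccess = 'throws'; }  // --disable-proto=throw
  if (!('__proto__' in Object.prototype)) r.protoAccess = 'deleted';     // --disable-proto=delete
  r.intrinsicsFrozen = Object.isFrozen(Object.prototype);                // --frozen-intrinsics
  try { new Function('return 1')(); } catch (e) { r.codeGenFromStrings = false; } // --disallow-code-generation-from-strings
  return r;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('pollution succeeded:', demonstratePollution());
  console.log('runtime hardening:', runtimeHardening());
}
```

Run it once plainly and once as `node --disable-proto=throw --frozen-intrinsics --disallow-code-generation-from-strings script.js` to see `demonstratePollution()` flip to false and the probe report each flag; the `mergeSafe` result is the same either way, which is the point of having both layers.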
To stay CAN-SPAM compliant, the sender MUST NOT require anything but an email and a single visit to a webpage. A confirmation page is OK, but requiring authentication or any other information or steps is simply illegal.
As a rule of thumb: one-click List-Unsubscribe with List-Unsubscribe-Post headers, plus a plain opt-out page for the unsubscribe link in the email body (with confirmation if you risk such security solutions clicking on them, which as you say applies only in B2B).
These links should ideally be personalized (i.e. encode recipient’s email/account ID) so the opt-out page would not even require users to put their emails.
And please keep List-Unsubscribe via mailto as well, some clients may not support HTTPS POST.
Just assume every form on the Internet is being constantly filled with leaked or stolen data.
I am pretty sure they (the pissed-off recipients) have never even visited your site. Their emails were submitted by persistent fraud groups hammering every possible input 24/7 for their scam and spam ops. I observe such behavior on our apps and sites, even those that you would assume no one is even aware of.
Cloudflare’s Turnstile will help you block 90% of such threats, and the final solution is to double-confirm the subscription - this way you can be pretty sure subscribers are there willingly and have not been put in by crooks.
Nowadays, I would even ditch the email input and force "Subscribe with Google/Apple/xyz" via OAuth to completely mitigate this broken unauthorized newsletter subscription flow.
I believe this was just a joke. I bet only heavily regulated enterprises would be interested in a product like yours, to checkmark their compliance sheet. Regular coders and smaller businesses won’t care.
Thanks for the feedback! We've had a few inbounds from early-stage startups that try to sell to regulated industries, so our assumption here is that small startups might need our tool if they are targeting highly regulated industries (we could be completely wrong, though).
Joke or not, it actually made me consider reaching out to vibe coders, but yeah, we are still validating the need.
For the record, this is not a joke. This is a very active need for a lot of vibe coders. They know they need security, but they don't know how/what they are missing.
Check out the Supabase or Lovable subreddits; people report that they got stung by mass bot signups etc. every other day.
Sure these are complex apps but they are trying to launch the next big thing.
If you're paying $20 a month for an LLM coding app, what's a $5 fee to get a once-over before launch?
I imagine this will keep the lights on as you try and land the corporate whales.
True. Either way, Umami's been using `yarn` since 2020, before that release of NPM (although for what reason at that time, I don't know).
Being bad thereby creating desirable competition has lasting effects. We could get into when/why/what each thing supports all day, but it's not worth it.
Speaking of what's supported nowadays, installing other package managers is a corepack call away, literally a whole other feature built into Node.js because NPM is/was/etc. subpar. It's experimental, but this is all to say: it doesn't surprise me in the slightest that a project might use something that isn't NPM, and I actively expect it when picking up others' projects.
There is already a header for that: List-Unsubscribe with the URL, and the List-Unsubscribe-Post to support one-click unsubscribes, which Google and Yahoo began enforcing for bulk senders in February this year.