
> if someone manages to inject arbitrary HTML

If they can, why wouldn’t it be inline <script>?


Because CSP can be configured to block inline scripts.


The syntax to allow inline scripts is even "unsafe-inline" to emphasize that you are entering the danger zone.
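The exchange above turns on one question: does a given Content-Security-Policy let an injected inline `<script>` run? The checker below is an added example, not code from the thread or from any commenter; it models only the parts of CSP that matter for that question (`script-src`, its `default-src` fallback, `'unsafe-inline'`, and the rule that a nonce or hash source makes `'unsafe-inline'` ignored in browsers that understand them). The nonce value and the policies fed to it are constructed for the example.

```javascript
// Added example, not from the thread: check whether a CSP header value would
// let an injected inline <script> execute, and build a nonce-based policy
// that does not.

// Split a Content-Security-Policy header into { directiveName: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored,
    // which is what browsers do as well.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// True when an injected inline <script> would run under this policy.
function cspAllowsInlineScript(header) {
  const policy = parseCsp(header);
  // script-src governs scripts; default-src is the fallback; if neither is
  // present the policy does not restrict scripts at all.
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasUnsafeInline = lower.includes("'unsafe-inline'");
  // A nonce or hash source makes 'unsafe-inline' ignored (CSP Level 2+), so
  // an inline script is blocked unless the attacker also knows the nonce.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return hasUnsafeInline && !hasNonceOrHash;
}

// Build a per-response policy that only runs scripts carrying the server's
// nonce. The nonce is assumed to be fresh per response and unguessable.
function buildNoncePolicy(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// Constructed policies: the "danger zone" one and a hardened one.
const weak = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const strong = buildNoncePolicy('d2ViLWNzcA'); // constructed nonce value
console.log(cspAllowsInlineScript(weak));   // true
console.log(cspAllowsInlineScript(strong)); // false
```

The checker deliberately treats a header with no `script-src` and no `default-src` as allowing inline scripts, since an absent directive is an absent restriction; that is the case most often missed when someone "has CSP" but only set `img-src` or `frame-ancestors`.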


Good point. I think the fact that it’s named “exit status” instead of “error code” is the primary confusion factor.


Sounds interesting, but what are good examples of the "Visualizer" part? The screenshots section [1] only has 6 (pretty primitive [2]) images out of about 100 total, but maybe that is outdated?

[1] https://www.dbvis.com/features/software-screenshots/

[2] https://www.dbvis.com/images/features/screens/chart3.png


I wish we also had regular word-sized ints as well instead of everything being double precision with all kinds of weird edge cases.


No need for a custom parser. Right now, you can use a custom format with reviver and serializer functions (2nd arg to serialize / parse). Say, have them serialize as the string `^bigint[\d]+$` and revive appropriately.


But the point is to support large numbers with the traditional syntax.

e.g. so that {"foo": 1234567890123456789012345678901234567890} doesn't lose precision.


Given that `int + bigint` throws in JS, this exact thing will never happen imo; otherwise, you can't differentiate between types.

Maybe something like `{"x": 10n}`, but at that point, might as well do reviver, especially if you already agreed on a format and use some to parse out class instances vs plain objects.
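The two comments above (the `bigint<digits>` string tag via replacer/reviver, and the precision loss of a 40-digit literal under the traditional syntax) can be shown in a few lines. This is an added example, not code posted by either commenter; it uses `JSON.stringify`'s second argument (the replacer) and `JSON.parse`'s second argument (the reviver). The tag format follows the comment, with a leading minus sign also accepted here so negative values survive; the sample object and the 40-digit literal are constructed.

```javascript
// Added example, not from the thread: carry BigInt through JSON as tagged
// strings, and show what plain JSON.parse does to an oversized integer literal.

// Tag format from the comment above, extended with an optional minus sign.
const BIGINT_TAG = /^bigint(-?\d+)$/;

// Replacer: JSON.stringify throws on a raw BigInt, but it calls the replacer
// first, so every BigInt is turned into a tagged string before that check.
function replacer(key, value) {
  return typeof value === 'bigint' ? `bigint${value.toString()}` : value;
}

// Reviver: tagged strings become BigInt again; everything else is untouched.
function reviver(key, value) {
  if (typeof value !== 'string') return value;
  const m = BIGINT_TAG.exec(value);
  return m ? BigInt(m[1]) : value;
}

function encode(obj) {
  return JSON.stringify(obj, replacer);
}

function decode(text) {
  return JSON.parse(text, reviver);
}

// The "traditional syntax" case from the thread: the literal is parsed as a
// double, so everything beyond 2^53 of precision is silently discarded.
function parsePlainLiteral() {
  return JSON.parse('{"foo": 1234567890123456789012345678901234567890}').foo;
}

// Constructed sample: 2^70 does not fit in a double exactly.
const original = { id: 2n ** 70n, count: 3 };
const wire = encode(original);        // {"id":"bigint1180591620717411303424","count":3}
const back = decode(wire);
console.log(back.id === original.id); // true, BigInt primitives compare by value
console.log(typeof parsePlainLiteral()); // "number", not the 40-digit integer
```

One caveat worth keeping in mind when this format is used on untrusted input: the reviver turns any string matching `bigint<digits>` into a BigInt, so a client that sends `"bigint1"` where a plain string was expected changes the type the application sees. Validate the decoded object against a schema, or put the tag somewhere the input cannot spoof, before trusting the result.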


Keychain Access.app works exactly like that. Not sure if it would be easy to migrate from LastPass, though. I know you can at least script the process.

Well, that could be a dealbreaker, though given this is a taste thing and great browser performance of iOS, I personally don't see it as a problem.

Google Photos is on the App Store. On Mac, you can rsync your photos library with cron or launchctl (~/Documents/Photos.library) or stick with Time Machine or a dozen other file-level or block-level backup tools.


Want to second this and mention that as of iOS 11, the built-in keychain works inside apps. It's also the reason I've switched back to using Safari on the desktop as my default browser. Neither Firefox nor Chrome use the keychain properly (hard to tell whether this is Apple's intent).


Have a single "I clicked by mistake" button that resubscribes instead.


Yes, the automated system prefetching links will always click said button.


Not if the button issues a POST request.


The button I was responding about was an "undo unsubscribe". A bot won't click that button, but may follow a link.


Right, I assumed the button would be linked from a subsequent email confirming the unsubscription. You're right, a button in the unsubscription page doesn't help.
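The distinction the sub-thread settles on (a link in a confirmation email gets followed by prefetchers and scanners; a POST button does not) is easiest to see in a handler. The code below is an added example, not code from the thread: a request handler written as a pure function over an in-memory store, where only POST changes subscription state, plus a simulated prefetcher that GETs every URL it finds. The token, the store contents and the URLs are constructed for the example.

```javascript
// Added example, not from the thread: state changes only on POST, so a
// link-following bot cannot unsubscribe or resubscribe anyone.

// Constructed store: Map<token, { email, subscribed }>.
function makeStore() {
  return new Map([['tok-alice', { email: 'alice@example.com', subscribed: true }]]);
}

// Minimal HTML-escape for the token that is echoed into a hidden field.
function esc(s) {
  return String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Returns { status, body }; the store is mutated only on POST.
function handle(store, method, path, params = {}) {
  const sub = store.get(params.t);
  if (!sub) return { status: 404, body: 'unknown token' };
  const hidden = `<input type="hidden" name="t" value="${esc(params.t)}">`;

  if (method === 'GET' && path === '/unsubscribe') {
    // Safe method: this is the URL that goes in the email, so it only
    // renders the confirmation form and changes nothing.
    return { status: 200, body: `<form method="POST" action="/unsubscribe">${hidden}<button>Unsubscribe</button></form>` };
  }
  if (method === 'POST' && path === '/unsubscribe') {
    sub.subscribed = false;
    // The "I clicked by mistake" control is itself a POST form, never a link,
    // so a scanner that follows links in the confirmation email cannot undo it.
    return { status: 200, body: `<form method="POST" action="/resubscribe">${hidden}<button>I clicked by mistake</button></form>` };
  }
  if (method === 'POST' && path === '/resubscribe') {
    sub.subscribed = true;
    return { status: 200, body: 'resubscribed' };
  }
  return { status: 405, body: 'method not allowed' };
}

// Simulated prefetcher: it GETs every URL it sees and submits no forms.
// Returns the subscription state afterwards.
function prefetcherVisits(store, urls) {
  for (const u of urls) {
    const [path, query] = u.split('?');
    const params = Object.fromEntries(new URLSearchParams(query));
    handle(store, 'GET', path, params);
  }
  return store.get('tok-alice').subscribed;
}

const store = makeStore();
console.log(prefetcherVisits(store, ['/unsubscribe?t=tok-alice', '/resubscribe?t=tok-alice'])); // true, still subscribed
```

In a real deployment the hidden per-user token is what ties the POST to the mail recipient; it should be unguessable, and if the forms can be reached from a logged-in session a separate CSRF token is still needed, since any site can submit a cross-origin POST form.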


> So it is misleading to say it is secure and that security is built in.

Well, it is a PR blogpost with literally the goal of wording the most basic and boring things in a way that sounds maximally sensational and groundbreaking without becoming a lie.

Example: see how they comment on the performance improvement. Instead of "compared to the previous major release, npm 5" it says "compared to 1 year ago".


Yeah, hopefully now they don't have a progress bar that consumes most of the running time :)


Most likely only popular packages, forget about making `npm publish` a free security review (unless it runs custom eslint rules for stuff like Regex backtracking, etc.).

And probably only guaranteed for a particular version.

And "guarantee" is probably too strong a word for it, unless there is a contract with some kind of liability attached.

Same for "security", from the wording of it, they promise notifying about vulnerabilities, not performing comprehensive audits.


I think the point was that a malicious actor gets early access to "exploits" by becoming a paid customer and has a lot of time to pwn the general public.

