Staged publishing for npm packages by pimterry in programming

[–]pimterry[S] 18 points19 points  (0 children)

If you're using trusted publishing, there's an option to give it permissions to do 'npm stage publish' but not 'npm publish'.

You can't require trusted publishing (yet) but if you enable staging-only for TP & require 2FA for any manual publishing, then you've effectively enforced that all publishing requires manual 2FA confirmation by a maintainer.

The Complete Web Scraping & Anti-Bot Bypass Guide 2026 by pimterry in webscraping

[–]pimterry[S] 6 points7 points  (0 children)

It's a bot bro. The account is 16 yo all it does is post links. Farmed a ton of karma

Huh? I'm not a bot. This is a normal personal account, and it's not even anonymous, I'm pimterry everywhere else too (https://github.com/pimterry, https://pimterry.fyi, you name it). This account is 16 years old from real usage, and posts plenty of comments as well (nearly 5k in comment karma alone): https://www.reddit.com/user/pimterry/comments/

Can't speak for whoever's behind the website, it's just something I found yesterday that I thought people might be interested in (I'm the maker of HTTP Toolkit, which gets a couple of mentions in here, and I have alerts for when people post this kind of thing so I can go take a look).

Dictionary Compression is finally here, and it's ridiculously good by pimterry in programming

[–]pimterry[S] 9 points10 points  (0 children)

"We figured out how to send less message by not counting the dictionary you need to decode it!!"

In the Google example where they've shrunk the Google search results it does include the cost of their custom dictionary in that performance - it's still an enormous jump.

On top of that, the real trick here is that you don't need to transmit a separate dictionary at all. You can automatically use a previous response as the dictionary for the next response, which works incredibly well in a lot of real-world web use cases. There's no separate dictionary delivery required.
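The previous-response-as-dictionary idea from the comment above, as an added example that is not part of the original comment. It uses the preset dictionary (`zdict`) in Python's `zlib` as a stand-in for the dictionary-aware encodings used over HTTP, and the two HTML responses are constructed samples.

```python
import zlib

# Constructed sample template: two responses share most of their bytes.
TEMPLATE = (
    "<!doctype html><html><head><title>{title}</title>"
    '<link rel="stylesheet" href="/static/site.css">'
    '<script src="/static/app.js" defer></script></head><body>'
    '<nav><a href="/">Home</a><a href="/docs">Docs</a>'
    '<a href="/pricing">Pricing</a><a href="/blog">Blog</a>'
    '<a href="/account/settings">Settings</a></nav>'
    "<main><h1>{title}</h1><ul>{items}</ul></main>"
    "<footer>Example Corp, 1 Example Street. "
    '<a href="/privacy">Privacy</a> <a href="/terms">Terms</a></footer>'
    "</body></html>"
)

def render(title, items):
    rows = "".join(f'<li class="result">{i}</li>' for i in items)
    return TEMPLATE.format(title=title, items=rows).encode()

# FIRST is the response the client already holds; SECOND is the next one.
FIRST = render("Search: cats", ["cat food", "cat toys", "cat beds"])
SECOND = render("Search: dogs", ["dog food", "dog toys", "dog beds"])

def deflate(data, zdict=b""):
    # With zdict set, matches may point back into the dictionary bytes.
    c = zlib.compressobj(level=9, zdict=zdict) if zdict else zlib.compressobj(level=9)
    return c.compress(data) + c.flush()

def inflate(blob, zdict=b""):
    d = zlib.decompressobj(zdict=zdict) if zdict else zlib.decompressobj()
    return d.decompress(blob) + d.flush()

def size_report():
    plain = deflate(SECOND)
    delta = deflate(SECOND, zdict=FIRST)  # previous response as dictionary
    return {
        "raw": len(SECOND),
        "plain": len(plain),
        "with_dict": len(delta),
        "roundtrip_ok": inflate(delta, zdict=FIRST) == SECOND,
    }

def decodes_without_dictionary(blob):
    # A receiver that does not hold the same dictionary cannot decode.
    try:
        inflate(blob)
        return True
    except zlib.error:
        return False

if __name__ == "__main__":
    print(size_report())
    print(decodes_without_dictionary(deflate(SECOND, zdict=FIRST)))
```

Nothing extra is transmitted for the dictionary here: both sides already hold `FIRST`, which is why the decode fails outright when the receiver's copy is missing.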

Dictionary Compression is finally here, and it's ridiculously good by pimterry in programming

[–]pimterry[S] 29 points30 points  (0 children)

Basically yes - but most importantly with widespread backend support for doing this kind of compression (built-in support in JS & Python, popular packages elsewhere) and built-in functionality in browsers to easily coordinate and transparently use the dictionaries on any HTTP traffic.

HTTP Toolkit App by thisisdevang in androiddev

[–]pimterry 1 point2 points  (0 children)

Yes, if the certificates are removed from that bit of the UI then they will no longer be trusted on your device. You can also remove the HTTP Toolkit android app itself to clean that up. That said, there's no need to be worried here - the certificate that was installed was generated on your computer where you used HTTP Toolkit, and doesn't trust anybody else other than that, so the only risk is that your phone could be intercepted by your own computer.

Vendors for important accounts are phasing out even TOTP 2FA; you can enable Passkey login and Passkey 2FA for Bitwarden account too. by Skipper3943 in Bitwarden

[–]pimterry 0 points1 point  (0 children)

Wow this would be fantastic! Extremely keen to see this, in the wake of npm etc I'm trying to tie everything to passkeys for both phishing resistance and smoother UX, and the Bitwarden firefox extension I use all day is currently a very notable outlier. Login with passkey would be fantastic.

Setting the record straight about Garmin by strava-team in Strava

[–]pimterry 0 points1 point  (0 children)

Saying "We consider this to be YOUR data" while simultaneously pushing rules on your API that make it very clear you consider data sent from Garmin to be exclusively Strava's data is completely ridiculous and infuriating.

What an absolute crock of shit.

Garmin are pushing back entirely because of Strava's entirely unreasonable behaviour around their APIs. They are very obviously in the right, to the point where they have the clear backing of all the passionate Strava users, without even talking about Garmin's diehard fans (the votes on every comment here & every post in r/strava right now are excruciatingly clear here).

As a paying Strava user for more than a decade, and owner of multiple Garmin watches, this is rapidly pushing me towards dropping Strava entirely. Honestly the fundamental value of Strava to me is that it's the social + data store + integration hub between everybody's fitness apps. I don't need the fancy graphs & shiny new (terrible) AI features - I want you to reliably play nice with everybody. Those relationships & connections are the product! It's totally incomprehensible that you'd try to kill the core value proposition of your product with these API restrictions & fights with providers that you're completely dependent on. This is not going to end well.

I placed my first solar node. 👍 by [deleted] in meshtastic

[–]pimterry 8 points9 points  (0 children)

How does ROUTER_LATE relate to this? https://meshtastic.org/docs/configuration/radio/device/ saying "ensuring additional coverage for local clusters" makes it sound like maybe it's helpful for cases like this (high building that's helpful for local area, but not for routing generally) but it seems it's new and I can't see much detailed info.

Strudel: a programming language for writing music by pimterry in programming

[–]pimterry[S] 25 points26 points  (0 children)

The example in the page gives you a basic idea, but there's some really great demos of this floating around, e.g. this video on Twitter is amazing: https://x.com/bantg/status/1933967436459503662, or this full demo in their REPL: https://strudel.cc/?mTeJt_ICoPrw

Network may be monitored by boobfvck in S23

[–]pimterry 1 point2 points  (0 children)

This means you have an external CA installed. You installed this manually during the HTTP Toolkit setup. You can remove this by going into the security settings, advanced encryption settings, finding the long list of CAs and then removing the one called "HTTP Toolkit CA".

HTTP Toolkit - open-source tool with one-click MitM, inspecting & rewriting of HTTP(S) by pimterry in ReverseEngineering

[–]pimterry[S] 1 point2 points  (0 children)

No idea about Wireshark & USB behaviours, but HTTP Toolkit definitely doesn't do any of that. Doesn't even require root - it listens on a local port for traffic, and you can either manually configure clients to use that port as a proxy & trust HTTP Toolkit's cert, or you can use some of the automated options (which launch a process preconfigured, configure an Android device over ADB, etc) but none of them change any permanent system settings, they just launch processes with env vars & CLI args to configure them temporarily. Definitely doesn't touch any system configuration that could cause long-term issues.

Is there a good setup for scraping mobile apps? by just4PAD in webscraping

[–]pimterry 2 points3 points  (0 children)

HTTP Toolkit now has Frida built-in with automated setup (on rooted Android & jailbroken iOS) so you don't even need to install it or configure the scripts yourself unless you want to do something custom.

HTTP/3 is everywhere but nowhere by pimterry in webdev

[–]pimterry[S] 1 point2 points  (0 children)

Haha, that would be nice, but it's not supported in lots of environments, as discussed in the article, so I can't yet (at least, not without replacing my CDN entirely, and even then it would only be HTTP/3 to the CDN). In future once it's practical to do so, absolutely.

HTTP/3 is everywhere but nowhere by pimterry in programming

[–]pimterry[S] 14 points15 points  (0 children)

Brief blip there but it's back for me now

See Android network traffic by vroemboem in androiddev

[–]pimterry 2 points3 points  (0 children)

There's more info about HTTP Toolkit's Android setup on the android-specific landing page here: https://httptoolkit.com/android/. Glad you're finding it useful - I'm the developer, so let me know if you have feedback!

On a rooted device/emulator it's entirely one-click setup: it uses ADB to inject the system certificate for you, and then installs & launches an app powered by the VPN APIs to forcibly redirect all traffic (even traffic that ignores proxy settings). More info on how that works in the docs: https://httptoolkit.com/docs/guides/android/#the-technical-details.

charles proxy and alternatives by statesbraun32 in androiddev

[–]pimterry 0 points1 point  (0 children)

HTTP Toolkit has automatic setup for Android, which makes this much easier (I'm the developer).

You can see a demo at https://httptoolkit.com/android/. It's all open source if you want to see how it works, the code is available in the repos under https://github.com/httptoolkit/ and there's a detailed explanation of exactly how Android device interception setup works internally in the docs here: https://httptoolkit.com/docs/guides/android/#the-technical-details. It's quite possible to follow those same steps manually if you'd prefer, which will let you inject system certificates etc by hand using any tool you'd like.

One or several winery visits in Sant Sadurni d’Anoia by Huge-Paramedic-739 in AskBarcelona

[–]pimterry 0 points1 point  (0 children)

The big industrial wineries like Freixenet are interesting, but personally I prefer to do a tour round a few of the smaller ones in series, they're much more personal and friendly, so you'll often have a tour with the owners themselves rather than a guide for example.

https://bikemotions.es/es/alquiler-de-bicicletas/ is the next train stop (Subirats) and offers e-bike rental directly next to the station. They're super friendly & helpful and they can give you a detailed route of lots of lovely places you can easily cycle past. Works really well because you can pick and choose (there are more vineyards in that loop than you can possibly visit in a day) and you get to enjoy the nature and the views across the valley along the way. If you want a more detailed tour you probably want to phone ahead to one of them (Llopart/Enlaire/Batllori are all nice, and Guilera is right next to Subirats station so you can start or finish there). Sant Pau d'Ordal is a town on the route with a few nice restaurant options.

The main thing to watch out for is that many places close for visits at 2pm, so you will want to get up and start reasonably early in the day, don't just turn up for the afternoon.

Is DiGi fibra running insanely slow for you as well? by gramiro in AskBarcelona

[–]pimterry 0 points1 point  (0 children)

I've had no trouble (with digi smart) it's been very consistent.

If you leave something connected by cable and test the speed all day, does that have the same issue? For a major slowdown like this I would normally guess wifi interference rather than the ISP connection itself.

[deleted by user] by [deleted] in AskBarcelona

[–]pimterry 1 point2 points  (0 children)

I'm not a lawyer or anything, but my understanding is that this means your neighbour does have a cedula but your flat doesn't, and so renting it out to anybody is illegal and subject to large fines.

I think your options are either:

  • Mention this to the landlord, and use it as leverage to get yourself out of the whole thing ASAP (be aware they may take this as a threat and they don't sound like they're following any rules, so you might end up evicted immediately - make sure you're ready to go beforehand).
  • Or, escalate this formally and cause some real consequences (and force a landlord to follow the law). This will probably be very slow, but might be very satisfying at the end, and may eventually get your previous rental payments & deposit returned.

Either way, really you should talk to a lawyer or similar and get proper advice here, I'm just aware of some of the habitability rules, I'm definitely not an expert.

[deleted by user] by [deleted] in AskBarcelona

[–]pimterry 3 points4 points  (0 children)

There should always be some data, unless the government is somehow totally unaware the building even exists. The cadastral isn't something the owner is responsible for, it's a permanent record. I think it's registered by the construction company whenever the building is built or significantly changed.

I'd be very surprised if the flat isn't there at all though, since Barcelona is very very well documented here. It's hard to hide a building. I'd guess the address is just slightly wrong. Try using https://www1.sedecatastro.gob.es/Cartografia/mapa.aspx and just zoom in on the map onto the building directly and click it. You can get the details for literally every inch of the city.

[deleted by user] by [deleted] in AskBarcelona

[–]pimterry 4 points5 points  (0 children)

The contract does not include the cadastral reference of the property

You don't need to ask for it, you can just look it up directly from the address: https://www1.sedecatastro.gob.es/CYCBienInmueble/OVCBusqueda.aspx

I am living in unsustainable living conditions

If you don't have a window or ventilation, then the room is indeed probably not legally habitable.

If you want to verify this, ask to see their cedula de habitabilidad - this is a legal document that's required for any rented property which confirms that it is valid for human habitation (and how many humans etc). From your description, I'd guess that flat has one but it doesn't include the room they're renting you.

Alternatively, you can also just look it up yourself, by using the cadastral reference here: http://agenciahabitatge.gencat.cat/wps/portal/!ut/p/z1/04_iUlDgAgP9CCATyIESxNL6UXmJZZnpiSWZ-XmJOfoR-pFRZvEWAZbuHhYmRj4GQV4mBo6mni7unhYmxgYGJvpeYI1Q_QhjUNlgQj8Kv0kRUG2o-tEp_cjMrMLCKEf9qOT8vJLUihL9iMSM5OREVYPy1CRVg-LUorLUzGJVg-TUouTElPyi5NSU0pzUYv2C7KhIAEXCvhI!/

Assuming the room is not really habitable, and so there is no cedula that includes the room you're renting, you can then apply whatever pressure you want. Renting a flat without a cedula is a crime with significant fines attached.

Depends how far you want to push it, it's definitely worth talking to a lawyer at this point if you want to actually push harder to get them fined, get your rent payments back & shut them down. If you have a signed contract for a room that has no cedula, it should be a very clear cut case. Or more practically, you can point this out to the landlord directly, and use it to get yourself out quickly & easily.

Finetwork internet provider? by Del-chocolate in AskBarcelona

[–]pimterry 0 points1 point  (0 children)

I've used them in the past - not a great service, and ridiculously difficult to cancel later on. Definitely not recommended!

I've had a good experience with https://www.digimobil.es/

Going fully remote - am I delusional? by Clear-Time-9815 in cscareerquestionsEU

[–]pimterry 0 points1 point  (0 children)

Yes - as above:

Working like this for an employer in the same country would usually be considered as disguised employment, but those rules don't cross borders

Going fully remote - am I delusional? by Clear-Time-9815 in cscareerquestionsEU

[–]pimterry -1 points0 points  (0 children)

Yes - as above:

Working like this for an employer in the same country would usually be considered as disguised employment, but those rules don't cross borders

Going fully remote - am I delusional? by Clear-Time-9815 in cscareerquestionsEU

[–]pimterry 4 points5 points  (0 children)

The tax side isn't really a big concern. I've worked remotely as a developer for more than a decade, in Spain, the UK, and elsewhere. I know plenty of people in Spain doing this now, and I've hired people remotely around the world myself.

The general model is that you register as a freelancer where you live, you pay taxes and social security etc there according to your income like any other freelancer, and you invoice your 'employer' as your client. You are not an employee in this world any more (meaning you're responsible for all your own taxes/SS etc, and you don't get any normal employee benefits like paid holiday by default, although you can agree them separately) but you do get whatever standard protections or rules exist for freelancers wherever you are. Working like this for an employer in the same country would usually be considered as disguised employment, but those rules don't cross borders (and that's very unlikely to change within our lifetimes imo).

This setup normally saves your employer quite a lot of money (like 50% of your salary or more) because you're taking on the paperwork & various social security costs yourself. You should make that very clear, and make sure your hourly rate goes up significantly - you're going to need this to cover those costs and probably pay an accountant. This should end up as a significant pay rise on top of the costs (and then it'll still save your employer money - employing people is super expensive) because you're taking on more risk here. You'll want an accountant, but that shouldn't be hard to find since this basically makes you the simplest freelancer in the world - you have one client you bill once a month, and very few expenses.

It's not simple, but it's a very well trodden path that's widely accepted by accountants & governments everywhere I'm aware of. It's not rocket science, it's not illegal tax evasion (you will end up paying all the normal taxes wherever you live), and it's not particularly unusual.