Comment by arianvanp

2 days ago

I hate everything about the Claude Code plugin system. They saw the GitHub Actions supply chain fiasco and said: great, let's add hallucinations on top.

It's that bad. It's embarrassingly bad.

No lock files. Nothing. And then most plugins in turn install MCPs from PyPI with uvx, so you have two layers of no pinning.

It's a supply chain nightmare. It's so bad that I'm ashamed for our industry.

Yeah, uvx gets abused out of its convenience. uv has many useful features like dev dependencies and inline dependencies that are much more reliable than uvx.

One tip for in-line dependencies: set a max date to lock your packages - reliable and simple for small scripts.

Nix plus flakes (and optionally devenv) is such a great baseline to operate agents in. So much less thinking about dependencies on various runtime platforms, and you get pinning out of the box.

Doesn't support Windows though.

And then it runs out of your home directory and slurps up your secrets.

It's completely asinine to install npm globals these days, especially one that is such a juicy supply chain attack target.