洪民憙 (Hong Minhee): @shinspiegel That's a fair concern in general, but it applies to any dependency, not just CLI parsers. Optique's core package has zero runtime dependencies, which keeps the attack surface minimal. If supply chain security is a priority, you could also vendor the code or pin to specific versions. That said, manually parsing process.argv for anything beyond trivial cases tends to introduce its own bugs.

Syntax	Description	Examples
`"` keyword `"`	Finds the string within quotes, including spaces. Case-insensitive. (Escape quotes inside with `\"`)	`"Hackers' Pub"`
`from:` handle	Finds content written by the specified user.	`from:hongminhee` `from:hongminhee@hollo.social`
`lang:` ISO 639-1	Finds content written in the specified language.	`lang:en`
`#` tag	Finds content with the specified tag. Case-insensitive.	`#HackersPub`
condition condition	Finds content that satisfies both conditions on either side of the space (logical AND).	`"Hackers' Pub" lang:en`
condition `OR` condition	Finds content that satisfies at least one of the conditions on either side of the OR operator (logical OR).	`#HackersPub OR "Hackers' Pub" lang:en`
`(` condition `)`	Combines the operators within the parentheses first.	`(#HackersPub OR "Hackers' Pub" OR "Hackers Pub") lang:en`

Jeferson 'Shin' @shinspiegel@mastodon.social

1/6/2026, 9:21:37 AM

Public

@hongminhee洪民憙 (Hong Minhee) im not sure if i agree with the main context of the post, I do understand the reasoning behind it, but using a library is just moving this to a third party, making a target for chain attacks…

洪民憙 (Hong Minhee) @hongminhee@hackers.pub

1/6/2026, 9:34:32 AM

Public

@shinspiegelJeferson 'Shin' That's a fair concern in general, but it applies to any dependency, not just CLI parsers. Optique's core package has zero runtime dependencies, which keeps the attack surface minimal. If supply chain security is a priority, you could also vendor the code or pin to specific versions. That said, manually parsing process.argv for anything beyond trivial cases tends to introduce its own bugs.

If you have a fediverse account, you can reply to this note from your own instance. Search https://hackers.pub/ap/notes/019b92a8-764c-7b4e-99e2-686119accc34 on your instance and reply to it.

Jeferson 'Shin' @shinspiegel@mastodon.social

1/6/2026, 9:40:10 AM

Public

@hongminhee洪民憙 (Hong Minhee) Good point. But if I may ask, how often do your CLI tools and utilities require more than 2~5 arguments? In my professional (and personal) work, I think I encountered a couple of cases, which we broke down into two/three different utilities and used the stdin/stdout with good piping.