@shinspiegelJeferson 'Shin' That's a fair concern in general, but it applies to any dependency, not just CLI parsers. Optique's core package has zero runtime dependencies, which keeps the attack surface minimal. If supply chain security is a priority, you could also vendor the code or pin to specific versions. That said, manually parsing process.argv for anything beyond trivial cases tends to introduce its own bugs.