Wouldn't this just make the number of packages that can be targeted smaller? E.g. I publish a testrunner that needs to install Headless Chrome if not present via postinstall. People trust me and put the package on their allowlist. My account gets compromised and a malicious update is published. People execute malicious code they have never vetted.
I do understand this is still better than npm right now, but it's still broken.
You spell out a lot of examples, but all of them are purely technical. What is it that you can deliver to the user using Node that you cannot deliver using Django? This is a genuine question.
Congrats on building this. But, please do not auto translate your website content, English is fine. For my language the part about trust is really cringe, which is not really building trust, you know.
Only tangentially related, but maybe helpful still: If you struggle with OCD, the books by Sally Winston and Martin Seif are pure gold. There's nothing that helped me finding a way to deal with OCD like they did.