Issue #11: Around the World


🎶 All around the world, we could make time rompin’ and a-stompin’… 🎶

Today we’ll visit the USA and China, the UK and Algeria, Portugal and Japan. As a bonus, we will find a life hack against developer migraines in the deserts of the Arabian Peninsula.

The Good

We usually don’t talk about Parcel here (as Vite has won, of course), but here we go: version 2.14.0 brought support for React Server Components (RSC), which is huge because you don’t need Next.js for that anymore (other reasons to ditch Next.js are down below too, don’t miss out). Moreover, you can adopt RSC in your SPAs progressively, which is a very nice perk, along with the possibility of server rendering or static prerendering. There’s a whole bunch of other updates in this release (against this background even the regular updates of the new version of Astro fade a bit), so if you’re considering alternatives to the bigger players, this is the sign. Looks like Parcel is becoming another full-featured metaframework-like tool for React after all.

TanStack has been gaining more momentum lately with its fine-grained approach to developer tooling around web applications. In the recent post “Next.js vs TanStack” Kyle Gill proves (once again) that sometimes the complexity of Next.js is total overkill. As Jack Herrington, one of the TanStack maintainers, put it on a recent episode of the ConTejas Code Podcast, using tools like Next.js is similar to going to a guitar shop to get a guitar and being sold a mixer, amplifiers, headphones, and a lot more in addition. So maybe TanStack is a better guitar indeed? One can only decide for themselves.

The Bad

The previous metaframework week was marked by a huge scandal around the middleware security vulnerability in Next.js. It was a chain of informational events of different sorts where proponents and opponents of the metaframework rejoiced and grieved with varying success.

There haven’t been many cases of this sort before (it’s a critical-severity zero-day vulnerability affecting Next.js versions starting from the 11th, and potentially bringing down a huge part of the React-based web application market). It became a reason for different companies and individuals to blame Vercel and the Next.js team, which is fair but still a bit one-sided, as Next.js is just a product built by people, as is everything around us. The same week also brought (less critical, but still) vulnerability findings in Nuxt (also a middleware issue, BTW) and Vite (the beautiful one, IMO), for instance. There were also some early findings that (luckily) made it possible to protect the vulnerable code with workarounds until the dependencies are patched, which is very cool (and that’s what security tools should look into more and more, in a semi-automated way at least).

What was interesting for me personally in this whole story is the person who spotted the vulnerability. His name is Rachid Allam, he’s from Algeria (Eid Mubarak, my friend!), and he has a lot of other findings (including very interesting Next.js stories) under his belt. The aforementioned Nuxt vulnerability is his report too, BTW (how’s that, huh?!). I was really stoked to read his research, and specifically this last notorious piece, which he did with his brother (presumably — those hackers, you know!) Yasser, causing all this chaos in the [mostly calm] metaframeworks security world.

This is probably an unpopular opinion, but we need more researchers and research like that — in the end, it helps the industry develop best practices and tools that prevent the drastic aftermath of adversarial acts. Metaframeworks have a lot of very specific security problems, and finding (and tackling) them helps to make this technical corner of the world better (and don’t forget to use the proper way of bringing that to life, as, for instance, Jacob Kaplan-Moss, one of the Django inventors, suggests).

The Noteworthy

And traveling on through this very world, we get to beautiful Barcelona, where Aral Roca has brought to life the new version of Brisa (with improved security docs, BTW, which is trendy, as we saw). And while the changes in such small tools are not huge either, as a rule (but I could say the same about the minor React Router updates, for instance — which is a much bigger and more ubiquitous tool, FWIW), it’s so cool to see its development progressing and gaining new capabilities and features.

Talking about capabilities and features, yours truly [virtually] travelled to China last weekend to find out what UmiJS, the huge metaframework-like tooling ecosystem, actually is and how it works. Turns out there’s more to the world than Vite, and Chinese enterprise developers have access to a decently innovative set of tools and technologies for building web applications and web sites.

I did that to get distracted from my migraine, actually. And as I mentioned at the very beginning, here’s the long-awaited recipe against it (to you, my patient long-reads fiend!), if it’s something that tortures you too these AI-hype-overloaded days (no, there’s no anti-migraine MCP server, sorry!). I (being a British scientist of a sort) did a small piece of practical research which showed that for software developers the flow state is the best cure against headaches and migraines. And on the contrary, multitasking and excessive social communication (both offline and online) are the worst pain-provokers. So I recommend that you add this newsletter issue to your favourites (or share it with a friend), close the browser, put on your headphones with a lo-fi jazz playlist, open your AI-disabled IDE in focus mode, and start chilling.

That’s what we all are here for eventually.

👋
