Issue #13: Space Oddity


🎵 …And I think my spaceship knows which way to go… 🎵

The tech world loves new software and tooling launches. This love led to great projects like ProductHunt, which became a kind of social network by itself. And launching and re-launching something became a routine for many, part of the job. For others it became a purely commercial (or just addictive?) nerve-racking gig where you can hit the jackpot (if you’re lucky) and hardly risk anything (otherwise) except for a reputation, which has a pretty low bar these days. The best thing is when the launch is a labor of love, a newly born child, unique and brilliant (with no integrated AI assistant hopefully).

I mentioned one interesting launch last time (which went a weird way and looks a bit doomed to me now but maybe we just don’t know all the things yet) — and this is in fact another kind of launch (I’d call it a “Cosa Nostra” launch where only the Family is in business and aware of the actual goals). But today we’re going to get into some other interesting new stuff of different sorts — from hippopotamus-like Next.js to dark horses like Proton, and everything in between.

The Good

Everyone would assume that a framework called Astro (the one with a rocket logo) knows a thing or two about launches. And it wouldn’t be a mistake. The Astro guys (even without Ben) held a very cool launch week full of new goodies and news. You can find the summary in the official recap thread on Bluesky, in the v5.7 release blog post, and in the Starlight April Update, among other resources. What I’m very excited about is that the team constantly delivers new capabilities and APIs for the ecosystem, and this new format of releasing them makes the whole process a huge developer party — which is something other vendors should steal and practice.

And one of them, Next.js, has actually also come out with the shiny new update v15.3, bringing significant performance improvements to the tooling and the framework ecosystem, along with new navigation hooks. I mean, the list doesn’t sound too impressive and there were no launch fireworks (probably because of the relatively recent hard times on the security side), but the amount of improvements included is overwhelming, even though not that shiny. Which for complex mainstream tools like Next.js is very impressive and gives much hope for a stable future.

The Bad

To help Next.js fans strengthen the stability position mentioned above, the Arcjet team came up with a good set of advice on securing the framework from existing and new vulnerabilities (yes, those you could hardly have missed). Of course, this is a product advertisement, but it’s a good product and (as a security person) I wish there were more proactive protection tools bringing reliable security in the modern era of AI-driven vulnerability neglect.

And while this market is served poorly, our good friend Rachid will help us by finding problems early and helping vendors mitigate them. In the new research on React Router vulnerabilities, the noble bounty hunter finds a high-severity vulnerability in the framework that even allows working around tools like web application firewalls (WAF), which won’t give even the Arcjet guys a chance to protect you. The mechanics are quite similar to the researcher’s findings in the corresponding earlier vulnerability reports for Next.js and Nuxt, which means the ecosystem needs to revisit the routing and middleware patterns from the ground up.

The vulnerability is patched, so make sure to update your dependencies as usual (or just approve Dependabot’s PR).

The Noteworthy

Against the backdrop of the loud events happening on the big-name scene, smaller tools like Waku proceed to conquer their niche of simplicity, individuality, and streamlined innovation. The team delivered the API routes feature, eventually making it a full-blown metaframework for grown-ups. Now you can not only use the mysterious but enticing React Server Components (RSC) without the burden of Next.js’ CVEs but also build a full-stack application with one slick and elegant tool using habitual patterns from neighbouring framework ecosystems.

And for those who want to go even deeper into minimalist development approaches, Valery Zinchenko suggests trying his new “frameworkless framework” called Proton. While the “tool-less” ways rarely find a huge, loud following, the author tries to prove that it’s possible to go with lightweight libraries and patterns and not lose anything on the way. They even came up with a way to provide slick plug-n-play SSR support, making this approach a good field for full-stack webapp experiments.

But if you “meh” the vanilla heretics off and prefer proven (though vulnerable, as we found earlier) tools, Mark Dalgleish can help you with it by making your React (and React Router specifically) apps faster with granular lazy loading. It’s worth giving it a try even if you shudder hearing the word “middleware”, which is mentioned in the article.

All in all, these loud and silent launches bring a lot of FOMO and mental itch into developer life, so I have something comforting and calming for you at the end of this issue. Of course it is a new JS framework book! And it is not just your random book on Hygge or another illustrated Spiderman story — it’s the new masterpiece from Dr. Axel Rauschmayer, the JavaScript and TypeScript guru and insightful long-time educator. It’s called “Exploring TypeScript” and is available for free reading. And if you’re into this kind of thing and have never heard about the author, check out some of their earlier works; you won’t regret the hours spent with a hot mug, warm plaid, and several chapters on enums or type casting.

That’s what I’m coming back to until the next time.

👋
