Issue #31: The Road To Mandalay
🎵 Everything I touched was golden, everything I loved got broken… 🎵
Trends are like roads — they help and guide, but with that they can also mislead away from the secluded places of simplicity, safety, and beauty or even accompany us to dark sinister corners of the world. Today we’re going to look at trends proven to be good and useful, but also at those that emerge to be ubiquitously malicious and growing. Hopefully, we’re witnessing evolution and (sometimes) the rebirth of the light side, though to help it, we need to be well aware of the intrigues of the dark one.
The Good
Matt Brophy from the React Router team announced the stabilization of the middleware feature in Remix/React Router. This is something that each metaframework historically considers a good practice to have, even though it brings a lot of implications and concerns sometimes. And that’s something the author dives deeply into in the blog post (and the related decision doc). His colleague Mark Dalgleish also made quite a comprehensive overview of this feature and the reasoning behind it in the recent episode of the PodRocket podcast too.
All in all, with straightforward RSC support, and now middleware and the Context API among other cool updates in v7.9, React Router (already one of the most popular tools in the full-stack React ecosystem) and Remix keep evolving into a full-blown, all-encompassing metaframework for complex web apps without limits. Hopefully the team is also aware of the security risks that middleware opens up, on top of the other modern security fears.
And there’s no shortage of them, unfortunately, lately.
The Bad
There were several attacks on the npm ecosystem during the last couple of weeks, which still echo loudly, bringing anxiety about the possibility of future similar events (not only in the Node.js world).
While the first huge attack was the result of almost trivial phishing, the second and the following waves were more sophisticated and even got their cool codename “Shai-Hulud”. The security team at Wiz found connections between the latter and the recent nx attack I wrote about too:
Based on victimology, Wiz Research assesses this activity is tied to the recent s1ngularity / Nx supply chain attack, where initial GitHub token theft enabled the broader chain of compromise and leaking of formerly private repositories.
These attacks hit the community hard and prompted a lot of timely analysis of the root causes and of the ways the ecosystem can avoid falling victim to such threats again. Popular educator Maximilian Schwarzmüller talked about that on their podcast — with quite approachable context and advice. Some tooling providers like pnpm started to think about technical ways to mitigate the problem. And of course the simplest idea, preventing the problem by removing its possible sources altogether, occurs to clever minds more and more too.
What’s good is that the news taught developers a bit about security and incentivized them to think about the contents of their package-lock.json files and about abbreviations like SBOM and what they are for.
The Noteworthy
And the last couple of weeks brought a lot of updates to our SBOMs indeed.
Version 2 of the hero of the previous issue — the Fresh metaframework — went stable with all the goodies included. The SvelteKit team released lazy discovery of remote functions in v2.39.0 and turned remote form functions’ payloads into POJOs afterwards. Version 1.2.0 of SolidStart, among other interesting things, brought more flexibility for working with static assets, and the Analog team in version 1.21.0 delivered the highly-anticipated content resources and loaders. Looking at the series of 1.0.0-alpha.x tags on the RedwoodSDK releases page, it is safe to assume the team is working pretty hard to deliver the first stable version of this new metaframework reincarnation. Meanwhile, the enthusiastic UmiJS team surprisingly shifts gears in terms of their bundler solution, from their own intriguingly-and-blazingly-fast Rust-based Mako to Vercel’s Turbopack as the foundation of their own utoopack (even though the Vercel team themselves actively discourage that). FWIW, I’m glad Evan You called their Webpack killer Rolldown and not Rollpack…
So as you can see, it was a pretty busy fortnight and it brought a lot of new awesomeness into the metaframework world, even though with a slightly bitter taste of worries and insecurities. The thing is, it was, is, and always will be like that and there’s no distinct and correct final destination on this road, only the journey itself. Let’s try to make that rewarding, no matter what.
👋