Issue #36: Run Run Rudolph
The Christmas season is officially open and everyone in the metaframeworks world is going crazy helping Santa deliver awesome features, tools, news, and other ecosystem gifts. Not all of them are nice, of course – the Grinches of the web world are not sleeping either – but still, the celebration is nearing, and today we’re gonna look at how we can make it even more fun, warm, engaging, or at least safe. Let’s consider all our options to date.
The Good
December is traditionally full of advents. They range from the global and generic, like the Advent of Code (well, that’s a challenge, I kid you not – a bit eased this year though) or the advent of AI (who would doubt it pops up!), to the more specific, like the awesome Halloween-and-Christmas-driven HTML hell advent – the one that feels a bit offensive, as I’m sure anyone can feel this dread of revealing their own sins, but still.
My favorite one though is the Advent of Svelte – it is always fun and engaging, and it doesn’t test your developer stamina in parallel to your end-of-year releases and city mall gift marathons. This year it is purely informational, educational, and entertaining, thanks to the team.
And if you’re not into any of those but still want to have some Christmas dev fun, check out this awesome list on GitHub – there is something for everyone in it, I believe.
Wait what?! You’re not into all this cheesy snowflake fun at all?! Read on, I’ve got something hot for ya!
The Bad
So who’s faster than metaframeworks vendors in coming up with new surprises and spicy topics? Of course it is the hackers. Some of them do it for good, and some bear cruel intentions.
On the good, ethical side, Astro continues to be a target for stress-testing by the metaframeworks hacker Rachid Allam, and this time the culprit behind the high-criticality vulnerability is Astro’s server islands, which provide a pathway for notorious cross-site scripting (XSS). Server islands, as a metaphor and a feature, have not been lucky lately in general. Another (critical!) vulnerability was found by Lachlan Davidson in React Server Components (RSC), and it can lead to even more dangerous remote code execution (RCE). Maybe it’s time to think about the aftermath that growing metaframeworks complexity leads us to. Anyway, not until we unpack Santa’s deliveries this year, so for now make sure to update to the latest non-vulnerable versions.
On a more evil side, the only boring npm hacking attack that got its own cool name — Shai Hulud — is back, causing drastic damage to the npm ecosystem and lots of popular packages, and leading to some interesting and thoughtful post-mortems from the vendor community this time. Some less loud vulnerabilities accompany it too, which again emphasizes that even though the tooling providers try to strike back, it is not enough and we need to think better.
But for now the companies working on tooling think more about other topics, like finding more sustainable ways of doing their work. On this wave, Bun decided to join the AI army and announced its acquisition by Vercel (😮‍💨) Anthropic. Is it good or bad? Hard to say now, but I really like Bun’s way of doing their job and their thought leadership strategy. Obviously I’m not the only one (congrats Anthropic!) and I want to believe that it is for the better in this industry and at this time.
The Noteworthy
Analog supplemented the recent regular Angular (❤️) release (21) with their new minor version 2.1.0, adding some Vite support improvements too. Astro brought a lot of cool stuff in November, which the guys talk about in their traditional monthly blog post and the newsletter, the biggest news being the latest minor version 5.16.0 with meaningful developer experience and agent experience improvements. But Bun and Astro are not the only ones famous for their DX love – the Oxc ecosystem widens its reach too with the alpha release of their new formatter, which is, as expected, blazingly fast and friendly and compatible.
Yours truly also constantly tries to do some pleasantries for this metaframeworks records home, and this time it is the archive search (check this out!) which will allow you to find the news and humble opinions about any technology mentioned here regularly. I hope it will be useful (for me – definitely – to spot some errors and stuff) but please let me know otherwise.
All in all, I believe there will be more cool (yeah!) and uncool (doh!) news in December, new tools and releases, new thoughts and people, and many more. Let’s believe and wait, and try to make our own good impact on that, so that Santa would know we’re good and jump into our chimneys first!
🤞