Issue #39: Dog Days Are Over
Consolidation of ecosystem efforts for developing robust tools and maintaining healthy enterprise-backed competition (and thus balance) in niche markets is a positive trend. Or not. You do you; everyone has opinions, hopes, and bets. But there’s definitely a positive side to large acquisitions and to open-source product teams getting monetary support as a result. Today we celebrate recent news, contemplate dangerous trends, and get ready to fight for our freedom JavaScript.
The Good
Right after I clicked the “Send” button for the latest issue of the Metaframework Records a couple of weeks ago, big news hit the metaframework community and stirred up its emotions: Astro, one of the most loved metaframeworks of modern times, was acquired by Cloudflare (one of the most inevitable cloud hosting platforms of modern times).
By working together, Cloudflare gives us the backing we need to keep innovating for our users. Now we can stop spending cycles worrying about building a business on top of Astro, and start focusing 100% on the code, with a shared vision to move the web forward.
Of course, there are different opinions on that, from
God damn, this is amazing.
(a random Reddit user)
through
thank god it wasn’t vercel lol
(another random Reddit user)
and up to
As someone who moved to Astro from Gatsby, this is PTSD triggering
(a third random Reddit user)
or
there are no incentives for cloudflare to make astro better, or even keep it around
(a random Hacker News user)
But in general, this is exciting news: a cool startup team got their exit, a cool open-source project got massive and stable financial support, and the web in general benefited (through Astro’s thoughtful Web-APIs-first approach and first-class support and polyfills for new native platform features).
Astro is my go-to tool for building websites these days, and I hope for the best here and that it stays around forever, maintaining its crazy innovation pace and not letting me and others rest between new version updates.
But even if it bites the dust as them haters predict, we got the exciting news here: sometimes they come back! The beloved friend of my youth, jQuery, just resurrected from yore with its version 4.0.0, and that’s a breaking change, no less.
We’ve trimmed legacy code, removed some previously-deprecated APIs, removed some internal-only parameters to public functions that were never documented, and dropped support for some “magic” behaviors that were overly complicated.
So if your JavaScript metaframeworks fatigue hits hard, you know what to do — you’re just one script tag away from the good old golden hammer for your annoying web nails.
The Bad
And the fatigue can actually hit pretty hard, especially in these dangerous days of never-ending npm vulnerabilities and attacks on our favourite tools.
The Svelte team has published a detailed announcement and advisories for the recent vulnerability disclosures affecting the framework’s ecosystem tooling.
Over the last few weeks, we’ve seen a spate of high profile vulnerabilities affecting popular tools across the web development ecosystem. While they are unfortunate, it has been encouraging to see the community pulling together to keep end users safe. Using the lessons learned from these vulnerabilities, we will invest in processes that will help catch future bugs during the writing and review phases, before they go live.
For us metaframework fiends, the most notable one is the high-severity SSRF vulnerability found by the notorious Rachid Alam in the SvelteKit code, along with a detailed accompanying research piece.
This issue stems from insufficient validation during origin construction, combined with subtle interactions between internal routing logic and request headers. Beyond SSRF, the same underlying behavior enables additional impact scenarios […]
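A defensive pattern for the origin-construction problem described above, written here as an added example (not SvelteKit’s own code): the origin comes either from an explicit configuration value or from an allow-listed host header that the operator has opted into, and a server-side fetch target is accepted only when it resolves onto that validated origin. The header names, host list and option names are assumptions for illustration.

```javascript
// Added example (not SvelteKit code): derive a request's origin from an
// explicit configured origin or from allow-listed host headers, so that a
// client-controlled header can never pick the host a server-side fetch hits.
const TRUSTED_HOSTS = new Set(["app.example.test", "app.example.test:8443"]); // constructed

function parseHostFromHeader(value) {
  // Reject missing or multi-valued headers (e.g. "a.test, b.test") outright.
  if (typeof value !== "string" || value.includes(",")) return null;
  const host = value.trim();
  // Plain host[:port] only: no userinfo ('@'), path ('/') or other junk.
  if (!/^[A-Za-z0-9.-]+(:\d{1,5})?$/.test(host)) return null;
  return host.toLowerCase();
}

function resolveOrigin(headers, options = {}) {
  const { origin, protocolHeader, hostHeader, trustedHosts = TRUSTED_HOSTS } = options;
  // 1. A fixed, configured origin always wins; request headers cannot override it.
  if (origin) return new URL(origin).origin;
  // 2. A forwarded host header is consulted only if the operator enabled it;
  //    otherwise the plain Host header is used, and either must be allow-listed.
  const rawHost = hostHeader ? headers[hostHeader.toLowerCase()] : headers["host"];
  const host = parseHostFromHeader(rawHost);
  if (!host || !trustedHosts.has(host)) return null;
  const proto = protocolHeader && headers[protocolHeader.toLowerCase()] === "https" ? "https" : "http";
  // Build through URL so the result is a normalised origin, nothing more.
  return new URL(`${proto}://${host}`).origin;
}

// Guard for internal fetches: a relative path must land on the validated
// origin. Protocol-relative inputs such as "//evil.test/x" resolve elsewhere
// and are refused.
function resolveInternalTarget(path, origin) {
  if (!origin) return null;
  const target = new URL(path, origin);
  return target.origin === origin ? target.href : null;
}
```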
But unfortunately, this vulnerability storm wasn’t the only thing that kept Vercel’s security team busy (again!).
Multiple high-severity vulnerabilities in React Server Components were responsibly disclosed. Importantly, these vulnerabilities do not allow for Remote Code Execution.
Fortunately, these disclosures were not caused by something like the recent adversarial Shai-Hulud attacks, which (not surprisingly) still echo around in new dangerous explorations.
Against this background it is especially nice to see that the community and web tooling ecosystems keep looking for good practices for maintaining code security, both from the inside, like the Lodash governance reboot story, and from the outside, through tools like Arcjet getting more and more stable.
The Noteworthy
The last two weeks didn’t bring too much excitement (nor negativity) otherwise (not counting the never-ending AI-driven hysteria, which we ignore to keep our sanity), so the most notable thing for me from other metaframework news was probably the new v4.3 release of Nuxt, bringing some niceties like setting layouts in route rules, awesome performance improvements, multiple DX improvements, and some useful helpers for plugin authors.
We’re closer than ever to the releases of Nuxt v5 and Nitro v3. In the coming weeks, the main branch of the Nuxt repository will begin receiving initial commits for Nuxt 5 […] But that’s enough about the future. We have a lot of good things for you today!
I’m glad that in today’s fast-moving world of constant tooling battles and innovations everyone can still choose for themselves, from the calm and homey creeks like jQuery or AngularJS to the charismatic and ambitious whirlwinds of Astro or SvelteKit. In the end, the rich and abundant world of JavaScript frameworks and metaframeworks helps us all build a better web world (or worlds) with our tools of preference, which I personally cannot help appreciating.
👋