Issue #47: Ka-Ching!
🎶 We spend the money that we don’t possess, our religion is to go and blow it all… 🎶
Today we talk about expenses and benefits, whether that’s JavaScript performance or selling your (or somebody else’s) labor of love. This area of the tech world is full of debatable decisions and risky bets, but in the end we know people and tools get through it. At least in most cases, right…
The Good
On the positive side of things, we have two interesting articles about the aforementioned performance bets that let us dig deeper into personal experience with metaframeworks and the technologies that power them.
Dennis Brotzky wrote a beautiful (probably even too beautiful) blog post in the form of insights from an interview with one of Conductor’s founders about their experience [vibe-]migrating the codebase from react-router to @tanstack/react-router. There’s a lot of technical excellence in both the decision and the process, including the fact that these technologies can move beyond web development into cross-platform desktop development with Tauri, bringing plenty of runtime specifics and debugging hurdles.
We’ve re-built Conductor from scratch to make it twice as fast. Creating tabs, switching workspaces, and rendering files are all 50% faster, memory usage is lower, and the app is 150 MB smaller.
Sankalpa Acharya wrote about the other side of the metaframeworks toolbox — server-client boundary construction during the application build process.
One interesting thing here is that React does not expose the exact same implementation to both environments. When we build an RSC app, we are effectively building for two different runtimes.
The source code example the author refers to is quite interesting on its own: a kind of metaframework based on Rspack (not Vite!), which is surprising and enticing.
The Bad
Speaking of bundlers and such: Vite, one of the biggest go-to ecosystems that metaframeworks are built on top of, along with all the projects and (more importantly) contributors around it, came under new governance, specifically Cloudflare’s, as part of the VoidZero acquisition deal. It wasn’t a big surprise for many people, as it was a predictable direction for an OSS-based, venture-backed company led by the Vue and Vite creator and supported by a brilliant team of OSS superstars. Of course, it brings some EvilCorp discourse, as many such acquisitions do, but ultimately the hope is greater sustainability for one of the most important pillars of the metaframeworks ecosystem, so that’s where we should focus our attention.
Rita Kozlov and Steve Faulkner of Cloudflare talked a lot about the process and the new direction for the team on the devtoolsFM podcast recently and shared a lot of insights about the way the company works with OSS these days. Another good thing is that Cloudflare, being big on security, will definitely help Vite face the vulnerability threats that pop up in the ecosystem almost constantly, even though almost all the tools are rewritten in airtight Rust.
But you know what else is often written in Rust? Right, cool new malware like Shai-Hulud and the gang. Rust and JavaScript/Node are wonderfully connected in this regard for some reason, with npm being a constant (and easy) target for adversaries. GitHub constantly tries to improve this, and in v12 npm will have good new security provisions borrowed from pnpm, so there’s some hope the situation will improve, but there are just so many moving parts…
For instance, tools like Nuxt and Vitest continue to process multiple new vulnerability reports time and time again, with some findings being critical. Check out your package.json on a regular basis; it’s a brave new world of tech security fatigue.
From this point of view, researchers like Rachid Allam look like new knights of the open-source metaframeworks world, working deeply inside the stack and publishing their thoughtful and insightful findings which eventually benefit not only the target technology but the wider web-dev community.
Although the vulnerability was exploited in Next.js, which, as we will see, met all the conditions for reliable exploitation, it stems from an unusual mistake: mirroring request headers into response headers.
And Next.js, being a complex and multifaceted construction, comes with a lot of hurdles by itself, unfortunately. New victims like Shubhra Pokhariya share their pains and gains related to recent upgrades, and old victims like the folks from CodePen share their Stockholm syndrome aftermath related to SSR.
All in all, isn’t this a fertile ground for research?
The Noteworthy
Release notes from popular metaframework repositories were also quite fertile for updates over the last couple of weeks.
The Svelte world brought a lot of cool updates, but the most anticipated set of news is on the releases page of SvelteKit, of course, where the version 3 train is heading toward its official publishing date at full steam.
More or less the same goes on the Astro side with preparations for version 7 and corresponding breaking changes.
The Analog team published a new minor, 2.6.0, with support for the new Angular 22. Quasar also published a new minor, 2.20.0, with lots of quality-of-life improvements and codebase modernizations.
The final thing for today is slightly weird (but near and dear to my heart, of course) news about a revival fork of Gridsome (good old Vue-based static site generator) called Gridmix. This is a personal project of mine, and I’ll probably write more about it later, but for now — let me know if that rings a bell in your heart too.
You see, this fortnight was quite rich in bright bets, wins, and losses. It’s always a matter of opinion how to refer to each of these events, but that’s great too, because it’s a shame to doubt your own luck and preferences, and even if your card doesn’t play out well, you know you had a great time believing in yourself and being bold and daring.
👋