Simply hosting a front-end only app is almost free on several platforms (e.g. Cloudflare). Certainly less than the $99 Apple developer membership fee. It starts getting more expensive once you add back-end servers and…
What do you mean by runtime? The JavaScript runtimes, like V8? Yeah those are impressively fast for a dynamically typed ”scripting” language, but that has little to do with TS. TypeScript’s work ends at compilation.
For me, the main benefit is deployment bundle/artifact size reduction. Mostly from dropping unneeded files from node_modules. Many packages include both esm and cjs builds, sources, docs, TS types, etc. stuff that you…
It's an interesting discussion, but I think simply outputting text can make the software "malware", even if the output isn't executable. What if the output was To use jqwik, please login to your Office 365 account:…
Reminds me of the back and forth competition between Node.js and io.js that we had to endure back in the day. Worked out for the best in the end.
minimumReleaseAge and lockfiles also pin down transitive dependencies.
Number 1 would only be a win for zero-installs if it happened that registry was up when you made the security hotfix, since you'd need to install the depdencency the first time to get it in VC, but then suddenly down…
> Run Yarn in zero-installs mode (or equivalent for your package manager). Every new or changed dependency gets checked in. Idk, lockfiles provide almost as good protection without putting the binaries in git. At least…
- saves infra costs - saves infra headaches - devs only need to be experts in one system (or well I guess one and a half, probably there's something to learn about ParadeDB too, but probably less than in learning…
At TypeScript-level, I think simply disallowing them makes much more sense. You can already replace .push with .concat, .sort with .toSorted, etc. to get the non-mutating behavior so why complicate things.
I don't have much experience in dedicated vector databases, I've only used pgvector, so pardon me if there's an obvious answer to this, but how do people do similarity search combined with other filters and pagination…
Ehh what. I would give some merit to arguments like "no one should use lodash in 2025 because you can do most of it with built-ins nowadays" or maybe because it doesn't tree-shake well or maybe even because it doesn't…
The post links to a TS issue [1] that explains > As of TypeScript 5.0, the project's output target was switched from es5 to es2018 as part of a transition to ECMAScript modules. This meant that TypeScript could rely on…
I don't think pinning deps will help you much, as these incidents often affect transitive dependencies not listed in package.json. package-lock.json is there to protect against automatic upgrades. I know there are some…
The main issue there is that the maintainer lost access to their account. Yanking malicious packages is better, but even just being able to release new patch versions would've stopped the spread, but they were not able…
fzf [1] provides the TUI. 1: https://github.com/junegunn/fzf
According to the description in advisory, this attack was in a postinstall script. So it would've helped in this case with nx. Even if you ran the tool, this particular attack wouldn't have been triggered if you had…
Periodic reminder to disable npm install scripts. npm config set ignore-scripts true [--global] It's easy to do both at project level and globally, and these days there are quite few legit packages that don't work…
My guess would be because they affect property ordering, complicating the stringification. The default object property iteration rules in JS define that numeric properties are traversed first in their numeric order, and…
SeaQuery looks like a similar dynamic query builder for Rust as Kysely is for JS/TS, so yeah, that'd probably solve the dynamic query problem. But I think parent wasn't so much asking for another library but for…
To quote a TV show Community character Jeff Winger: > What makes humans different from other animals? We're the only species on earth that observes Shark Week. Sharks don't even observe Shark Week, but we do. For the…
Yes. And that is what a client should 100% do from the security standpoint. But since you mention caching - from the perf standpoint, it could sometimes be beneficial for the query planner to know the values before…
They seem to be measuring things like how long it takes for the dev server to spin up, and how long HMR updates take. I don't think ESBuild offers these features out of the box. I guess it could be in the "Cold build"…
Does the JSON spec actually say that those objects should be "equal", or does it just leave that detail to implementations? In JavaScript at least, those two are not exactly "the same", in the sense that you can observe…
It's great that Temporal is coming, and I'm sure there are bunch of other nice things coming up too, but unfortunately I don't share your optimism with the specific proposals that you mention (even though those would be…
Simply hosting a front-end only app is almost free on several platforms (e.g. Cloudflare). Certainly less than the $99 Apple developer membership fee. It starts getting more expensive once you add back-end servers and…
What do you mean by runtime? The JavaScript runtimes, like V8? Yeah those are impressively fast for a dynamically typed ”scripting” language, but that has little to do with TS. TypeScript’s work ends at compilation.
For me, the main benefit is deployment bundle/artifact size reduction. Mostly from dropping unneeded files from node_modules. Many packages include both esm and cjs builds, sources, docs, TS types, etc. stuff that you…
It's an interesting discussion, but I think simply outputting text can make the software "malware", even if the output isn't executable. What if the output was To use jqwik, please login to your Office 365 account:…
Reminds me of the back and forth competition between Node.js and io.js that we had to endure back in the day. Worked out for the best in the end.
minimumReleaseAge and lockfiles also pin down transitive dependencies.
Number 1 would only be a win for zero-installs if it happened that registry was up when you made the security hotfix, since you'd need to install the depdencency the first time to get it in VC, but then suddenly down…
> Run Yarn in zero-installs mode (or equivalent for your package manager). Every new or changed dependency gets checked in. Idk, lockfiles provide almost as good protection without putting the binaries in git. At least…
- saves infra costs - saves infra headaches - devs only need to be experts in one system (or well I guess one and a half, probably there's something to learn about ParadeDB too, but probably less than in learning…
At TypeScript-level, I think simply disallowing them makes much more sense. You can already replace .push with .concat, .sort with .toSorted, etc. to get the non-mutating behavior so why complicate things.
I don't have much experience in dedicated vector databases, I've only used pgvector, so pardon me if there's an obvious answer to this, but how do people do similarity search combined with other filters and pagination…
Ehh what. I would give some merit to arguments like "no one should use lodash in 2025 because you can do most of it with built-ins nowadays" or maybe because it doesn't tree-shake well or maybe even because it doesn't…
The post links to a TS issue [1] that explains > As of TypeScript 5.0, the project's output target was switched from es5 to es2018 as part of a transition to ECMAScript modules. This meant that TypeScript could rely on…
I don't think pinning deps will help you much, as these incidents often affect transitive dependencies not listed in package.json. package-lock.json is there to protect against automatic upgrades. I know there are some…
The main issue there is that the maintainer lost access to their account. Yanking malicious packages is better, but even just being able to release new patch versions would've stopped the spread, but they were not able…
fzf [1] provides the TUI. 1: https://github.com/junegunn/fzf
According to the description in advisory, this attack was in a postinstall script. So it would've helped in this case with nx. Even if you ran the tool, this particular attack wouldn't have been triggered if you had…
Periodic reminder to disable npm install scripts. npm config set ignore-scripts true [--global] It's easy to do both at project level and globally, and these days there are quite few legit packages that don't work…
My guess would be because they affect property ordering, complicating the stringification. The default object property iteration rules in JS define that numeric properties are traversed first in their numeric order, and…
SeaQuery looks like a similar dynamic query builder for Rust as Kysely is for JS/TS, so yeah, that'd probably solve the dynamic query problem. But I think parent wasn't so much asking for another library but for…
To quote a TV show Community character Jeff Winger: > What makes humans different from other animals? We're the only species on earth that observes Shark Week. Sharks don't even observe Shark Week, but we do. For the…
Yes. And that is what a client should 100% do from the security standpoint. But since you mention caching - from the perf standpoint, it could sometimes be beneficial for the query planner to know the values before…
They seem to be measuring things like how long it takes for the dev server to spin up, and how long HMR updates take. I don't think ESBuild offers these features out of the box. I guess it could be in the "Cold build"…
Does the JSON spec actually say that those objects should be "equal", or does it just leave that detail to implementations? In JavaScript at least, those two are not exactly "the same", in the sense that you can observe…
It's great that Temporal is coming, and I'm sure there are bunch of other nice things coming up too, but unfortunately I don't share your optimism with the specific proposals that you mention (even though those would be…