Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts. They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainer-ship of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.

Ire Aderinokun: The main reason the visibility: hidden rule isn’t just about visual visibility is because it affects the elements visibility to assistive technology as well. Love deep dives like this. Especially how it affects accessibility. Definitely something we front-end developers need to pay more attention to.

Dave Rupert feels that Microsoft Edge switching to Chromium makes other browser rendering engines “edge cases”: If there’s one thing I know about developers, it’s that we love to ignore edge cases because edge cases make our jobs more difficult. Google itself regularly ships Chrome-only products and I’ve been told by Googlers that they’re directed to only care about Chrome. Like Dave, I feel torn between different arguments. But just as Blink is a fork of WebKit, who knows if we’ll also see a fork of Chromium led by Microsoft in the future.

Jeremy Keith starts off his 24 Ways article by reminding us of Murphy’s Law. What does this have to do with the web you may ask? A service worker is a Murphy-battling technology that you can inject into a visitor’s device from your website. Once it’s installed, it can intercept any requests made to your domain. If anything goes wrong with a request—as is inevitable—you can provide instructions for the browser. That’s your opportunity to turn those server outage frowns upside down. Take those network connection lemons and make network connection lemonade. Just as we design 404 pages, designing a pleasant offline experience is important.

Crossplane provides a universal cloud computing API. Control your workloads across clouds and on-prem environments from one unified place. Nobody wants to be locked in to their current cloud provider. With Crossplane (and a new breed of ‘multi-cloud’ tools like it), you can spread your application across multiple cloud providers at a single time, migrate managed services across multiple clouds, and more. We might be looking at the future of cloud computing, right here. I’m sure this will be a hot subject at this week’s KubeCon in Seattle. (Adam is onsite covering the event. Find him and say hi if you’re attending.)

JSONPlaceholder is a free online REST API that you can use whenever you need some fake data. It’s great for tutorials, testing new libraries, sharing code examples, … It comes with a set of 6 common resources. You know, the usual suspects like /posts and /comments. Prefer to use your own data? The whole thing is powered by json-server, which will get you up and running in 30 seconds-ish.

Eran Hammer makes the case for hapi as your Node web framework of choice. We’ve been talking about dependencies a lot lately due to recent events. In light of that, think about this: hapi was the first (and still the only) framework without any external code dependencies… I personally (and manually) review every single line of code that goes into hapi (excluding node itself). I review every pull request on every dependency regardless if I am the lead maintainer. That’s quite the selling point! He has a lot of great reasons why hapi is worthy of your consideration. Click through for the hard pitch.

Here’s an interesting twist on open source funding: require all users to back the project on Open Collective, but only enforce that rule via social pressure. In other words, use an honesty policy: It is an honesty system with no code or legal enforcement. When raising an issue or a pull request, the user may be checked to ensure they are a patron, and that issue/PR may be closed without further examination. If a individual or organization has no interest in the long term sustainability of Fody, then they are legally free to ignore the honesty system. The software is MIT-licensed, so all of those liberal rules apply, but don’t expect to get your PR merged or your issue taken seriously unless you’re a patron. You must be a Patron to be a user of Fody. Contributing Pull Requests does not cancel this out. It may seem unfair to expect people both contribute PRs and also financially back this project. However it is important to remember the effort in reviewing and merging a PR is often similar to that of creating the PR. Also the project maintainers are committing to support that added code (feature or bug fix) for the life of the project. The project currently has 4 organizations and 10 individuals supporting it. What do you think those numbers will look like in 6 months or a year?

I put Terminus’ tagline in scare quotes because while it’s intriguing, I do not know for sure whether it delivers on that promise. In more of its own words, Terminus is: …heavily inspired by Hyper. It is, however, designed for people who need to get things done. Them sound like fighting words. But what does “designed for people who need to get things done” mean, exactly? From the feature list in the README, I think maybe it means that it takes Windows more seriously than Hyper and handles printing output more quickly. But that’s just a guess… I’d love to see a roundup and comparison of this new breed of Electron-based terminals. Anybody game?

One of the most exciting announcements from last week’s AWS re:Invent was Firecracker — an open source project that delivers the speed of containers with the security of VMs. Firecracker’s focus is transient and short-lived processes, so it differs from containers in that it’s optimized for startup speed. Why can’t we use containers? The answer is simple — slower cold start. While LXC and Docker are certainly faster and lighter than full-blown virtual machines, they still don’t match the speed expected by functions. There are also some security wins with how Firecracker is architected: Firecracker takes a radically different approach to isolation. It takes advantage of the acceleration from KVM, which is built into every Linux Kernel with version 4.14 or above. KVM, the Kernel Virtual Machine, is a type-1 hypervisor that works in tandem with the hardware virtualization capabilities exposed by Intel and AMD. There’s a lot to be intrigued by here. We should probably line up an episode on Firecracker. In the meantime, click through to go deeper on the topic.

arare enables you to write tacit, point-free, declarative & clean code while avoiding side-effects and mutations. Internally the library itself, comprised of over 200 functions, follows the functional programming paradigm and is materialized using fundamental functional qualities such as currying, recursion, tail calls, high-order functions, referential transparency, side-effects elimination and function composition. Ships with a built-in REPL. 💪

Fully Connected – a series where Chris and Daniel keep you up to date with everything that’s happening in the AI community. This week we discuss all things inference, which involves utilizing an already trained AI model and integrating it into the software stack. First, we focus on some new hardware from Amazon for inference and NVIDIA’s open sourcing of TensorRT for GPU-optimized inference. Then we talk about performing inference at the edge and in the browser with things like the recently announced ONNX JS.

Should I read this 22 minute read on the state of web browsers? Sure. Count me in! Microsoft has confirmed the rumor to be true. We now have one less browser engine, and a last man standing (Firefox) in deep trouble (reasons below). … The web now runs on a single engine. There is not a single browser with a non-Chromium engine on mobile of any significance other than Safari. Which runs webkit, kind of the same engine as Chromium, which is based on webkit.

Mac users don’t care about mac apps like they used to. Today and the future is a web platform world with JavaScript at the center morphing into this gigantic blackhole (mainly a gravity metaphor) with everything else being pulled into its orbit. The more Mac users there are, the more Mac apps we should see. The problem is, the users who really care about good native apps — users who know HIG violations when they see them, who care about performance, who care about Mac apps being right — were mostly already on the Mac. A lot of newer Mac users either don’t know or don’t care about what makes for a good Mac app. John Gruber also quoted SwiftOnSecurity regarding Microsoft’s switch to Chromium as Windows’s built-in rendering engine, saying: This is the end of desktop applications. There’s nowhere but JavaScript.

In this special episode of JS Party, KBall and Nick are on location at Node + JS Interactive in Vancouver. They talks with Laurie Voss, co-founder and COO of npm Inc. They chat about his talk, “npm and the Future of JavaScript”, JavaScript frameworks, and how the definition of “the fundamentals of the web” is constantly changing.

unified –for the uninitiated– is an interface for processing text with syntax trees and transforming between them. Maybe you’ve never heard of it, but you’ve probably relied on it as part of your software infrastructure: [unified] has been OSS for years, but has recently gotten more traction. It’s used in fancy technology such as MDX, Gatsby, and Prettier, and used to build things like Node’s docs, freeCodeCamp, and GitHub’s open source guide. Project’s like unified are crucial to the JavaScript ecosystem, but they’re difficult to fund and support toward sustainability. Hence, the unified collective. Today, we are pleased to announce the creation of the unified collective. It’s an effort to bring together like-minded organisations to collaboratively work on the innovation of content through seamless, interchangeable, and extendible tooling. We build parsers, transformers, and utilities so that others don’t have to worry about syntax. We make it easier for developers to develop. Let’s show these maintainers some 💚 and share this around to those who should be supporting it.

Jeremy Fuksa has had a rough few years. After deciding to go out on his own, his third year in business was filled with anxiety. Going back to working a full-time job may sound like a failure to some, but Jeremy doesn’t look at it that way. He talks to me about his unique skill set, dealing with anxiety and depression, and how his recent experience has taught him some great lessons.

If you’ve been watching the news, you know that the latest data breach involved Marriott exposing 500 million guest reservations from its Starwood database. The kicker is that the unauthorized access to the Starwood guest database stretches back to 2014. That’s FOUR YEARS of unfettered access to this database! It’s breaches like these that helped motivate the team at the Cryptography Research Group at Microsoft to be “extremely excited” to announce the release of Microsoft SEAL (Simple Encrypted Arithmetic Library) as open source under the MIT License.

Drop-in Pusher replacement, SSL support, Laravel Echo support and a debug dashboard are just some of its features. This looks really well done. The Laravel community is en fuego as of late. 🔥

When you’re looking for a programming job, there are dysfunctional companies you’ll want to avoid. This article will help you recognize one warning sign: a particularly problematic phrase.

This is a short 15 minute talk from Henry Zhu at All Things Open, who just announced their photos and videos from their 2018 conference. In this talk Henry asks: When we think about open source, we think about code. Is it more than that? What do you think? What is open source to you?