Simon Wijckmans: Well, in 2024 you probably should, I agree. But look back seven, eight years when people added that script to their website for the first time. This was a very real issue. So people added this script to their website. Andrew Betts, the open source contributor - he wrote the code, but he didn’t own polyfill.io. That was someone else. And that person in February this year somehow allowed a change of ownership to happen. I don’t know the details of how that happened, that is not publicly known, but there was a change of ownership and the domain name polyfill.io was purchased by a Chinese company.

And so that Chinese company didn’t do anything special with it for the first few months. On the main page of that domain they had a webpage that was saying “Yeah, this is just a polyfill package”, and all of that stuff. And obviously, the wider web community noticed that change of ownership, and it was quite weird… And then of course, the open source contributor that wrote the package originally posted about it on Twitter… Some alarm bells started going off and there were a few mirrors available at that point. So Fastly and Cloudflare did blog posts about it, and they made a mirror available of that package on their own CDN. And that then triggered, funny enough, the Chinese owner of that domain to change their website and say “Protected by Cloudflare”, which I found a rather interesting detail. If you go on the Wayback Machine, you can still see that header.

[06:08] The way that then things evolved over time is all of a sudden on the 25th of June certain users, depending on their user agent, would see that script, and that script would also include a third-party script itself pointing to googleanaiytics.com. So it was Google Analytics where the L was changed to an I. And that was then another malicious script that was known to redirect people to adult content websites and online casinos.

This is, in my opinion, an incredibly juvenile attack, because there’s really not a lot you gain from that. Perhaps some ad revenue through generating click-through… But there’s not really any big money being made here. And they also made it so that this attack only occurs on the initial requests. So when you refreshed that same website you went to, you wouldn’t be redirected to that same adult content site or casino… So it became harder to debug.

The thing is that the bad actor could have pulled off a way worse attack. They could have listened in on keystrokes, and exfiltrated that, and only made that action happen in a small percentage of requests, from specific regions, on a certain time schedule, and probably fly below the radar for months. Because the reality is that most websites do not have client-side security in place. So whatever a third-party script does, they’re just able to do, and they’re not really keeping an eye on it.

That kind of brings us to the bigger problem here… We do a lot to protect our own infrastructure. We put all types of interesting firewalls, by all types of really senior and well-known companies in front of our own infrastructure to protect our infrastructure against inbound attacks… We spend money on protecting our supply chain, or better said, parts of the supply chain, so those that live on registries… And there’s some really amazing companies out there that do a really good job at that. But then we still allow people to do things completely dynamically client-side. And we don’t actually know what people are getting in a browser of a user. And that, in my opinion, is a big part of supply chain. And it shouldn’t be sort of an entirely different subject, but the reality is that as we protect our open source dependencies, as we protect our infrastructure, bad actors will, of course, always look for a way to make themselves rich and make themselves successful in their careers… And therefore, executing attacks in a browser of a user is sort of a logical next step.

And so this polyfill attack was one of those examples where we just had to make a lot of noise as a community, to make this a known thing. In fact, if you were to go back to some of those posts back then, you’ll see that we were being referenced a lot. We were one of the companies to notice it as a first. And then we put a lot of blog posts out, I put our PR people on it, they then got all of these media outlets to write about it… So for some time, people were aware of the risk. There is a real risk that we’ve gone back to a world where people don’t know about risk, and they just kind of accepted it, and was like “This is a one-off.” Reality is, this is not a one-off. Most websites still have over 20 of these, many websites have over 50 of them. Third-party scripts are completely dynamic. They can act completely differently from what you think. Even if you think they’re static, there’s nothing really stopping them from acting dynamically… Unless, of course, if you add a hash to your script tag, which unfortunately people don’t do that often.

Sunil Pai: I shipped some things there. I shipped like a testing API, which was nice. I helped do a bunch of releases… It wasn’t a bad year all around. I worked in a bank for a year… I don’t recommend that to anyone. Companies are way better. But I worked in Cloudflare for a year, and that was cool. What happened is I got interested in the tech right about the time the beta for Durable Objects happened. And we’ll go into that in a bit… But I tried using the product, and it was a pain in the ass, so I complained about it online. I got into their DMs… And at one point, I was like “Do you want to just hire me to come fix it?” So they said “Yeah, sure. Let’s go.” And it was fun.

[08:02] What we did was we rewrote the CLI from Rust to TypeScript, which is the opposite direction that most other projects go in, and it was the right thing to do. It was a lot of fun. So I did that for a year, and not only was it fun, but I really got insight into I think what the next phase of like computing, edge computing – the way Cloudflare does it is absolutely fascinating. And then I left, because as you know, it’s a time of global world peace; the economy’s doing so well… It’s a great time to start a company, I figured. And I did that.

And I think I left Cloudflare in September last year, and it’s been an absolute ride since then. Things escalated really, really quickly, to the point where we just announced a funding round for BodyKit, a team, an office, I have my first office… I love it, it’s beautiful. We share it with TLDraw. But yeah, people might know me otherwise from a CSS-in-JS library I did a while ago called Glamour. And that was right in the middle of it being an extremely divisive topic…

Jerod Santo: And we do, we’re gonna continue to vibe… Let’s start off with the React Brussels vibe. So last week we gave a holla to React Brussels. This week we have a speaker from React Brussels. Remember, that’s the event happening in Brussels on October the 14th. And last week I gave you some of the details, but I forgot one big part. The part that I forgot is that Omar from the organizing team gave us a couple of things to help bring people out to the event. So the first thing is a coupon code, JSPARTYTIME. All caps. I don’t know if the caps matter, but go ahead and, QA test that form, see if you can go all-caps, or if they have a case-insensitive matcher… And you save 30% off when you buy a ticket.

[04:11] We also have a free IRL ticket, and five online tickets to give away. So we will be doing that. We don’t have a plan yet. Follow us on Twitter, @jspartyFM, so we’ll let you know exactly how you can enter; it’ll be pretty easy. And we will give out some tickets so we can get people out to the event. Tejas, are you excited about this conference?

Nick Nisi: Well, let me try. The number one thing that I just love about Tailwind is I don’t understand the appeal of CSS-in-JS, at any level, because I don’t like having my CSS external to where I’m using it. Because then I either have to open the same file in two splits, so I can see “Here’s the CSS, and then here’s where I’m actually applying the CSS…” I’d rather just have it all in-line. And the beauty of Tailwind - I have not run into anything that I can’t do with just pretty much the vanilla Tailwind classes… Minus some gradient stuff that I added custom to my Tailwind config. But the beauty of it is when I am working on a work project that is using Tailwind, I’ve started building up this muscle memory of all of the class names, and how I would use them. And when I go work on personal stuff that’s also using Tailwind, exact same thing. I’m not thinking “Oh, what do we call this component over here?” No, it’s just whatever. I just have those Tailwind classes, and I use them. And then to manage those things, the way longer list of classes, there’s really super-simple utilities… One that we’ve talked about on this show before called class variance authority. That is really nice in being able to say “Here’s a long list of Tailwind classes that you’re going to apply. Oh, and then in some cases, you’re going to conditionally apply these as well.” And there’s like no additional logic that you have to add to that; you don’t have to test if/else logic, because it’s all handled by that, and you just pass in the properties, and it just takes it from there. So it’s a really cool way to solve this problem… And then to only think about CSS in a Tailwind way, which is just CSS, means that it’s super-portable between every other project. And that’s why I love it.

Jerod Santo: Alright. Well, before I let you go, I do want to talk about your post you wrote, I guess last year around this time, which I loved, and was one of the only posts I actually shared with our audience here on Changelog News, because I was like – a lot of your stuff is adjacent, but this was right in our wheelhouse. A lot of people giving conference talks, a lot of people making speeches, having to demonstrate their work… And you wrote “A Gambler’s Guide”, speaking of casinos… “A Gambler’s Guide to Giving Talks.” Some posts you can just tell like everything you need to from the subtitle, and your’s says “A bewildered audience is better than a bored one.” So I think that your premise is well known, just from the subtitle. But then you go on to back that up with some argumentation. Can you unpack the short version of that? Of course, we’ll link it up for people to read the whole thing.

Adam Stacoviak: Casino.

Adam Jacob: I was a big DJB person, so there was a lot of – we were running qmail, and we were running his DNS server, and we were running all that stuff… And yeah, that was pretty much the stack. And then eventually the stack grew, so… Again, money shows up, consolidation starts to happen… So the coolest consolidation story I have was this set of old McCaw Cellular guys, who had made a bunch of money when McCaw Cellular got sold to AT&T; we made a deal with the tribe in Phoenix. So there’s a reservation sort of in the middle of Phoenix, kind of, that now has a casino. That casino, the bootstrapping money for that casino came from these McCaw Cellular guys. And what they did was made a deal with the tribe that they could build a huge data center on tribal land, and they filled it with modems, and they put in their own class – I think it was a class three switch. This is a long time ago, so somebody is going to be like “It couldn’t have been class three. It was class two”, or whatever. But they put in a phone switch that could do long distance phone switching. And then they got the tribe to put in a tariff. So any long distance call that wound up getting terminated at their giant switch, they got 10 cents. And then they split it between this telecom company and the tribe. And so then they went around to all the ISPs, and went “Stop running your own POPs. We’ve got all the modems, and we’ll just route the traffic directly to you. So just buy colo space next to our huge bank of modems, and then you don’t have to manage all the modems anymore, and you can just run your gear right next to it, and then we’ll take a nut every time.” And the guy who set that up was humongous. He was – I don’t know, in my mind he was 6’8”. He wasn’t that tall. He couldn’t have been. But in my head he was like an ogre. He was huge. And as soon as you went in there, the first thing he would do is take you to his office and show you his bathroom… Because he had a custom-built urinal that was made for him. it was a huge floor to ceiling urinal, basically, and he was incredibly proud of it. And then he would leave you with cigars. One of the racks in the data center he had turned into a humidor. And so every time you went in, he would hand you a handful of Arturo Fuente Short Stories and kick you out the door. It was great.

Deepak Prabhakara: Yeah, exactly. So that’s obviously fairly – it depends on the context as well, because for us, that secure by default, I think we’ve learned that over time. Now, of course, Mongo also patched that up, so by default, you will have some kind of reasonable layer of security, and then you can kind of build upon that.

So I think that kind of awareness has already come in. We also had cases where - you know, Internet of Things got popular maybe a decade ago. And because – I mean, from the outside, we always think an attack is quite sophisticated, mainly because we don’t really understand how that actually went about. But the reality is people get in through very simple things. They try a lot of times, and they find one or two weaknesses, and then it kind of cascades into more things internally. I think classic a case was a fish tank in I think a hedge fund - or a casino; I forget exactly - and that was IoT-enabled and connected to WiFi, and that was open… So they got into the actual internal network on the back of a fish tank that was connected.

Nick Nisi: And then another guy brought up a full ham radio set up, and he used that to spoof an AT&T cell tower… And all throughout the casino that day they had signs up saying “Between 2:30 and 3:00 if you have AT&T you will not be able to make phone calls, including to 911”, and it was because he was running his own tower, and every time you used an AT&T phone it would go directly to his cell phone and just go to voicemail. Super-cool, super-scary stuff that people dream up when they have a lot of time like that, which is really cool.

Ryan Singer: And the whole notion is if you take a whole bunch of gamblers at a casino and you average out their winnings, a few huge winners are going to throw the average, and you’re going to get the mistaken impression that gambling has a certain – you’re gonna value the risk at a certain level, based on looking at that average. But if you follow an individual gambler, what you’ll see is that they keep going bust…

Chris Benson: I’m looking back through the article right now… I didn’t see it being deployed, so I’m assuming it’s in a very controlled environment. But who knows…? Sometimes I go out to Vegas for various conferences and such, and you never know; you may walk into a casino at some point and be playing against the bot, or at least that’d be one of the players up there, and that’s the new gimmick.

Johnny Boursiquot: When I tried to go to JSTOR, it sends you to casino.com, or something. [laughter] You know, it’s not nothing…

Kent C. Dodds: Yeah, it was fun. Code mods were really helpful when I deprecated my css-in-js library called Glamorous in favor of Emotion. Tejas Kumar wrote a code mod to help people migrate… And yeah, they’re really, really nice.

Kilian Valkhof: [00:35:49.14] Well, then can switch gears, because the thing that makes Polypane feel native-ish isn’t React, but it’s actually a lot of CSS… Because there are a lot of things that native applications do, that web pages don’t do by default, that you can spend time on to make sure that your Electron app feels much more native. And that’s things making sure that users can’t select all the text. Because that’s not something you can do in a regular app. If you press Command+A in Keynote, it’s just the text on your page that gets selected, and not all the buttons. If you press something, usually something happens on key down, and not on click, on key up. But on the web, you can click a link, and then as long as you hold down the mouse, nothing happens… And then when you release, something happens. So that’s webby. But on a desktop app, as soon as you press down, the action happens. So it’s all these little things that make sure that the interactions that you have in the app, that they are appy, instead of webby. And you can do that with any framework; you just need to make sure that you pay attention to it.

And then there’s also stuff you don’t realize… Like, whenever you have a menu item in a menu, and this works on all operating systems, as soon as that menu item ends with three dots, an ellipsis, it means that clicking that menu item will open a dialog of some sort. And this is true for all applications, and you probably never realized that. And there’s not a “Welcome to macOS. If you see a menu item with three dots, this is what happens.” It’s just something that is there, and you as an app developer need to pay attention to stuff that, to make sure that you fit into all these things that users either consciously or unconsciously expect from apps. And it’s fun doing that, and it’s fun doing that across platforms, because things are slightly different…

And then some things are just very unspecified. A thing that I still struggle with is the casing of menus. That’s just all over the place, including in first party native apps. Do you use capital case, or do you use sentence case? It’s just, whatever feels right in the moment; I just need to make sure that I’m consistent.

Break: [00:38:39.24]

Adam Stacoviak: And they bring it out in like this lighthouse kind of thing, like this glass casing with a bunch of smoke… I feel like I’m at like a Catholic mass, or something like that, if you’ve ever been to a Catholic mass, during Ash Wednesday or whatever, when they’re smoking the place up… And they bring it out and they reveal, they open it up, and this big puff of smoke comes out, and it’s a smoked old fashion. So good… I mean, that’s a staple. Good steak, good bourbon, good conversation, stuffed bellies.

Dustin Bluck: Yeah, exactly. No, I mean, you have banner ads, and you have sort of an ad on the Now Playing screen… But Castro is really tilted towards our premium users. I think it’s like 25% premium. And they can hide those. Whereas the Discover ads - they can hide those too, but they’re not hidden by default. But yeah, you pay for a week, you get on those screens… It’s pretty basic. Castro’s Explore section is just not very smart right now. It’s like very naive. So there’s a ton that we can do, sort of very low-hanging fruit just to make that smarter and better.

Jerod Santo: Well, an intestinal casing is… That’s scientific, right?

Mike Basios: Thank you. Thank you, guys.

Natalie Pistunovich: [laughs] That’s a fair disclaimer. You mentioned you’ve been with Kubernetes, or been using it for five, six years or so. And you also mentioned you find comfortable saying that you generally understand it. Would you say that it’s the same easiness of understanding it for somebody who steps in now, given that it obviously grew with complexity over the time?

Nick Nisi: Yup. But you also get the benefit of this working – so one of the pain points that I’m running into right now with my CSS-in-JS stuff is that I’m trying to use like Next 13’s new app directory, and play with React Server Components… But every component that I use or create has to be a client component, because it needs to access this JavaScript state to understand how to properly apply theme values, and things like that… Whereas all of that actually – well, if we used Tailwind, all of that is predefined in Tailwind, and with the Tailwind config, and with those classes… So if it’s just using JavaScript to try and figure out “apply this class versus that class”, it can be a server component and still work 100%.

Zach Leatherman: [00:51:59.10] Yeah, I think the template syntax stuff and the processing of HTML in WebC is maybe as far as I’d want to go, and I think I’d farm out the rest of this stuff to other projects, if folks want to use it. So if you want to extend your own CSS processing pipeline into WebC, you can do that; you can actually override our WebC-scoped behavior with your own custom behavior if you want to write your own scoped CSS implementation. If you want to wire up Babel to do JS processing or whatever, you can do that if you want. But again, I’d come back to - do you want to add all those extra dependencies?

I think the temptation when folks work on projects is they want to work on the cutting edge, they want to work on the very newest features that come out before their sort of GA, or before they’re supported in browsers on the client specifically. And you get into this weird trap where you add these dependencies to process this stuff, and maybe it’s specification changes, or maybe the preprocessor went ahead of things… You saw that a lot in CSS-in-JS implementations, where they just couldn’t keep up with the specifications that were coming out. I think a lot of folks have maybe some issues with Tailwind in the same way, where it almost seems like Tailwind is having trouble keeping up with the speed of features that get delivered in the CSS world. And I don’t know if that’s actually true, but that’s like the same – like, you add on a layer, an extra dependency to work ahead of the game, in a way, to try and get access to these cutting edge features, and it really can come back to bite you later. So I just exercise caution…

Alex Russell: I think that’s an important question. I’ve been saying for a while now that I would like fewer disasters across my desk… Because it would be great to get back to working on new APIs that people need, rather than spending a lot of time convalescing with a carefully-constructed disaster.

So the way that I think we get out of this is not to switch our tools. Teams that do not operate their tools, but whose tools operate them, are unlikely to succeed with anything but the simplest tools… Which is to say, if you don’t have a lot of organizational capacity to manage complexity, pick the simplest thing that can possibly work. And that is to say, output HTML and CSS and leave JavaScript alone, because it’s not for you, no matter how good you as maybe that one developer are.

Okay, so at an organizational level, preferring tools that are simpler, because they’re simpler, because that reduces your total costs over time is just a nice thing to recognize as a pattern that can help. But that doesn’t help you if you’ve bought into a pile of complexity that you’re having a hard time managing. And I get that. So there’s a lot of good stuff that’s happening in the ecosystem right now, that I think will help. The first, of course, is that core vitals is creating visibility for management about your progress to doing a better job. I’m explicitly excited about interaction in XPaint, because it is finally starting to put a price on the worst effects of JavaScript.

So that will help both motivate, and then create credit for improving things like task scheduling, and main-thread work blocking, and all that kind of stuff. That’s great. That’s awesome. And then the tool - again, the tools themselves are depending on their endemic complexity, their basal complexity. They are more or less of a problem in and of themselves… But I have seen extreme disasters made out of the best tools, and I’ve seen teams that could sort of field-strip and rebuild the framework themselves blindfolded in two minutes - they can operate whatever, right? And I think, I think we talk about those two extremes as though they are the only thing, but in the broad middle, the thing that’s very helpful is to learn what things cost, and then start to just put a little bit of management control around it. Because there is good news in the networks and devices that we’re seeing.

Computers are about to start getting a little bit faster at the very bottom. That’s going to start to happen again. And if we can hold the line for a bit, then the sites and things that we’ve deployed today - they will certainly feel a little bit more affordable in the future, if they’re close to the line. If they’re not, you’re gonna have a hard draft, you’re gonna have to dig out…
Other things that are helpful right now - if you have one of these big complex UIs, and it’s not scaling, for instance in terms of style complexity, Nolan Lawson has been doing extraordinary work over the last year in sort of outlining how DOMs that are out of control, coupled with style sheets that are [unintelligible 00:57:32.05] and often being perturbed by very poorly-done CSS-in-JS tools - that combination is quite toxic for interactivity. But we can get it under control, right? There’s generations of CSS-in-JS tools that will extract all your style sheets out, turn it into a single CSS file that’s not being manipulated; that’s awesome.

[57:51] I’m working with and have seen teams kind of hollow out their existing React components and replace the guts with web components, so that they get Shadow DOM in isolation, and they don’t have this combinatorial explosion of complexity there. And that helps a lot.

And then teams learning to put the marginal user at the center of the conversation is just the most transformative thing. If you are sitting there talking about how it feels on the P90, the P75 if your PMs carry these low-cost devices that are relevant to your business - and I don’t want to say either is the one that you should use, although I have a post on like the performance baseline worldwide… But if you think about what you would want to know about your marginal user, and then decide intentionally to go serve that user, there are so many good tools, right? It isn’t just going to be, as you say, one size fits all. But you can learn what size fits. We’ve gotten an entire department store full of great tools. HTML and CSS, very thin frameworks, compositional things, “server-side rendering” in the style that we do it now, old school server-side rendering in static sites… There’s a lot of cool stuff happening with Astro and Eleventy, and Hugo, and PHP, and DotNet. There’s this whole closet full of stuff that we’re not talking about now, that can be extremely appropriate, and you can use it, and you can deploy it, and it probably isn’t worse. You may not be comfortable with it right now, but if the output that it creates is simpler, your chances of success with it are significantly higher.

And so dust off the Rails, dust off the Django. There is a place for this tech, and if you learn about the kind of users you’ve gotten, the sessions that they’re working through in your experience, you can make appropriate choices, and you can hire for those skills. I promise you that you can. There’s a fire sale on talent right now. In fact, one of the most depressing things about the last decade has been how folks with JavaScript skills have pushed out people who have those skills and would like to come back to using them. They’re just sitting out there, and I promise you that if your product or your team is saying “Oh, but we can’t find people like that”, t’s mostly because you aren’t trying.

Martine Dowden: [laughs] There’s a lot of – so I laugh at the CSS-in-JS because it all boils – I mean, there’s religious wars over that, and over frameworks, and stuff, and it’s like, do what you need to do to get your project done. But if you have the time and you want the knowledge, learning the core basics of CSS will help you in any of those scenarios, and is definitely valuable, regardless of what technique you’re going to be using and/or applying it within. I think that’d be kinda all opinions about it, those other religious wars aside… Because they exist for a reason, right? They exist to solve a problem. But the end-all-be-all is if you have the time and want the knowledge, learning the actual CSS underlying all of that will definitely be helpful, regardless of which technique you’re using. Michael, how about you?

Jerod Santo: Castro’s is pretty cool, because it puts the name of the current chapter right there in the middle. And if you click on that name, it pulls up the whole deal. So it’s kind of a little bit more front and center. They all have their different decisions they make, you know…