Favorite Social Media Timesink
When you take a break from work, where are you going?
Video clips on TikTok/YouTube
X, Bluesky, Mastodon et al...
Web surfing
I do not get distracted by petty amusements
Frontend Development / JavaScript / Software Development

Dev News: RedwoodJS Drops Jamstack, Dropbox Reduces JS Bundles

RedwoodJS gets a makeover, the Skeleton Squad targets JavaScript package manager NPM Socket, Dropbox JS changes, Nim version 2.0, and more.
Aug 19th, 2023 6:00am by
Featued image for: Dev News: RedwoodJS Drops Jamstack, Dropbox Reduces JS Bundles
Photo by Dan Meyers on Unsplash

RedwoodJS, a young fullstack JavaScript and TypeScript framework, is moving beyond its Jamstack SPA (single page application) roots to pursue a sever-first, full stack React framework, according to this post by Tom Preston-Werner. Preston-Werner, the founder and former CEO of GitHub, is one of the four founders and 300 contributors to the RedwoodJS open source web development framework.

“For the last year, the RedwoodJS team has been prototyping solutions to the framework’s lack of a proper server-side rendering (SSR) feature,” he wrote. “Today, I’m happy to announce that we have chosen to implement a modern SSR solution with a front-end server, leveraging React’s streaming capabilities. This will also allow us to add React Server Components (RSC) to Redwood as our solution to the many downsides of pure single page applications (SPAs).”

It’s a lot of acronyms, but Preston-Werner cited a list of reasons to switch to React Server Components (RSC), including:

  • Better SEO performance in the form of statically rendered HTML delivered to the browser. With server rendering, that’s “baked in,” he added — an advantage over the SPA architecture;
  • OG tags, which require statically delivered HTML to use. Again, server-side rendering solves for this use; and
  • Providing API options to connect beyond the GraphQL API backend.

“It’s challenging to get top-notch performance out of Redwood in a Jamstack environment,” Preston-Werner wrote. “AWS Lambda’s cold start times, code payload limits, and execution timeouts are all hurdles that need to be considered. Most Redwood users today already choose a serverful deployment strategy for exactly these reasons.”

The original goal was to make it possible for most of Redwood’s features to work in serverless environments. But from now on, Redwood will be optimizing for serverful RSC and all the advantages that will bring.

“You can read a full account of RSC’s advantages elsewhere, but more of my favorites are: smaller bundle sizes shipped to the browser, large libraries can be run server-side only (more bundle savings), quicker hydration, and easy server-side secrets,” he wrote. “RSC is the future of React. The React team has made this very clear and we are lucky to be in touch with their amazing team members to help us along this path.”

The Redwood team also released a new roadmap ahead of its first in-person and virtual conference, RedwoodJSConf, which is set for Sept. 26-29 in Grants Pass, Oregon.

Dropbox Reduced Its JavaScript Bundles by 33%

Wednesday, Dropbox published a post describing at length how it reduced its JavaScript bundles by 33%. Since excessive JavaScript is a known problem for some web apps and sites, we think this piece detailing how Dropbox decluttered is worth a read.

It’s first change? A new bundler. The old one from 2014 didn’t incorporate many performance optimizations and was difficult to work with, Dropbox noted.

“While our existing bundler was relatively build-time efficient, it resulted in massive bundle sizes and proved to be a burden for engineers to maintain,” the post noted. “We relied on engineers to manually define which scripts to bundle with a package, and we simply shipped all packages involved in rendering a page with few optimizations.”

That became problematic over time, it added, creating multiple versions of bundled code, manual code splitting and no tree shaking.

The cloud provider used Rollup, a module bundler for JavaScript. The rest of the blog post shares the Dropbox deployment journey.

“After rolling out Rollup to all Dropbox users, we found that this project reduced our JavaScript bundle sizes by 33%, our total JavaScript script count by 15%, and yielded modest TTVC improvements,” the post said. “We also significantly improved front end development velocity through automatic code-splitting, which eliminated the need for developers to manually shuffle around bundle definitions with each change. Lastly and perhaps most importantly, we brought our bundling infrastructure into modernity and slashed years of tech debt accumulated since 2014, reducing our maintenance burden going forward.”

Skeleton Squad Targets JavaScript Package Manager NPM

Socket Research revealed Monday that the Skeleton Squad, which targeted the PyPi ecosystem with malicious code, has also targeted the JavaScript package manager pm in its attacks.

“The latest combatant to enter the fray is an NPM package known as pyautodllxd,” Socket Search reported Monday. “This seemingly innocuous package was uploaded by an author named ‘T4hg’ and last updated on April 18, 2023.”

At first glance, ‘pyautodllxd’ doesn’t appear to impersonate any popular package or engage in typosquatting. Its purpose and target audience remain elusive, as both the ReadMe file and description were left blank. However, when Socket Research examined the postinstall command, it uncovered suspicious code.

The postinstall command runs a PowerShell command, suggesting that the attacker targets Windows operating systems, the research note pointed out.

“Upon closer inspection, we discovered a binary named ‘esquele.exe’ being downloaded from a Dropbox URL,” the post stated. “This stealthy approach allows the payload to be deployed without raising any red flags.”

After installation, the package simultaneously downloads the malicious executable and saves it in the temp folder for later execution. Socket Research noted that several vendors had marked the decoded PowerShell script as a malicious trojan.

The firm’s analysis found that pyautodllxd runs a hidden PowerShell window, downloads a script named bypass.ps1, and uses the “Esquele” function to add exclusion paths for drives C:\ and D:\, bypassing Windows Defender’s real-time protection.

The Skeleton Squad left a cryptic message in Spanish in some of the packages published by T4hg, which translates to “They will all die in the hands of EsqueleSquad,” the research note added.

Nim v2.0 Released

Nim version 2.0 released earlier this month. Nim is a relatively new programming language, but it’s used in web development, systems programming, game development, artificial intelligence, data science and scientific computing. Among its advantages are its fast and efficient: Nim code can be compiled to native machine code. It’s also expressive and extensible, supporting metaprogramming. Finally, Nim code can be compiled to run on a variety of platforms, including Windows, Linux, macOS, and FreeBSD. So it has a lot to recommend it.

“This is an evolution (not revolution) of Nim, bringing ORC memory management as a default, along with many other new features and improvements,” the release note stated.

It also cautioned that “Nim is a programming language that is good for everything, but not for everybody.” Its customizable memory management makes it well suited for unforgiving domains such as hard real-time systems and system programming in general, the post stated.

Among the new features are:

  • Better tuple unpacking. “Tuple unpacking for variables is now treated as syntax sugar that directly expands into multiple assignments,” the release note stated. “Along with this, tuple unpacking for variables can now be nested.”
  • Improved type inference. “A new form of type inference called top-down inference has been implemented for a variety of basic cases,” the releases notes state.
  • Forbidden tags. “Tag tracking now supports the definition of forbidden tags by the .forbids pragma which can be used to disable certain effects in proc types,” it added.
  • A new standard libraries model. Essentially the overhauls its os module.

New users can download the language online.

Scheme Schism

John Cowan, the chair of the language R7RS-large project, resigned his position in a public post on Google Groups this week. That project oversees the use of Scheme as an active, rather than teaching, language.

“I have come to the conclusion that I can no longer serve as Chair. I am exhausted by the effort, and I do not think that there is any further hope that I can get sufficient agreement among the different players to have any hope of coming to a conclusion,” he wrote. “On the contrary, agreement is further away than ever, and people’s views are more and more entrenched.”

This Hacker News thread offers background information about Scheme.

Web Frameworks as Superheroes

React.js Superhero

Developer Matija Sosic used the generative AI tool Midjourney to create this image.

This is simply too cute not to share: Developer Matija Sosic recently used the generative AI tool Midjourney to visualize web frameworks as superheroes. It features popular web frameworks such as Vue, React.js, Wasp and Ruby on Rails. React.js is heralded as the king of the frameworks, while Nest.js is literally a server-side beast of a character. The Wasp contributor promises to do more frameworks in the future.

Group Created with Sketch.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.