fidzu : tech

Comments

25 Apr 2024 1:08am GMT

Comments

25 Apr 2024 12:47am GMT

Comments

24 Apr 2024 10:29pm GMT

A new version of Clapper, a GTK4-based video player for Linux desktop has been released - the first major update in nearly 2 years. I first wrote about Clapper back in 2021 having been seduced over by its slick user interface (a superficial reason to like a media player, I know), its use of GStreamer, and a small but focused feature set that wasn't trying to distract me with features I'd never need. Subsequent updates to the app refined and expanded those selling points further and player remained my preferred video player, despite the lack of any major update since […]

You're reading Clapper Video Player for Linux Gets First Update in 2 Years, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

24 Apr 2024 8:05pm GMT

Nginx 1.26 web server debuts with HTTP/3 experimental support, per-server HTTP/2, advanced stream modules, and more.

24 Apr 2024 12:54pm GMT

TrueNAS SCALE 24.04 (Dragonfish) open storage introduces auditing, sandboxing for devs, and enhanced SMB performance.

24 Apr 2024 10:18am GMT

We're excited about the upcoming Ubuntu 24.04 LTS release, Noble Numbat. Like all Ubuntu releases, Ubuntu 24.04 LTS comes with 5 years of free security maintenance for the main repository. Support can be expanded for an extra 5 years, and to include the universe repository, via Ubuntu Pro. Organisations looking to keep their systems secure without needing […]

24 Apr 2024 8:40am GMT

QEMU 9.0 released: 2700+ commits, 220 authors, featuring multiqueue, gdbstub improvements, and more efficient VM migration.

24 Apr 2024 8:33am GMT

On behalf of the Kubernetes project, I am excited to announce that ValidatingAdmissionPolicy has reached general availability as part of Kubernetes 1.30 release. If you have not yet read about this new declarative alternative to validating admission webhooks, it may be interesting to read our previous post about the new feature. If you have already heard about ValidatingAdmissionPolicies and you are eager to try them out, there is no better time to do it than now.

Let's have a taste of a ValidatingAdmissionPolicy, by replacing a simple webhook.

Example admission webhook

First, let's take a look at an example of a simple webhook. Here is an excerpt from a webhook that enforces runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation, and privileged to be set to the least permissive values.

func verifyDeployment(deploy *appsv1.Deployment) error {
 var errs []error
 for i, c := range deploy.Spec.Template.Spec.Containers {
 if c.Name == "" {
 return fmt.Errorf("container %d has no name", i)
 }
 if c.SecurityContext == nil {
 errs = append(errs, fmt.Errorf("container %q does not have SecurityContext", c.Name))
 }
 if c.SecurityContext.RunAsNonRoot == nil || !*c.SecurityContext.RunAsNonRoot {
 errs = append(errs, fmt.Errorf("container %q must set RunAsNonRoot to true in its SecurityContext", c.Name))
 }
 if c.SecurityContext.ReadOnlyRootFilesystem == nil || !*c.SecurityContext.ReadOnlyRootFilesystem {
 errs = append(errs, fmt.Errorf("container %q must set ReadOnlyRootFilesystem to true in its SecurityContext", c.Name))
 }
 if c.SecurityContext.AllowPrivilegeEscalation != nil && *c.SecurityContext.AllowPrivilegeEscalation {
 errs = append(errs, fmt.Errorf("container %q must NOT set AllowPrivilegeEscalation to true in its SecurityContext", c.Name))
 }
 if c.SecurityContext.Privileged != nil && *c.SecurityContext.Privileged {
 errs = append(errs, fmt.Errorf("container %q must NOT set Privileged to true in its SecurityContext", c.Name))
 }
 }
 return errors.NewAggregate(errs)
}

Check out What are admission webhooks? Or, see the full code of this webhook to follow along with this walkthrough.

The policy

Now let's try to recreate the validation faithfully with a ValidatingAdmissionPolicy.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
 name: "pod-security.policy.example.com"
spec:
 failurePolicy: Fail
 matchConstraints:
 resourceRules:
 - apiGroups: ["apps"]
 apiVersions: ["v1"]
 operations: ["CREATE", "UPDATE"]
 resources: ["deployments"]
 validations:
 - expression: object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot)
 message: 'all containers must set runAsNonRoot to true'
 - expression: object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem)
 message: 'all containers must set readOnlyRootFilesystem to true'
 - expression: object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || !c.securityContext.allowPrivilegeEscalation)
 message: 'all containers must NOT set allowPrivilegeEscalation to true'
 - expression: object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.Privileged) || !c.securityContext.Privileged)
 message: 'all containers must NOT set privileged to true'

Create the policy with kubectl. Great, no complain so far. But let's get the policy object back and take a look at its status.

kubectl get -oyaml validatingadmissionpolicies/pod-security.policy.example.com

 status:
 typeChecking:
 expressionWarnings:
 - fieldRef: spec.validations[3].expression
 warning: |
 apps/v1, Kind=Deployment: ERROR: <input>:1:76: undefined field 'Privileged'
 | object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.Privileged) || !c.securityContext.Privileged)
 | ...........................................................................^
 ERROR: <input>:1:128: undefined field 'Privileged'
 | object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.Privileged) || !c.securityContext.Privileged)
 | ...............................................................................................................................^

The policy was checked against its matched type, which is apps/v1.Deployment. Looking at the fieldRef, the problem was with the 3rd expression (index starts with 0) The expression in question accessed an undefined Privileged field. Ahh, looks like it was a copy-and-paste error. The field name should be in lowercase.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
 name: "pod-security.policy.example.com"
spec:
 failurePolicy: Fail
 matchConstraints:
 resourceRules:
 - apiGroups: ["apps"]
 apiVersions: ["v1"]
 operations: ["CREATE", "UPDATE"]
 resources: ["deployments"]
 validations:
 - expression: object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot)
 message: 'all containers must set runAsNonRoot to true'
 - expression: object.spec.template.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.readOnlyRootFilesystem) && c.securityContext.readOnlyRootFilesystem)
 message: 'all containers must set readOnlyRootFilesystem to true'
 - expression: object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.allowPrivilegeEscalation) || !c.securityContext.allowPrivilegeEscalation)
 message: 'all containers must NOT set allowPrivilegeEscalation to true'
 - expression: object.spec.template.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || !c.securityContext.privileged)
 message: 'all containers must NOT set privileged to true'

Check its status again, and you should see all warnings cleared.

Next, let's create a namespace for our tests.

kubectl create namespace policy-test

Then, I bind the policy to the namespace. But at this point, I set the action to Warn so that the policy prints out warnings instead of rejecting the requests. This is especially useful to collect results from all expressions during development and automated testing.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
 name: "pod-security.policy-binding.example.com"
spec:
 policyName: "pod-security.policy.example.com"
 validationActions: ["Warn"]
 matchResources:
 namespaceSelector:
 matchLabels:
 "kubernetes.io/metadata.name": "policy-test"

Tests out policy enforcement.

kubectl create -n policy-test -f- <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
 labels:
 app: nginx
 name: nginx
spec:
 selector:
 matchLabels:
 app: nginx
 template:
 metadata:
 labels:
 app: nginx
 spec:
 containers:
 - image: nginx
 name: nginx
 securityContext:
 privileged: true
 allowPrivilegeEscalation: true
EOF

Warning: Validation failed for ValidatingAdmissionPolicy 'pod-security.policy.example.com' with binding 'pod-security.policy-binding.example.com': all containers must set runAsNonRoot to true
Warning: Validation failed for ValidatingAdmissionPolicy 'pod-security.policy.example.com' with binding 'pod-security.policy-binding.example.com': all containers must set readOnlyRootFilesystem to true
Warning: Validation failed for ValidatingAdmissionPolicy 'pod-security.policy.example.com' with binding 'pod-security.policy-binding.example.com': all containers must NOT set allowPrivilegeEscalation to true
Warning: Validation failed for ValidatingAdmissionPolicy 'pod-security.policy.example.com' with binding 'pod-security.policy-binding.example.com': all containers must NOT set privileged to true
Error from server: error when creating "STDIN": admission webhook "webhook.example.com" denied the request: [container "nginx" must set RunAsNonRoot to true in its SecurityContext, container "nginx" must set ReadOnlyRootFilesystem to true in its SecurityContext, container "nginx" must NOT set AllowPrivilegeEscalation to true in its SecurityContext, container "nginx" must NOT set Privileged to true in its SecurityContext]

Looks great! The policy and the webhook give equivalent results. After a few other cases, when we are confident with our policy, maybe it is time to do some cleanup.

• For every expression, we repeat access to object.spec.template.spec.containers and to each securityContext;
• There is a pattern of checking presence of a field and then accessing it, which looks a bit verbose.

Fortunately, since Kubernetes 1.28, we have new solutions for both issues. Variable Composition allows us to extract repeated sub-expressions into their own variables. Kubernetes enables the optional library for CEL, which are excellent to work with fields that are, you guessed it, optional.

With both features in mind, let's refactor the policy a bit.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
 name: "pod-security.policy.example.com"
spec:
 failurePolicy: Fail
 matchConstraints:
 resourceRules:
 - apiGroups: ["apps"]
 apiVersions: ["v1"]
 operations: ["CREATE", "UPDATE"]
 resources: ["deployments"]
 variables:
 - name: containers
 expression: object.spec.template.spec.containers
 - name: securityContexts
 expression: 'variables.containers.map(c, c.?securityContext)'
 validations:
 - expression: variables.securityContexts.all(c, c.?runAsNonRoot == optional.of(true))
 message: 'all containers must set runAsNonRoot to true'
 - expression: variables.securityContexts.all(c, c.?readOnlyRootFilesystem == optional.of(true))
 message: 'all containers must set readOnlyRootFilesystem to true'
 - expression: variables.securityContexts.all(c, c.?allowPrivilegeEscalation != optional.of(true))
 message: 'all containers must NOT set allowPrivilegeEscalation to true'
 - expression: variables.securityContexts.all(c, c.?privileged != optional.of(true))
 message: 'all containers must NOT set privileged to true'

The policy is now much cleaner and more readable. Update the policy, and you should see it function the same as before.

Now let's change the policy binding from warning to actually denying requests that fail validation.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
 name: "pod-security.policy-binding.example.com"
spec:
 policyName: "pod-security.policy.example.com"
 validationActions: ["Deny"]
 matchResources:
 namespaceSelector:
 matchLabels:
 "kubernetes.io/metadata.name": "policy-test"

And finally, remove the webhook. Now the result should include only messages from the policy.

kubectl create -n policy-test -f- <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
 labels:
 app: nginx
 name: nginx
spec:
 selector:
 matchLabels:
 app: nginx
 template:
 metadata:
 labels:
 app: nginx
 spec:
 containers:
 - image: nginx
 name: nginx
 securityContext:
 privileged: true
 allowPrivilegeEscalation: true
EOF

The deployments "nginx" is invalid: : ValidatingAdmissionPolicy 'pod-security.policy.example.com' with binding 'pod-security.policy-binding.example.com' denied request: all containers must set runAsNonRoot to true

Please notice that, by design, the policy will stop evaluation after the first expression that causes the request to be denied. This is different from what happens when the expressions generate only warnings.

Set up monitoring

Unlike a webhook, a policy is not a dedicated process that can expose its own metrics. Instead, you can use metrics from the API server in their place.

Here are some examples in Prometheus Query Language of common monitoring tasks.

To find the 95th percentile execution duration of the policy shown above.

histogram_quantile(0.95, sum(rate(apiserver_validating_admission_policy_check_duration_seconds_bucket{policy="pod-security.policy.example.com"}[5m])) by (le))

To find the rate of the policy evaluation.

rate(apiserver_validating_admission_policy_check_total{policy="pod-security.policy.example.com"}[5m])

You can read the metrics reference to learn more about the metrics above. The metrics of ValidatingAdmissionPolicy are currently in alpha, and more and better metrics will come while the stability graduates in the future release.

24 Apr 2024 12:00am GMT

Anyone making the upgrade to Ubuntu 24.04 LTS from the previous LTS, Ubuntu 22.04, is in for a treat because the amount of improvements on offer is vast. In addition to all of the new features Ubuntu 24.04 has added in the past 6 months LTS upgraders finally get to experience and enjoy the myriad of new features that were added in the Ubuntu 22.10, 23.04, and 23.10 releases. Those upgrading from the previous LTS will find 2 years worth of changes on offer in Ubuntu 24.04 - It amounts to a lot of change! In this post I run-through […]

You're reading Ubuntu 24.04 LTS: 20 Major Changes to Look Out For, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

23 Apr 2024 11:04pm GMT

Next time you stop by the Flathub website you will notice it's had a bit of a revamp. The latest UI refresh lands a year after its last big redesign and builds on that look by adding new on-page features. These changes make it easier for Linux users to find the apps they are looking for and come across new software they might not have heard of. - That is unless they regularly read sites like mine, eh 😉. The Flathub homepage is now topped by a new banner slider (updated weekly) which promotes 5 apps. There's also a new […]

You're reading The Official Flathub Website Just Got a Fab Revamp, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

23 Apr 2024 3:16pm GMT

Read-only volume mounts have been a feature of Kubernetes since the beginning. Surprisingly, read-only mounts are not completely read-only under certain conditions on Linux. As of the v1.30 release, they can be made completely read-only, with alpha support for recursive read-only mounts.

Read-only volume mounts are not really read-only by default

Volume mounts can be deceptively complicated.

You might expect that the following manifest makes everything under /mnt in the containers read-only:

---
apiVersion: v1
kind: Pod
spec:
 volumes:
 - name: mnt
 hostPath:
 path: /mnt
 containers:
 - volumeMounts:
 - name: mnt
 mountPath: /mnt
 readOnly: true

However, any sub-mounts beneath /mnt may still be writable! For example, consider that /mnt/my-nfs-server is writeable on the host. Inside the container, writes to /mnt/* will be rejected but /mnt/my-nfs-server/* will still be writeable.

New mount option: recursiveReadOnly

Kubernetes 1.30 added a new mount option recursiveReadOnly so as to make submounts recursively read-only.

The option can be enabled as follows:

---
apiVersion: v1
kind: Pod
spec:
 volumes:
 - name: mnt
 hostPath:
 path: /mnt
 containers:
 - volumeMounts:
 - name: mnt
 mountPath: /mnt
 readOnly: true
 # NEW
 # Possible values are `Enabled`, `IfPossible`, and `Disabled`.
 # Needs to be specified in conjunction with `readOnly: true`.
 recursiveReadOnly: Enabled

This is implemented by applying the MOUNT_ATTR_RDONLY attribute with the AT_RECURSIVE flag using mount_setattr(2) added in Linux kernel v5.12.

For backwards compatibility, the recursiveReadOnly field is not a replacement for readOnly, but is used in conjunction with it. To get a properly recursive read-only mount, you must set both fields.

Feature availability

To enable recursiveReadOnly mounts, the following components have to be used:

• Kubernetes: v1.30 or later, with the RecursiveReadOnlyMounts feature gate enabled. As of v1.30, the gate is marked as alpha.

• CRI runtime:

  • containerd: v2.0 or later

• OCI runtime:

  • runc: v1.1 or later
  • crun: v1.8.6 or later

• Linux kernel: v5.12 or later

What's next?

Kubernetes SIG Node hope - and expect - that the feature will be promoted to beta and eventually general availability (GA) in future releases of Kubernetes, so that users no longer need to enable the feature gate manually.

The default value of recursiveReadOnly will still remain Disabled, for backwards compatibility.

How can I learn more?

Please check out the documentation for the further details of recursiveReadOnly mounts.

How to get involved?

This feature is driven by the SIG Node community. Please join us to connect with the community and share your ideas and feedback around the above feature and beyond. We look forward to hearing from you!

23 Apr 2024 12:00am GMT

Discover how IBM Cloud's bare metal servers offer highly confined and high-performing single-tenant cloud isolation through the use of Ubuntu Core and Snaps, supported by the AMD Pensando Elba DPU (Data Processing Unit). This setup enables the creation of secure and efficient environments for each tenant. Its design ensures the total separation of their servers […]

22 Apr 2024 4:52pm GMT

Linux provides different namespaces to isolate processes from each other. For example, a typical Kubernetes pod runs within a network namespace to isolate the network identity and a PID namespace to isolate the processes.

One Linux namespace that was left behind is the user namespace. This namespace allows us to isolate the user and group identifiers (UIDs and GIDs) we use inside the container from the ones on the host.

This is a powerful abstraction that allows us to run containers as "root": we are root inside the container and can do everything root can inside the pod, but our interactions with the host are limited to what a non-privileged user can do. This is great for limiting the impact of a container breakout.

A container breakout is when a process inside a container can break out onto the host using some unpatched vulnerability in the container runtime or the kernel and can access/modify files on the host or other containers. If we run our pods with user namespaces, the privileges the container has over the rest of the host are reduced, and the files outside the container it can access are limited too.

In Kubernetes v1.25, we introduced support for user namespaces only for stateless pods. Kubernetes 1.28 lifted that restriction, and now, with Kubernetes 1.30, we are moving to beta!

What is a user namespace?

Note: Linux user namespaces are a different concept from Kubernetes namespaces. The former is a Linux kernel feature; the latter is a Kubernetes feature.

User namespaces are a Linux feature that isolates the UIDs and GIDs of the containers from the ones on the host. The identifiers in the container can be mapped to identifiers on the host in a way where the host UID/GIDs used for different containers never overlap. Furthermore, the identifiers can be mapped to unprivileged, non-overlapping UIDs and GIDs on the host. This brings two key benefits:

• Prevention of lateral movement: As the UIDs and GIDs for different containers are mapped to different UIDs and GIDs on the host, containers have a harder time attacking each other, even if they escape the container boundaries. For example, suppose container A runs with different UIDs and GIDs on the host than container B. In that case, the operations it can do on container B's files and processes are limited: only read/write what a file allows to others, as it will never have permission owner or group permission (the UIDs/GIDs on the host are guaranteed to be different for different containers).

• Increased host isolation: As the UIDs and GIDs are mapped to unprivileged users on the host, if a container escapes the container boundaries, even if it runs as root inside the container, it has no privileges on the host. This greatly protects what host files it can read/write, which process it can send signals to, etc. Furthermore, capabilities granted are only valid inside the user namespace and not on the host, limiting the impact a container escape can have.

Without using a user namespace, a container running as root in the case of a container breakout has root privileges on the node. If some capabilities were granted to the container, the capabilities are valid on the host too. None of this is true when using user namespaces (modulo bugs, of course 🙂).

Changes in 1.30

In Kubernetes 1.30, besides moving user namespaces to beta, the contributors working on this feature:

• Introduced a way for the kubelet to use custom ranges for the UIDs/GIDs mapping
• Have added a way for Kubernetes to enforce that the runtime supports all the features needed for user namespaces. If they are not supported, Kubernetes will show a clear error when trying to create a pod with user namespaces. Before 1.30, if the container runtime didn't support user namespaces, the pod could be created without a user namespace.
• Added more tests, including tests in the cri-tools repository.

You can check the documentation on user namespaces for how to configure custom ranges for the mapping.

Demo

A few months ago, CVE-2024-21626 was disclosed. This vulnerability score is 8.6 (HIGH). It allows an attacker to escape a container and read/write to any path on the node and other pods hosted on the same node.

Rodrigo created a demo that exploits CVE 2024-21626 and shows how the exploit, which works without user namespaces, is mitigated when user namespaces are in use.

Please note that with user namespaces, an attacker can do on the host file system what the permission bits for "others" allow. Therefore, the CVE is not completely prevented, but the impact is greatly reduced.

Node system requirements

There are requirements on the Linux kernel version and the container runtime to use this feature.

On Linux you need Linux 6.3 or greater. This is because the feature relies on a kernel feature named idmap mounts, and support for using idmap mounts with tmpfs was merged in Linux 6.3.

Suppose you are using CRI-O with crun; as always, you can expect support for Kubernetes 1.30 with CRI-O 1.30. Please note you also need crun 1.9 or greater. If you are using CRI-O with runc, this is still not supported.

Containerd support is currently targeted for containerd 2.0, and the same crun version requirements apply. If you are using containerd with runc, this is still not supported.

Please note that containerd 1.7 added experimental support for user namespaces, as implemented in Kubernetes 1.25 and 1.26. We did a redesign in Kubernetes 1.27, which requires changes in the container runtime. Those changes are not present in containerd 1.7, so it only works with user namespaces support in Kubernetes 1.25 and 1.26.

Another limitation of containerd 1.7 is that it needs to change the ownership of every file and directory inside the container image during Pod startup. This has a storage overhead and can significantly impact the container startup latency. Containerd 2.0 will probably include an implementation that will eliminate the added startup latency and storage overhead. Consider this if you plan to use containerd 1.7 with user namespaces in production.

None of these containerd 1.7 limitations apply to CRI-O.

How do I get involved?

You can reach SIG Node by several means:

• Slack: #sig-node
• Mailing list
• Open Community Issues/PRs

You can also contact us directly:

• GitHub: @rata @giuseppe @saschagrunert
• Slack: @rata @giuseppe @sascha

22 Apr 2024 12:00am GMT

Why aren't there more design contributions in open source? Help us find out!

19 Apr 2024 10:11am GMT

#​684 - April 18, 2024 Read on the Web JavaScript Weekly Quill 2.0: A Powerful Rich Text Editor for the Web - A major release and significant modernization for the open source WYSIWYG editor. In Announcing Quill 2.0, we learn about Quill's transition to TypeScript and improved use of modern browser features, but there's more going on too, such as its ESM packaging. Want to play with some code? There's a playground. Slab Inc. Airbnb's Extensive JavaScript Style Guide - It's been years since we mentioned this popular, opinionated style guide, but it keeps getting little tweaks and repairs and remains a handy resource nonetheless. Airbnb WorkOS: Enterprise-Grade Auth for Modern SaaS Apps - WorkOS supports both the foundational auth and complex enterprise features like SSO. It provides flexible and easy-to-use APIs, helping companies like Vercel, Loom, and Webflow become Enterprise Ready. Best of all, WorkOS User Management supports up to 1 million MAUs for free. WorkOS sponsor Upgrading jQuery: Working Towards a Healthy Web - jQuery remains all over the Web, and the jQuery team and OpenJS Foundation have joined forces to make sure sites get up to date. Their 'Healthy Web Checkup' tool can tell you if the version of jQuery on a site is outdated (.. most likely 'yes' 😅). Timmy Willison (jQuery) Biome v1.7: Faster Formatting and Linting, Now Even Easier to Migrate To - Biome is an increasingly compelling, all-in-one JavaScript, TypeScript and JSX Prettier-compatible formatter and linter. v1.7 makes it easier to migrate to from ESLint and Prettier, can emit machine-readable JSON reports, and has some rule updates. Biome Core Team IN BRIEF: 🤡 ▶️ Interview with Senior JS Developer 2024 is a satirical(?) take on the state of modern development and increasingly complex ecosystems. Watch to either laugh or cry. (6 minutes.) 📺 Bartek Szwej has put together a list of 300 JavaScript-related videos from the past year, ordered by their YouTube view count. f(x) (a.k.a. fx) is a great CLI tool for viewing JSON data. It now includes a JS engine so you can process JSON with JavaScript one-liners at the terminal, too. Joyee Cheung shares a trip report from Node.js's latest collaboration summit, touching on the topics the Node team is thinking about lately. The folks at Deno go into depth about how they built JSR, the newest JavaScript registry, and how it can operate at scale. "Much faster JSX element creation" is on the way for React developers. 📒 Articles & Tutorials Building a CLI from Scratch with TypeScript and oclif - oclif is a mature CLI tool development framework maintained by Salesforce. This tutorial goes from zero to something that works. Josh Cunningham Qwik vs. Next.js: Which is Right for Your Next Web Project? - A point by point faceoff between Qwik vs Next.js and why the author thinks Qwik takes the gold medal. Samuel Mendenhall (Cisco) RAG to Riches Developer Quest - Interact with AI-enhanced bots and learn to build your own RAG chatbot with Atlas Vector Search and Node.js. MongoDB sponsor CSS in React Server Components - An exploration of compatibility issues between React Server Components and CSS-in-JS libraries like styled-components. Josh W Comeau Profiling Node.js Performance with Chrome's Performance Panel - Learn how to profile Node performance with Chrome's Performance panel. (The JS Profiler is going away in Chrome 124, so you'll need to become familiar with the newer approach.) Chrome for Developers 📄 Keeping Up with the Node-ish Ecosystem - How Mux updated its legacy Node SDK to work with new JS runtimes. Dylan Jhaveri (Mux) 📄 Building an Interactive 3D Event Badge with React Three Fiber Paul Henschel (Vercel) 📄 A Deep Dive into Rspack and Webpack Tree Shaking hardfist 📄 Things I Like Better in Vue Than in React Jaydev Mahadevan 📄 Converting Plain Text To Encoded HTML With Vanilla JS Alexis Kypridemos 🛠 Code & Tools TresJS: Build 3D Experiences with Vue.js - Create 3D scenes with Vue components and Three.js. Think React-three-fiber but more.. Vue flavored. There's an online playground if you want to give it a quick spin (literally). Alvaro Sabu Next.js 14.2 Released - Approaching its eighth birthday, Next.js has passed 1 million monthly active developers and landed a release with support for using Turbopack to improve local development, memory usage, CSS and caching optimizations, improved error messages, and more. Delba de Oliveira and Tim Neutkens Porkbun - The Best Domain Registrar for JavaScript Developers - JavaScript developers choose Porkbun to register their domains. Get .dev, .app, or .foo for just $5 from Porkbun now. Porkbun sponsor Otto 0.4: A JavaScript Parser and Interpreter in Go - A JavaScript parser and interpreter written natively in Go (yes, we have a newsletter for that) which could be of interest if you want to add scripting to Go apps. Robert Krimen Wedges: A Collection of UI Components for React - Built and used by the folks at Lemon Squeezy, this is a well thought, aesthetically pleasing set of Radix UI and Tailwind CSS based components. You can also download a Figma file of them to use when mocking up layouts. GitHub repo. Lemon Squeezy HyperFormula: A Headless Spreadsheet System - A headless spreadsheet system - it provides the parsing, evaluation and representation of a spreadsheet, with you providing the UI, if you need one. Boasts 'nearly full compatibility' with Excel. Note the dual GPLv3 and commercial licensing. Handsoncode svelte-dnd-action: An Action-Based Drag and Drop Container for Svelte - Makes the bold claim that it "supports almost every imaginable drag and drop use-case, any input device and is fully accessible." Isaac Hagoel ⚙️ Zoompinch: A Natural Feeling 'Pinch to Zoom' for Vue 3 - Expected to come in React and Web Component variants in time. Maurice Conrad ⚙️ Craft.js - A React framework for building drag and drop page editors. Prev Wong ⚙️ Kotekan - A simple React framework built on Bun and supporting React Server Components. Benedikt Müller ⚙️ Cytoscape.js 3.29 - Graph theory/network visualization and analysis library. ⚙️ Tailwind Next.js Starter Blog 2.2 - A blogging starter template. ⚙️ RxDB 15.18 - Offline-first, reactive database for JS apps. ⚙️ JZZ 1.8.2 - MIDI library for Node and browsers. ⚙️ Ember.js 5.8 ⏳ A Blast from the Past Visualizing Algorithms - This fantastic post is now ten years old, but I revisited it recently and it's such a joy. Mike Bostock (of D3.js fame) visually guides us through some algorithms using both demos and code. Mike Bostock

18 Apr 2024 12:00am GMT

#​683 - April 11, 2024 Read on the Web JavaScript Weekly Frontend Development Beyond React: Svelte - A surprisingly thorough article going deep into one developer's research into using Svelte to build modern front-end apps. If you've never experimented with Svelte, this is a good primer to the key concepts, tradeoffs, and techniques involved. Héla Ben Khalfallah 🛠 A JS Bin to Play with the TC39 Signals Proposal - Last week, we featured the proposal to add signals to JavaScript and by way of a polyfill, you can get experimenting with it right now. NullVoxPopuli Add Excel-Like Spreadsheet Functionality to Your JavaScript Apps - SpreadJS is the industry-leading JavaScript spreadsheet for adding advanced spreadsheet features to your enterprise apps. Build finance, analysis, budget, and other apps. Excel I/O, 500+ calc functions, tables, charts, and more. View demos now. SpreadJS from MESCIUS inc sponsor zx v8.0: Write Better Shell Scripts with Node - A popular way to make shell scripting a more pleasant experience in Node with useful wrappers around child_process, argument escaping, and sensible defaults. v8.0 makes zx 20x smaller, faster, makes it easier to kill processes, pass input to commands & more. Google IN BRIEF: Val Town is a fantastic online platform for writing and deploying TypeScript functions right from the browser and has just raised $5.5m in funding. The set methods proposal advanced to stage 4 at TC39 this week. Promise.try and Math.sumPrecise have advanced to stage 2.7. 🚗 What happens if 𝕏 you hack a car with JavaScript? Cloudflare has added a JS-native RPC to Cloudflare Workers. A recap of Angular developments at the recent ngConf 2024 event. RELEASES: ESLint 9.0 - A significant release with lots of cleanups, a new no-useless-assignment rule, and numerous tweaks and changes. VitePress 1.1 - Vite & Vue-powered static site generator. npm 10.5.2 - It's now 𝕏 faster to run scripts, though we're talking milliseconds nowadays. Node.js April 10 Security Releases - Including v18.20.2 (LTS), v20.12.1 (LTS), and v21.7.3 (Current). We mentioned Gulp 5's release last week, but missed the announcing Gulp v5 post explaining why it's a big deal. 📒 Articles & Tutorials On Developing Figma Plugins - Some interesting observations on the experience of creating Figma plugins in JavaScript, including how they're sandboxed and some implementation details of the author's own plugin. Tom MacWright React Server Components in a Nutshell - A quick overview of RSCs not all about Next.js, comparing the approach taken by several frameworks before sharing thoughts on the tech and why the smaller Waku framework is worth a look. Paul Scanlon (The New Stack) Using AI-Powered Autofix to Fix Your Broken Code - Join Sentry live on April 25th, to preview Autofix and learn how we are using ML to prioritize issues and alerts. Sentry sponsor Some DevTools Tips and Tricks - Most developers barely scratch the surface of what DevTools can accomplish, says the author, who shares ten tips here. Pankaj Parashar 📄 Object Structure in JavaScript Engines - You rarely need to know how objects are internally represented in JavaScript engines, but if you want to.. Frontend Almanac 📄 The Easiest Way to Build Reactive Local-First Apps, with TinyBase and PowerSync Benedikt Müller 📄 Building an Article Recommendation System with Upstash, Fly and OpenAI Rishi Raj Jain 📄 Browser Security Bugs That Aren't: JavaScript in PDFs ericlaw 📄 Exploring Authentication in Next.js Robin Wieruch 🛠 Code & Tools Madge 7.0: Create Graphs From Your Module Dependencies - A tool for generating a visual graph of module dependencies, finding circular dependencies, and discovering other useful info. Patrik Henningsson PythonMonkey: A JavaScript Engine in the Python VM - If you need to use Python but also want to run JavaScript, this gives you a way to do it with the Mozilla SpiderMonkey JS engine embedded into the Python runtime with Python providing the host environment. Distributive ❤️ Loving console.log Is Easy, but Hate 😡 Losing Context to View Messy Output - Developer productivity tools Wallaby.js, Quokka.js and Console Ninja show console.log values and errors right next to your code. Wallaby Team sponsor Faces.js: A Library for Generating Vector-Based Cartoon Faces - The end results are somewhat reminiscent of how the Nintendo Wii generates random Miis. Faces are drawn as SVGs with each also represented by a JavaScript object so you can draw them again later. ZenGM Color.js 0.5: 'Let's Get Serious About Color' - A fantastic library for working with colors in the browser, following the latest specs. It's even been used by browsers to test their CSS Color 4/5 implementations. Lea Verou and Chris Lilley Preview.js: Preview UI Components Instantly in Your IDE - Namely, VS Code or JetBrain IDEs, out of the box. Compatible with components built for React, Vue, Svelte and Solid. Zenc Labs Pty Kosko: Organize Kubernetes Manifests in JavaScript - Version 4.1 has just been released with a new plugin system. Tommy Chen Transformational Auth & Identity | Userfront - "Compared to our previous experiences in the security/auth space, Userfront is an order of magnitude simpler to use." Userfront sponsor Mikro ORM 6.2 - TypeScript ORM for Node.js based on Data Mapper. SQL Server and libSQL/Turso join the list of supported databases. Rspack 0.6 - Fast Rust-based web bundler. Pixi.js 8.1 - The fast WebGL and WebGPU 2D graphics engine switches back to WebGL by default due to immature browser support. Jotai 2.8 - Simple, flexible state management for React. DOMPurify 2.5 - Fast, tolerant XSS sanitizer for HTML and SVG. Reveal.js 5.1 - Framework for building presentations in HTML. Xterm.js 5.5 - Create terminal experiences on the Web. TIFF 6.0 - Pure JS TIFF image decoder. Shiki 1.3 - Powerful syntax highlighter. 🛞 It's wheely good.. Remember the iPod's click wheel? It's back. In JavaScript form!

11 Apr 2024 12:00am GMT

#​682 - April 4, 2024 Read on the Web JavaScript Weekly A Proposal to Add Signals to JavaScript - A (very) early stage proposal for bringing a new feature to ECMAScript/JavaScript: signals! The proposal brings aboard ideas from a swathe of popular frameworks and aims to align everyone and get us on the same page when it comes to working with state and making updates based upon changes to state. Rob writes more about the proposal here. Rob Eisenberg and Daniel Ehrenberg Build a RAG Chatbot App with MongoDB and Node.js - Embark on the RAG to Riches Developer Quest - a month of innovation, learning, and exclusive rewards awaits you. You'll interact with AI-enhanced bots and learn how to build your own with Atlas Vector Search and Node.js. Register now! MongoDB sponsor JS-Torch: A PyTorch-Like Library for JavaScript - Python's PyTorch is one of the gold standards amongst machine learning libraries, but this project brings some of its features directly into the JavaScript world. Here's a live browser-based demo. Early days but this could become a big deal. Eduardo Leao Bun 1.1 Released: Now Supports Windows Too - With the lighthearted codename of Bundows, the alternative server side runtime now runs directly on Windows 10 and up (plus WSL, macOS and Linux, of course). This is a key step in its adoption, with even features like Bun Shell happy on Windows out of the box. Node compatibility continues to improve with support for node:http2 and IPC support between Bun and Node processes. The Entire Bun Team IN BRIEF: Samuel Groß of the V8 team explains the V8 Sandbox, a security mechanism designed to prevent memory corruption in the V8 engine impacting other memory in the process. Dexie.js is a popular wrapper for IndexedDB and its creator has launched Dexie Cloud, a platform to store and synchronize data between apps. Svelte's Rich Harris is 'shaken up' after a misunderstanding around 'self-closing' HTML tags and their effect on Svelte. 🤡 There was a curious JS-themed April Fools prank where a .js TLD for domain names was 'announced'. Sadly, it's not true, but there is js.org if you want something vaguely similar. An official update on the merging of Angular and Wiz. RELEASES: Deno 1.42 - The alternative JS runtime adds first class support for JSR and improves Node.js compatibility further. Babylon.js 7 (homepage) - Key release of the popular rendering engine. Node.js April 3 Security Releases - Includes 18.20.1, 20.12.1 & 21.7.2. Docusaurus 3.2 - Popular content/docs site generator. Gulp 5.0 📒 Articles & Tutorials What Even Is a JSON Number? - Despite the presence of standards around JSON, the answer is more complicated than you'd think, particularly when it comes to interfacing with other ecosystems and languages that aren't JavaScript. Brian Terlson The History of JS Interop in Dart - About twelve years ago, Google introduced Dart, a language which initially seemed set to take over a lot of JavaScript's use cases, but which eventually found its own niche (notably with Flutter). JS interoperability has remained important, though, and with Dart 3.3 has gotten significantly better. Sigmund Cherem (Google) Everything I've Learned About Scaling Designs Systems (With Examples) - I've learned a lot about what it takes to build, maintain, and scale design systems initiatives at large companies. StackBlitz sponsor The BFCache Explained - The back/forward cache ('bfcache') is a browser optimization that makes going back and forward in the browser a faster experience - it's been present for years and usually leaves you alone as a JavaScript developer, but there are things worth being aware of. Sabatino Masala Running OCR Against PDFs and Images Directly in the Browser - A look behind the scenes at creating a simple tool using JavaScript to perform OCR against images and PDFs dragged on to the page. Simon Willison The Easy Way to Access the Last Array Element Ignace Maes A Comparison of JavaScript CRDTs Alexis Métaireau 🛠 Code & Tools Cally: Small, Feature-Rich Calendar Components - A collection of open-source calendar components for selecting single dates or date ranges. Framework-agnostic, themeable, localizable, and accessible (it even has an accessibility statement showing its commitment to this area). Nick Williams 📊 Counterscale: Scalable Web Analytics You Can Run on Cloudflare - A simple web analytics tracker and dashboard that's designed to be easy to deploy and maintain by hosting it on Cloudflare (for free too, up to a certain level). Ben Vinegar Product for Engineers: A Newsletter Helping Flex Your Product Muscle - Subscribe for free to get curated advice on building great products and best practices of top startups. PostHog sponsor 🎵 Tonal.js: A Music Theory Library - Packed with functions to manipulate tonal elements of music like notes, intervals, chords, scales, modes, and keys, and used as the basis of other music related projects. GitHub repo. danigb Fancy-ANSI: Convert ANSI Text to HTML - If, for some reason, you want to convert text with ANSI escape codes into HTML.. Lots of examples on the homepage. GitHub repo. Andres Morey Dioma: Dependency Injection Container for Vanilla JS and TS - No decorators, no annotations, no magic, no dependencies - you just add the static scope property to your class and use inject to get an instance. Eugene Daragan svelte-zoomable-circles: Svelte Component for Browsing Hierarchical Data - A Svelte component for displaying and browsing hierarchical data using zoomable circles. Live demo. Tyler Berbert VineJS 2.0 - Form data validation library for Node.js. PGlite 0.1.1 - Lightweight Postgres packaged as WASM into a TypeScript library for the browser, Node.js, Bun and Deno. Now supports Postgres array types. TS-Pattern 5.1 - Pattern matching library with smart type inference. ical.js 2.0 - Parser for ICS (RFC5545) and vCard (RFC6350) data. Minimatch 9.0.4 - Glob matching function - used by npm itself. vue-tel-input 9.0 - Telephone number input for Vue. (Demo.) OverlayScrollbars 2.7 - JS custom scrollbar plugin. Octokit.js 3.2 - 'Batteries-included' GitHub SDK.

04 Apr 2024 12:00am GMT