Hi Folks,
Almost two weeks have passed since the last update. Things are hectic at Platformatic between conferences, new features, and bug fixing. This edition links everything we released in the last two weeks, including two essential security updates for @fastify/csrf-protection and @fastify/passport.
In the last two weeks, we have published a lot of Platformatic content.
We have introduced the new platformatic deploy command.
We have published a new guide on how to integrate Platformatic with Auth0 and Next.js, building a secure frontend with a secure backend.
We have released our interviews:
* Luca’s interview
* my interview
Last but not least, here is an article explaining why we are building Platformatic: “The Business case for extensible APIs”.
Pedro Adão (@pedromigueladao) (Instituto Superior Técnico, University of Lisbon) and Marco Squarcina (@lavish) (Security & Privacy Research Unit, TU Wien) performed an analysis of session handling on Fastify, and they reported three vulnerabilities that led to the following releases:
@fastify/passport v2.3.0 and v1.1.0 fix two vulnerabilities:
- (CVE-2023-29020) - the CSRF protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport, can be bypassed by network and same-site attackers. More details at GHSA-2ccf-ffrj-m4qw.
- (CVE-2023-29019) - Applications using @fastify/passport for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. More details at GHSA-4m3m-ppvx-xgw9.
Fastify v4.16.0 adds the preClose hook, plus many updates to docs and types. v4.17.0 fixes a regression introduced in v4.16.0 and adds a few missing error codes.
GitHub has finally unveiled support for npm package provenance. If we combine it with fine-grained access tokens, we can now build an automated release pipeline on top of GitHub Actions (and soon other vendors). Check it out.
Read the story on how the Vite team made Vite 4.3 faaaaster.
Is it possible to make Prisma cold start on serverless faster? Apparently, the answer is yes.
Have you ever wondered how to create custom Apple Wallet passes with React Native and Fastify?
A few people have asked me why I prefer writing things in JavaScript rather than TypeScript. According to recent benchmarks, using TypeScript can slow you down 2x.
This is a must-read article on software optimization and how to write fast software. “The effort needed to optimize code grows exponentially. In other words, to multiply the performance by N, you need 2^N optimizations.” - https://lemire.me/blog/2023/04/27/hotspot-performance-engineering-fails/
If you would like to meet me in person, you will find me at these upcoming events: