Trojan Source, Automatic type detection for Fastify routes and other Adventures in Nodeland - Issue #33

                            November 2, 2021

                Trojan Source, Automatic type detection for Fastify routes and other Adventures in Nodeland - Issue #33

                        Hi Everyone! Thanks for keep reading this weekly newsletter on my open source endeavors. This week edition is centered on a new supply chain vulnerability affecting a lot of languages/compilers/runtimes, a new feature coming in Fastify v4 and some docs for pino.

A new week start and a new supply chain attack become possible. This one is a tricky, subtle one that attacks humans by making the code they read different from the code it is excuted. Read up the paper at:

Trojan Source Attacks
Read the paper describing the new attack!

www.trojansource.codes

Then the GitHub response to it:

Warning about bidirectional Unicode text | GitHub Changelog
A warning is now displayed when a file’s contents include bidirectional Unicode text. Such text can be interpreted or compiled differently than it appears in a user interface. For example, hidden, bidirectional Unicode characters can be used to swap segments of text in a file.

github.blog

Warning about bidirectional Unicode text | GitHub Changelog
A warning is now displayed when a file’s contents include bidirectional Unicode text. Such text can be interpreted or compiled differently than it appears in a user interface. For example, hidden, bidirectional Unicode characters can be used to swap segments of text in a file.

github.blog

And finally what is the Node.js stance in all of this. If you do not bother to read all of this, there is a link with a script included that you should be including in your security scans:

Node.js project review of CVE-2021-42574 and CVE-2021-42694
Read Node.js response to the new “Trojan Source” supply chain attack.

groups.google.com

Here is the script you can use to sanitize/check your codebase.

GitHub - siddhesh/find-unicode-control
Contribute to siddhesh/find-unicode-control development by creating an account on GitHub.

github.com

      Fastify

This week I’m so proud to announce that Fastify v4 will finally solve the number one feature requested by typescript users: the ability to automatically derive the JSON schemas from types (and viceversa) and have it all wired up automatically to reduce the boilerplate to a minimum.

The following PR brings the dream of every TypeScript fan close to reality: request parameters, query and body validated and typed correctly, just by writing TypeScript. Check it out, it will be part of Fastify v4:

Fastify Type Providers by sinclairzx81 · Pull Request #3398 · fastify/fastify · GitHub
This PR provides a working type plugin system to enable third party inference libraries to interface Fastify’s type definitions. The implementation primarily focuses on setting up the necessary types to enable such plugins, but also implements the Type Provider mechanism which was mentioned on #3391.

github.com

Fastify Type Providers by sinclairzx81 · Pull Request #3398 · fastify/fastify · GitHub
This PR provides a working type plugin system to enable third party inference libraries to interface Fastify’s type definitions. The implementation primarily focuses on setting up the necessary types to enable such plugins, but also implements the Type Provider mechanism which was mentioned on #3391.

github.com

This amazing work was done by @sinclairzx81, the amazing developer behind typebox, check it out if you want to use TypeScript and Fastify together for awesome data validation.

@sinclair/typebox - npm
JSONSchema Type Builder with Static Type Resolution for TypeScript

www.npmjs.com

Check out Manuel Spigolon blog post on how to handle multipart uploads with Fastify:

Fastify Multipart File Upload
Subscribe to my newsletter and never miss my upcoming articles by Manuel Spigolon

backend.cafe

Fastify Multipart File Upload
Subscribe to my newsletter and never miss my upcoming articles by Manuel Spigolon

backend.cafe

      Pino

A few people have been opening issues about how to fix the prettyPrint deprecation in pino@7. I have been working hard on the the docs to improve this.

Mention the prettyPrint deprecation in the README. by mcollina · Pull Request #255 · pinojs/pino-pretty · GitHub
as titled

github.com

Mention the prettyPrint deprecation in the README. by mcollina · Pull Request #255 · pinojs/pino-pretty · GitHub
as titled

github.com

Improve docs and deprecation about prettyPrint by mcollina · Pull Request #1203 · pinojs/pino · GitHub
🌲 super fast, all natural json logger. Contribute to pinojs/pino development by creating an account on GitHub.

github.com

Improve docs and deprecation about prettyPrint by mcollina · Pull Request #1203 · pinojs/pino · GitHub
🌲 super fast, all natural json logger. Contribute to pinojs/pino development by creating an account on GitHub.

github.com

      Articles and News

Here is an oldish article from Shawn about REST vs GraphQL that I set aside some time back.. I would call it a classic, take a look.

Why do Webdevs keep trying to kill REST? : The epic client-server battle of our time ∊ swyx.io
How I broke out of the tiresome REST vs GraphQL debate - by realizing that the real battle is between Smart Clients and Smart Servers!

www.swyx.io

What would be needed to get an interview at a big tech company? Apparently a lot of buzzword. This twitter thread explains why it’s normal and you should not be surprised. 

Read this nice story about Hacktoberfest and how much effort might be needed to overcome some “unfortunate” limitation of JavaScript. I loved it:

setInterval() and the 32 bit debacle.
Backstory I first set out at the start of October to complete 4 Pull Requests for Hacktoberfest.

dev.to

                            Don't miss what's next. Subscribe to Adventures in Nodeland: