What happens when a major npm library goes commercial?
This edition covers the switch of a popular library to a restrictive license, Node.js performance tips, and new releases.
Hi Folks,
A few weeks have passed, and I've been so busy catching up with my backlog. As this issue goes out, I'll be back at inbox zero. I'm glad I had some time to catch up, as the last few months have been incredibly hectic.
This issue covers a topic that is very dear to me: OSS sustainability. We have seen plenty of ways to fund Open Source in the last few years, and a move to commercial software is happening. This is now happening to libraries in npm as well.
ua-parser-js switching to AGPL+commercial. Welcome my-ua-parser.
What happens when a library with 54 million monthly downloads switches from MIT to an AGPL+commercial license? We are about to find out as this license combo is very restrictive and it rules out any commercial SaaS usage (or any other usage that does not involve releasing the full source code).
In issue #680, Faisal Salman explains the reasoning behind the change and his choice for monetizing this project after the huge success. In essence, he did a "rug pull". It's important to note that old versions will not be altered. However, they will not receive many releases and new features.
Unfortunately, any permissive Open Source project relying on this library can't continue using it long term. We used ua-parser-js in Platformatic for a simple check, and we couldn't justify having our users pay a license for this. Therefore, I have decided to fork the library and create my-ua-parser.
I don't plan to do much work on it; I need it to be Open Source to avoid an accidental upgrade that our license checker might not catch in an auto-update.
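The failure mode described above, a relicensed release slipping in through an auto-update, can be gated by diffing the lockfile before and after the update. The following is an added example, not Platformatic's license checker or code from the newsletter: it assumes npm lockfile v2/v3 (entries under `packages` may carry a `license` field), and the allowlist, the versions, the AGPL identifier and the `example-no-license` package are constructed sample data.

```javascript
// Added example: flag dependencies whose license changed, or is not allowed,
// between two npm lockfiles (e.g. base branch vs. auto-update PR).
const ALLOWED = new Set(['MIT', 'ISC', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause']);

// Collect { version, license } per installed path; a missing license fails closed.
function licensesFromLock(lock) {
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    out.set(path, { version: meta.version, license: meta.license ?? 'UNKNOWN' });
  }
  return out;
}

// Compound SPDX expressions are not parsed: anything not literally in the
// allowlist is reported for human review.
function licenseFindings(beforeLock, afterLock, allowed = ALLOWED) {
  const before = licensesFromLock(beforeLock);
  const findings = [];
  for (const [path, now] of licensesFromLock(afterLock)) {
    const prev = before.get(path);
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (prev && prev.license !== now.license) {
      findings.push({ name, kind: 'license-changed', from: prev.license, to: now.license, version: now.version });
    } else if (!allowed.has(now.license)) {
      findings.push({ name, kind: 'not-allowed', to: now.license, version: now.version });
    }
  }
  return findings;
}

// Constructed sample lockfiles (versions and license strings are illustrative).
const BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/ua-parser-js': { version: '1.0.0', license: 'MIT' },
  'node_modules/pino': { version: '9.2.0', license: 'MIT' },
} };
const AFTER = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/ua-parser-js': { version: '2.0.0', license: 'AGPL-3.0-or-later' },
  'node_modules/pino': { version: '9.2.1', license: 'MIT' },
  'node_modules/example-no-license': { version: '0.0.1' },
} };

for (const f of licenseFindings(BEFORE, AFTER)) {
  console.log(`${f.kind}: ${f.name}@${f.version} ${f.from ?? ''} -> ${f.to}`);
}
```

In CI, a non-empty result from `licenseFindings` would fail the update job so the upgrade is reviewed instead of merged automatically.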
Articles
- Tuning Node.js and V8 settings to unlock 2x performance and efficiency
- A PostgreSQL-based Stackable to Simplify Webhooks Integration
- I'm giving up — on open source - Blog
- Secfault Security - Deno: Digging Tunnels out of a JS Sandbox
- Should Node.js be built with ClangCL under Windows? – Daniel Lemire's blog
- Why Patching Globals Is Harmful
- It's always TCP_NODELAY. Every damn time. - Marc's Blog
- Open source is neither a community nor a democracy
- Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach
- Everybody wants a flexible system
- Recommend branch based feature flag overrides – Vercel
- WebAssembly: A promising technology that is quietly being sabotaged
- Cloudflare took down our website after trying to force us to pay 120k$ within 24h
- [Removing ad trackers and cookies - the technical perspective](https://blog.sentry.io/removing-ad-trackers-and-cookies-the-technical-perspective/)
- How To Use Corepack
- The popover drama
- Injecting HTML into a Fastify Static File Server
- Poor Express Authentication Patterns in Node.js and How to Avoid Them
- Eigensolutions: composability as the antidote to overfit • Lea Verou
- Why, after 6 years, I’m over GraphQL
- Node.js core values | by Tracy Hinds | Node.js Collection | Medium
- The V8 Sandbox · V8
- We've added JavaScript-native RPC to Cloudflare Workers
- Lazy promises
- ESLint v9.0.0 released - ESLint - Pluggable JavaScript Linter
- The threat to open source comes from within
- Upcoming Changes to the Test Runner in Node 22
- How an empty S3 bucket can make your AWS bill explode
- Node.js is here to stay
Server-Side JavaScript with Node.js by Natalia Venditto
The upcoming course from Natalia Venditto is a comprehensive video collection designed for both seasoned program managers and new hires or junior developers. It features bite-sized videos covering essential JavaScript topics, including syntax, variables, functions, asynchronous programming, transpiling, and server-side JavaScript. The course emphasizes JavaScript's critical role in modern web development.
Watch at https://www.oreilly.com/library/view/server-side-javascript-with/0642572039684/.
Releases
- undici v6.18.0 adds support for per-message deflate to WebSocket. v6.18.1 adds support for global Headers. v6.18.2 adds support for retrying with a body.
- asyncforge v0.3.0 removes the `forge()` method.
- fast-json-stringify v5.16.0 reduces the bundle size of the generated serializers.
- fastify-html v0.4.0 adds support for async mode.
- @fastify/multipart v8.3.0 adds the `formData` decorator.
- @fastify/under-pressure v8.5.0 supports the `pressureHandler` on the route config.
- pino-pretty v11.2.0 adds injection of lacking arguments of `customPrettifiers`. v11.2.1 adds the types for `useOnlyCustomProps`.
- fastify-html v0.5.0 upgrades to ghtml v2 which fixes a problematic security issue.
- pino v9.2.0 shallow clone target and many pino browser. v9.2.1 forward esm syntax errors.
- pino-syslog v3.1.0 configure writes synchronously.
- fastify-cli v6.2.0 adds support for preloading ES module with --import flag and many bugfixes.
- @fastify/autoload v5.9.0 supports a callback for the `autoConfig` property.
- @fastify/one-line-logger v1.4.0 enables colorization by default.
- thread-stream v3.1.0 forwards the error if there is an ESM syntax error.
- fastify v4.28.0 adds support for type inference with auxiliary hook handlers.
- undici v6.19.0 performance improvements; adds support for pre-shared sessions; drops the websocket experimental warning.