Frank de Jonge

@frankdejonge

Building https://t.co/jUqnlYhVED / typo conniosseur / Open-source has-been / Author of Flysystem - Flystorage and EventSauce - recovering from 10+ years of bad sleep

Amsterdam, North Holland · Joined February 2009
452 Following · 13.8K Followers
Frank de Jonge@frankdejonge·
My work-super-power is that I often spot when people do not understand each other, even when they say they do. This is subsequently my work curse.
Frank de Jonge@frankdejonge·
Another day, another GitHub Actions disruption. Unreliable garbage.
Frank de Jonge@frankdejonge·
@MonaKeijzer If everyone who thinks we should have care services looked after a sick person themselves, we would have far lower care costs. Problem solved! What an idiotic claim, Mona. Populist nonsense.
Frank de Jonge@frankdejonge·
Colleague: this really sucks, pardon my French… Me: suck-reblue
Frank de Jonge@frankdejonge·
I generally do not care about the Bun rust-rewrite. What I do care about is the almost inevitable influx of non-engineers that say “we can just AI 1m lines of code, just look at Bun”.
Frank de Jonge retweeted
TANSTACK@tan_stack·
SECURITY ADVISORY — TanStack npm packages

A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.

Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.

If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile

Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised.

The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).

Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.

Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…

Credit to the security researcher for responsible disclosure.
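The detection rule from the advisory above, as an added example (not TanStack's or the poster's code): it checks a parsed package.json or package-lock.json for the `@tanstack/setup` optionalDependency pointing at `github:tanstack/router#`. The sample lockfile, its package names and versions are constructed; matching on the specifier prefix only is an assumption, because the commit hash is truncated on the page, as is the lockfile carrying each package's optionalDependencies in its `packages` map (lockfileVersion 2 or 3).

```javascript
// Added example: look for the manifest indicator quoted in the advisory.
const INDICATOR_KEY = "@tanstack/setup";               // key named in the advisory
const INDICATOR_PREFIX = "github:tanstack/router#";    // hash is truncated on the page, so only the prefix is matched

// True when a package.json-shaped object carries the advisory's optionalDependencies entry.
function hasIndicator(manifest) {
  const optional = (manifest && manifest.optionalDependencies) || {};
  const spec = optional[INDICATOR_KEY];
  return typeof spec === "string" && spec.startsWith(INDICATOR_PREFIX);
}

// Scan a parsed package-lock.json and list every installed package whose
// recorded manifest fields contain the indicator, including nested copies.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!hasIndicator(entry)) continue;
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry ("") keeps its own name
    const name = entry.name || path.split("node_modules/").pop();
    findings.push({ name, version: entry.version, path });
  }
  return findings;
}

// Constructed sample lockfile: names, versions and "<commit>" are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/example-a": {
      version: "0.0.1",
      optionalDependencies: { "@tanstack/setup": "github:tanstack/router#<commit>" },
    },
    "node_modules/x/node_modules/@tanstack/example-b": {
      version: "0.0.2",
      optionalDependencies: { fsevents: "^2.3.3" },
    },
  },
};

for (const f of scanLockfile(sampleLock)) {
  console.log(`COMPROMISED ${f.name}@${f.version} (${f.path})`);
}
```

On a real project, pass `JSON.parse` of the contents of `package-lock.json` to `scanLockfile`, and run `hasIndicator` over each `package.json` under `node_modules` as well, since the lockfile may have been regenerated after the install.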
Frank de Jonge@frankdejonge·
@GromNaN How can the client needing to do binary encoding NOT result in latency? I understand that it removes stress from the db server, but that was not what I said.
Jérôme Tamarelle@GromNaN·
@frankdejonge Not really, because the client generates the BSON binary directly instead of a SQL string, after JSON-encoding the document. Also, scaling a stateless client is a lot easier than the database server.
Frank de Jonge@frankdejonge·
@GromNaN Then the computation is just done by the client, but still done and will still affect latency.
Frank de Jonge@frankdejonge·
@LupacescuEuard The beauty of event sourcing is that it’s an anti-pattern to query the event stream (there are way better methods) so there my default is the opposite. But do agree, for everything else JSONB is a pretty good default.
Eduard Lupacescu@LupacescuEuard·
@frankdejonge yep. in practice jsonb wins by default because teams rarely know upfront which fields will end up queried. the trap isn't the json/jsonb call, it's forgetting the gin index once the access pattern shifts
Frank de Jonge@frankdejonge·
@LupacescuEuard @DrizzleORM That’s correct. In our case each of the storage implementations caters to their own tables, so those cases do not really conflict.
Eduard Lupacescu@LupacescuEuard·
@frankdejonge @DrizzleORM so all four drivers share one pg connection inside the async context? curious how drizzle and knex coexist without stepping on each other's prepared statements
Frank de Jonge@frankdejonge·
Internally achieved: A database interaction, scoped to an async call-stack, with row level security tenant isolation, across multiple storage implementations which use @DrizzleORM, plain node-pg, knex, and #kysly... all within the SAME transaction!
Frank de Jonge@frankdejonge·
@DrizzleORM The roughest one was Knex. @drizzle internal connection abstractions make it pretty easy to be in control of connection management, same for #Kysly.
Frank de Jonge@frankdejonge·
@linear In case this helps as input. The person that retired the team didn’t anticipate this would put the project in that state, so in that experience the consequences of the actions taken by my colleague were not clear. Not before and not after retiring the team.
Linear@linear·
@frankdejonge Glad you were able to get things sorted--team is chatting from your experience around improvements to bridge the gap a bit better here.
Frank de Jonge@frankdejonge·
When you retire a team on @linear, all the associated projects become "retired" which makes them uneditable, which also means you can't re-assign it to a new team. Uuuuuuuuuterly frustrating. No way to "unretire" a project it seems too. Why am I googling "how to do X in linear"?
Frank de Jonge@frankdejonge·
Love this 🫶
Linear@linear

@frankdejonge Glad you were able to get things sorted--team is chatting from your experience around improvements to bridge the gap a bit better here.
