Raj Siva-Rajah
@binaryfire

1.5K posts

Co-creator of @HypervelPHP. DevOps engineer. Game developer. Singer in @thesunpilots.

Joined July 2011
612 Following · 130 Followers
Raj Siva-Rajah @binaryfire
@norbert_tech @azjezz Nice. What kind of perf difference are we talking? More than 2x? I’m thinking of switching our monorepo over. phpstan and cs-fixer are great but painfully slow on large repos. Even when using multiple processes.
Norbert Orzechowicz @norbert_tech
I migrated Flow #PHP to Mago by @azjezz - for now only linter + formatter (working on static analyze). Performance gain is mind blowing 🤯 I also moved away from composer scripts towards just - much better DX now! Never used Mago? You should give it a try!
Raj Siva-Rajah @binaryfire
I understand it’s not the same but I wouldn’t call it FUD considering what happened with intercom-php. The malicious code was executed as a plugin, not a script. The plugin confirmation prompt isn’t real security - I don’t think many users are going to manually review every package that wants to install one. And the prompt does nothing for packages that have malicious code in the package itself. The takeover of GH accounts via social engineering is a real vector that’s being exploited regularly. But from what I understand a min release age flag isn’t far away? Either way, I think blanket `composer update` is legitimately risky right now. Manually updating each package after verifying it’s safe, or waiting for a min age flag that can’t be bypassed, is a lot safer. IMHO anyway.
Nils Adermann @naderman
@binaryfire @packagist This is FUD. You have to take over someone's GitHub account to accomplish this at all, and then Composer still does not execute code during installation of the package. Further, "builds" of PHP libraries are just git archive, no dependencies present, so no spreading like on npm.
Raj Siva-Rajah @binaryfire
PHP is wide open to Shai-Hulud supply chain attacks atm. Eg. a malicious version of `intercom/intercom-php` was published on @packagist on April 30th. I'd advise holding off on running `composer update` until Composer ships their registry-backed minimum release age feature.
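The "minimum release age" policy these posts argue for, as an added example that is not Composer's, npm's or pnpm's own implementation: given lockfile-style name/version pairs and a registry's version-to-publish-time map (the shape of the `time` map in an npm registry document; Packagist's per-version metadata carries a `time` field and would be normalised to the same shape first), it reports resolved versions younger than a threshold and picks the newest version that is old enough, which is what a registry-backed resolver would install instead of the latest tag. The package name `example/lib`, its timestamps and the fixed clock are constructed for the example.

```javascript
// Added example: a "minimum release age" check over registry publish times.
// Not Composer's, npm's or pnpm's own implementation. All data below is constructed.

const DAY_MS = 24 * 60 * 60 * 1000;

// version -> ISO 8601 publish time, keyed by package name. This is the shape of
// the `time` map in an npm registry document; Packagist's p2 metadata carries a
// per-version `time` field and would be normalised to this shape first.
const REGISTRY_TIMES = {
  'example/lib': {
    '1.4.0': '2025-03-02T10:00:00.000Z',
    '1.4.1': '2025-04-28T09:15:00.000Z',
    '1.5.0': '2025-04-30T18:40:00.000Z', // published hours before NOW below
  },
};

// Lockfile-style view of what an unconstrained update resolved to.
const LOCKED = [{ name: 'example/lib', version: '1.5.0' }];

function ageInDays(publishedAt, nowMs) {
  return (nowMs - Date.parse(publishedAt)) / DAY_MS;
}

// Every locked version younger than minDays, plus versions the registry does not
// know about (a resolver should treat those as a failure, not a pass).
function checkMinReleaseAge(locked, times, minDays, nowMs = Date.now()) {
  const violations = [];
  for (const { name, version } of locked) {
    const publishedAt = (times[name] || {})[version];
    if (publishedAt === undefined) {
      violations.push({ name, version, reason: 'version not present in registry metadata' });
      continue;
    }
    const age = ageInDays(publishedAt, nowMs);
    if (age < minDays) {
      violations.push({ name, version, reason: `published ${age.toFixed(1)} days ago (< ${minDays})` });
    }
  }
  return violations;
}

// Plain numeric dotted-version comparison; enough for the constructed data.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Newest version that is old enough: what a registry-backed minimum-release-age
// resolver would pick instead of the latest tag. null if nothing qualifies.
function newestMatureVersion(name, times, minDays, nowMs = Date.now()) {
  const mature = Object.entries(times[name] || {})
    .filter(([, publishedAt]) => ageInDays(publishedAt, nowMs) >= minDays)
    .map(([version]) => version)
    .sort(compareVersions);
  return mature.length ? mature[mature.length - 1] : null;
}

// Fixed clock so the result is reproducible.
const NOW = Date.parse('2025-05-01T00:00:00.000Z');
const MIN_DAYS = 7;

function demo() {
  return {
    violations: checkMinReleaseAge(LOCKED, REGISTRY_TIMES, MIN_DAYS, NOW),
    fallback: newestMatureVersion('example/lib', REGISTRY_TIMES, MIN_DAYS, NOW),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With a 7-day threshold the freshly published 1.5.0 is rejected, and so is 1.4.1 (under three days old), so the resolver falls back to 1.4.0. An unknown version is reported rather than silently accepted, because a metadata gap is exactly the case an attacker who controls the publish path would want treated leniently.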
Raj Siva-Rajah @binaryfire
Everyone should be setting their `minimumReleaseAge` (PNPM) / `min-release-age` (NPM) to at least 1 week nowadays. x.com/tan_stack/stat…
Quoted post from TANSTACK @tan_stack:

SECURITY ADVISORY — TanStack npm packages

A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.

Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.

Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.

If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile

Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).

Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.

Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…

Credit to the security researcher for responsible disclosure.

Raj Siva-Rajah reposted
Evan You @evanyou
No server components in Vue was intentional
Raj Siva-Rajah @binaryfire
Copilot just gave me this AI-generated commit message.
[attached image]
Bun @bunjavascript
In the next version of Bun `Bun.Image` - fast builtin multi-format image processing library
[attached image]
Raj Siva-Rajah reposted
dax @thdxr
tired of this misinformation so we made a video on the truth behind the anthropic vs opencode drama
Benjamin Crozat @benjamincrozat
I want to share this with you people. I just lost my fiancée during childbirth. I miss her a lot and I love her with all my heart. I'm devastated and crying all the time. But I'll find the strength to raise our children the way she wanted to. I have a lot of support from family and friends.
[attached images]
Bohuslav Šimek @BohuslavSimek
Yes, absolutely. I can still remember my enthusiasm 14 years ago when I first tried it. By the way, there is a Wikipedia page describing their original solution. en.wikipedia.org/wiki/HipHop_fo… "By using HPHPc as a source-to-source compiler, PHP code is translated into C++, compiled into a binary and run as an executable" Source code of the old pre-HHVM version can be found here: github.com/facebook/hhvm/… There is even a file called LICENSE.ZEND, and it’s kind of logical that one of the first things you would try is to remove the dispatch loop by compiling it against the Zend engine.
Raj Siva-Rajah @binaryfire
The Swoole team are working on an AOT (Ahead-of-Time) compiler for PHP, i.e. transpiling PHP to C++ then compiling to NATIVE binaries🤯 These guys are mad scientists in the best sense of the word🔥 x.com/albert_cht/sta…
Quoted post from Albert Chen @albert_cht:

Back in January, I actually asked the author about the underlying architecture, and I sketched out the flowchart below based on my understanding (no guarantees on its accuracy, though!). Really looking forward to seeing it mature and get released soon!

Raj Siva-Rajah @binaryfire
@BohuslavSimek Are you sure? I thought HipHop tried to stay Zend compatible but wasn't actually using Zend. PHP-X is a Zend wrapper. Either way, just have to wait and see I guess. I know as much as you do at this stage.
Bohuslav Šimek @BohuslavSimek
@binaryfire But HipHop for PHP (HPHPc) was originally doing exactly that, and they very quickly realized that this isn’t the way. Only after that did they come up with HHVM.
Bohuslav Šimek @BohuslavSimek
@binaryfire How is this different from HipHop for PHP (HPHPc), and how do they aim to solve the problems of transpiling PHP to C++ differently? I mean, Facebook very quickly found out that this approach has several limits.