Recent Posts
Archives

AI Cybersecurity DefCon32 developer Devoxx DevoxxBE2012 DevoxxBE2013 DevoxxFR DevoxxPL2022 DevoxxPoland DevoxxUS2017 DotAI2024 Google GoogleIO2024 Hibernate Java JavaScript JetBrains Jonathan Lalou Kotlin KotlinConf Maven Maven 2 Microservices Mule ESB NDCConferences ndcoslo NDCOslo2024 Node NodeCongress NodeCongress2021 NodeJS Oracle OxidizeConf2024 PHP Python recommendation RustLang Scala Security softwaredeveloper SoftwareDevelopment Spring Weblogic Weblogic 10

Posts Tagged ‘NodeJS’

« Older Entries

PostHeaderIcon ️ Prototype Pollution: The Silent JavaScript Vulnerability You Shouldn’t Ignore

Author: Jonathan Lalou

Prototype pollution is one of those vulnerabilities that many developers have heard about, but few fully understand—or guard against. It’s sneaky, dangerous, and more common than you’d think, especially in JavaScript and Node.js applications.

This post breaks down what prototype pollution is, how it can be exploited, how to detect it, and most importantly, how to fix it.

What Is Prototype Pollution?

In JavaScript, all objects inherit from Object.prototype by default. If an attacker can modify that prototype via user input, they can change how every object behaves.

This is called prototype pollution, and it can:

  • Alter default behavior of native objects
  • Lead to privilege escalation
  • Break app logic in subtle ways
  • Enable denial-of-service (DoS) or even remote code execution in some cases

Real-World Exploit Example

const payload = JSON.parse('{ "__proto__": { "isAdmin": true } }');
Object.assign({}, payload);

console.log({}.isAdmin); // → true

Now, any object in your app believes it’s an admin. That’s the essence of prototype pollution.

How to Detect It

✅ Static Code Analysis

  • ESLint
    • Use plugins like eslint-plugin-security or eslint-plugin-no-prototype-builtins
  • Semgrep
    • Detect unsafe merges with custom rules

Dependency Scanning

  • npm audit, yarn audit, or tools like Snyk, OWASP Dependency-Check
  • Many past CVEs (e.g., Lodash < 4.17.12) were related to prototype pollution

Manual Testing

Try injecting:

{ "__proto__": { "injected": true } }

Then check if unexpected object properties appear in your app.

️ How to Fix It

1. Sanitize Inputs

Never allow user input to include dangerous keys:

  • __proto__
  • constructor
  • prototype

2. Avoid Deep Merge with Untrusted Data

Use libraries that enforce safe merges:

  • deepmerge with safe mode
  • Lodash >= 4.17.12

3. Write Safe Merge Logic

function safeMerge(target, source) {
  for (let key in source) {
    if (!['__proto__', 'constructor', 'prototype'].includes(key)) {
      target[key] = source[key];
    }
  }
  return target;
}

4. Use Secure Parsers

  • secure-json-parse
  • @hapi/hoek

TL;DR

✅ Task Tool/Approach
Scan source code ESLint, Semgrep
Test known payloads Manual JSON fuzzing
Scan dependencies npm audit, Snyk
Sanitize keys before merging Allowlist strategy
Patch libraries Update Lodash, jQuery

‍ Final Thoughts

Prototype pollution isn’t just a theoretical risk. It has appeared in real-world vulnerabilities in major libraries and frameworks.

If your app uses JavaScript—on the frontend or backend—you need to be aware of it.

Share this post if you work with JavaScript.
️ Found something similar in your project? Let’s talk.

#JavaScript #Security #PrototypePollution #NodeJS #WebSecurity #DevSecOps #SoftwareEngineering

Posted in en-US | Tags: , | No Comments »

PostHeaderIcon Demystifying Parquet: The Power of Efficient Data Storage in the Cloud

Author: Jonathan Lalou

Unlocking the Power of Apache Parquet: A Modern Standard for Data Efficiency

In today’s digital ecosystem, where data volume, velocity, and variety continue to rise, the choice of file format can dramatically impact performance, scalability, and cost. Whether you are an architect designing a cloud-native data platform or a developer managing analytics pipelines, Apache Parquet stands out as a foundational technology you should understand — and probably already rely on.

This article explores what Parquet is, why it matters, and how to work with it in practice — including real examples in Python, Java, Node.js, and Bash for converting and uploading files to Amazon S3.

What Is Apache Parquet?

Apache Parquet is a high-performance, open-source file format designed for efficient columnar data storage. Originally developed by Twitter and Cloudera and now an Apache Software Foundation project, Parquet is purpose-built for use with distributed data processing frameworks like Apache Spark, Hive, Impala, and Drill.

Unlike row-based formats such as CSV or JSON, Parquet organizes data by columns rather than rows. This enables powerful compression, faster retrieval of selected fields, and dramatic performance improvements for analytical queries.

Why Choose Parquet?

✅ Columnar Format = Faster Queries

Because Parquet stores values from the same column together, analytical engines can skip irrelevant data and process only what’s required — reducing I/O and boosting speed.

Compression and Storage Efficiency

Parquet achieves better compression ratios than row-based formats, thanks to the similarity of values in each column. This translates directly into reduced cloud storage costs.

Schema Evolution

Parquet supports schema evolution, enabling your datasets to grow gracefully. New fields can be added over time without breaking existing consumers.

Interoperability

The format is compatible across multiple ecosystems and languages, including Python (Pandas, PyArrow), Java (Spark, Hadoop), and even browser-based analytics tools.

☁️ Using Parquet with Amazon S3

One of the most common modern use cases for Parquet is in conjunction with Amazon S3, where it powers data lakes, ETL pipelines, and serverless analytics via services like Amazon Athena and Redshift Spectrum.

Here’s how you can write Parquet files and upload them to S3 in different environments:

From CSV to Parquet in Practice

Python Example

import pandas as pd

# Load CSV data
df = pd.read_csv("input.csv")

# Save as Parquet
df.to_parquet("output.parquet", engine="pyarrow")

To upload to S3:

import boto3

s3 = boto3.client("s3")
s3.upload_file("output.parquet", "your-bucket", "data/output.parquet")

Node.js Example

Install the required libraries:

npm install aws-sdk

Upload file to S3:

const AWS = require('aws-sdk');
const fs = require('fs');

const s3 = new AWS.S3();
const fileContent = fs.readFileSync('output.parquet');

const params = {
    Bucket: 'your-bucket',
    Key: 'data/output.parquet',
    Body: fileContent
};

s3.upload(params, (err, data) => {
    if (err) throw err;
    console.log(`File uploaded successfully at ${data.Location}`);
});

☕ Java with Apache Spark and AWS SDK

In your pom.xml, include:

<dependency>
    <groupId>org.apache.parquet</groupId>
    <artifactId>parquet-hadoop</artifactId>
    <version>1.12.2</version>
</dependency>
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-s3</artifactId>
    <version>1.12.470</version>
</dependency>

Spark conversion:

Dataset<Row> df = spark.read().option("header", "true").csv("input.csv");
df.write().parquet("output.parquet");

Upload to S3:

AmazonS3 s3 = AmazonS3ClientBuilder.standard()
    .withRegion("us-west-2")
    .withCredentials(new AWSStaticCredentialsProvider(
        new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY")))
    .build();

s3.putObject("your-bucket", "data/output.parquet", new File("output.parquet"));

Bash with AWS CLI

aws s3 cp output.parquet s3://your-bucket/data/output.parquet

Final Thoughts

Apache Parquet has quietly become a cornerstone of the modern data stack. It powers everything from ad hoc analytics to petabyte-scale data lakes, bringing consistency and efficiency to how we store and retrieve data.

Whether you are migrating legacy pipelines, designing new AI workloads, or simply optimizing your storage bills — understanding and adopting Parquet can unlock meaningful benefits.

When used in combination with cloud platforms like AWS, the performance, scalability, and cost-efficiency of Parquet-based workflows are hard to beat.

Posted in en-US | Tags: , , , , | No Comments »

PostHeaderIcon Advanced Encoding in Java, Kotlin, Node.js, and Python

Author: Jonathan Lalou

Encoding is essential for handling text, binary data, and secure transmission across applications. Understanding advanced encoding techniques can help prevent data corruption and ensure smooth interoperability across systems. This post explores key encoding challenges and how Java/Kotlin, Node.js, and Python tackle them.

1️⃣ Handling Special Unicode Characters (Emoji, Accents, RTL Text)

Java/Kotlin

Java uses UTF-16 internally, but for external data (JSON, databases, APIs), explicit encoding is required:

String text = "🔧 Café مرحبا";
byte[] utf8Bytes = text.getBytes(StandardCharsets.UTF_8);
String decoded = new String(utf8Bytes, StandardCharsets.UTF_8);
System.out.println(decoded); // 🔧 Café مرحبا

Tip: Always specify StandardCharsets.UTF_8 to avoid platform-dependent defaults.

Node.js

const text = "🔧 Café مرحبا";
const utf8Buffer = Buffer.from(text, 'utf8');
const decoded = utf8Buffer.toString('utf8');
console.log(decoded); // 🔧 Café مرحبا

Tip: Using an incorrect encoding (e.g., latin1) may corrupt characters.

Python

text = "🔧 Café مرحبا"
utf8_bytes = text.encode("utf-8")
decoded = utf8_bytes.decode("utf-8")
print(decoded)  # 🔧 Café مرحبا

Tip: Python 3 handles Unicode by default, but explicit encoding is always recommended.

2️⃣ Encoding Binary Data for Transmission (Base64, Hex, Binary Files)

Java/Kotlin

byte[] data = "Hello World".getBytes(StandardCharsets.UTF_8);
String base64Encoded = Base64.getEncoder().encodeToString(data);
byte[] decoded = Base64.getDecoder().decode(base64Encoded);
System.out.println(new String(decoded, StandardCharsets.UTF_8)); // Hello World

Node.js

const data = Buffer.from("Hello World", 'utf8');
const base64Encoded = data.toString('base64');
const decoded = Buffer.from(base64Encoded, 'base64').toString('utf8');
console.log(decoded); // Hello World

Python

import base64
data = "Hello World".encode("utf-8")
base64_encoded = base64.b64encode(data).decode("utf-8")
decoded = base64.b64decode(base64_encoded).decode("utf-8")
print(decoded)  # Hello World

Tip: Base64 encoding increases data size (~33% overhead), which can be a concern for large files.

3️⃣ Charset Mismatches and Cross-Language Encoding Issues

A file encoded in ISO-8859-1 (Latin-1) may cause garbled text when read using UTF-8.

Java/Kotlin Solution:

byte[] bytes = Files.readAllBytes(Paths.get("file.txt"));
String text = new String(bytes, StandardCharsets.ISO_8859_1);

Node.js Solution:

const fs = require('fs');
const text = fs.readFileSync("file.txt", { encoding: "latin1" });

Python Solution:

with open("file.txt", "r", encoding="ISO-8859-1") as f:
    text = f.read()

Tip: Always specify encoding explicitly when working with external files.

4️⃣ URL Encoding and Decoding

Java/Kotlin

String encoded = URLEncoder.encode("Hello World!", StandardCharsets.UTF_8);
String decoded = URLDecoder.decode(encoded, StandardCharsets.UTF_8);

Node.js

const encoded = encodeURIComponent("Hello World!");
const decoded = decodeURIComponent(encoded);

Python

from urllib.parse import quote, unquote
encoded = quote("Hello World!")
decoded = unquote(encoded)

Tip: Use UTF-8 for URL encoding to prevent inconsistencies across different platforms.

Conclusion: Choosing the Right Approach

  • Java/Kotlin: Strong type safety, but requires careful Charset management.
  • Node.js: Web-friendly but depends heavily on Buffer conversions.
  • Python: Simple and concise, though strict type conversions must be managed.

📌 Pro Tip: Always be explicit about encoding when handling external data (APIs, files, databases) to avoid corruption.

 

Posted in en-US | Tags: , , , , | No Comments »

PostHeaderIcon [DotJs2025] Node.js Will Use All the Memory Available, and That’s OK!

Author: Jonathan Lalou

In the pulsating heart of server-side JavaScript, where applications hum under relentless loads, a persistent myth endures: Node.js’s voracious appetite for RAM signals impending doom. Matteo Collina, co-founder and CTO at Platformatic, dismantled this notion at dotJS 2025, revealing how V8’s sophisticated heap stewardship—far from a liability—empowers resilient, high-throughput services. With over 15 years sculpting performant ecosystems, including Fastify’s lean framework and Pino’s swift logging, Matteo illuminated the elegance of embracing memory as a strategic asset, not an adversary. His revelation: judicious tuning transforms perceived excess into a catalyst for latency gains and stability, urging developers to recalibrate preconceptions for enterprise-grade robustness.

Matteo commenced with a ritual lament: weekly pleas from harried coders convinced their apps hemorrhage resources, only to confess manual terminations at arbitrary thresholds—no crashes, merely preempted panics. This vignette unveiled the crux: Node’s default 1.4GB cap (64-bit) isn’t a leak’s harbinger but a deliberate throttle, safeguarding against unchecked sprawl. True leaks—orphaned closures, eternal event emitters—defy GC’s mercy, accruing via retain cycles. Yet, most “leaks” masquerade as legitimate growth: caches bloating under traffic, buffers queuing async floods. Matteo advocated profiling primacy: Chrome DevTools’ heap snapshots, clinic.js’s flame charts—tools unmasking culprits sans conjecture.

Delving into V8’s bowels, Matteo traced the Orinoco collector’s cadence: minor sweeps scavenging new-space detritus, majors consolidating old-space survivors. Latency lurks in these pauses; unchecked heaps amplify them, stalling event loops. His panacea: hoist the ceiling via --max-old-space-size=4096, bartering RAM for elongated intervals between majors. Benchmarks corroborated: a 4GB tweak on a Fastify benchmark slashed P99 latency by 8-10%, throughput surging analogously—thinner GC curves yielding smoother sails. This alchemy, Matteo posited, flips economics: memory’s abundance (cloud’s elastic reservoirs) trumps compute’s scarcity, especially as SSDs eclipse HDDs in I/O velocity.

Enterprise vignettes abounded. Platformatic’s observability suite, Pino’s zero-allocation streams—testaments to lean design—thrive sans austerity. Matteo cautioned: leaks persist, demanding vigilance—nullify globals, prune listeners, wield weak maps for caches. Yet, fear not the fullness; it’s V8’s vote of confidence in your workload’s vitality. As Kubernetes autoscalers and monitoring recipes (his forthcoming tome’s bounty) democratize, Node’s memory ethos evolves from taboo to triumph.

Demystifying Heaps and Collectors

Matteo dissected V8’s realms: new-space for ephemeral allocations, old-space for tenured stalwarts—Orinoco’s incremental majors mitigating stalls. Defaults constrain; elevations liberate, as 2025’s guides affirm: monitor via --inspect, profile with heapdump.js, tuning for 10% latency dividends sans leaks.

Trading Bytes for Bandwidth

Empirical edges: Fastify’s trials evince heap hikes yielding throughput boons, GC pauses pruned. Platformatic’s ethos—frictionless backends—embodies this: Pino’s streams, Fastify’s routers, all memory-savvy. Matteo’s gift: enterprise blueprints, from K8s scaling to on-prem Next.js, in his 296-page manifesto.

Links:

Posted in en-US | Tags: , , , , , , , , , | No Comments »

PostHeaderIcon [DotJs2024] How to Test Web Applications

Author: Jonathan Lalou

Tracing the sinews of testing evolution unveils a saga of ingenuity amid constraints, where manual pokes birthed automated sentinels. Jessica Sachs, a product-minded frontend engineer at Ionic with a penchant for vintage tech, chronicled this odyssey at dotJS 2024. From St. Augustine’s cobblestone allure—America’s eldest city, founded 1565—she drew parallels to web dev’s storied paths, unearthing undocumented timelines via Wayback Machine dives and Twitter lore. Sachs’s quest: demystify the proliferation of test runners, revealing how historical exigencies—from CGI pains to Node’s ascent—shaped today’s arsenal, advocating patience for tools that integrate seamlessly into workflows.

Sachs ignited with a Twitter thread amassing 178 responses, crowdsourcing pre-2011 practices. The ’90s dawned with CGI scripts in C or Perl, rendering dynamic content via URL params—a nightmare for verification. Absent browsers, coders FTP’d to prod, editing vi in situ, then paraded to webmasters’ desks for eyeball tests on finicky monitors. Issues skewed infrastructural: network glitches, deployment fumbles, not logic lapses. Enter Selenium circa 2011, Sachs’s genesis as manual QA tapping iPads, automating browser puppeteering. Predecessors? Fragmented: HTTPUnit for server mocks, early Selenium precursors like Kantara for JavaScript injection.

The aughts splintered further. jQuery’s 2006 surge spawned QUnit; Yahoo UI birthed YUITest; Scriptaculous, Ruby-infused, shipped bespoke runners amid TDD fervor. Pushback mounted: velocity killers, JS’s ancillary role to backend logic. Breakthrough: 2007’s JS Test Driver, Mishko’s Java-forged Google tool, spawning browsers, watching files, reporting terminals—paving for Testacular (Karma’s cheeky forebear). PhantomJS enabled headless CI, universally loathed yet indispensable till Node. Sachs unearthed Ryan Florence’s GitHub plea rebranding Testacular to Karma, easing corporate qualms.

Node’s 2011 arrival unified: Jest, open-sourced by Facebook in 2014 (conceived 2011), tackled module transforms, fake DOMs for builds. Sachs lauded its webpack foresight, supplanting concatenation. Yet, sprawl persists: Bun, Deno, edge functions defy file systems; ESM, TypeScript confound. Vitest ascends, context-switching via jsdom, HappyDOM, browser modes, E2E orchestration—bundler-agnostic, coupling to transformers sans custom ones. Sachs’s epiphany: runners mirror environments; history’s lessons—manual sufficed for Android pre-automation—affirm: prioritize speed, workflow harmony. Novel tools demand forbearance; value accrues organically.

Sachs’s tapestry reminds: testing’s not punitive but enabler, evolving from ad-hoc to ecosystem symbiote, ensuring robustness amid flux.

Unearthing Testing’s Archaic Roots

Sachs’s archival foray exposed ’90s drudgery: CGI’s prod edits via vi, manual verifications on webmaster rigs, network woes trumping semantics. Selenium’s 2011 automation eclipsed this, but antecedents like HTTPUnit hinted at mocks. The 2000s fragmented—YUITest, QUnit tying to libs—yet JS Test Driver unified, birthing Karma’s headless era via PhantomJS, Node’s prelude.

The Node Era and Modern Convergence

Jest’s 2014 debut addressed builds, modules; Vitest now reigns, emulating DOMs diversely, launching browsers, integrating E2E. Sachs spotlighted bundlers as logic proxies, ESM/TS as Jest’s Achilles; Vitest’s flexibility heralds adaptability. Android’s manual heritage validates: tools must accelerate, not hinder—foster adoption through velocity.

Links:

Posted in en-US | Tags: , , , , , , , , | No Comments »

PostHeaderIcon Understanding Dependency Management and Resolution: A Look at Java, Python, and Node.js

Author: Jonathan Lalou

Understanding Dependency Management and Resolution: A Look at Java, Python, and Node.js

Mastering how dependencies are handled can define your project’s success or failure. Let’s explore the nuances across today’s major development ecosystems.

Introduction

Every modern application relies heavily on external libraries. These libraries accelerate development, improve security, and enable integration with third-party services. However, unmanaged dependencies can lead to catastrophic issues — from version conflicts to severe security vulnerabilities. That’s why understanding dependency management and resolution is absolutely essential, particularly across different programming ecosystems.

What is Dependency Management?

Dependency management involves declaring external components your project needs, installing them properly, ensuring their correct versions, and resolving conflicts when multiple components depend on different versions of the same library. It also includes updating libraries responsibly and securely over time. In short, good dependency management prevents issues like broken builds, “dependency hell”, or serious security holes.

Java: Maven and Gradle

In the Java ecosystem, dependency management is an integrated and structured part of the build lifecycle, using tools like Maven and Gradle.

Maven and Dependency Scopes

Maven uses a declarative pom.xml file to list dependencies. A particularly important notion in Maven is the dependency scope.

Scopes control where and how dependencies are used. Examples include:

  • compile (default): Needed at both compile time and runtime.
  • provided: Needed for compile, but provided at runtime by the environment (e.g., Servlet API in a container).
  • runtime: Needed only at runtime, not at compile time.
  • test: Used exclusively for testing (JUnit, Mockito, etc.).
  • system: Provided by the system explicitly (deprecated practice).

<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>4.13.2</version>
  <scope>test</scope>
</dependency>

This nuanced control allows Java developers to avoid bloating production artifacts with unnecessary libraries, and to fine-tune build behaviors. This is a major feature missing from simpler systems like pip or npm.

Gradle

Gradle, offering both Groovy and Kotlin DSLs, also supports scopes through configurations like implementation, runtimeOnly, testImplementation, which have similar meanings to Maven scopes but are even more flexible.


dependencies {
    implementation 'org.springframework.boot:spring-boot-starter'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
}

Python: pip and Poetry

Python dependency management is simpler, but also less structured compared to Java. With pip, there is no formal concept of scopes.

pip

Developers typically separate main dependencies and development dependencies manually using different files:

  • requirements.txt – Main project dependencies.
  • requirements-dev.txt – Development and test dependencies (pytest, tox, etc.).

This manual split is prone to human error and lacks the rigorous environment control that Maven or Gradle enforce.

Poetry

Poetry improves the situation by introducing a structured division:


[tool.poetry.dependencies]
requests = "^2.31"

[tool.poetry.dev-dependencies]
pytest = "^7.1"

Poetry brings concepts closer to Maven scopes, but they are still less fine-grained (no runtime/compile distinction, for instance).

Node.js: npm and Yarn

JavaScript dependency managers like npm and yarn allow a simple distinction between regular and development dependencies.

npm

Dependencies are declared in package.json under different sections:

  • dependencies – Needed in production.
  • devDependencies – Needed only for development (e.g., testing libraries, linters).

{
  "dependencies": {
    "express": "^4.18.2"
  },
  "devDependencies": {
    "mocha": "^10.2.0"
  }
}

While convenient, npm’s dependency management lacks Maven’s level of strictness around dependency resolution, often leading to version mismatches or “node_modules bloat.”

Key Differences Between Ecosystems

When switching between Java, Python, and Node.js environments, developers must be aware of the following fundamental differences:

1. Formality of Scopes

Java’s Maven/Gradle ecosystem defines scopes formally at the dependency level. Python (pip) and JavaScript (npm) ecosystems use looser, file- or section-based categorization.

2. Handling of Transitive Dependencies

Maven and Gradle resolve and include transitive dependencies automatically with sophisticated conflict resolution strategies (e.g., nearest version wins). pip historically had weak transitive dependency handling, leading to issues unless careful pinning is done. npm introduced better nested module flattening with npm v7+ but conflicts still occur in complex trees.

3. Lockfiles

npm/yarn and Python Poetry use lockfiles (package-lock.json, yarn.lock, poetry.lock) to ensure consistent dependency installations across machines. Maven and Gradle historically did not need lockfiles because they strictly followed declared versions and scopes. However, Gradle introduced lockfile support with dependency locking in newer versions.

4. Dependency Updating Strategy

Java developers often manually manage dependency versions inside pom.xml or use dependencyManagement blocks for centralized control. pip requires updating requirements.txt or regenerating them via pip freeze. npm/yarn allows semver rules (“^”, “~”) but auto-updating can lead to subtle breakages if not careful.

Best Practices Across All Languages

  • Pin exact versions wherever possible to avoid surprise updates.
  • Use lockfiles and commit them to version control (Git).
  • Separate production and development/test dependencies explicitly.
  • Use dependency scanners (e.g., OWASP Dependency-Check, Snyk, npm audit) regularly to detect vulnerabilities.
  • Prefer stable, maintained libraries with good community support and recent commits.

Conclusion

Dependency management, while often overlooked early in projects, becomes critical as applications scale. Maven and Gradle offer the most fine-grained controls via dependency scopes and conflict resolution. Python and JavaScript ecosystems are evolving rapidly, but require developers to be much more careful manually. Understanding these differences, and applying best practices accordingly, will ensure smoother builds, faster delivery, and safer production systems.

Interested in deeper dives into dependency vulnerability scanning, SBOM generation, or automatic dependency update pipelines? Subscribe to our blog for more in-depth content!

Posted in en-US | Tags: , , , , , | No Comments »

PostHeaderIcon [NodeCongress2021] Can We Double HTTP Client Throughput? – Matteo Collina

Author: Jonathan Lalou

HTTP clients, the sinews of distributed dialogues, harbor untapped vigor amid presumptions of stasis. Matteo Collina, Node.js TSC stalwart, Fastify co-architect, and Pino progenitor, challenges this inertia, unveiling Undici—a HTTP/1.1 vanguard doubling, nay tripling, Node’s native throughput via HOL-blocking evasion.

Matteo’s odyssey traces TCP/IP genesis: Nagle’s algorithm coalesces packets, delaying ACKs—elegant for telnet, anathema for HTTP’s pipelined pleas. Keep-alive sustains sockets, multiplexing requests; yet core http’s single-flight per connection bottlenecks bursts.

Undici disrupts: connection pools parallelize, pipelining dispatches volleys sans serialization. Matteo benchmarks: native peaks at baselines; Undici’s agents—configurable concurrency—surge 3x, streams minimizing JSON parses.

Mitigating Head-of-Line Shadows

HOL’s specter—prior stalls cascade—yields to Undici’s ordered queues, responses slotted sans reordering. Matteo codes: fetch wrappers proxy natives, agents tune origins—pipelining: true unleashes floods.

Comparisons affirm: Undici’s strictness trumps core’s leniency, APIs diverge—request/stream for granularity. Fastify proxy’s genesis birthed Undici, Robert Nagy’s polish primed production.

Matteo’s clarion—agents mandatory, Undici transformative—ushers HTTP’s renaissance, slashing latencies in microservice meshes.

Links:

Posted in en-US | Tags: , , , , , , , , , | No Comments »

PostHeaderIcon [NodeCongress2021] Panel Discussion – Node.js in the Cloud

Author: Jonathan Lalou

Cloud paradigms reshape Node.js landscapes, blending serverless ephemera with containerized constancy, as dissected in this convocation. Moderated discourse features Ali Spittel, AWS Amplify advocate and digital nomad; Eran Hammer, Sideway founder weaving narrative webs; Ruben Casas, American Express engineer pioneering micro-frontends; and Slobodan Stojanovic, Cloud Horizon CTO scaling Vacation Tracker’s serverless saga.

Ali champions Amplify’s frictionless ingress: Git-based deploys, CI/CD alchemy transmute code to globals—Lambda for backends, AppSync for GraphQL. Eran probes costs: fixed fleets versus invocation metering, cold starts’ latency tax. Ruben extols IaC: CDK’s constructs blueprint stacks, Terraform’s declarative drifts ensure idempotence.

Slobodan chronicles evolution: singleton Lambda to hexagonal CQRS ensembles, LocalStack mocks integrations. Consensus: serverless abstracts ops, yet demands async mastery—promises over callbacks, hexagonal ports insulate.

Deployment Dynamics and Cost Conundrums

Deploys diverge: Amplify’s wizardry suits solos, Claudia.js blueprints APIs. Containers—Docker/K8s—orchestrate statefuls, Fargate abstracts. Costs confound: Slobodan’s $250/month belies bugs’ $300 spikes; alarms mitigate.

Ali lauds functions’ scalability sans provisioning; Eran tempers with vendor lock perils. Ruben integrates OneApp’s runtime swaps.

Observability and IoT Intersections

Tracing threads via X-Ray/OpenTelemetry; Datadog dashboards divine. IoT? Node’s WebSockets shine—process streams via Amplify, hexagonal fits serverless.

Panel’s tapestry—diverse voices—illuminates Node.js’s cloud ascent, from fledgling functions to enterprise echelons.

Links:

Posted in en-US | Tags: , , , , , , , , , , , | No Comments »

PostHeaderIcon [NodeCongress2021] Don’t Try This at Home: Synchronous I/O in Node.js – Anna Henningsen

Author: Jonathan Lalou

Node.js’s asynchronous creed—non-blocking I/O as ethos—clashes intriguingly with synchronous imperatives, where immediacy trumps concurrency. Anna Henningsen, erstwhile Node.js TSC member now at MongoDB’s dev tools cadre, probes this tension, cataloging detours from the async path and gleaning internals’ revelations. Pronouns she/her, Anna balances core contributions with family joys, her moniker addaleax echoing across Twitter and GitHub.

Anna queries the aversion: sync ops monopolize threads, stalling event loops—left pane’s stalled fetches versus right’s parallel prowess. Yet, exigencies persist: CLI bootstraps, config reads—fs.readFileSync reigns for startup simplicity.

Navigating Sync Detours and Their Perils

Anna enumerates evasions: worker_threads offloads to pools, yielding promises—fs.promises.readFile in isolates, main-thread yields via Atomics.wait. Threads excel for CPU hogs, but I/O yields context switches, inflating overheads.

Child processes fork interpreters, stdin/stdout pipes async, but spawnSync blocks—IPC for coordination. Anna demos: execSync shells commands, perils in untrusted inputs.

Domains? Deprecated, error silos sans true parallelism. Async_hooks? Context propagation, not computation.

Enter Anna’s brainchild: synchronous workers—native addons spawning interpreters, runUntil blocks main on promises, full API access sans multi-threading. Node 15.5+ requisites, experimental tag.

MongoDB’s Babel transpilation awaits sync-as-call sites, best-effort awaits. Anna’s taxonomy—drawbacks galore—affirms async’s supremacy, yet equips edge cases with informed arsenals.

Experimental Horizons and Practical Caveats

Anna’s holiday hack—runnable on GitHub—invites tinkering, crashes notwithstanding. Her MongoDB pivot underscores sync’s niche: edge functions crave immediacy, transpilation bridges gaps.

Anna’s disquisition, laced with humor, fortifies Node.js fidelity to flux, while charting sync’s shadowed trails.

Links:

Posted in en-US | Tags: , , , , , , , , | No Comments »

PostHeaderIcon [NodeCongress2021] Logging, Metrics, and Tracing with Node.js – Thomas Hunter II

Author: Jonathan Lalou

Observability pillars—logs, gauges, spans—form the triad illuminating Node.js constellations, where opacity breeds outages. Thomas Hunter II, a Node.js luminary and author of “Distributed Systems with Node.js,” dissects these sentinels, adapting book chapters to unveil their synergies in service scrutiny.

Thomas frames logging as cloud-elevated console.logs: structured JSON extrudes states, severity tiers—error to silly—filter verbosity. Winston orchestrates: transports serialize to stdout/files, Pino accelerates with async flushes. Conventions prescribe correlation IDs, timestamps; aggregators like ELK ingest for faceted searches.

Metrics quantify aggregates: counters tally invocations, histograms bin latencies. Prometheus scrapes via prom-client, Grafana visualizes trends—spikes foretell fractures. Thomas codes a registry: gauge tracks heap, histogram times handlers, alerting deviations.

Tracing reconstructs causal chains: spans encapsulate ops, propagators thread contexts. OpenTelemetry standardizes; Jaeger self-hosts hierarchies, timelines dissect 131ms journeys—Memcache to Yelp. Datadog APM auto-instruments, flame graphs zoom Postgres/AWS latencies.

Instrumentation Patterns and Visualization Nuances

Thomas prototypes: async_hooks namespaces contexts, cls-r tracers bridge async gulfs. Zipkin’s dependency DAGs, Datadog’s y-axis strata—live Lob.com postcard fetches—demystify depths.

Thomas’s blueprint—Winston for persistence, Prometheus for pulses, Jaeger for journeys—equips Node.js artisans to navigate nebulous networks with crystalline clarity.

Links:

Posted in en-US | Tags: , , , , , , , , , | No Comments »
« Older Entries
(c) 2008 Jonathan Lalou's Blog
All Rights Reserved.

Powered by WordPress and WordPress Theme | Host-euro.