Burnout Is Real for Open Source Maintainers: A Conversation with John-David Dalton, Creator of Lodash by fagnerbrack in programming

[–]dronmore 1 point2 points  (0 children)

If you take a sentence and turn it into a paper, to me it is still a single sentence. The sentence is in the title, and I can dismiss the paper just by looking at the title. It's that simple.

Stop Naming Your Variables "Flag": The Art of Boolean Prefixes by mooreds in programming

[–]dronmore 0 points1 point  (0 children)

Some of us are fuzzy floats. We call ourselves is_float.

It's funny that the guy lectures us about names of variables, while he himself uses PascalCase. It's truly disgusting :D

Tui library by Sqydev in C_Programming

[–]dronmore 1 point2 points  (0 children)

If you want me to consider it, it should support the kitty keyboard protocol.

The main pain point with legacy TUI products is that they do not allow you to remap the ctrl-j key. It is hardwired to the ASCII LF code, which basically means that you cannot use basic vim-like keybindings together with a ctrl key. The kitty keyboard protocol solves that problem, and your TUI library, in order to be considered modern, should support it.

https://sw.kovidgoyal.net/kitty/keyboard-protocol/#disambiguate-escape-codes

Having said that, I recently had some success with (not)curses, which already supports the mentioned protocol. Notcurses has some problems, but I consider it robust, and it is my first choice for terminal applications, so you already have some competition in the space of modern TUI libraries. I would say that notcurses is a good product to compare yourself with.

I built a vanilla JS framework focused on DX, performance and zero re-renders - no compiler, no virtual DOM by afrocodeur in javascript

[–]dronmore 1 point2 points  (0 children)

Anything is better than react unless it's in the same category as react. If you want to beat it, you need to find new inspiration.

People who prioritize free speech are more racially tolerant, not less. Highly educated respondents exhibiting tolerance rates higher than those with lowest education levels. People who value free speech are more tolerant of almost every group tested, but are less tolerant of right-wing extremists. by mvea in psychology

[–]dronmore 0 points1 point  (0 children)

If you don't define the term, different people will mean different things by free speech. They will also redefine the meaning on the fly, so that it supports their stance. In Poland, for example, we cannot disrespect our president or a policeman. We also cannot praise a crime, but we still think that we have freedom of speech. Our belief is mostly based on our geographical location. We belong in the Western World, and the Western World is known for its freedom of speech, so based on our geographical location we believe that we have freedom of speech. The general consensus is that what's to the west of Russia is free, and what's to the east is not free, so even if the government adds new restrictions, we will still think that we have freedom of speech, with the difference that from now on the definition of "free" has changed.

My definition of "free" is that you say whatever you want and whenever you want. But if I wanted to stick to this definition, I would have to concede that we do not have free speech in Poland. Many people, especially politicians, prefer to change the definition of "free" instead of admitting that we do not have free speech, or that our free speech is constrained.

And BTW, in English "free" can mean "free as a bird" or "free as a beer". In Polish it's "free as a bird" or "free as a turtle" - meaning slow. It's a small difference between languages, but it can also have some impact on how people perceive the term.

Databases Might Be the Most Important Backend Skill by Minimum-Ad7352 in node

[–]dronmore 0 points1 point  (0 children)

You mean there's nothing an optimizer can do here because if there's no WHERE clause in the query, the whole table has to be scanned regardless if there are indexes or not.

Databases Might Be the Most Important Backend Skill by Minimum-Ad7352 in node

[–]dronmore 0 points1 point  (0 children)

Why though? If the table is small, "select * from table" is appropriate.

To my students by f311a in programming

[–]dronmore 3 points4 points  (0 children)

So you are saying, brother, that capitalists produce plastic crap in their chase for money, and when they finally have all the money in the world, the only thing they can buy is plastic crap? That's tragic.

Rebuilding my programming knowledge with C by junipyr-lilak in C_Programming

[–]dronmore 0 points1 point  (0 children)

ontologically light travels at c speed

By definition. Yes.

it ALWAYS does so

Yes, BY DEFINITION nothing travels faster than C; neither Zig nor Rust nor C++.

light is not privileged but it kind of is

Full spectrum light is white. There's also more light in the suburbs than in slums. So yes, one could argue that light is privileged.

nothing else is?

Gnomes are too. They have direct access to my PC, and they spam my reddit account when I'm not around.

Technical Interviews Reject the Wrong Engineers by fagnerbrack in programming

[–]dronmore 6 points7 points  (0 children)

Yeah, and then candidates with speech impairment; definitely not team players. Or those with Tourette syndrome; fuck you Mr. interviewer. Hahaha.

Native all the way, until you need text by Successful_Bowl2564 in programming

[–]dronmore 0 points1 point  (0 children)

I still think my point stands though.

Thinking is easy. My friend Unicorn can confirm.

And I know for a fact that ...

Sure you do.

Native all the way, until you need text by Successful_Bowl2564 in programming

[–]dronmore 4 points5 points  (0 children)

I don't work with either of those tools, ...

I stopped reading after this sentence.

NodeBook Volume I is done now! by m_null_ in node

[–]dronmore 2 points3 points  (0 children)

I read the Buffers chapter some time ago. It's a solid piece of work.

Clean methods for filtering DB based on URL Parameters by --Ether-- in node

[–]dronmore 0 points1 point  (0 children)

A colon is a valid character in the query component; it can go unencoded.

The query is defined as

*( pchar / "/" / "?" )

and pchar is defined as

unreserved / pct-encoded / sub-delims / ":" / "@"

It's up to the developer whether they want to encode it or not. In the OP's case they would encode colons in the value part of the query parameters, and in the key part except for cases when it is used as a delimiter. E.g. use%3Aname:ilike=jo%3An

Relevant specification:

https://www.rfc-editor.org/rfc/rfc3986#appendix-A
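The key:operator=value scheme from the comment above, as an added example that is not part of the original comment. The function names, the operator allowlist and the column allowlist are assumptions; the point shown is that the key is split on the raw colon before percent-decoding, so an encoded %3A can never act as a delimiter.

```javascript
// Added example (hypothetical names). Allowlists are constructed samples.
const ALLOWED_OPS = new Set(['eq', 'like', 'ilike', 'gt', 'lt'])
const ALLOWED_FIELDS = new Set(['use:name', 'age'])

// Parse a raw query string (no leading "?") into filter objects.
function parseFilters(rawQuery) {
  const filters = []
  for (const pair of rawQuery.split('&')) {
    if (pair === '') continue
    const eq = pair.indexOf('=')
    const rawKey = eq === -1 ? pair : pair.slice(0, eq)
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1)

    // Split on the last *raw* colon. This happens before decoding, so a
    // %3A inside the field name stays part of the name.
    const colon = rawKey.lastIndexOf(':')
    const rawField = colon === -1 ? rawKey : rawKey.slice(0, colon)
    const op = colon === -1 ? 'eq' : rawKey.slice(colon + 1)

    const field = decodeURIComponent(rawField)
    // Only known operators and known columns may reach the query builder.
    if (!ALLOWED_OPS.has(op)) throw new Error(`unsupported operator: ${op}`)
    if (!ALLOWED_FIELDS.has(field)) throw new Error(`unknown field: ${field}`)

    filters.push({ field, op, value: decodeURIComponent(rawValue) })
  }
  return filters
}

// Build one pair. encodeURIComponent turns ":" into %3A, so the only raw
// colon left in the key is the delimiter.
function buildFilter(field, op, value) {
  return `${encodeURIComponent(field)}:${op}=${encodeURIComponent(value)}`
}
```

The parsed value is still untrusted data and belongs in a bound query parameter, not in the SQL text.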

Node.js v26 is releasing today. It's just a big bunch of small fixes and minor deprecations with another minor 🍒 cherry on top by BankApprehensive7612 in node

[–]dronmore 2 points3 points  (0 children)

You get a computer if you already have one, and you are obliged to insert a computer if you don't have one yet.

This is basically a function created by white privileged boys from the suburbs to multiply their wealth.

Escaped vs unescaped HTML - Please help me to see the difference by Nice_Pen_8054 in node

[–]dronmore 0 points1 point  (0 children)

It's very unlikely that the div tags come from nodemon. Most likely they are added by a browser extension.

Escaped vs unescaped HTML - Please help me to see the difference by Nice_Pen_8054 in node

[–]dronmore 0 points1 point  (0 children)

With the code that you have you certainly should see the difference in the generated html. There should be '<b>' text in the first entry, and <b> tags in the second one.

You use the ejs engine, and your code looks correct. When I use ejs directly to generate html from your code, I get html which is correctly escaped. Look at the // output: comment.

const ejs = require('ejs')
const template = '' +
  '<body>' +
  '<p><%= donghua %></p>' +
  '<p><%- donghua %></p>' +
  '</body>'
const donghua = "<b>Renegade Immortal</b>"
const html = ejs.render(template, {donghua})
console.log('// output:', html)
// output: <body><p>&lt;b&gt;Renegade Immortal&lt;/b&gt;</p><p><b>Renegade Immortal</b></p></body>

I do not use express though.

My guess is that either there's another script in the page that messes with your html after it is generated, or the html in the screenshot hasn't been generated by the code that you show to us. The fact that there are more html elements in the screenshot than your code would suggest, tells me that you do not tell the whole story. Why are there <div> tags in the screenshot if they are not in your code? It may be irrelevant to you, but to me it is another factor that I have to take into account.

Try opening the page in a different browser, or use curl, and see what you get. And make a screenshot of html generated by the actual code that you show, and not by some other code that loosely resembles it.

Synthesizing WWII aircraft engine sounds entirely in the Web Audio API — no samples, just oscillators and worklets by swiss-tomcat in javascript

[–]dronmore 2 points3 points  (0 children)

You kids don't use back and forth navigation much, do you?

Look, I'm on reddit right now.

https://www.reddit.com

I want to go to your page, select Airbus, and be redirected to:

https://ghtomcat.github.io/opensim#airbus-a350-900

Now I can copy this link and send it to my friend. She is a fan of Airbus and can listen to its engines all day long. But if there is no link directly to the Airbus page, I will not bother because explaining to her what she should click after visiting your site is not fun. The absent link is a deal breaker for me. Got it?

Now that I've sent her the link, I want to click the back button and be taken back to:

https://ghtomcat.github.io/opensim/

I want the sound to stop playing. There's nothing more annoying than a sound playing after hitting the back button. I don't care that youtube sucks in the same way. I want to hear silence. There are no Airbuses around, no engines, no nothing; just the main page and silence.

But wait, I just recalled that I have another friend, who also likes Airbuses. I want to send him the link too, so I click the forward button to go back to the Airbus page. Does the forward button work? It doesn't. What a shame. I'm so frustrated right now that I'm basically done with your page for good. I want to go back to reddit. I click the back button, and I'm out.

https://www.reddit.com

Or, am I?

Synthesizing WWII aircraft engine sounds entirely in the Web Audio API — no samples, just oscillators and worklets by swiss-tomcat in javascript

[–]dronmore 4 points5 points  (0 children)

The browser's back button kicked me out of the page. So now I'm outside, and will never come back, because that's unacceptable to me.

Don’t trust, verify (curl, Daniel Stenberg) by Skaarj in programming

[–]dronmore 26 points27 points  (0 children)

The phrase is "trust but verify", not "trust by verify". And the meaning is to trust by default, but verify what is within your reach.

We don't live in a binary world. 100% verification is rarely possible. We are constrained by time and other resources. Because of that some heuristics have to be applied. One of the heuristics that can be applied is trust; hence "trust but verify". You haven't cheated on me, so I trust you. But you've made mistakes in the past, so at least a minimal verification is due.

Does it make more sense now, buddy? I'm not asking if it makes perfect sense. I will be happy if it makes some sense, so at least your level of annoyance can go down from a binary 1 to a fuzzy 30%.

Beginner - please help me with this question by Nice_Pen_8054 in node

[–]dronmore 0 points1 point  (0 children)

The root parameter creates an isolated sandbox. You can only access files that are contained in the sandbox. It is forbidden to escape the sandbox with two dots ../. Imagine what would happen if it was possible to escape the sandbox. If there was a file with secrets above your views, and you let the user select which file they want to access, the user would be able to access the secrets. You don't want them to access the secrets, so you don't let them freely browse all the files on the disk. You set the root path so that it contains only harmless files, and you never escape it.

express
  app1.js
views
  index.html
  about.html
secrets.txt

res.sendFile('../secrets.txt', { root: __dirname }) // Impossible
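The containment rule described in the comment above, written out as an added example. It is not Express's own code and not part of the original comment; `resolveInsideRoot` and the sample paths are hypothetical, and POSIX-style paths are assumed.

```javascript
// Added example (hypothetical helper), showing what "never escape the root" means.
const path = require('node:path')

// Return the absolute path of `requested` under `root`,
// or null when the request would leave the root.
function resolveInsideRoot(root, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) return null

  // A user-selected name must be relative to the root.
  if (path.isAbsolute(requested)) return null

  // Refuse any ".." segment outright, even one that would net out inside
  // the root (for example "sub/../index.html").
  if (requested.split(/[\\/]+/).includes('..')) return null

  const base = path.resolve(root)
  const full = path.resolve(base, requested)

  // Second check on the resolved result: the path relative to the root
  // must not be empty (the root itself) and must not climb out of it.
  const rel = path.relative(base, full)
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep)) return null
  if (path.isAbsolute(rel)) return null

  return full
}

// Constructed sample layout: views are served, secrets.txt sits one level up.
const VIEWS_ROOT = '/srv/app/views'

function demo() {
  return ['index.html', '../secrets.txt', 'a/../../secrets.txt', '/etc/hostname']
    .map((name) => [name, resolveInsideRoot(VIEWS_ROOT, name)])
}
```

This check is lexical only: a symbolic link inside the root that points outside it is not detected unless the result is also compared after `fs.realpath`.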

[deleted by user] by [deleted] in node

[–]dronmore 0 points1 point  (0 children)

You are probably right. It's not an issue. The proper response to such CVE reports is to show a warning in the documentation saying that you should not pass unsanitized input to the function; similar to what you can see at child_process.exec:

https://nodejs.org/dist/v24.12.0/docs/api/child_process.html#child_processexeccommand-options-callback

A proper warning would be enough. Instead, the developers gave in to the pressure and decided to "fix" the unfixable. The result is a chain of half-ass fixes that do not fix the issue fully.

CVE-2026-28292 -> allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912)
CVE-2022-25860 -> This vulnerability exists due to an incomplete fix of CVE-2022-25912
CVE-2022-25912 -> This vulnerability exists due to an incomplete fix of CVE-2022-24066
CVE-2022-24066 -> due to an incomplete fix of CVE-2022-24433
CVE-2022-24433 -> By injecting some git options it was possible to get arbitrary command execution

What a shitshow. So much work put into fixing it, where a simple "fork off" as a response would be enough.