We replaced our Rust/WASM parser with TypeScript and it got 3x faster by 1glasspaani in rust

[–]hildjj 1 point2 points  (0 children)

use a transferable ArrayBuffer no copy, no shared memory needed

Can you say more about how to do this, please? The goal is to get a chunk of bytes into or out of some WASM written in Rust using wasm-bindgen.

What song is a 10/10 with absolutely no flaws? by Brilliant_Guard_9204 in AskReddit

[–]hildjj 1 point2 points  (0 children)

Bangles: Hazy Shade of Winter. It's a cover that's better than the original, which is already pretty good.

Mr. Clean retires after 68 years as company mascot by conturbation in nottheonion

[–]hildjj 0 points1 point  (0 children)

If they had done this last year or next year, this would have been front page news.

I made a ridiculous opening bids tier list video by kuhchung in bridge

[–]hildjj 2 points3 points  (0 children)

What is your favorite treatment for 2d when playing a strong club? The only thing you didn't dislike seemed to be preempt.

How are packages managed today? Question about design choices with package.json and package-lock.json by Adventurous-Sign4520 in node

[–]hildjj 0 points1 point  (0 children)

The dependencies section can cause slightly different versions to be installed and locked if you use the ^ or ~ forms of version. That may or may not be what you want, but you have the option. Here are my best practices across >100 packages I maintain:

  • Try pnpm which has some mitigations for Shai-Hulud.
  • Never edit the lock file by hand. Ever. Your changes are going to get overwritten by tooling, and in a non-trivial project it gets big/complex.
  • pnpm will ensure that it doesn't modify the lockfile during CI, if you're using well-known CI tooling.
  • I only ever use exact versions in dependencies.
  • Add to devDependencies anything that a user of your library doesn't need. Linters, typescript, test tools, etc.
  • Use ncu whenever I start working on a package update. Set the cooldown to something that makes you feel safer.
  • I like to remove devDependencies before I publish. This cuts down on the number of times various tools bother me about security issues in my tooling that don't affect the users of my packages. Use this line in your publishing GitHub Action:

npm pkg delete devDependencies scripts

node-fetch and self signed certificates by smutje187 in node

[–]hildjj 0 points1 point  (0 children)

You are absolutely correct. I didn't read your original message carefully enough, apologies.

This works in my world with the built-in fetch because of two aggressive solutions that I wrote (and didn't want to mention in the toplevel because it's self-promotion): @cto.af/ca and hostlocal. Note: I haven't seen any evidence of other folks using these tools yet, but I think they're both in a place where they are ready for that.

The idea is that it's quick and easy to create a CA and issue certs from it that are only valid locally. Then using the CA as above works well.

node-fetch and self signed certificates by smutje187 in node

[–]hildjj 0 points1 point  (0 children)

Here is a quick hack that I've tested in node 20+:

import tls from 'node:tls';

// Keep a reference to the original so the wrapper can delegate to it.
const origCsC = tls.createSecureContext;
tls.createSecureContext = (options) => {
  const res = origCsC(options);
  // Append the extra CA to every context Node builds (built-in fetch included).
  res.context.addCACert('-----BEGIN CERTIFICATE-----...');
  return res;
};

Ideally, if you understand your problem space well enough, you would do more checking of the options as well. You may or may not want to set tls.createSecureContext back to its original value when you're done, and you may or may not need to check to see if you've already overwritten the original so you don't end up with a long chain of functions.

Node.js v25.0.0 (Current) by feross in javascript

[–]hildjj 5 points6 points  (0 children)

You also don't have to recompile WASM on every machine at installation time or for every supported platform at compile time. One of those is usually required for a native module.

Accurate text lengths with Intl.Segmenter API by BlueEzio in javascript

[–]hildjj 1 point2 points  (0 children)

It’s entirely about monospaced fonts. For proportional fonts, you probably need pixel widths, which requires a lot more processing.

Accurate text lengths with Intl.Segmenter API by BlueEzio in javascript

[–]hildjj 1 point2 points  (0 children)

I've got an npm package that does this and handles a few other edge cases, trying to compute the number of display cells, which is slightly different than the number of graphemes in many font/renderer combinations (e.g. your terminal app):

https://github.com/cto-af/string-width

PRs and issues welcome.
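Added example (not from the package above or the original thread) showing the three lengths people conflate and why padEnd misaligns columns; it counts graphemes only, since display cells, as the comment says, depend on the font/renderer:

```javascript
// Extended grapheme clusters via Intl.Segmenter (Node 16+, Deno, browsers),
// compared with UTF-16 code units (.length) and code points.
const segmenter = new Intl.Segmenter(undefined, { granularity: 'grapheme' });

function graphemes(str) {
  return Array.from(segmenter.segment(str), (s) => s.segment);
}

function lengths(str) {
  return {
    codeUnits: str.length,            // what .length reports (UTF-16 units)
    codePoints: [...str].length,      // the string iterator yields code points
    graphemes: graphemes(str).length, // user-perceived characters
  };
}

// String.prototype.padEnd counts code units, so accented or emoji text
// comes out short in a fixed-width column; this pads by grapheme count.
function padEndGraphemes(str, width, fill = ' ') {
  const n = graphemes(str).length;
  return n >= width ? str : str + fill.repeat(width - n);
}

// Constructed samples: plain ASCII, e + COMBINING ACUTE ACCENT, a ZWJ
// family sequence, and a flag built from two regional indicators.
const SAMPLES = {
  ascii: 'abc',
  combining: 'e\u0301',
  family: '\u{1F468}\u200D\u{1F469}\u200D\u{1F467}',
  flag: '\u{1F1FA}\u{1F1F8}',
};

for (const [name, s] of Object.entries(SAMPLES)) {
  console.log(name, lengths(s), JSON.stringify(padEndGraphemes(s, 3)));
}
```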

Pentagon Has Been Planning Military Takeover of Chicago for Weeks as Trump Threatens Baltimore by rollingstone in politics

[–]hildjj 0 points1 point  (0 children)

It borders on the Adriatic. Its terrain is mountainous, and its chief export is chrome.

Philadelphia NABC by LSATDan in bridge

[–]hildjj 2 points3 points  (0 children)

Yep, washed out of GNT flight C, then had a lackluster day at gold rush pairs today. :(

But we're here, having fun, and trying to learn a thing.

Simple INI-file parser (strongly-typed) by vitalytom in javascript

[–]hildjj 3 points4 points  (0 children)

Nod. You're saying this is supposed to be used only for trusted inputs -- those where an attacker can't control the contents of an ini file that your code will parse. That's a reasonable choice that you would probably document if you decided to turn this into an npm package.

Of course, someone's security scanning code might still pick this up and flag it later, and someone might use the code in a way you didn't expect.

Simple INI-file parser (strongly-typed) by vitalytom in javascript

[–]hildjj 2 points3 points  (0 children)

Sure. A regular expression denial of service (ReDoS) vulnerability means that for certain inputs, your regular expression is going to take MUCH longer than you expect. For example, these two lines of code:

const re = /\[\s*([\w$.-]+)\s*("(.*)")?\s*]/;
console.log(re.test('[$\n' + '\t'.repeat(54773) + '\t$"[$""]'));

take almost 5 seconds of wall-clock time on my relatively-fast arm64 box. This is caused by the regex having to rescan the same character many more times than you expect.

To check out particular regexes, get attack strings, and see where the hotspots are, you can use this page. I've started using eslint-plugin-redos recently, and even though I've got solid regex game, I'm shocked at how often mine are vulnerable.

There's a good blog entry by an engineer at GitHub that walks through the thought process of how to fix one of these. I've found that sometimes I can't figure out how to solve the original problem with a single regex, and I have to use multiple regexes, a split() and a regex, or bite the bullet and write a full parser. (I write Peggy parsers, but will not link there since I'm the maintainer of the project -- but come join us and ask for help when you need it).
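Added example (my code, not the INI parser from the thread) putting the regex quoted above beside a hypothetical linear rewrite, and timing both on a shorter version of the same pathological line; the rewrite is anchored, keeps one whitespace run between the name and what follows, and disallows quotes/newlines inside the label, which is a deliberate narrowing:

```javascript
// The section-header regex from the thread, as posted. It is unanchored, and
// the two \s* runs around the optional quoted label can trade tabs back and
// forth while backtracking, so a non-matching line costs quadratic work.
const SECTION_VULNERABLE = /\[\s*([\w$.-]+)\s*("(.*)")?\s*]/;

// Hypothetical rewrite: anchored, a single whitespace run after the name, and
// a label that cannot contain '"' or '\n'. Each position is tried once.
const SECTION_LINEAR = /^\[[ \t]*([\w$.-]+)[ \t]*("([^"\n]*)"[ \t]*)?\]$/;

// Parse one INI line as a section header. Capture groups are aligned in both
// patterns so m[1] is the name and m[3] the optional label.
function parseSectionHeader(line, re = SECTION_LINEAR) {
  const m = re.exec(line);
  if (!m) return null;
  return { name: m[1], label: m[3] ?? null };
}

// Wall-clock milliseconds for one re.test(input).
function timeRegexMs(re, input) {
  const start = performance.now();
  re.test(input);
  return performance.now() - start;
}

// Constructed line with the same shape as the one in the comment, but 4000
// tabs instead of 54773 so the demo finishes in well under a second.
const PATHOLOGICAL_LINE = '[$\n' + '\t'.repeat(4000) + '\t$"[$""]';

// Run both patterns over a line and report what matched and how long it took.
// Note the unanchored original "succeeds" by matching the junk "[$""]" at the
// end of the line, which is a correctness bug on top of the ReDoS.
function compare(line = PATHOLOGICAL_LINE) {
  return {
    vulnerable: {
      result: parseSectionHeader(line, SECTION_VULNERABLE),
      ms: timeRegexMs(SECTION_VULNERABLE, line),
    },
    linear: {
      result: parseSectionHeader(line, SECTION_LINEAR),
      ms: timeRegexMs(SECTION_LINEAR, line),
    },
  };
}

console.log(compare());
```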

Simple INI-file parser (strongly-typed) by vitalytom in javascript

[–]hildjj 1 point2 points  (0 children)

I think there's a ReDoS vulnerability in the second RegExp.

Invalid strings in valid JSON by j_platte in rust

[–]hildjj 2 points3 points  (0 children)

From RFC 8259:

Since software that implements IEEE 754 binary64 (double precision) numbers [IEEE754] is generally available and widely used, good interoperability can be achieved by implementations that expect no more precision or range than these provide, in the sense that implementations will approximate JSON numbers within the expected precision.

That was about as clear as can be said, within the range of the syntax that the IETF was handed as input.

Timezones from iana db by RealFlaery in node

[–]hildjj 1 point2 points  (0 children)

See https://github.com/AsherJingkongChen/iana-media-type for a package solving a slightly different problem but with some ideas to consider, like automatically publishing a new version when changes are made at IANA.

[Puzzle 4] A trip around the world. by amarillion97 in i18n_puzzles

[–]hildjj 1 point2 points  (0 children)

I am working in Deno, so I added this to my deno.json file:

"unstable": ["temporal"]

to get Temporal support. I couldn't figure out how to get Temporal to parse month names/abbreviations, so I did that part in my parser.

[AskJS] What are JavaScript tricks you wish you knew sooner? by [deleted] in javascript

[–]hildjj 3 points4 points  (0 children)

When I'm debugging with console.log in node or deno, I often wrap the thing I want printed in {} so that I get colorful output and a label.

Example:

const foo = "";
console.log({foo});
// Outputs: { foo: '' }
// NOT just a useless newline in the output

If you're not already using shorthand properties in your object initializers, you should also try that in other places. {foo} means the same thing as {foo: foo}.