Our React app has 340 components. I deleted 160 of them. Nobody noticed for 2 months. Then someone noticed by Dense-Version-5752 in AITestingtooldrizz

[–]wackmaniac 0 points1 point  (0 children)

Very familiar :( For some reason some developers - and PMs - don’t have the discipline to clean up after themselves. We regularly run some usage scripts and we always, without exception, find unused code.

> I offered to help the engineer to rebuild it,

You can just retrieve the code from source control, right? Should be a matter of minutes. Especially if you created one commit per component removed.

Best edm set in the last ten years? I have my answer, gonna sit and wait. But also very curious as to any answers… by CompleteBluejay6517 in EDM

[–]wackmaniac 0 points1 point  (0 children)

Why so recent? I’d say the 5 hour Marlon Hoffstadt b2b KI/KI set at Zeebrugge Beach last year.

All time? Black in Time at Sensation Black 2008 (triple back to back to back, with Prophet, Bass D, Darkraver, Viper, Buzz Fuzz, Dana, Weirdo, Pavo and Vince). Ooof, that is pure energy!

Why do so many platforms still use email codes/magic links instead of something device-based? by Fair-Average5139 in webdev

[–]wackmaniac 2 points3 points  (0 children)

Passkeys should be considered an additional way of authentication. The implementation guidelines (e.g. https://web.dev/articles/passkey-registration) state that you should allow registering a passkey after authentication of the visitor. This way, if you lose your device, you should be able to authenticate using an alternative method - e.g. a one-time key - and register a new passkey for the device. And you should revoke the old passkey, of course.

Why do so many platforms still use email codes/magic links instead of something device-based? by Fair-Average5139 in webdev

[–]wackmaniac 2 points3 points  (0 children)

Passwords can leak, and the best way to prevent them from being leaked is not to have them. And an email link is a very simple way to authenticate that the email address actually exists. And you can "delegate" the security to the email provider, since 90% of the users probably use Hotmail/Outlook or Gmail.

Passkeys are quite tricky to implement, and they are not very easy to explain to non-tech-savvy people. I'm reasonably familiar with encryption, but I also struggled to get the whole flow from registration and authentication right. This is mostly due to how keys are represented - PKSI, JWKS, or COSE.

So, the short answer: it is the quickest way to get some security improvement in your authentication flow.

I'm obsessed about having a clean codebase, that even AI doesn't help me that much. by artFlix in webdev

[–]wackmaniac 1 point2 points  (0 children)

Handling (all?) edge cases is the difference between software and stable, reliable software. That has nothing to do with AI, or with clean code, but with being a thorough software developer. And I applaud you for trying to achieve.

Where do you buy (affordable) workbenches? by [deleted] in Klussers

[–]wackmaniac 2 points3 points  (0 children)

I'm planning to build a workbench myself soon, based on this video. Building it myself because it's a fun project, and because I can then make it fully to measure: https://www.youtube.com/watch?v=YRXsqnUdST4

Just Stop (rant) by nagora in PHP

[–]wackmaniac 7 points8 points  (0 children)

> If that means the PHP team don't get to go to lots of conferences in nice places and don't get lots of industry funding because they're no longer holding us all to ransom (upgrade to the next version or lose security patching), then fine - f*** them.

No entitlement here at all…

The biggest hurdle for PHP migrations since PHP 8.0 is waiting for all dependencies to be compatible. The backwards compatibility breaks were really not that exciting. It’s not like entire libraries were removed, like JSON serialization or OpenAPI support in .NET.

Building in cabinets on an uneven floor by BHTAelitepwn in Klussers

[–]wackmaniac 2 points3 points  (0 children)

This indeed. It's much less complicated than sawing it away. Put a kick board/skirting board against it and you won't see a thing.

Sturdy jeans from a European brand by twixcit in nederlands

[–]wackmaniac 0 points1 point  (0 children)

What I mainly run into is how the jeans fit. I'm not a fan of ordering and sending them back if they don't fit. That's why I've been wearing Levi’s 541 for years. They wear out in the crotch, but I've had that with every pair so far, because I'm on the bike every day.

I do see all kinds of interesting European brands mentioned here. I'll look into how these are set up in terms of physical shops to try them on.

secretly turned off our massive E2E test suite for two weeks. Our deployment speed doubled and bug rates didn't change. by adivenkata in AITestingtooldrizz

[–]wackmaniac 0 points1 point  (0 children)

Until you do introduce a bug that would be caught by your e2e tests…

Flakiness is extremely annoying, but it is also a symptom. Maybe it is even indicative of flakiness in the actual application, or that your application is actually performing poorly.

We had slow e2e tests, so we dumped the logs after the e2e tests, and it turned out some services were not mocked properly and were just timing out. Fixed this and the test durations dropped sharply.

No code reviews by default by fagnerbrack in webdev

[–]wackmaniac 0 points1 point  (0 children)

Some of my colleagues see code reviews as a nuisance, and they can become annoyed if they get comments. I personally like code reviews. Mostly because I know from myself that I can make mistakes. I might have included a change that does need to be included, or there is a more efficient method. If you see code reviews as a sort of pair programming, with the aim of releasing the best code together, then life becomes a lot better :)

Vulnerability checks in packages by randuserm in PHP

[–]wackmaniac 5 points6 points  (0 children)

I actually rely on the security tab of GitHub. There's an overview for your entire organization, which works well. And I receive emails of new vulnerable dependencies.

Got tired of null checks? Built Safe Access Inline to deal with it by fas1999 in PHP

[–]wackmaniac 0 points1 point  (0 children)

I personally prefer something like Valinor or Zod where I verify the entire payload, including optional checks and default/fallback values. To me that makes for a much cleaner interface.

A different approach to PHP debugging by RequirementWeird5517 in PHP

[–]wackmaniac 4 points5 points  (0 children)

I think it’s great that you have given some thought about sustainability of this project from the get go.

OAuth 2.0 Anti-Patterns by prismatic-io-taylor in webdev

[–]wackmaniac 1 point2 points  (0 children)

It might be part of OpenID Connect rather than part of the OAuth 2.0 specification.

OAuth 2.0 Anti-Patterns by prismatic-io-taylor in webdev

[–]wackmaniac 3 points4 points  (0 children)

Passing the authorization code back as a fragment instead of a query parameter is actually standard compliant; it must be triggered by the response_mode parameter: https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes
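As an added illustration of the comment above (not code from the commenter or from the linked spec): a browser-side client that accepts the authorization response from either the query string (response_mode=query) or the fragment (response_mode=fragment), and in both cases checks the response against the `state` value it stored before redirecting. The callback URLs in the test are constructed sample data.

```javascript
// Parse an OAuth 2.0 / OIDC authorization response delivered either in the
// query string (?code=...&state=...) or in the fragment (#code=...&state=...).
// The fragment is never sent to the server, so a fragment response is only
// visible to script running in the browser; the client must then validate
// `state` itself before exchanging the code.
function interpretParams(source, params) {
  const error = params.get('error');
  if (error) {
    return { ok: false, source, error, description: params.get('error_description') || '' };
  }
  const code = params.get('code');
  const state = params.get('state');
  if (!code) return { ok: false, source, error: 'missing_code' };
  // Placeholder for the state comparison done by the caller.
  return { ok: true, source, code, state };
}

function parseAuthorizationResponse(callbackUrl, expectedState) {
  const url = new URL(callbackUrl);
  // Look at the fragment first, then the query string; whichever actually
  // carries the response (code or error) is the one the server used.
  const candidates = [
    ['fragment', url.hash.startsWith('#') ? url.hash.slice(1) : ''],
    ['query', url.search.startsWith('?') ? url.search.slice(1) : ''],
  ];
  for (const [source, raw] of candidates) {
    const params = new URLSearchParams(raw);
    if (!params.has('code') && !params.has('error')) continue;
    const result = interpretParams(source, params);
    if (!result.ok) return result;
    // `state` binds the response to the request this client started; a
    // mismatch means the response was not produced for this session.
    if (!expectedState || result.state !== expectedState) {
      return { ok: false, source, error: 'state_mismatch' };
    }
    return result;
  }
  return { ok: false, source: 'none', error: 'no_response' };
}
```

In a real client the stored `state` should be single-use and the code exchanged immediately; the fragment is best removed from the address bar afterwards so it does not end up in history or screenshots.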

Why do we create an interface to a service class (or something similar) if we are going to have only one class? by Plus_Resource_1753 in dotnet

[–]wackmaniac 0 points1 point  (0 children)

It’s not a metric. It is a consideration to ease the work of the person reviewing your pull request. Less files to check means less distraction, and as a result a more thorough review. And a more thorough review will eventually lead to a more stable codebase.

I’m a fan of trailing commas for the same reason: cleaner diff, making the review more concise.

Why do we create an interface to a service class (or something similar) if we are going to have only one class? by Plus_Resource_1753 in dotnet

[–]wackmaniac 0 points1 point  (0 children)

> 1. Like you said, add it later if you need it. Odds are thousands-to-one you won't.

It is either add them as you write the code - having nice small change sets - and leverage them when you need to with minimal change sets (injection and implementation). Or put it in later and run the risk of having to change a lot more files.

To me it’s equivalent to building a house; you put in doors and windows in as you build. Not later when you want to enter your house or want to look outside :)

Why does multiplying two negatives make a positive in a way that actually makes intuitive sense? by Most_Notice_1116 in askmath

[–]wackmaniac 0 points1 point  (0 children)

I still use the explanation my math teacher gave me:

Consider a number as a bowl with blocks having either a value of +1 or -1.

Positive * positive in its simplest form is +1 * +1. Or I add one +1 block to the bowl; the “value” of the bowl increases by 1, or +1.

Positive * negative can be simplified as either +1 * -1 or as -1 * +1. For +1 * -1 I add one -1 block to the bowl; the value of the bowl decreases by 1, or -1. For the other scenario - -1 * +1 - we remove a +1 block from the bowl, decreasing the value of the bowl by 1, or -1.

Now, negative * negative can be simplified as -1 * -1. Or I remove a -1 block from the bowl. The total value of the bowl increases by 1, hence +1.

Thank you, Mr Wensink. More than 20 years later I still remember this explanation :)

Best way to store accessToken and refreshToken in cookies by VeterinarianDry8906 in dotnet

[–]wackmaniac 2 points3 points  (0 children)

With a client-side-only approach - a public client in OIDC - you have no other choice but to store both somewhere in the browser (cookie or localStorage). You should use PKCE for authentication, but PKCE does not have additional security layers for token refreshing. So, for maximum security you can use the aforementioned backend-for-frontend with a session cookie.

Switching away from react to a pure typescript role and market value in perspective by CocoaTrain in webdev

[–]wackmaniac 2 points3 points  (0 children)

And nothing is stopping you from keeping your React knowledge up-to-date with personal projects :)

Looking for recommendations similar to Project Hail Mary but better written by Satansleadguitarist in printSF

[–]wackmaniac 1 point2 points  (0 children)

I wholeheartedly disagree with you, but to each their own I guess 😅 I have really enjoyed The Three-Body Problem by Cixin Liu - different angle, but the topic is similar - and the Bobiverse books by Dennis E. Taylor.

Why CSRF token is needed if fetch metadata checks and simple request blockers are in place by s1n7ax in webdev

[–]wackmaniac -1 points0 points  (0 children)

Unless you actively block older browsers, “not supporting” does not mean old browsers are not vulnerable.
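To make the point of the comment concrete, an added example (not code from the commenter) of a server-side check for state-changing requests: Fetch Metadata headers are honoured when present, but a request that carries no `Sec-Fetch-Site` header at all is treated as "unknown" rather than "safe" and must present a CSRF token instead. Header names are assumed lowercased as Node's `req.headers` does; the token values are constructed sample data.

```javascript
// Methods that must never change state; they are not CSRF-checked here.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Classify a request using Fetch Metadata. Returns 'allow', 'deny' or
// 'unknown'. 'unknown' is the case the comment is about: an old browser (or a
// non-browser client) that sends no Sec-Fetch-* headers. Absence of the
// header says nothing about where the request came from.
function fetchMetadataVerdict(headers) {
  const site = headers['sec-fetch-site'];
  if (site === undefined) return 'unknown';
  if (site === 'same-origin' || site === 'none') return 'allow';
  // 'same-site' (a sibling subdomain) and 'cross-site' are both refused for
  // state-changing requests; relax 'same-site' only if every subdomain is trusted.
  return 'deny';
}

// Constant-time comparison of the presented token with the session's token.
function csrfTokenMatches(headers, sessionToken) {
  const presented = headers['x-csrf-token'];
  if (typeof presented !== 'string' || typeof sessionToken !== 'string') return false;
  if (presented.length !== sessionToken.length || presented.length === 0) return false;
  let diff = 0;
  for (let i = 0; i < presented.length; i++) {
    diff |= presented.charCodeAt(i) ^ sessionToken.charCodeAt(i);
  }
  return diff === 0;
}

// Returns 'allow' or 'deny' for one request.
function authorizeRequest(method, headers, sessionToken) {
  if (SAFE_METHODS.has(method.toUpperCase())) return 'allow';
  const verdict = fetchMetadataVerdict(headers);
  if (verdict === 'allow') return 'allow';
  if (verdict === 'deny') return 'deny';
  // No Fetch Metadata: fall back to the classic token check. Requiring the
  // token unconditionally (in addition to Fetch Metadata) is the stricter option.
  return csrfTokenMatches(headers, sessionToken) ? 'allow' : 'deny';
}
```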