The Changelog: Software Development, Open Source - The scariest chart in all of software (News)

Episode Date: July 1, 2024

Software developer jobs are trending down, the creator of dotenv creates a better dotenv, the Chrome team puts the Gemini Nano AI model right inside your browser, a polyfill.js supply chain attack hits 100k+ sites & Steph Ango asks, "What can we remove?"

Transcript
Starting point is 00:00:00 What's up, nerds? I'm Jared, and this is Changelog News for the week of Monday, July 1st, 2024. At the risk of sounding like Chicken Little, I think we should all be aware of this concerning trend in developer job postings. Check the chapter image if your podcast app is any good. What you'll see is a line chart that plots a bell curve where postings in May of 2020 ramp up to a high in spring of '22, then precipitously decline back to 2020 levels by May of this year. Grain of salt alert: this data is only on Indeed and only in the US, but still, stay safe and employed out there. Okay, let's get into
Starting point is 00:00:54 the news. A better dotenv from the creator of dotenv. As a longtime user of dotenv, I was pleasantly surprised to learn of dotenvx. The new version still loads environment variables from .env files for Node.js projects, but can also do it cross-platform via dotenvx run, in multiple environments like prod, dev, etc. via dotenvx -f, with encryption via dotenvx encrypt. Looks like a great upgrade all around. Check it out if you too use dotenv. Everything about Chrome's new window.ai feature. The Chrome team recently announced they're adding built-in AI, a Gemini Nano AI model, right inside your browser. It's currently only on Canary and hidden behind some flags, but you can play with it right now if you want to.
Starting point is 00:01:50 From the article, quote, the new Chrome AI API is a game changer because it runs locally and completely offline. This feature is set to become a web browser standard, which in the future will enable developers to use AI models that don't rely on a third-party API. End quote. That part about "this feature is set to become a web browser standard"? That's pure conjecture, best I can tell. However, Google did mention standardization once in their overview, so it's at least on the table. Local and offline language models are coming soon to Apple devices,
Starting point is 00:02:23 so the web will have to eventually follow suit to stay competitive. It's now time for Sponsored News. A discussion with back-end experts. Sentry's July 16th Behind the Code session features some amazingly talented folks, such as Taylor Otwell, founder of Laravel, Paul Copplestone, founder of Superbase, Soren Schmidt, CEO of Prisma, Yajiz Nizipli, apologies on the pronunciation, Node TSC member, Sarah Guthrals, head of DevRel, that's entry. Join this all-star cast as they chat through
Starting point is 00:03:03 the latest trends, technologies, and what's next for back-end development. Hear how they navigate challenges, listen to their community, and leverage cutting-edge tools to innovate fast. Don't miss this free event. Sign up by following the link in the chapter data and the newsletter. And thank you to Sentry for sponsoring Changelog News. Polyfill supply chain attack hits 100,000 plus sites. Hopefully you already heard about this one, but just in case you haven't, quote, polyfill.js is a popular open source library
Starting point is 00:03:33 to support older browsers. 100,000 plus sites embedded using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit, and World Economic Forum. However, in February this year, a Chinese company bought the domain and the GitHub account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. End quote. Yesterday's best practice, loading common static assets from third-party CDNs, are today's malpractice.
Starting point is 00:04:05 You did not just say that. I think it's time we transpile Jeff Bezos' regret minimization framework for decision-making into one for software devs, introducing the dependency minimization framework. That's a great idea. I'm glad I had it. What can we remove? This beautiful short piece by Steph Engo pairs gloriously with the previous story. Quote, our bias is to always add more. More rules, more process, more code, more features, more stuff. Interdependencies proliferate and gradually strangle us. Systems want to grow and grow,
Starting point is 00:04:40 but without pruning, they collapse. Slowly, then spectacularly. End quote. I almost want to quote this entire thing. You know what? Who's stopping me? Here's the rest. When a piece of trash drifts across the beach, it is our duty to pick it up so the next person can enjoy a pristine shoreline. When a thousand pieces litter the beach, it's too late. We can only lament the landscape. That's just how beaches are now. A good system is designed to be periodically cleared of cruft. It has a built-in counterbalance. Without this pressure, our bias drives us to add band-aid after band-aid until the only choice is to destroy the whole system and start from scratch.
Starting point is 00:05:19 Why is it so much easier to add than to remove? Maybe because we attach our identity to what is visible. But there is a difference between the ornamentation that defines our style and the vestigial burdens we carry. Remember those who did the invisible work of removing. Their legacy was not to build a sandcastle, but to care for the beautiful beach on which we play. End quote. I love this. Please go visit Steph's website so I don't feel so bad about quoting his piece in its entirety. Cyber Scarecrow. I love this idea of running software in the background of your computer that makes it scary to viruses and malware. Quote, when hackers install
Starting point is 00:05:58 malicious software on a compromised victim, they first check to make sure it's safe for them to run. They don't want to get caught and they avoid computers that have security analysis or anti-malware tools on them. Scarecrow takes advantage of this by running in the background of your computer and faking these indicators. It's super lightweight and tricks malware into thinking your computer is not the place for them to be. End quote. The idea for Scarecrow came from reading malware analyses where they found that many malwares first check for various indicators on the compromised machine and, if detected, they will stop. I have no idea if this actually works in practice, but I do find it clever and interesting, so maybe you will too. That's the news for now, but I forgot to do our Changelog++ shoutouts on episode 100, so let's do it now. Shoutout to our newest members!
Starting point is 00:06:49 John H, Joshua P, Eugen D, Matthew B.H., Aiden S, Magnus M, Sylvain R, Ingo V, James M, Trip M, Blake G, Marcus B, Marco C, Jimmy S, Raphael L, and Tim S. We appreciate you for supporting our work with your hard-earned cash. If ChangeLog++ is new to you, that's our membership program. You can join to ditch the ads, get closer to the metal with bonus content, receive a free sticker pack in the mail, directly support our work, and get shout-outs like the ones you just heard. Check it out at changelog.com slash plus plus.
Starting point is 00:07:29 Changelog++. It's better. Have a great week. Leave us a five-star review if you dig it. And I'll talk to you again real soon.
