Tech News - Web Development

Today, Alex Russell, a Google software engineer, submitted a patch called ‘Never-Slow Mode’ for Chromium. With this patch, various limits will be enforced for per-interaction and resources to keep the main thread clean. Russell’s patch is very similar to a bug Craig Hockenberry, a Partner at The Iconfactory, reported for WebKit, last week. He suggested adding limits on how much JavaScript code a website can load to avoid resource abuse of user computers. Here are some of the changes that will be done under this patch: Large scripts will be blocked. document.write() will be turned off Client-Hints will be enabled pervasively Resources will be buffered without ‘Content-Lenght’ set Budgets will be re-set on the interaction Long script tasks, which take more than 200ms, will pause all page execution until the next interaction. Budgets will be set for certain resource types such as script, font, CSS, and images. These are the limits that have been suggested under this patch (all the sizes are in wired size): Source: Chromium Similar to Hockenberry’s suggestion, this patch did get both negative and positive feedback from developers. Some Hacker News users believe that this will prevent web bloat. A user commented, “It's probably in Google's interest to limit web bloat that degrades UX”. Another user said, “I imagine they’re trying to encourage code splitting.” According to another Hacker News user putting hard coded limits will probably not work, “Hardcoded limits are the first tool most people reach for, but they fall apart completely when you have multiple teams working on a product, and when real-world deadlines kick in. It's like the corporate IT approach to solving problems — people can't break things if you lock everything down. But you will make them miserable and stop them doing their job”. You can check out the patch submitted by Russell at Chromium Gerrit. Chromium developers propose an alternative to webRequest API that could result in existing ad blockers’ end Chromium blacklists nouveau graphics device driver for Linux and Ubuntu users Chromium-based Brave browser shows 22% faster page load time than its Muon-based counterpart

While clicking on a link or opening a new browser tab, sometimes, audible video or audio starts playing automatically which is a distraction for many users. Mozilla is trying to solve this problem by introducing an autoplay blocking feature in Firefox 66 for desktop and Android. Firefox 66, expected to roll out on 19th March 2019, will now block audible audio and video by default. Lately, Mozilla has been working towards blocking all auto-playing content. Last year, Mozilla announced that Firefox will no longer allow auto-playing audio in order to cut down on annoying advertisements. Microsoft's Edge, Google's Chrome and, Apple's Safari browser also have taken steps in order to limit auto-playing media. Firefox 66 will allow a site to play audio or video aloud only via the HTMLMediaElement API, once a web page has some kind of user interaction (such as mouse click on the play button) to initiate the audio. In this case, any playback that happens before the user has interacted with a page via a mouse click, printable key press, or touch event, will be counted as autoplay and will be blocked if it is audible. Firefox expresses a blocked play() call to JavaScript by rejecting HTMLMediaElement.play() with a NotAllowedError. This is how most browsers function to express a block. Muted autoplay is still allowed as the script can set the “muted” attribute on HTMLMediaElement to true, and autoplay will work. The existing block autoplay implementation in Android and desktop will be replaced with this new feature. According to Mozilla’s official blog post, “In general, the advice for web authors when calling HTMLMediaElement.play(), is to not assume that calls to play() will always succeed, and to always handle the promise returned by play() being rejected.” Users can still opt out of this blocker, for sites that they don't mind playing media by default. There will be an icon which will pop up in the URL bar to indicate that auto-playing media has been blocked, and clicking on it will bring up a menu that will allow users to change the settings. In order to avoid having the audible playback blocked, website owners should only play media inside a click or keyboard event handler, or on mobile in a touchend event. Firefox 66 will also automatically allow autoplaying video on sites that the user has granted access to their cameras and microphones. Since these sites are typically for video conferencing, it would make sense allow if they work uninterrupted. Mozilla is also working on blocking autoplay for Web Audio content, but have not yet finalized the implementation. The autoplay Web Audio content blocking is expected to be shipped some time this year. Mozilla releases Firefox 65 with support for AV1, enhanced tracking protection, and more! Firefox now comes with a Facebook Container extension to prevent Facebook from tracking user’s web activity Mozilla disables the by default Adobe Flash plugin support in Firefox Nightly 69  

On the eve of Vue’s fifth anniversary yesterday, its creator, Evan You, announced the release of Vue 2.6. This version, which goes by the name “Marcoss”, comes with a new syntax for slots usage and also few performance improvements,  internal changes, and more. Following are some of the highlights in Vue 2.6: A new syntax for slots usage Vue provides the slots feature to enable flexible component composition. Vue 2.6 introduces a new unified syntax for named and scoped slots usage. The new directive v-slot combines slot and slot-scope, which are now deprecated, in a single directive syntax. This update is fully backward compatible. According to the RFC, slot-scope will be soft-deprecated. This means that it will be marked deprecated in the docs and developers will be encouraged to use the new syntax, but no deprecation messages will be shown for now. The team is planning to eventually remove slot-scope in Vue 3.0. Performance improvements in slots The rendering of normal slots happens during the parent’s render cycle, hence, when the dependency of a slot changes, it causes both the parent and child components to re-render. This version comes with an optimization to avoid this re-rendering and ensure that the parent scope dependency mutations only affect the parent. Now, the child component will not be forced to update if it uses scoped slots. If you use the new v-slot syntax, then the slots will be compiled into scoped slots. This essentially means that all slots will get the performance advantage that comes with scoped slots. Normal slots are now exposed on this.$scopedSlots as functions. Developers using the render functions instead of templates can now always use this.$scopedSlots, without having to worry about the type of slots being passed in. Async error handling in Vue Vue’s error handling mechanism, which includes in-component errorCaptured hook and the global errorHandler hook, now also capture errors inside v-on handlers. Additionally, if any of your life cycle hooks or event handlers perform asynchronous operations, you can now return a Promise from the function. This will ensure that any uncaught error from that Promise chain is also sent to your error handlers. Data pre-fetching during server-side rendering This version comes with a new serverPrefetch hook that enables any component, except route-level components, to pre-fetch data during server-side rendering. This is introduced to allow more flexible usage and reduce the coupling between data fetching and the router. Dynamic Directive Arguments Earlier, users had to use argument-less object binding in order to leverage dynamic keys as the directive arguments were static. Dynamic JavaScript expressions are now supported in directive arguments. To read more in detail, check out Evan You’s official announcement on Medium. Learning Vue in 2019 with Anthony Gore’s developer knowledge map Evan You shares Vue 3.0 updates at VueConf Toronto 2018 Vue.js 3.0 is ditching JavaScript for TypeScript. What else is new?

If you are worried about Facebook tracking your web activities outside Facebook, you can now prevent it from doing so using the Facebook Container extension for Firefox, that Mozilla launched on Wednesday. This extension is supported in Firefox 57 and higher on Desktop but does not work on other browsers and Firefox for mobile. https://twitter.com/firefox/status/1090680882401341440 Facebook Container extension, which goes by the tagline “What happens outside Facebook stays outside of Facebook”, isolates your Facebook identity into a separate container. And, hence makes it difficult for Facebook from tracking your activities outside the social media platform with third-party cookies. Facebook Container extension will close your Facebook tabs, delete your Facebook cookies, and log you out of Facebook. All the non-Facebook links you click on or non-Facebook websites you navigate to will be loaded outside of the container. To prevent Facebook from associating information about user activity on websites outside of Facebook to their Facebook identity, embedded Facebook comments and like buttons in tabs outside the Facebook Container will not work. Additionally, the “directly sign-in with Facebook credentials” option on other websites will not work properly, as it is designed to separate Facebook use from use of other websites. The extension is not meant for stopping Facebook advertisements and recommendations on their site. But, this will surely limit Facebook to use your activity collected off Facebook to send you ads and other targeted messages. To read more in detail, check out Mozilla’s website. Mozilla releases Firefox 65 with support for AV1, enhanced tracking protection, and more! Mozilla disables the by default Adobe Flash plugin support in Firefox Nightly 69 Mozilla releases Firefox 64 and Firefox 65 beta

Yesterday, Craig Hockenberry, who is a Partner at The Iconfactory, reported a bug on WebKit, which focuses on adding a limit on how much JavaScript code a website can load to avoid resource abuse of user computers. Hockenberry feels that though content blocking has helped in reducing the resource abuse and hence providing better performance and better battery life, there are few downsides of using content blockers. His bug report said, “it's hurting many smaller sites that rely on advertising to keep the lights on. More and more of these sites are pleading to disable content blockers.” This results in collateral damage to smaller sites. As a solution to this, he suggested that we need to find a way to incentivize JavaScript developers who keep their codebase smaller and minimal. “Great code happens when developers are given resource constraints... Lack of computing resources inspires creativity”, he adds. As an end result, he believes that we can allow sites to show as many advertisements as they want, but keeping the overall size under a fixed amount. He believes that we can also ask users for permission by adding a simple dialog box, for example, "The site example.com uses 5 MB of scripting. Allow it?” This bug report triggered a discussion on Hacker News, and though few users agreed to his suggestion most were against it. Some developers mentioned that users usually do not read the dialogs and blindly click OK to get the dialog to go away. And, even if users read the dialog, they will not be knowing how much JavaScript code is too much. “There's no context to tell her whether 5MB is a lot, or how it compares to payloads delivered by similar sites. It just expects her to have a strong opinion on a subject that nobody who isn't a coder themselves would have an opinion about,” he added. Other ways to prevent JavaScript code from slowing down browsers Despite the disagreement, developers do agree that there is a need for user-friendly resource limitations in browsers and some suggested the other ways we can prevent JavaScript bloat. One of them said it is good to add resource-limiting tabs on CPU usage, number of HTTP requests and memory usage: “CPU usage allows an initial burst, but after a few seconds dial down to max ~0.5% of CPU, with additional bursts allowed after any user interaction like click or keyboard) Number of HTTP requests (again, initial bursts allowed and in response to user interaction, but radically delay/queue requests for the sites that try to load a new ad every second even after the page has been loaded for 10 minutes) Memory usage (probably the hardest one to get right though)” Another user adds, “With that said, I do hope we're able to figure out how to treat web "sites" and web "apps" differently - for the former, I want as little JS as possible since that just gets in the way of content, but for the latter, the JS is necessary to get the app running, and I don't mind if its a few megabytes in size.” You can read the bug reported on WebKit Bugzilla. D3.js 5.8.0, a JavaScript library for interactive data visualizations in browsers, is now out! 16 JavaScript frameworks developers should learn in 2019 npm JavaScript predictions for 2019: React, GraphQL, and TypeScript are three technologies to learn

Along with Windows 7, Microsoft is also ending security updates and technical support for Internet Explorer 10 by January 2020 that it shared in a blog post yesterday, and users are advised to upgrade to IE11 by then. Support for IE10 and below ended back in 2016, except on a few environments like Windows server 2012 and some embedded versions and now Microsoft is just pulling the plug on those few remaining environments. Microsoft on their blog post wrote, “We encourage you to use the time available to pilot IE11 in your environments. Upgrading to the latest version of Internet Explorer will ease the migration path to Windows 10, Windows Server 2016 or 2019, or Windows 10 IoT, and unlock the next generation of technology and productivity. It will also allow you to reduce the number of Internet Explorer versions you support in your environment.” Commercial customers of Windows Server 2012 and Windows Embedded 8 Standard can download IE11 via the Microsoft Update Catalog or IE11 upgrade through Windows Update and Windows Server Update (WSUS) that Microsoft will publish later this year. IE10 will continue to receive updates for Windows 10, Windows Server 2016 or 2019, or Windows 10 IoT throughout 2019. You can find these updates on the Update Catalog and WSUS channel as a Cumulative Update for Internet Explorer 10. Similarly, updates for IE11 will be labeled as Cumulative Update Internet Explorer 11 on the Microsoft Update Catalog, Windows Update, and WSUS. Many Hacker News users are also speculating that the support of IE11 could also end by 2025. One of the users said, “If anyone is wondering about IE11, MS says "Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed. Extended support for Windows 10 ends on October 14, 2025. Extended support for Windows Server 2016 ends on January 11, 2027. Presumably one or those 2 dates could be considered the termination date for IE11.” Another Hacker News user believes, “...it is good time to start considering ending IE11 support as well, especially with Chromium-Edge coming out later this year. Edge is getting a Chromium back-end with talk of Windows 7 and 8 support. So, perhaps that's a strategy to kill IE11 too (fingers crossed).” Read the official announcement by Microsoft to know more details. Microsoft Office 365 now available on the Mac App Store Microsoft acquires Citus Data with plans to create a ‘Best Postgres Experience’ Microsoft’s Bing ‘back to normal’ in China

After releasing Firefox 64 last month, Mozilla released Firefox 65 yesterday. This version comes with support for AV1, enhanced tracking protection, improved browser experience for multilingual users, and more. Following are the updates Firefox 65 comes with: Enhanced tracking protection: This version comes with a new set of “redesigned controls”, which gives users the choice to decide their desired level of privacy protection. These controls (Standard, Strict, and Custom) are added under the newly-introduced Content Blocking section. Updated Language section: Now users can directly install multiple language packs and order language preferences for Firefox and websites, without having to download locale-specific versions. Support for AV1: Firefox 65 for Windows supports AV1, the royalty-free video compression technology developed and standardized by Alliance for Open Media (AOMedia). AV1 was created to provide users with affordable high-quality video compression technology. Support for the WebP image format: This version comes with support for the WebP image format, which provides the same image quality as the existing formats at smaller sizes. This saves bandwidth and speeds up page load, and hence improves performance and web compatibility. Updates for developers: A new Flexbox inspector tool is introduced, which shows details of Flexbox containers and helps debug Flex item sizes. The CSS changes made in the Rules panel will now be tracked in the new Changes tab. Support is added for the Storage Access API on desktop platforms. Along with these changes, Mozilla has also fixed several security flaws in this version. To read the full list of updates, check out the release notes of Firefox 65. Mozilla disables the by default Adobe Flash plugin support in Firefox Nightly 69 Mozilla releases Firefox 64 and Firefox 65 beta Mozilla shares why Firefox 63 supports Web Components

Yesterday, the team behind D3.js rolled out D3.js 5.8.0. Data-Driven Documents or D3 is a JavaScript library using which you can create dynamic, interactive data visualizations in web browsers. Updates are introduced in the following modules: d3-force The iterations argument is added to simulation.tick. A bug is fixed when initializing nodes with fixed positions. d3-scale The following new features are added: The domain and range convenience constructors for all scale types Default constructors for sequential and diverging scales The d3.tickFormatReturns function, a number format function for displaying a tick value The d3.scaleSymlog function, which constructs a new continuous scale with the specified domain and range Transformed sequential scales, for example, d3.scaleSquentialLog Transformed diverging scales, for example, d3.scaleDivergingLog d3.scaleSequentialQuantile for p-quantiles scale.unknown for all scale types Unlimited band.paddingOuter and point.padding d3-selection The selection.join method is added, a convenient alternative to the more explicit selection.enter, selection.exit, selection.append, and selection.remove. selection.order is updated to enforce relative position, rather than exact siblings. Vendor fallback for element.matches in selection.filter and d3.matcher is removed. d3-transition The transition.end is added, which returns a promise that resolves when every selected element finishes transitioning. A cancel event is added to transition.on. Performance of transition.style and transition.attr is improved To read the full list of updates on the GitHub repository of D3.js. Introducing Cycle.js, a functional and reactive JavaScript framework Introducing Howler.js, a Javascript audio library with full cross-browser support 16 JavaScript frameworks developers should learn in 2019

Yesterday, PrimeTek announced the release of PrimeReact 3.0.0, a UI component library for React. This updated version comes with few accessibility enhancements, the all-new Babylon create-react-app template, and more. Here are some of the changes PrimeReact 3.0.0 comes with: Enhanced accessibility and quality After reviewing the entire suite, the team has enhanced various components for keyboard and screen reader compatibility. They have also addressed the user feedback resulting in improved overall quality of PrimeReact. Babylon template Babylon is the newly introduced create-react-app template for PrimeReact. It comes with over 800 UI Variations with different menu options, 50+ PrimeReact themes, ready to use pages, and more. There are four flavors of Babylon menu: static, overlay, slim, and horizontal with dar/light color schemes. Additionally, a new grouped menu mode is also introduced in which submenus of the first level menu items are expanded for easier navigation. The template supports 51 built-in themes each of which offers accent, light, and dark options. You can also create your own theme by just defining a couple of SaSS variables. In the future releases, the team will be working towards adding support for more premium templates like Ultima, Serenity, Avalon, and Apollo in PrimeReact 3.0.0. They will also be improving PrimeReact core with features such as TableState, Carousel Component, Filtering for Tree/TreeTable, and more. You can read the full list of changes on PrimeTek’s website. npm JavaScript predictions for 2019: React, GraphQL, and TypeScript are three technologies to learn Introducing Cycle.js, a functional and reactive JavaScript framework JavaScript mobile frameworks comparison: React Native vs Ionic vs NativeScript

Microsoft Edge mobile browser is now flagging untrustworthy news sites with the help of a plugin named NewsGuard. Microsoft partnered with NewsGuard in August 2018 under its Defending Democracy Program. It was first supported as a downloadable plugin, but now Microsoft has started automatically installing this functionality on mobile version of Edge. Currently, it is an opt-in feature, which you can enable by going to the Settings menu . NewsGuard was founded by journalists Steven Brill and Gordon Crovitz. It evaluates a news site based on 9 specific criteria including their use of deceptive headlines, transparency regarding ownership and financing and gives users a color coded rating in green or red. Its business model is basically licensing its product to tech companies that aim to fight fake news. According to The Guardian, NewsGuard was warning users when they visited the Mail Online, “Proceed with caution: this website generally fails to maintain basic standards of accuracy and accountability.” Steve Brill says that NewsGuard takes complete responsibility for its verdicts and all complaints should be directed at his company rather than Microsoft. “They can blame us. And we’re happy to be blamed. Unlike the platforms we’re happy to be accountable. We want people to game our system. We are totally transparent. We are not an algorithm.” A spokesperson for Mail Online said to The Guardian, “We have only very recently become aware of the NewsGuard startup and are in discussions with them to have this egregiously erroneous classification resolved as soon as possible.” Though NewsGuard says that its verdict are taken by experienced journalists, there are still some issues that users have pointed out. One of the Hacker News user said that the very concern related to NewsGuard is that it flags unreliable content at the site level instead of the article level. Sharing what consequences this could impose he wrote, “It's obvious why that's necessary, but the result is a complete failure to deal with any source where quality varies widely. Fox's written reporting is sometimes quite good, but Glenn Beck's old videos are still posted under the same domain. The result is that NewsGuard happily puts a big green check-mark above a video declaring that the US is the only country in the world with birthright citizenship.” Though an opt-in feature is not a big deal, but with time this could become a default mode. We can’t deny that with time users could just see the green or red icon and based on that rating follow the website. Another Hacker News user says this could lead to something called “Truth as a service”, which means you are not using your own critical thinking and just take what the machine says. This fact is also supported by a study done by Gallup and the Knight Foundation, which surveyed 2,000 adults in U.S. They showed articles with and without the ratings and the result revealed that readers are more likely to trust articles that included the green icon in the address bar. Read the full story at The Guardian website. Microsoft confirms replacing EdgeHTML with Chromium in Edge Microsoft reportedly ditching EdgeHTML for Chromium in the Windows 10 default browser Microsoft announces container support for Azure Cognitive Services to build intelligent applications that span the cloud and the edge

Chromium developers recently shared the updates they are planning to do in Manifest V3, and one of them was limiting the blocking version of the webRequest API. They are introducing an alternative to this API called the declrativeNetRequest API. After knowing about this update many ad blocker maintainers and developers felt that introduction of the declarativeNetRequest API can lead to the end of many already existing ad blockers. One of the users at the Chromium bug tracker said: “If this (quite limited) declarativeNetRequest API ends up being the only way content blockers can accomplish their duty, this essentially means that two content blockers I have maintained for years, uBlock Origin ("uBO") and uMatrix, can no longer exist.” What is manifest version? Manifest version is basically a mechanism through which certain capabilities can be restricted to a certain class of extensions. These restrictions are specified in the form of either a minimum version or a maximum version. What Chromium states is their reason for doing this update? The webRequest API permit extensions to intercept requests to modify, redirect, or block them. The basic flow of handling a request using this API is, Chrome receives the request, asks the extension, and then gets the result. In Manifest V3, the use of this API will be limited in its blocking form. While the non-blocking form of the API, which permit extensions to observer network requests, but not modify, redirect, or block them will not be discouraged. They have not yet listed the limitations they are going to put in the webRequest API. Manifest V3 will treat the declarativeNetRequest API as the primary content-blocking API in extensions. What this API does is, it allows extensions to tell Chrome what to do with a given request, rather than have Chrome forward the request to the extension. This allows Chrome to handle a request synchronously. As per the doc shared by the team, this API is more performant and provides better privacy guarantees to users. What ad blocker developers and maintainers are saying? After knowing about this update many developers were concerned that this change will end up crippling all ad blockers. “Beside causing uBO and uMatrix to no longer be able to exist, it's really concerning that the proposed declarativeNetRequest API will make it impossible to come up with new and novel filtering engine designs, as the declarativeNetRequest API is no more than the implementation of one specific filtering engine, and a rather limited one (the 30,000 limit is not sufficient to enforce the famous EasyList alone)”, commented an ad blocker developer. He also stated that with the declarativeNetRequest API developers will not be able to implement other features like blocking of media element that are larger than a set size, disabling of JavaScript execution through the injection of CSP directives, etc. Users also feel that this is similar to Safari content blocking APIs, which basically puts limit on the number of rules. One of the developers stated on Chromium issue tab, “Safari has introduced a similar API, which I guess inspires this. My personal experience is that extensions written in that API is usable, but far inferior to the full power of uBlock Origin. I don't want to see this API to be the sole future.” You can check out the issue reported on Chromium bug tracker. Also, you can join the discussion or raise your concern on the Google group: Manifest V3: Web Request Changes. Chromium blacklists nouveau graphics device driver for Linux and Ubuntu users Chromium-based Brave browser shows 22% faster page load time than its Muon-based counterpart DragonFly BSD 5.4.1 released with new system compiler in GCC 8 and more

Ionic Framework today released Ionic Framework 4.0. The release is a complete rebuild of the popular JavaScript framework for developing mobile and desktop apps. Although Ionic has, up until now, Ionic was built using Angular components, this new version has instead been built using Web Components. This is significant, as it changes the whole ball game for the project. It means Ionic Framework is now an app development framework that can be used alongside any front end frameworks, not just Angular. The shift away from Angular makes a lot of sense for the project. It now has the chance to grow adoption beyond the estimated five million developers around the world already using the framework. While in the past Ionic could only be used by Angular developers, it now opens up new options for development teams - so, rather than exacerbating a talent gap in many organizations, it could instead help ease it. However, although it looks like Ionic is taking a significant step away from Angular, it's important to note that, at the moment, Ionic Framework 4.0 is only out on general availability for Angular - it's still only in Alpha for Vue.js and React. Ionic Framework 4.0 and open web standards Although the move to Web Components is the stand-out change in Ionic Framework 4.0, it's also worth noting that the release has been developed in accordance with open web standards. This has been done, according to the team, to help organizations develop Design Systems (something the Ionic team wrote about just a few days ago) - essentially, using a set of guidelines and components that can be reused across multiple platforms and products to maintain consistency across various user experience touch points. Why did the team make the changes to Ionic Framework 4.0 that they did? According to Max Lynch, Ionic Framework co-founder and CEO, the changes present in Ionic Framework 4.0 should help organizations achieve brand consistency quickly, and to give development teams the option of using Ionic with their JavaScript framework of choice. Lynch explains: "When we look at what’s happening in the world of front-end development, we see two major industry shifts... First, there’s a recognition that the proliferation of proprietary components has slowed down development and created design inconsistencies that hurt users and brands alike. More and more enterprises are recognizing the need to adopt a design system: a single design spec, or library of reusable components, that can be shared across a team or company. Second, with the constantly evolving development ecosystem, we recognized the need to make Ionic compatible with whatever framework developers wanted to use—now and in the future. Rebuilding our Framework on Web Components was a way to address both of these challenges and future-proof our technology in a truly unique way." What does Ionic Framework 4.0 tell us about the future of web and app development? Ionic Framework 4.0 is a really interesting release as it tells us a lot about where web and app development is today. It confirms to us, for example, that Angular's popularity is waning. It also suggests that Web Components are going to be the building blocks of the web for years to come - regardless of how frameworks evolve. As Lynch writes in a blog post introducing Ionic Framework 4.0, "in our minds, it was clear Web Components would be the way UI libraries, like Ionic, would be distributed in the future. So, we took a big bet and started porting all 100 of our components over." Ionic Framework 4.0 also suggests that Progressive Web Apps are here to stay too. Lynch writes in the blog post linked to above that "for Ionic to reach performance standards set by Google, new approaches for asynchronous loading and delivery were needed." To do this, he explains, the team "spent a year building out a web component pipeline using Stencil to generate Ionic’s components, ensuring they were tightly packed, lazy loaded, and delivered in smart collections consisting of components you’re actually using." The time taken to ensure that the framework could meet those standards - essentially, that it could support high performance PWAs - underscores that this will be one of the key use cases for Ionic in the years to come.  

Last week, a bug was reported to the VLC bug tracker that all the connections to the update server are still done in HTTP instead of HTTPS. One of the VLC developers replied back asking the bug reporter for a threat model, and when he did not submit it, the VLC developer closed the bug and marked it as “invalid”. This is not the first time this bug has been reported. In a bug reported in 2017, a user said, “It appears that VLC's updating mechanism downloads a new VLC executable over HTTP (ie, in clear-text). Please modify the update mechanism to happen over TLS (preferably with Forward Secrecy enabled).” What are some of the implications of using HTTP over HTTPS? One of the Hacker News users said, “As a trivial example, this is a privacy leak - anyone on the network path can see what version you're upgrading to. It doesn't sound like a huge deal but we are moving to a 100% encrypted world, and it is a one character change to fix the issue. If VLC wants to keep the update over plaintext then they should justify why they want to do that, not have users justify why it should be over https. Instead, it feels like the VLC devs are having a kneejerk defensive reaction.” Along with this, there are several security threats related to software that updates over HTTP, some of which are described here: An attacker can see the contents of software update requests. They can then modify these update requests or responses to change the update behavior or outcome. They can also intercept and redirect software update requests to a malicious server. Attackers can respond to the client request with a huge amount of data that will interfere with the client’s system resulting in endless data attacks. Clients can be prevented by the attackers from being aware of interference with receiving updates by responding to client requests so slowly that automated updates never complete resulting in endless data attacks. Attackers can trick a client into installing software that is older, which is known to have critical bugs. Why VideoLAN does not see it as a big problem? Jean-Baptiste Kempf, the President, and lead VLC developer, said that some of these attacks described above are the case for nearly all download systems, “I'm sorry, but some described attacks (Slow retrieval attacks, Endless data attacks) are issues that are the case for all download system like most Linux Distributions, and that will not be fixed. Mirrors are HTTP and will stay HTTP for a few obvious reasons. Moreover, they will install binaries, so there is no security issue. Moreover, downloads are never done automatically, without user intervention.” As Kempf said, this is not just the case with VLC. A Hacker News user said, “it seems to be a common practice for highly-loaded services to outsource as many cryptographies to clients as possible.” A general-purpose package manager like Pacman uses HTTP because there is not much value in using transport-level security when the payload is cryptographically signed. Even Tesla’s firmware updates are not encrypted in transit as their updates are cryptographically signed. Oracle also followed the same policy with VirtualBox distributions and that's been fine because they signed packages. You can read more in detail on the VLC bug tracker website. dav1d 0.1.0, the AV1 decoder by VideoLAN, is here Presenting dav1d, a new lightweight AV1 decoder, by VideoLAN and FFmpeg dav1d to release soon with all features of AV1, and better performance than libaom

Earlier this month, the team at Atom released Atom 1.34, a free and open source text editor that helps users to commit with a faster diff view and an ability to preview all staged changes. This release comes with improved commit preview, commit message templates and improved diffs. Improvements in Atom 1.34 Commit preview This feature will be highly useful for those who double check the specific changes that are going into each commit. While crafting commit messages, users can now draw inspiration from the diff of their staged changes. Users just have to click the ‘See All Staged Changes’ button above the commit message box, and they will be able to view their staged changes. Improved diffs The GitHub package now renders diff views with a text editor which will improve performance. Users will now be able to render large diffs faster. And the text editor key bindings will now work in diffs. Commit message templates This release now supports commit message templates. Users can now add a template on a per-project basis or globally through the git configuration. Changes in Atom 1.34 Users can view a multi-file diff of all staged changes prior to committing This release comes with added support for commit message template. This version of Atom renders git diff view with a TextEditor. This release comes with Kotlin language syntax highlighting in markdown code blocks. Major bug fixes The previous release had a bug where package searches were throwing uncaught exceptions which has been fixed now. Initially there was an error while running Bracket Matcher which has been fixed now. Users have given mixed reactions to this release. Few of the users think that the team at Atom could have worked on bigger issues related to finder reindexing and Atom-IDE packages. Few users are comparing this release with VSCode. With some users in the favor of VSCode and others supporting Atom 1.34. One user commented on HackerNews, “What makes you stick to Atom? I switched to VSCode due to Atom's terrible performance when opening huge files.” Another comment on HackerNews, reads, “I was a big fan of Atom, but it's constant performance problems combined with the fact that even after Atom's team rewriting huge parts of the project in C++, doing witchcraft and what not, made me switch to VSCode.” Another comment reads, “I'm finding VSCode's performance starts to fall apart completely where Atom performs the exact same as before.” Few users think that Atom functioned well initially but when it is used as an IDE, it falls flat. One of the users commented, “I used Atom for a couple years and raved about it's features and package management but when it came to using it as an IDE, it fell short for one reason. It doesn't have a configurable way to debug across all languages.” According to some users, Atom uses a rendering layer that doesn’t work along with the goal of a text editor, which is to be fast and responsive. While others are liking how this release auto-formats commit messages and make it easier for highlighting merge conflicts. To know more about Atom 1.34, check out the release notes. YUI 2.8: Rich Text Editor Facebook retires its open source contribution to Nuclide, Atom IDE, and other associated repos Android Studio 3.3 released with support for Navigation Editor, C++ code lint inspections, and more

Yesterday, the Mastodon team released Mastodon 2.7, which comes with major improvements to the admin interface, a new moderation warning system, and more. Mastodon is a free, open-source social network server, which is based on open web protocols like ActivityPub and OStatus. This server aims to provide users with a decentralized alternative to commercial social media silos and returns the control of the content distribution channels to the people. Profile directory The new profile directory allows users to see active posters on a given Mastodon server and filter them by the hashtags in their profile bio. With profile directory, users can find people with common interests without having to read through public timelines. A new moderation warning system This version comes with a new moderation warning system for Mastodon. Moderators can now inform users if their account is suspended or disabled. They can also send official warnings via e-mails, which are reflected in the moderator interface to keep other moderators up to date. Improvements in the administration interface Mastodon 2.7 combines administration interfaces for known servers and domain blocks into a common area. Users can see information like the number of accounts known from a particular server, the number of accounts followed from your server, the number of individuals blocked or reported, etc. A registration API A new registration API is introduced, which allows apps to directly accept new registration from their users, instead of having to send them to a web browser. Users still receive a confirmation e-mail when they sign up through the app, which contains an activation link that can open the app. New commands for managing a Mastodon server The tootctl command-line utility used for managing a Mastodon server has received two new commands: tootctl domains crawl: You can scan the Mastodon network to discover servers and aggregate statistics about Mastodon’s usage. tootctl accounts follow: You can make the users on your server follow a specified account. This command comes in handy in cases where an administrator needs to change their account. You can read the full list of improvements in Mastodon 2.7 on its website. How Dropbox uses automated data center operations to reduce server outage and downtime Obfuscating Command and Control (C2) servers securely with Redirectors [Tutorial] Fortnite server suffered a minor outage, Epic Games was quick to address the issue