better-sse
EventSource
| | better-sse | EventSource |
|---|---|---|
| Mentions | 5 | 16 |
| Stars | 162 | 2,068 |
| Growth | - | - |
| Activity | 6.8 | 0.0 |
| Latest commit | 2 months ago | about 1 month ago |
| Language | TypeScript | JavaScript |
| License | MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
better-sse
-
How is barely anyone talking about the Server-Sent Events API?
I wrote a library for using SSE with Node and have read the spec front-to-back dozens of times when I was working on it, so I have a fairly good understanding if you have any more unanswered questions!
-
I made a library to make it a breeze to work with server-sent events, server push without websockets
- Do you plan to support Event history maintenance? If not, why? https://github.com/MatthewWid/better-sse/blob/master/docs/comparison.md
It actually originally started out as an Express middleware, but I then rewrote it to use the underlying Node HTTP native module so it could work with most/all frameworks, and then relied on creating a Recipes section in the docs to demonstrate how to create your own abstractions.
Link to GitHub project - Better SSE.
-
A beginner friendly intro to server sent events with node.js
I've been working on a library that makes working with server-sent events easier on the server-side that can hopefully be relevant here.
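The two things this section keeps coming back to, the text/event-stream wire format and "event history maintenance" (replaying missed events to a client that reconnects with a Last-Event-ID header), as an added example. This is not better-sse's code; it is a from-scratch illustration of the spec's framing and client parsing rules, and every event in it is constructed for the example.

```javascript
// Added example, not code from better-sse. Shows the text/event-stream framing
// and a bounded server-side history replayed on reconnect via Last-Event-ID.
// All events below are constructed for illustration.

// Serialise one event. Each field is "name: value", a multi-line payload becomes
// several "data:" lines, and a blank line terminates the event. A CR or LF in the
// id or event fields would let untrusted input forge extra fields, so reject it.
function formatEvent({ id, event, data, retry }) {
  for (const v of [id, event]) {
    if (v !== undefined && /[\r\n]/.test(String(v))) {
      throw new Error("CR/LF not allowed in id/event fields");
    }
  }
  const lines = [];
  if (id !== undefined) lines.push(`id: ${id}`);
  if (event !== undefined) lines.push(`event: ${event}`);
  if (retry !== undefined) lines.push(`retry: ${retry}`);
  for (const chunk of String(data).split(/\r\n|\r|\n/)) lines.push(`data: ${chunk}`);
  return lines.join("\n") + "\n\n";
}

// Parse a stream the way the spec's client algorithm does: comment lines (":")
// are skipped, unknown fields ignored, "data" accumulates with "\n", an "id"
// containing NUL is ignored, "retry" must be all digits, and an event with an
// empty data buffer is not dispatched. The last event ID persists across events.
function parseStream(text) {
  const events = [];
  let data = "", eventType = "", idBuffer = "", lastEventId = "", retry;
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === "") {
      lastEventId = idBuffer; // applied at dispatch time, buffer is not reset
      if (data !== "") {
        if (data.endsWith("\n")) data = data.slice(0, -1);
        events.push({ id: lastEventId, event: eventType || "message", data });
      }
      data = "";
      eventType = "";
      continue;
    }
    if (line.startsWith(":")) continue;
    const colon = line.indexOf(":");
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? "" : line.slice(colon + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "event") eventType = value;
    else if (field === "data") data += value + "\n";
    else if (field === "id" && !value.includes("\u0000")) idBuffer = value;
    else if (field === "retry" && /^\d+$/.test(value)) retry = Number(value);
  }
  return { events, lastEventId, retry };
}

// Bounded history for one channel. Ids are server-assigned; the client echoes
// them back in Last-Event-ID, so treat that header as untrusted: an unknown id
// (evicted, or made up) replays the whole retained window rather than being
// used to address anything. Keep one history per channel so a client can never
// replay another channel's events by guessing ids.
class EventHistory {
  constructor(limit = 100) {
    this.limit = limit;
    this.buffer = [];
    this.nextId = 1;
  }
  push(event, data) {
    const entry = { id: String(this.nextId++), event, data };
    this.buffer.push(entry);
    if (this.buffer.length > this.limit) this.buffer.shift();
    return entry;
  }
  eventsAfter(lastEventId) {
    const idx = this.buffer.findIndex((e) => e.id === lastEventId);
    return this.buffer.slice(idx + 1); // idx === -1 => everything retained
  }
}

// What the server writes to a reconnecting client before resuming live events.
function replayStream(history, lastEventId) {
  return history.eventsAfter(lastEventId).map(formatEvent).join("");
}

// Constructed walk-through: four events into a window of three, then a client
// that last saw id 2 reconnects and should receive ids 3 and 4 only.
const history = new EventHistory(3);
history.push("message", "one");
history.push("tick", "two\nlines");
history.push("message", "three");
history.push("message", "four"); // "one" is evicted here
const replay = replayStream(history, "2");
```

On a real Node server the `replay` string is written to the response after the `Content-Type: text/event-stream` headers and before live events, and the `retry` field tells the browser how long to wait before reconnecting; the client keeps sending the highest `id` it has seen, so the history only needs to be as deep as the longest reconnect gap you want to cover.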
EventSource
- Can my Linux system get infected with malware?
-
Rise in npm protestware: another open source dev calls Russia out
The library in question is much more than one line, and it's a polyfill, which is something that provides the capabilities of the standard library to older browsers.
-
Node.js packages don't deserve your trust
It makes me deeply sad to see these sort of interactions in open source [1].
> Hmm, I think it's a worthwhile fix. Where did you see malware here?
> I think the author of this repo is free to decide what code he publishes. Say thanks to that it's for free
An incredible number of people have dedicated sweat and tears and foreheads (from banging against the desk in frustration) to open source across the entire stack, from the contributors to OSs such as Linux to those working their arses off to create better frameworks, languages and runtimes, that we can all benefit from and use with a reasonable expectation of security, respect and privacy.
As a university student, I feel privileged to have been able to grow up in a world where so much work and knowledge is provided for free with no strings attached, regardless of demographic/location, I would not be where I am without it. A century ago this would not have been possible. To all of you who have tirelessly and selflessly worked on OSS for others, without expecting anything in return or imposing politics, ideologies, infringing on privacy, causing damage, collecting vast quantities of marketable personal information or monopolisation, I give you my heartfelt thanks for your efforts, you know who you are. You have created something that will have forever helped to improve our society and empower those that want to learn and create their own designs.
From my own personal experience, I want to give a shout-out to the smaller projects of Rust, Svelte and Elixir. I think it's incredible that the work and ideas of (often) a single person (Rich Harris, José Valim) can grow into larger extremely welcoming and helpful communities with many more motivated contributors that are proud of being parts of those projects and put in an extraordinary effort to try and do things _better_ than before. I'm sure there are plenty of other worthy names I'm too young/ignorant to know.
Love it or hate it, Node.js has been very empowering for a large number of people to learn and publish their own full-stack applications, the JavaScript ecosystem has improved enormously since its beginnings, but has a tendency to change slowly due to its size, unless a disruptive technology comes along such as TypeScript. Websites are a great way to introduce people to the joy of programming with its visual feedback, you can make a small penguin move across the screen, then move on to play tic tac toe. Even as a younger developer, I admit that the days of FTP, no-build-step pages with a sprinkle of jQuery were easier to understand and actually _safer_ for newcomers than introducing someone to a SPA stack (which can easily have thousands of transient dependencies) nowadays.
-
NPM package event-source-polyfill compromised by political activists
> Cool story.
Actually, "blacklists", "redlists" and many other "lists of undesirables" weren't cool at all. But every generation or so they unfortunately seem appealing again.
> the list that they're discussing has actually existed for 30 years
Where is this list? Who maintains it?
OC certainly didn't know about it: "We should probably start an open source sanction list of individuals who abuse trust to ship malware"
> When you commit a crime
"crime"? Please link me to the law you think they broke.
Here's the license: https://github.com/Yaffle/EventSource/blob/master/LICENSE.md
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED
So, how is this a "crime"?
> that knowledge never disappears in any country
Not true in any country except maybe North Korea or some other authoritarian state. In any society with checks and balances, verdicts can be appealed, judgements reversed, records expunged and rights restored. This "undo" feature is pretty critical to any legitimate system of justice, as is "innocent until proven guilty". I didn't see any details about the rights of the accused in anyone's blacklisting proposals.
> None of these address what happened in any way.
Yes, it does. MIT licensed software is provided "AS IS, WITHOUT WARRANTY". If you don't like it you can fork it. If you're afraid of a bad commit, vendor it, which is a best practice anyway, for this exact use case.
> Relatively easy for the rest of us to see.
Our entire legal branch of government exists because these lines are never easy. Judges judge things all the time, and not uniformly. If everything was easy to see, we wouldn't need judges or juries. The interpretation of language or of an act on a case by case basis is where things get tricky.
> The rest of us will act without you
At this point I have way more questions:
* Would you blacklist this contributor if they documented the Russian timezone popup as a feature in the package as the issue creator suggested (https://github.com/Yaffle/EventSource/issues/202#issuecommen...)?
* What "test" would you apply to code to determine if the developer should be blacklisted or not? Would this blacklist only pertain to malware? Wikipedia (https://en.wikipedia.org/wiki/Malware) defines a few different malware categories: "Many types of malware exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper, and scareware." If the code doesn't fall into one of those categories (as is this case), under what circumstances might you still blacklist the developer?
* If a maintainer stops maintaining their current library and says all future maintenance will be done on a new library, and that new library contains this Russian timezone popup code, would they be blacklisted?
* Would it matter if the "bad code" was intentional or not? Or a joke or not? Or temporary or not? How would you determine the author's intent? Would they have a chance (or be obligated) to respond? Or would you only look at the impact of the code? If you look at the impact, under what conditions would a "bug" get you blacklisted?
* Would you blacklist a developer for making a breaking change to a package? What if the breaking change was politically motivated?
* Who runs and maintains the list? Does this list have an appeals process? What are the rights of the accused?
* How will you disambiguate the list so as not to misconstrue "innocent" developers as blacklisted developers? Will you include their birth name? Social profiles? Emails? Addresses? How will you deal with name changes (someone gets married, or changes their name?), or new online handles?
* What age and definition of a minor will you use? And will minors be given different treatment or excused from the blacklist?
I could go on, but if you're serious about this idea, you'll probably want to communicate it in more detail because a "forever list of bad developers" sounds a lot like a "forever list of communists" or a "forever list of undesirables". If you're not going to make the same mistakes McCarthy (and others before him) did, then these details will be really important.
Issue thread shows radio silence from the dev, this needs to be escalated to NPM.
On version 1.0.26. Committed 23 days ago as "update":
https://github.com/Yaffle/EventSource/commit/de137927e13d8af...
Reading the source the compromise is on these lines in particular (https://github.com/Yaffle/EventSource/blob/de137927e13d8afac...).
To experience the exploit set your computer timezone to any Russian timezone (e.g. asia/omsk) and paste this data URL into your URL bar:
data:text/html;charset=utf-8,<script type="module">import "https://unpkg.com/event-source-polyfill@1.0.26"</script>
In 15 seconds an alert window will open with a message which translates to:
> On February 24, Russia attacked Ukraine.
> The people of Ukraine are universally mobilized and ready to defend their country from enemy invasion. 91% of Ukrainians fully support their President Volodymyr Zelensky and his response to the Russian attack.
> The whole world condemned the unjustified invasion and decided to impose unprecedented sanctions against Russia. With each new day, they will be felt more and more strongly among civilians.
> At the same time, the Russian government restricts citizens' access to external information, planting one-sided formulations and versions of what is happening.
> As a reliable source of information, download the secure Tor Browser:
> And visit:
> https://www.bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6a...
> Stop this senseless war! Stop war criminal Putin!
After you dismiss the alert window a new window will open with the page http://www.change.org/NetVoyne
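The behaviour reported in the comment above (a payload that reads the user's time zone, waits 15 seconds, then throws an alert and opens a new window) is the kind of thing a dependency scanner can catch before it ships, because none of those pieces belong in a transport polyfill. The following is an added example, not code from event-source-polyfill or from the issue thread: a text-level heuristic that flags a time-zone probe, IANA zone-name literals, a delayed call and a UI takeover occurring together. It generalises beyond the Russian-zone case to any geography-gated payload. A production scanner would walk the AST; regexes are enough to show the idea without dependencies. Both "package sources" it scans are constructed for the example and are not the real commit.

```javascript
// Added example, not code from event-source-polyfill or its issue thread.
// Heuristic scan for behaviour gated on the user's IANA time zone that later
// takes over the page. Regex-based on purpose (no dependencies); an AST walk
// would be exact. Sample sources are constructed, not the real package.

// String literals that look like IANA zone names ("Asia/Omsk", "Europe/Moscow"...).
const ZONE_LITERAL =
  /["'](?:Africa|America|Antarctica|Asia|Atlantic|Australia|Europe|Indian|Pacific)\/[A-Za-z_+-]+["']/g;
// Ways JavaScript learns the local zone or offset.
const TIMEZONE_PROBE = /resolvedOptions\s*\(\s*\)\s*\.\s*timeZone|getTimezoneOffset\s*\(/;
// Calls that hijack the page rather than serve its function.
const UI_TAKEOVER = /\b(?:alert|confirm|window\.open|location\.(?:href|assign|replace))\b/;
// setTimeout with a numeric literal delay; the capture group is the delay in ms.
const DELAYED_CALL = /setTimeout\s*\([\s\S]{0,400}?,\s*(\d+)\s*\)/g;

function scanSource(source, { minDelayMs = 5000 } = {}) {
  const findings = [];

  if (TIMEZONE_PROBE.test(source)) findings.push("timezone-probe");

  const zones = source.match(ZONE_LITERAL) || [];
  if (zones.length > 0) findings.push(`zone-literals:${zones.length}`);

  if (UI_TAKEOVER.test(source)) findings.push("ui-takeover");

  // A long fixed delay (15 s in the report above) is a classic way to slip
  // past a quick manual test; record the longest one at or above the threshold.
  const delays = [];
  for (const m of source.matchAll(DELAYED_CALL)) {
    const ms = Number(m[1]);
    if (ms >= minDelayMs) delays.push(ms);
  }
  if (delays.length > 0) findings.push(`delayed-exec:${Math.max(...delays)}`);

  // The combination is what matters: reading the zone, comparing it against
  // zone literals, and then taking over the UI has no legitimate reason to
  // coexist in a transport polyfill. Any one of them alone is normal code.
  const suspicious =
    findings.includes("timezone-probe") &&
    zones.length > 0 &&
    findings.includes("ui-takeover");

  return { suspicious, findings, zones: zones.map((z) => z.slice(1, -1)) };
}

// Constructed sample modelled on the behaviour reported above (not the real commit).
const GATED_SAMPLE = `
function zone() { try { return Intl.DateTimeFormat().resolvedOptions().timeZone; } catch (e) { return ""; } }
if (["Europe/Moscow", "Asia/Omsk", "Asia/Vladivostok"].indexOf(zone()) !== -1) {
  setTimeout(function () {
    alert("constructed message");
    window.open("https://example.invalid/petition");
  }, 15000);
}
`;

// Constructed benign sample: the reconnect loop an SSE polyfill legitimately needs.
const BENIGN_SAMPLE = `
function reconnect(es) { setTimeout(function () { es.connect(); }, es.retry || 1000); }
`;
```

Run `scanSource` over each file in a package's tarball during CI or in a pre-install hook; the `findings` array gives the reviewer something concrete to open, while `suspicious` is only set on the full combination so that date-formatting code that merely reads the zone is not flagged.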
Why is "compromised by political activists" in the title?
"political activists" is 1) plural (wasn't it only 1 committer?) and 2) an opinionated label for someone we don't know much about. Sure, the commit may be an act of political activism, but to label the individual based on this one action seems inappropriate.
And "compromised" makes it sound like it's against the will of the maintainers. Do we know that? The commit was 23 days ago. There's an ongoing open discussion here where there are folks defending both sides: https://github.com/Yaffle/EventSource/issues/202
Anyway, a better title might be "event-source-polyfill displays popup about Ukraine in Russian timezones" or, if it is malware, then "event-source-polyfill affected by malware in Russian timezones"
-
A beginner friendly intro to server sent events with node.js
Obviously, websockets are superior and offer much more when compared to SSE. However according to me, sometimes the simplest solutions are just as good to get the job done. Besides, use of EventSource for SSE is abandoned and for that we can use polyfills such as https://github.com/Yaffle/EventSource
What are some alternatives?
fetch-event-source - A better API for making Event Source requests, with all the features of fetch()
firebase-js-sdk - Firebase Javascript SDK
WHATWG HTML Standard - HTML Standard
torsocks - Library to torify application - NOTE: upstream has been moved to https://gitweb.torproject.org/torsocks.git
Gatsby - The best React-based framework with performance, scalability and security built in.
feathers - The API and real-time application framework
gungi.io - Online real-time website to play Gungi from Hunter × Hunter ⚡
proposal-iterator-helpers - Methods for working with iterators in ECMAScript
LavaMoat - tools for sandboxing your dependency graph
CPython - The Python programming language
rua - Build tool for Arch Linux providing control, review and jailed build options