Short notes on tech 15/2021

Week 15 of 2021

Backend development

OpenAPI tools

Building REST API with Express, TypeScript and Swagger

A categorized list of all Java and JVM features since JDK 8 to 16
"Since the release of version 8, up to version 16, Java is shaped by 180 JDK Enhancement Proposals, each of which brings some improvement to the platform." The JDK you knew years ago is nowadays quite a different beast.

Learning

A11ycasts with Rob Dodson
"Want to build accessible apps? Rod Dodson is teaching those fundamentals in his new series dedicated entirely to the art of accessibility. Meet A11ycasts!"

Practical Cryptography for Developers
"A modern practical book about cryptography for developers with code examples"

A B2B Product Management Story
"On discovering problems that customers actually care about. Very visual story thread."

Security

kubernetes-simulator
"A distributed systems and infrastructure simulator for attacking and debugging Kubernetes: simulator creates a Kubernetes cluster for you in your AWS account; runs scenarios which misconfigure it and/or leave it vulnerable to compromise and trains you in mitigating against these vulnerabilities." (from Cloud Security Reading List)

The worst so-called “best practice” for Docker
"Please install security updates"

Tools of the trade

Icecream: Never use print() to debug again in Python

Something different

Meet Stretch from Boston Dynamics
"Prototype of robot designed to automate box moving tasks in warehouses and distribution centers: unloading trucks, building pallets of boxes and order building. Stretch makes warehouse operations more efficient and safer for workers."

Short notes on tech 13/2021

Week 13 of 2021

Learn

SMS: Substitutable Message Service
"Replacing the content of previously sent SMSs is actually possible."

Emoji under the hood
How “biggest innovation in human communication since the invention of the letter 🅰️” works under the hood.

Tools of the trade

Pyright
Static type checker for Python.

lazydocker
A simple terminal UI for both docker and docker-compose, written in Go with the gocui library.

Codetour
"CodeTour is a Visual Studio Code extension, which allows you to record and playback guided walkthroughs of your codebases. It's like a table of contents, that can make it easier to onboard (or re-board!) to a new project/feature area, visualize bug reports, or understand the context of a code review/PR change."

Responsively
"Develop responsive web apps 5x faster! A must-have DevTool for all Front-End developers."

Permissions
A simple site to test permission-related UI for web APIs.

Simulator Status Magic
"Modify the iOS Simulator so that it has a perfect status bar, then run your app and take perfect screenshots every time."

Cloud

Security Logging in Cloud Environments - GCP
"If you had to architect a multi-account security logging strategy, where should you start?" (from Cloud Security Reading List)

Something different

Ask HN: What was the biggest contributor to your happiness in the past year?
"Video walks on Youtube."

Automate your dependency management using update tool

Software often consists of not just your own code but also is dependent of third party libraries and other software which has their own update cycle and new versions are released now and then with fixes to vulnerabilities and with new features. Now the question is what is your dependency management strategy and how do you automate it?

Fortunately automated dependency updates for multiple languages is a solved problem as there are several update tools to help you: Renovate, Dependabot (GitHub), Greenkeeper ($), Depfu ($) and Dependencies.io ($) to name some alternatives. In this blog post I will concentrate on using Renovate and integrate it with GitLab CI.

Renovate your dependencies

Renovate is open source tool which works with most git hosting platforms (public or self-hosted) and it's possible to host Renovate Bot yourself. It’s installable via npm/yarn or Docker Hub.

In short, the idea and workflow of dependency update tools are following:

  1. Checks for updates: pulls down your dependency files and looks for any outdated or insecure requirements.
  2. Opens pull requests: If any of your dependencies are out-of-date, tool opens individual pull requests to update each one.
  3. Review and merge: You check that your tests pass, scan the included changelog and release notes, then hit merge with confidence.

Now you just run the depedency update tool on regular basis on your continuous integration, watch how the pull requests fly and you get to keep your dependencies secure and up-to-date.

The manual chore of checking for updates, looking for changelogs, making changes, running tests, writing pull requests and more is now moved to reviewing pull requests with better confidence of what has changed.

Self-hosted in GitLab CI

Renovate Bot is a node.js application so you’ve couple of alternative ways to run it on your CI/CD environment. You can use a node docker image which installs and runs renovate, or you can use Renovate Bot's own Docker image as I chose to do. We are using docker-in-docker approach of running the Renovate docker container. That means you can start Docker containers from within an other Docker container.

First create an  account for the bot on the Gitlab instance (the best choice) or use your own account. Then generate a personal access token with the api scope for renovate to access the repositories and create the branches and merge requests containing the dependency updates.

Then create a repository for the configuration and renovate will use that repo’s CI pipelines. Paste your Gitlab token under CI / CD > Variables as a new variable and give it the name RENOVATE_TOKEN. Set it to protected and masked to hide the token from the CI logs and to only use it for Pipelines starting on protected branches (your master branch is protected by default).

You'll also need a Github access token with the repos scope for renovate to read sources and changelogs of dependencies hosted on Github. It’s not important what Github account is used as it's just needed because Github's rate-limiting would block your bot making unauthenticated requests. Paste it as an other variable with the name GITHUB_COM_TOKEN.

To configure Renovate we need to add three files to our repository:

config.js for configuring renovate:

module.exports = {
  platform: ‘gitlab’,
  endpoint: ‘https://gitlab.com/api/v4/',
  assignees: [‘your-username’],
  baseBranches: [‘master’],
  labels: ['renovate', 'dependencies', 'automated'],
  onboarding: true,
  onboardingConfig: {
    extends: ['config:base'],
  },
};

repositories.txt for repositories we want to check:

openpatch/ui-core
openpatch/template

.gitlab-ci.yml to run renovate:

default:
  image: docker:19
  services:
    - docker:19-dind

# Because our GitLab runner doesn’t have TLS certs mounted and runs on K8s
variables:
  DOCKER_HOST: tcp://localhost:2375
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: ‘'

renovate:
  stage: build
  script:
    - docker run -e RENOVATE_TOKEN="$RENOVATE_TOKEN" -e GITHUB_COM_TOKEN="$GITHUB_COM_TOKEN" -v $PWD/config.js:/usr/src/app/config.js renovate/renovate:13 $(cat repositories.txt | xargs)
  only:
    - master

Now everything is finished and when you run the pipeline renovate will check the repositories in repositories.txt and create merge request if a dependency needs to be updated.

The first merge request to repository is Configure Renovate which helps you to understand and configure settings before regular Merge Requests begin.

As a last step create a Pipeline Schedule to run the pipeline every x hours or x day or whatever you like. You can do this in the bot's config project / repository under CI / CD > Schedules by creating a new schedule and chosing the frequency to run your bot.

You can also reduce noise by Package Grouping and Automerging. Here’s an example of grouping eslint themed packages and automerging them if tests pass.

Project’s renovate.json:

{
    "packageRules": [
        {
          "packagePatterns": [ "eslint" ],
          "groupName": "eslint",
          "automerge": true,
          "automergeType": "branch"
        }
      ]
}

Summary

Congratulations! You’ve now automated the dependency updating with GitLab CI. Just keep waiting for the merge requests and see if your test suites are successful.  If you are really trusting your test suite, you can even let renovate auto-merge the request, if the pipeline succeeds.

Short notes on tech 11/2021

Week 11 of 2021

Work life

Handbook for Remote employees
Read how Remote works as a company and take notes.

How to Deal with Difficult People on Software Projects

Your Thinking Rate Is Fixed
"You can’t force yourself to think faster. If you try, you’re likely to end up making much worse decisions. Here’s how to improve the actual quality of your decisions instead of chasing hacks to speed them up." (from Hackernewsletter)

Generalists vs specialists - who has a greater chance of success?
(from Hackernewsletter)

Learning

The Front-End Developer Learning Roadmap

AWS Cloud Development Kit Workshop
Learn CDK.

Software development

Best practices for REST API design
"In this article, we'll look at how to design REST APIs to be easy to understand for anyone consuming them, future-proof, and secure and fast since they serve data to clients that may be confidential." (from Hackernewsletter)

You really should use dev containers
tl;dr; "use development containers, indicating the act of running and compiling code inside a container, not on the host machine OS."

The case for and against Amazon Cognito

Information Security

How often should I rotate my ssh keys?
"More often than never! As often as you can. And make sure you retire old keys when you’re done with them." (from Hackernewsletter)

Tools of the trade

Helppo
"Instant admin UI for your database" Supports PostgreSQL and MySQL.

TSDX
Zero-config CLI for TypeScript package development

Colorful VSCode titlebars for better productivity
tl;dr;
"workbench.colorCustomizations": {
"titleBar.activeBackground": "#553955" // change this color!
}

Short notes on tech 10/2021

Week 10/2021

iOS development

Analyse, Design & Code the ClubHouse app with SwiftUI
This video from Franck Ndame on recreating the Clubhouse UI from scratch is incredibly well-produced and enjoyable to watch. Follow it up by checking out the Figma design and source code. (from iOS Dev Weekly)

Cloud

A Quick Look at GKE Autopilot (in 15 minutes)
"I was curious to take a look at GKE Autopilot, so if you don't have time to play with it, I did it for you. (from Cloud Security Reading List)"

Software development

Ethical Design Guide
Resources for creating ethical products that don't cause harm. (from Weekend Reading List)

Why is it so hard to see code from 5 minutes ago?
"Do you undo recent changes to remember what the code looked like a few minutes ago? Why can’t IDEs do that for us?" Waiting for "Yestercode" to be a VS Code extension. (from Weekend Reading List)

Modules, monoliths, and microservices
(from Hacker News comments)

Worklife

Things your manager might not know
If you never managed people before, it's not obvious how to manage your manager. Julia explains how to do that. (from Weekend Reading List)

How to be more productive without forcing yourself

Something different

Internet Archive Infrastructure
tl;dr; Lots of hardware.

Short notes on tech 9/2021

Week 9/2021

Tools of the trade

Uizard
"The design tool for everybody. Scan a paper scribble and you get a wireframe. Upload images and it will extract color and style to generate a matching theme." (from Weekend Reading)

Camo
Camo makes you look great on Zoom by using your iPhone as a webcam. You can control lighting, cropping, focus, Bokeh effect, stream 1080p with no stutter (needs cable), use front-facing, telephoto or wide lens. (from Weekend Reading)

Free for developers
List of free and free tier resources.

Cloud

Kubernetes README
"A collection of useful resources to read to learn more about Kubernetes." (from Cloud Security List)

Work

Unpacking Interview Questions
"Series sharing some of the questions the writer uses when he interviews for technical roles. He’ll unpack the question, when to ask it, and how to evaluate answers."

Something different

Scientists break through the wall of sleep to the untapped world of dreams
"Researchers at Paller’s lab at Northwestern University in Illinois, along with researchers in France, Germany and the Netherlands, have independently demonstrated two-way communication with people as they are lucidly dreaming during REM (rapid eye movement) sleep." (from Weekend Reading)

Monthly notes 56

Issue 56, 26.2.2021

Work life

Researchers identify four causes of "Zoom fatigue" and their simple fixes
"Those video calls are likely tiring you out." tl;dr;

  • Excessive amounts of close-up eye contact is highly intense.
  • Seeing yourself during video chats constantly in real-time is fatiguing.
  • Video chats dramatically reduce our usual mobility.
  • The cognitive load is much higher in video chats.

Maximizing Developer Effectiveness
"It’s all about tight feedback loops." (from Weekend Reading)

Information security

OWASP Top 10 for Web
"Inspired by real-world vulnerabilities and case studies, we have created a series of interactive application security training modules to help developers understand, identify and mitigate security vulnerabilities in their applications."

3 Ways to Mitigate Risk When Using Private Package Feeds
"Microsoft whitepaper on best practices to follow to reduce risks against substitution attacks." (from Cloud Security List)

How to use Docker Security Scan Locally
"Docker and Snyk recently entered into a partnership to provide container vulnerability scanning to official images on Docker Hub. Additionally, Docker has integrated scanning directly into Docker for Desktop clients." (from Cloud Security List)

Cloud

Introducing GKE Autopilot: a revolution in managed Kubernetes
"Autopilot is a new mode of operation in Google Kubernetes Engine (GKE). Autopilot clusters are pre-configured with an optimized cluster configuration that is ready for production workloads. This streamlined configuration follows GKE best practices and recommendations for cluster and workload setup and security." You can achieve "the same" by manually ticking the right options.

AWS Account Setup Guide
A guide for configuring new AWS accounts with an emphasis on security, including customizable templates. (from Cloud Security List)

Microservices

A Practical Guide to Writing Secure Dockerfiles
How to write secure Dockerfiles, and how to automate security checks as codified policies and validate them against the Dockerfiles to identify potential security risks before deploying them into production. (from Cloud Security List)

Learning

Tackling TypeScript: Upgrading from JavaScript
"For JavaScript developers looking to learn TypeScript." (from Weekend Reading)

How they SRE
A curated collection of publicly available resources on how technology and tech-savvy organizations around the world practice Site Reliability Engineering (SRE) (from Hacker Newsletter)

Tools of the trade

skan
"sKan is a Kubernetes configuration files and resources scanner that enables developers and devops team members to check whether their work is compliant with security & ops best practices." (from Cloud Security List)

Something different

Calvin and Hobbes search engine
(from Hacker Newsletter, comments)

Short notes on tech 7/2021

Week 7/2021

Microservices

A Practical Guide to Writing Secure Dockerfiles
How to write secure Dockerfiles, and how to automate security checks as codified policies and validate them against the Dockerfiles to identify potential security risks before deploying them into production. (from Cloud Security List)

Tools of the trade

Dockle
Container Image Linter for Security, Helping build the Best-Practice Docker Image.

Cloud

AWS Account Setup Guide
A guide for configuring new AWS accounts with an emphasis on security, including customizable templates. (from Cloud Security List)

Software development

Visual Studio Code Extensions for better programming

Visual Studio Code has become "The Editor" for many in software development and it has many extensions which you can use to extend the functionality for your needs and customize it. Here’s a short list of the extensions I use for frontend (React, JavaScript, Node.js), backend (GraphQL, Python, Node.js, Java, PHP, Docker) and database (PostgreSQL, MongoDB) development.

General

editorconfig
Attempts to override user/workspace settings with settings found in .editorconfig files.

Visual Studio IntelliCode
Provides AI-assisted development features for Python, TypeScript/JavaScript and Java developers in Visual Studio Code, with insights based on understanding your code context combined with machine learning.

GitLens
Visualize code authorship at a glance via Git blame annotations and code lens, seamlessly navigate and explore Git repositories, gain valuable insights via powerful comparison commands, and so much more.
Git Blame
See Git Blame information in the status bar for the currently selected line.

Local History
Plugin for maintaining local history of files.

Language and technology specific

ESlint
Integrates ESLint into VS Code.

Prettier
Opinionated code formatter which enforces a consistent style by parsing your code and re-printing it with its own rules that take the maximum line length into account, wrapping code when necessary.

Python
Linting, Debugging (multi-threaded, remote), Intellisense, Jupyter Notebooks, code formatting, refactoring, unit tests, and more.

PHP Intelephense
PHP code intelligence for Visual Studio Code is a high performance PHP language server packed full of essential features for productive PHP development.

Java Extension Pack
Popular extensions for Java development and more.

Docker
Makes it easy to build, manage, and deploy containerized applications from Visual Studio Code. It also provides one-click debugging of Node.js, Python, and .NET Core inside a container.

Markdown All in One
All you need to write Markdown (keyboard shortcuts, table of contents, auto preview and more)
Markdownlint
Includes a library of rules to encourage standards and consistency for Markdown files.
Markdown Preview Enhanced
Provides you with many useful functionalities such as automatic scroll sync, math typesetting, mermaid, PlantUML, pandoc, PDF export, code chunk, presentation writer, etc.

Prettify JSON
Prettify ugly JSON inside VSCode.

PlantUML
Rich PlantUML support for Visual Studio Code.

HashiCorp Terraform
Syntax highlighting and autocompletion for Terraform

Database

PostgreSQL
Query tool for PostgreSQL databases. While there is a database explorer it is NOT meant for creating/dropping databases or tables. The explorer is a visual aid for helping to craft your queries.

MongoDB
Makes it easy to work with MongoDB.

GraphQL
Adds syntax highlighting, validation, and language features like go to definition, hover information and autocompletion for graphql projects. This extension also works with queries annotated with gql tag.
GraphQL for VSCode
VSCode extension for GraphQL schema authoring & consumption.
Apollo GraphQL for VS Code
Rich editor support for GraphQL client and server development that seamlessly integrates with the Apollo platform.

Javascript

Babel
JavaScript syntax highlighting for ES201x, React JSX, Flow and GraphQL.

Jest
Use Facebook's Jest with pleasure.

npm
Supports running npm scripts defined in the package.json file and validating the installed modules against the dependencies defined in the package.json.

User Interface specific

indent-rainbow
Simple extension to make indentation more readable

Rainbow Brackets
Rainbow colors for the round brackets, the square brackets and the squiggly brackets.

vscode-icons
Icons for filetypes in file browser.

Other tips

VScode Show Full Path in Title Bar
With Code open, hit: Command+ , “window.title”: “{activeEditorLong}activeEditorLong{separator}${rootName}”

Slow integrated terminal in macOS
codesign --remove-signature /Applications/Visual\ Studio\ Code.app/Contents/Frameworks/Code\ Helper\ (Renderer).app

Short notes on tech 5/2021

Week 5/2021

Worklife

Why Working from Home Will Stick
Or will it? Hacker News comments provide a good pointers why it won't stick for the broader society.

Software development

Maximizing Developer Effectiveness
"It’s all about tight feedback loops." (from Weekend Reading)

Google Engineering Practices Documentation
"Google has many generalized engineering practices that cover all languages and all projects. These documents represent our collective experience of various best practices that we have developed over time." Unfortunately it currently contains only "Google's Code Review Guidelines".

Awesome Software and Architectural Design Patterns
"A curated list of software and architecture related design patterns."

Tools of the trade

deep-email-validator
"Library that handles all the email validation strategies: regex, common typos, disposable email blacklists, MX record lookup, and SMTP to check the inbox exists." (from Weekend Reading)

Mock Service Worker
Seamless API mocking library for browser and Node. (from Weekend Reading)