Notes from React Native EU 2022

React Native EU 2022 was held couple of weeks ago and it's a conference which focuses exclusively on React Native but consists also on general topics which are universal in software development while applied to RN context. This year the online event provided great talks and especially there were many presentations about apps performance improvements, achieving better code and identifying bugs. Here are my notes from the talks I found interesting. All of the talks are available in conference stream on Youtube.

Better performance and quality code from RN EU 2022

This year the React Native EU talks had among other presentations two common topics: performance and code quality. Important aspects of software development which are often dismissed until problems arise so it was refreshing to see it talked so much about.

Here are my notes from the talks I found most interesting. Also the "Can't touch this" talk about accessibility was a good reminder that not everyone use their mobile devices by hand.

How we made our app 80% faster, a data structure story

Marin Godechot gave an interesting talk of React Native apps performance improvements and one of the crucial tools for achieving that.

Validate your assumption before investing in solutions

The learnings of the talk which went through trying different approaches to fix the performance problem was that:

  • Validate your assumption before investing in solutions
  • Performance improvements without tooling is a guessing game
  • Slow Redux selectors are bad
  • Data structures and complexity matters

The breakthrough for finding the problem was after actually measuring the performance with Datadog Real User Monitoring (RUM) and better understanding of the bottlenecks. What you can't measure, you can't improve.

The issue wasn't with useless rerenders, lists and navigation stack but with the datamodels but not the one you would guess. Although the persisted JSON stringified state with Redux was transferred between the JS side and the Native (JS <-> json <-> Bridge <-> json <-> Native) it wasn't the issue.

The big reveal was that when they instrumented Redux's selectors, reducers and sagas to monitoring tool they found that as the user permissions were handled by using the Attribute Based Access Control model the data in JSON format had grown over the years from 15 permissions per user to 10000 permissions per user which caused problems with Redux selectors. The fix was relatively simple: change array to object -> {agengy: [agency:caregivers:manage]}

What you can't measure, you can't improve

You can go EVERYWHERE but I can go FAST - holistic case study on performance

Jakub Binda made a clever comparison in his talk that apps are like cars and same modifications apply to fast cars and fast applications.

The talk starts slow but gets to speed nicely with good overview how to create faster apps. Some of the points were:

  • Reduce weight:
    • Remove dead / legacy code
    • Avoid bundling heavy JSON files (e.g. translations)
    • Keep node_modules clean
  • Keep component structure "simple"
    • More complex structure leads to longer render time and more resources consumption and more re-renders
    • Shimmers are complex and heavy (improve UX by making an impression that content appers faster than it actually does)
  • Using hooks:
    • Might lead to unexpected re-renders when: their value change, dependency array is not set correctly
    • Lead to increased resources comsumption if: their logic is complex, the consumer of the results is hidden behind the flag
  • Tooling:
    • Flipper debug tool: flame charts & performance monitoring tooling

Reducing bugs in a React codebase

Darshita Chaturvedi's hands-on and thoroughly explained talk for identifying bugs in React codebase was insightful.

Reducing bugs in a React codebase

Getting Better All the Time: How to Escape Bad Code

Josh Justice had a great presentation with hands-on example of an application with needed fixes and features and how to apply them with refactoring. And what is TDD by recreating the application.

The slides are available with rest of the TDD sequence and pointers to more resources on TDD in RN.


The key point of the talk was about what do you do about bad code? Do you work around bad code or rewrite bad code? The answer is refactoring: small changes that improve the arrangements of the code without changing its functionality. And comprehensive tests will save you with refactoring. The value is that you're making the improvements that pay off right away and code is shippable after each refactoring. But how do you get there? By using Test-Driven Development (TDD)

"TDD is too much work"
Living with bad code forever is also a lot of work

Getting Better All the Time: How to Escape Bad Code

"Make code better all the time (with refactoring and better test coverage)"

Visual Regression Testing in React Native

Rob Walker talked about visual regression testing and about using React Native OWL. Slides available.

React Native OWL:

  • Visual regression testing for React Native
  • CLI to build and run
  • Jest matcher
  • Interaction API
  • Report generator
  • Inspired by Detox
Baseline, latest, diff
Easy to approach (in theory)

Different test types:

  • Manual testing pros: great for exploratory testing, very flexible, can be outsourced
  • Manual testing cons: easy to miss things, time consuming, hard to catch small changes
  • Jest snapshot tests pros: fast to implement, fast to run, runs on CI
  • Jest snapshot tests cons: only tests in isolation, does not test flow, only comparing JSX
  • Visual regression tests pros: tests entire UI, checks multi-step flows, runs on CI
  • Visual regression tests cons: can be difficult to setup, slower to run, potentially flaky
Use case for visual regression tests

Can't touch this - different ways users interact with their mobile devices

Eevis talked about accessibility and what does this mean for a developer. The slides give a good overview to the topic.

  • Methods talked about
    • Screen reader: trouble seeing or understanding screen, speech or braille feedback, voiceover, talkback
    • Physical keyboard: i.a. tremors
    • Switch devices: movement limiting disabilites
    • Voice recognition
    • Zooming / screen magnifying: low vision
  • 4 easy to start with tips
    • Use visible focus styles
    • Annotate headings (accessibilityRole)
    • Add name, role and state for custom elements
    • Respect reduced motion
  • Key takeaways
    • Users use mobile devices differently
    • Test with different input methods
    • Educate yourself
4 easy to start with tips

Performance issues - the usual suspects

Alexande Moureaux hands-on presentation of how to use Flipper React DevTools profiler and Flamegraph and Android performance profiler to debug Android application performance issues. E.g. why the app has below 60 fps? Concentrates on debugging Android but similar approaches work also for iOS.

First make your measures deterministic, average your measures over several iterations, keep the same conditions for every measure and automate the behavior you want to test.

The presentation showed how to use Flipper React DevTools profiler Flamegraph to find which component is slow and causes e.g. rerendering. Then refactoring the view by moving and the updating component which caused rerendering. And using @perf-profiler/web-reporter to visualize the measures from JSON files.

You can record the trace Hermes profiler and open it on Google Chrome:

  • bundleInDebug: true
  • Start profiler in simulator, trace is saved in device
  • npx react-native profile-hermes pulls the trace and converts it for usable format
  • Findings: filtering tweets list by parsing weekday from tweet was slow (high complexity), replace it with Date.getDay from tweet.createdAt

Connect the app to Android Studio for profiling: finding long running animation (background skeleton content "grey boxes")

How to actually improve the performance of a RN App?

Michal Chudziak presented how to use Define, Measure, Analyze, Improve, Control (DMAIC) pattern to improve performance of a React Native application.

  • Define where we want to go, listen to customers
  • Make it measurable
  • Analyze common user paths
  • Choose priorities

Define your goals:


Measure: where are we?

  • React Profiler API
  • react-native-performance
  • Native IDEs
  • Screen capture
  • Flipper & perf monitor


  • Measurement needs to be accurate and precise

Analyze phase: how do we get there?

  • List potential root causes
  • Cause and effect diagram (fish bone diagram)
  • Narrow the list

Improve phase

  • Identify potential solutions
  • Select the best solution
  • Implement and test the solution

Control phase: are we on track?

Performance will degrade if it's not under control so create a control plan.


Monitor regressions

  • Reassure: performance regression testing (local + CI)
  • Firebase: performance monitoring on production
  • Sentry:  performance monitoring on production

Raspberry Pi 3+ and Joy-IT 7" touchscreen on Debian 11

I've had for sometime a Joy-IT 7" IPS display for Raspberry Pi waiting in my drawer and now I got around to put it into use with Ikea Ribba frame. Setting up the touch screen was easy but getting it inverted (upside down) took some extra steps.

The touchscreen is "RB-LCD-7-2" from Joy-IT which is a 7" IPS display for Raspberry Pi with 1024x600 resolution and 5 point capacitive touchscreen and HDMI connector. The manufacturer provides a manual for setting it up but as things have changed during the years it didn't work out of the box for the inverted touch matrix.

I installed Debian GNU/Linux 11 (bullseye) to my Raspberry Pi Model 3 plus and did the following changes:

Display working

Edit /boot/config.txt

# or 4
# or 1
hdmi_cvt 1024 600 60 6 0 0 0

Inverted display

Flip the command line by editing /boot/cmdline.txt and adding


For inverting the GUI use evdev:

sudo apt-get install xserver-xorg-input-evdev
sudo mv /usr/share/X11/xorg.conf.d/10-evdev.conf


Section "InputClass"
        Identifier "evdev touchscreen catchall"
        MatchIsTouchscreen "on"
        MatchDevicePath "/dev/input/event*"
        Driver "evdev"
        Option "InvertX" "true"
        Option "InvertY" "true"


Short notes on tech 31/2022

Software development

How to explain technical architecture with a natty little video
Some thoughts on explaining architecture through diagraming, in particular the advantage of scrappy videos to show diagramming step-by-step. (from DevOps Weekly)

What Are Vanity Metrics and How to Stop Using Them
Measurement and metrics are an important part of devops practices, but establishing metrics always risks issues with vanity metrics. This post explains what they are and how to avoid them.

Chrome DevTools: 10 Useful Tips & Tricks
Various tips and tricks to help you get the most out of Chrome DevTools
(from Web Design Weekly)


Awesome Cloud Native Trainings
"All the free trainings (with and without certificates) released from different companies supporting CNCF Projects and Kubernetes." (from CloudSecList)

The Docker, Kubernetes, Terraform, and AWS crash course series
"High quality learning material is hugely useful given the large number of technologies relevant to modern software development and operations. This set of crash course posts on Docker, Kubernetes, AWS and Terraform look super useful for anyone just getting started." (from DevOps Weekly)


"An Electron alternative, written in Rust under MIT or MIT/Apache 2.0 license. The advantages of Electron combined with a fast, modern and secure base makes this a really cool project to consider for multi-platform apps. And the list of partners and sponsors makes me confident that it’ll stay at least for a while on the market." (from WDRL)


Kubernetes 101
Kubernetes is one of the most exciting technologies in the world of DevOps. The article explains the concepts of it and some simple examples.

Minimal Container Images: Towards a More Secure Future
This post walks through the typical approaches in this space: minimal distributions, scratch and distroless. (from CloudSecList)


Every programmer should care about UI design
"It’s way more common for people working on iOS/macOS projects to care about design than with some other platforms, but I still come across an occasional “I don’t need to care about it“. The points raised by this article are certainly worth reading if you’re in that camp!" (from iOS Dev Weekly)

UI Filler
Placeholders for your designs.
(from Web Design Weekly)


Awesome iOS widgets
A curated list of home screen widgets for apps on iOS 14!

Short notes on tech 25/2022


Simple, intuitive web app for analysing and decoding data without having to deal with complex tools or programming languages. CyberChef encourages both technical and non-technical people to explore data formats, encryption and compression.

Software development

The Art of Code Comments
Sarah Drasner talked at JSConf Hawaii 2020 about how commenting code is a more nuanced thing than we give it credit for. There is just not one right way or one reason to write a comment. The talk will dig into some of the many beneficial types of comments that might all serve a different purpose, followed by patterns we might want to avoid.

Does Laravel Scale?
"Jack Ellis elaborates on the question whether Laravel or PHP can scale." People usually tell how awful PHP is but what I've recently used it (newer versions) it was just like any other backend framework. And as Hannemann writes "It’s a very powerful, professional language with a huge ecosystem and it can be used to serve fast, efficient, reliable and readable codebases." (from WDRL)

Atkinson Hyperlegible font
"Atkinson Hyperlegible is a typeface created in partnership with Braille Institute. It has been developed specifically to increase legibility for readers with low vision, and to improve comprehension." (from WDW)


Awesome Azure Penetration Testing
A collection of resources, tools and more for penetration testing and securing Microsoft's cloud platform. (from Cloud Security Reading List)


Important PostgreSQL 14 update to avoid silent corruption of indexes
"PostgreSQL 14.4 release fixes an issue with all versions of PostgreSQL 14 that can lead to silent corruption of indexes."

Learn to write secure code with DevSecLab

There are lots of pitfalls in software development and creating a secure Web application needs some thought and keeping especially the OWASP Top-10 in mind. One effective way to learn secure software development is to learn by doing and that's what DevSecLab by Fraktal provides: teach developers to write secure code with hands-on exercises.

I got a chance to try the DevSecLab exercices with a free "trial" and here are my short notes about the content and thoughts about what I learned. Previously I've learned secure software development with Secure Code Warrior Secure Code Bootcamp, Kontra OWASP Top 10 for Web and more academic approach with Cyber Security Base MOOC so the topics and problems were familiar.

DevSecLab: Web Security Basics

The DevSecLab will teach you about:

  • The most common vulnerabilities in web applications,
  • How to spot vulnerabilities in code review
  • How to validate your findings with proof-of-concept exploits
  • Secure coding practices that keep your systems safe

The course is split into seven independent topics and you can work through them at your own pace in any order. The interactive challenges teach new tools and give new perspectives on daily work and each topic takes about 15–30-minutes.

  • Cross-Site Scripting (XSS): Hijacking a victim's browser by embedding JavaScript fragments in an application's inputs
  • SQL Injection: Accessing an application's database by embedding SQL fragments in its input
  • Broken Authentication: Weak or missing user identity checks on sensitive data or functionality
  • Broken Authorization: Weak or missing permission checks on sensitive data or functionality
  • Sensitive Data Exposure: Accidentally leaving secrets or confidential information publicly accessible
  • Cross-Site Request Forgery (CSRF): Tricking a victim's browser into performing actions on another website
  • Server-Side Request Forgery (SSRF): Tricking a backend server into performing HTTP requests on the attacker's behalf

The content of the course is well thought and covers the main issues in software development. Each topic is described in details by going from introduction to more detailed parts with appropriate exercises on the way.

DevSecLab: Introduction to CSRF

In each topic you get lessons ticked and unlocked by reading about the vulnerability and / or solving the exercises. The exercises can be all done with a web browser as shown below. Usually in the exercises you either need to write small about of code or use some other tools found in the web or in the course environment like gitleaks or fuff.

DevSecLab: exercise can be done with the browser

Some of the exercises require more thought what you should do the exploit the given application but fortunately there are hints to help you. At the end of the each topic there's "Dos & Don'ts" part which provides key points summarized for easy reference during daily work.

DevSecLab: Sensitive Data Exposure Dos and Don'ts

What I thought about it?

After the course you should have knowledge to identify, fix and prevent vulnerabilities in your web application code. And with hands-on approach with Dos and Don'ts at the end of each topic that goal is achieved.

What I liked about the course:

  • Shows what is wrong, how vulnerabilities can be exploited.
  • Hands down approach with embedded "browser" window of the application.
  • Suggestions of tools to use for testing (exploiting) like fuzzing.
  • Suggestions what you should do.
  • Dos and Don'ts

The overall difficulty was quite good regarding the hints you are given on the way and descriptions of the vulnerabilities. I didn't really count how many hours I spent doing the course. Although all of the topics were familiar more or less in practice I also learned some new things and what is also important, rehearsing the issues with new point of view.

DevSecLab has a free trial which you can check before buying the course. I found it useful and if you need it for compliance it really is "effortless" way to fulfill competence requirements.

Short notes on tech 22/2022


GitLab's Guide to All-Remote
Good writeup of remote work in GitLab, i.a. it's benefits and drawbacks and tips to better remote.


Honeycomb’s O’Reilly Book Observability Engineering
"Achieving Production Excellence by Charity Majors, Liz Fong-Jones, and George Miranda"

Set up a Terraform Pipeline with GitHub Actions and GitHub OIDC for AWS
A walkthrough of a Terraform pipeline setup. Most interesting for the use of OpenID Connect to remove the need for persistent credentials for AWS. (from Devops Weekly #590)

Terraform Best Practices for Better Infrastructure Management
Post which explores different best practices for Terraform and Infrastructure as Code, analyzes various options for handling and structuring Terraform projects, and shows how adopting helper tools could make our life easier. (from Cloud Security Reading List)

Observability 4 JVM Frameworks with Grafana in Java and Kotlin
(from Devops Weekly #591)


A Review of the AWS Security Model
AWS have released their own security maturity model, but does it stack up against what we're seeing in real-world attacks and in the approaches being suggested by the rest of the AWS security community? (from Cloud Security Reading List)

Security Overview of AWS Fargate
Amazon's own security overview of Fargate, which is helpful for new adopters and deepens understanding of Fargate for current users. (from Cloud Security Reading List)

Override nested NPM dependency versions

Sometimes your JavaScript project's dependency contains a library which has a vulnerability and you're left with a question how to solve the issue. If the nested dependency (with vulnerability) is already fixed but the main dependency isn't, you can use overrides field of package.json as explained in StackOverflow answer.

You'll need a recently new version of npm cli v8.3.0 (2021-12-09) which comes with Node.js v16.14.0. Corresponding node.js and npm versions can be seen in the releases table.

In my case the problem was that express-openapi-validator contained a version of multer which used dicer with vulnerable version of busboy. The vulnerability was fixed in multer 1.4.4-lts.1 and now the task was to override the nested dependency.

The overrides section in package.json file provides a way to replace a package in your dependency tree with another version, or another package entirely. These changes can be scoped as specific or as vague as desired.

For example in my case I used:

  "overrides": {
    "express-openapi-validator": {
      "multer": "1.4.4-lts.1"

The overrides section is useful if you need to make specific changes to dependencies of your dependencies, for example replacing the version of a dependency with a known security issue, replacing an existing dependency with a fork or only override a package when it's a dependency of a particular package hierarchy.

And to ensure that you've correct Node.js and npm versions in use, add the following to the package.json.

"engines": {
    "node": ">=16.14",
    "npm": ">=8.3.0"

What did we learn here? About how to "patch" dependencies and how beneficial it is to read what new features comes with your tools. But in the end this all was more or less just a drill as the nested dependency of multer in express-openapi-validator was updated to the fixed version in the same day that it was released (it took around 10 days to multer have a fix).

Using CASL and roles with persisted permissions

How do you implement user groups, roles and permissions in a multitenant environment where you have multiple organizations using the same application and each have own users and groups and roles? There are different approaches to the issue and one is to implement Attributes-based access control (ABAC) in addition with roles (RBAC). But what does that actually mean?

In short: you've groups, groups have roles and roles have permission attributes. Well, read forward and I'll explain how to tie things together using CASL: an isomorphic authorization JavaScript library which restricts what resources a given client is allowed to access.

Authorization mechanisms

First let's start with short introduction to authorization: "Authorization is the process of determining which action a user can perform in the system." Authorization mechanism grants proper privileges for a user defined by some role or other factor. Two popular types of authorization are: Role-based access control (RBAC) and Attributes-based access control (ABAC)

Role based access control (RBAC) is a simple and efficient solution to manage user permissions in an organization. We have to create roles for each user group and assign permissions for certain operations to each role. This is commonly used practice with roles suchs as "System admin", "Administrator", "Editor" and "User". The drawbacks of RBAC, especially in a complex system, is that a user can have various roles, which require more time and effort to organize. Also the more roles you create, the more security holes will be born.

Attributes-based access control (ABAC) is an authorization mechanism granting access dynamically based on user characteristics, environment context, action types, and more. Here we can have some action which is permitted to certain user, e.g. "{ action: 'edit', subject: 'Registration' }", "{ action: 'manage', subject: 'User', fields: ['givenName', 'familyName', 'email', 'phone', 'role'] }". For example, a manager can view only the users in their department; an user can not access his project’s information. ABAC is sometimes referred to as claims-based access control (CBAC) or policy-based access control (PBAC). You often see ABAC authorization mechanism in cloud computing services such as AWS and Azure.

The difference between ABAC and RBAC is that ABAC supports Boolean logic, if the user meets this condition he is allowed to do that action. Attribute-based Access Control (ABAC) enables more flexible control of access permissions as you can grant, adjust or revoke permissions instantly.

RBAC is a simple but sufficient solution to manage access in an uncomplicated system. However, it is not flexible and scalable and that is why ABAC becomes an efficient approach in this case. In the contrast, ABAC may be costly to implement. There is no all-in-one solution and it depends on your business requirements. Remember that use the right tool for the right job.

RBAC table structure can be visualized with:

Role basec access control in multitenant system

And you can add attribute based permissions to RBAC model:

Attribute based permissions for roles (CASL)

Using CASL with roles and permissions

CASL is a robust authorization library for JavaScript and including RBAC it also supports ABAC implementation by adding condition expression to the permission. That's exactly what we need in this case where we have a requirement to define different permissions for custom groups: need for roles and groups.

CASL has good resources and shows a great cookbook how to implement roles with persisted permissions. To supplement that you can check Nest.js and CASL example which also shows table structures in different stages.

The code for the following part can be seen in Gist

Table structure

  • Global Users table
  • Users are grouped by tenant in TenantUsers
  • TenantUsers have a role or roles
  • Users can be added to a group
  • Groups and roles are tenant specific
  • Permissions can be added to a role

Table structure in DBDiagram syntax

Next we create the table structure to our code with help of Sequelize ORM which describes the models, relations and associations.

We have the following models for our table structure:

  • models/rolepermissions.js
  • models/role.js
  • models/permission.js
  • models/group.js
  • models/groupuser.js

The Sequelize modeled class looks like this:

const { Model } = require('sequelize');
module.exports = (sequelize, DataTypes) => {
class Permission extends Model {
static associate() {}
toJSON() {
return {
action: this.action,
subject: this.subject,
fields: this.fields,
conditions: this.conditions,
inverted: this.inverted,
system: this.system,
id: {
type: DataTypes.INTEGER,
primaryKey: true,
allowNull: false,
action: DataTypes.STRING,
subject: DataTypes.STRING,
fields: DataTypes.ARRAY(DataTypes.TEXT),
conditions: DataTypes.JSON,
inverted: DataTypes.BOOLEAN,
system: DataTypes.BOOLEAN,
modelName: 'Permission',
return Permission;

You can see all the models on the Gist.

Defining CASL permissions to user

In this example we are adding permissions directly to the JWT we are generating and signing so we don't have to fetch user's permissions every time from the database (or cache) when user makes a request. We get the claims.role from the authentication token and it can be e.g. "admin", "user" or whatever you need.

services/token.js is the class where we fetch the permissions for the role and generate the JWT. It fetches the permissions for the user's roles, gets the user groups and those groups' roles and permissions. Then it merges the permissions to be unique and adds them to the JWT.

The JWT looks something like this:

"sub": "1234567890",
"role": "user",
"groups": [1, 3],
"permissions": [
"action": "read",
"subject": "Users",
"fields": null,
"conditions": {
"id": "${user.tenant}"
"action": "edit",
"subject": "User",
"fields": null,
"conditions": {
"id": "${}",
"TenantId": "${user.tenant}"
view raw jwt-sample.json hosted with ❤ by GitHub

Now we have all the permissions for the user in JWT which we can use in our services and routes. The solution isn't optimal as the JWT can grow large if user has lots of permissions.

In the JWT you can see that the conditions attribute has a placeholder. middleware/abilities.js class parses the user JWT which we added permissions in JSON format, converts the condition to CASL’s condition and creates a CASL Ability so that we can add permission checks later on to our actions.

const { AbilityBuilder, Ability } = require('@casl/ability');
const parseCondition = (template, vars) => {
if (!template) {
return null;
JSON.parse(JSON.stringify(template), (_, rawValue) => {
if (rawValue[0] !== '$') {
return rawValue;
const name = rawValue.slice(2, -1);
const value = get(vars, name);
if (typeof value === 'undefined') {
throw new ReferenceError(`Variable ${name} is not defined`);
return value;
return null;
const defineAbilitiesFor = (jwtToken) => {
const { can: allow, build } = new AbilityBuilder(Ability);
jwtToken.permissions.forEach((item) => {
const parsedConditions = parseCondition(item.conditions, { jwtToken });
allow(item.action, item.subject, item.fields, parsedConditions);
return build();
module.exports = { defineAbilitiesFor };

Now you can check the permissions in e.g. route.

const ForbiddenOperationError = {
  from: (abilities) => ({
    throwUnlessCan: (...args) => {
      if (!abilities.can(...args)) {
        throw Forbidden();

try {
    const abilities = defineAbilitiesFor(jwtToken);
    ForbiddenOperationError.from(abilities).throwUnlessCan('read', 'Users');
    const users = await UserService.getAll(user.tenant);
    return res.send({ entities: users });
} catch (e) {
    return next(e);


Implementing authorization is an important part of software system and you've several approaches to solve it. RBAC is a simple but sufficient solution to manage access in an uncomplicated system. ABAC in the other hand is flexible and scalable approach but may be costly to implement. There is no all-in-one solution and it depends on your business requirements.

Using CASL with roles, groups and permissions makes the handling of the authorization side of things easier but as you can see from the database diagram the overal complexity of the system is still quite high and we're not even touched the user interface of managing the roles, groups and permissions.

Short notes on tech 15/2022

Week 15 of 2022

Before leaving for a short Easter holiday here are some links to go through.


Top10 CI/CD Security Risks

Automagically Auditing GitHub (Actions) Security using OpenSSF Scorecards "How to use the OpenSSF Scorecards GitHub Action to audit your GitHub and GitHub Actions configuration, and a breakdown of some of the issues raised by it." (from Cloud Security Reading List)

Software development

Please put units in names
"There is one code readability trap that is easy to avoid once you are aware of it, yet the trap is pervasive: omitting units." (from Hacker Newsletter)

The Catalog of Design Patterns
Creational, Structural and Behavioral Patterns.

Java Development on an Apple M1 – A One Year Review
"Initial pitfalls when working with the Apple M1 and a collection of valuable tricks and workarounds for developing and testing Java applications." (from Hacker Newsletter)

An up-to-date guide on running Java applications in Docker containers
(from DevOps weekly)


A list of new(ish) command line tools
"Like ripgrep and fd and fzf and exa and bat."


Maybe you should do less 'work'

Short notes on tech 13/2022


Personal Goal Setting Playbook
"Setting personal goals can be used in many contexts to help people achieve tasks, objectives or improvements of any kind, big or small."


A Designer’s Guide to Documenting Accessibility & User Interactions

Understanding Figma’s interactive components feature
(from WDRL)


How to design better APIs
15 language-agnostic, actionable tips on REST API design. (from WDRL)

PHP: The Right Way
"An easy-to-read, quick reference for modern coding standards in PHP, trying to fight all the outdated and partially wrong solutions found on the web." (from WDRL)


Postgres Auditing in 150 lines of SQL
Or you can use pgAudit. (from Hacker Newsletter)


How to test if there is any element outside the viewport with Cypress
"How to use Cypress to create an automated test that checks if there is an element out of the viewport." (from CSS Weekly)


"Healthcheck is a dedicated monitoring and alerting system for cron, with a nice looking dashboard and various alerting options." (from DevOps Weekly #585)

Who watches the watchers?
"A look at using a dead-man's-switch to monitor other monitoring systems, with code examples for implementing on AWS with Prometheus and PagerDuty." (from DevOps Weekly #586)