7,944 Matching Annotations
  1. Last 7 days
    1. Probably wouldn't work for capybara-based tests where it forks a different process for the web server?

    1. This simplifies maintenance and keeps things clean by allowing related code to be grouped before inclusion elsewhere.
    2. Paths are traversed in the order they occur in the search path. By default, this means the files in app/assets take precedence, and will mask corresponding paths in lib and vendor.
    1. SwiftUI is a user interface toolkit that lets us design apps in a declarative way. That’s a fancy way of saying that we tell SwiftUI how we want our UI to look and work, and it figures out how to make that happen as the user interacts with it.
    2. Imperative UI causes all sorts of problems, most of which revolve around state, which is another fancy term meaning “values we store in our code”. We need to track what state our code is in, and make sure our user interface correctly reflects that state.
    1. Presumably this is so that you can import React libraries, even if they depend on ReactDOM, and they will work with Svelte instead.

      Reminds me of Wine. IIRC they have some system calls that they just make to be no-ops on Linux.

    1. Especially when rollup is configured with multiple outputs, I find this particular onwarn to be helpful in reducing warning clutter. It just displays each circular reference once and doesn't repeat the warning for each output:
    2. I think my personal preference would be to see them all at once. Or maybe limit it to up to 10 messages and then list the count of how many more messages were not displayed. Pick your reaction
    3. Another thing we could do to limit output would be to only every show the first circular dependency warning. I think we already do this for other types of warnings. Then you would need to tackle the warnings one-by-one, though.
    4. To silence circular dependencies warnings for let's say moment library use: // rollup.config.js import path from 'path' const onwarn = warning => { // Silence circular dependency warning for moment package if ( warning.code === 'CIRCULAR_DEPENDENCY' && !warning.importer.indexOf(path.normalize('node_modules/moment/src/lib/')) ) { return } console.warn(`(!) ${warning.message}`) }
    5. Yeah I see what you're saying. In my case, I had a group of classes that relied on each other but they were all part of one conceptual "module" so I made a new file that imports and exposes all of them. In that new file I put the imports in the right order and made sure no code accesses the classes except through the new interface.
    6. It looks like your links for "this" and "that" no longer work, and I'd be really curious to see.

      It looks like your links for "this" and "that" no longer work, and I'd be really curious to see.

    7. In other words, this becomes that.
    8. manually specifying the order isn't really a great solution (as tempting as it sounds) because you'll probably have broken behaviour if you subsequently move away from Rollup.
    1. When you apply this pattern for the first time, it might feel very contrived.

      My feel contrived, but it's actually not....

    2. First of all, we solved our problem! As demonstrated here our app is happily running again.
    3. We don’t need to apply refactorings we don’t want.
    4. withindex.js, we have a single source of truth, giving fine grained control on what we expose to the outside world.
    5. import statements will become much smaller, as we will be importing stuff from less files. For example AbstractNode.js has only on import statement now, where it had two before.
    6. How to fix nasty circular dependency issues once and for all
    7. In the many projects I have maintained so far, sooner or later I always run into the same issue: circular module dependencies. Although there are many strategies and best practices on how to avoid circular dependencies. There is very little on how to fix them in a consistent and predictable way.
    8. The reason that this solves our problem is: we now have full control over the module loading order. Whatever the import order in internal.js is, will be our module loading order.
    9. Bonus
    10. We don’t have to compromise the architecture, API or semantic structure of our code base.
    11. Here are few, real-life commits of refactorings that make use of this solution:
    12. The index.js file is the main entry point and imports and exports everything from internal.js that you want to expose to the outside world.
    13. The internal.js module both imports and exports everything from every local module in the project
    14. Every other module in the project only imports from the internal.js file, and never directly from other files in the project.
    15. The crux of this pattern is to introduce an index.js and internal.js file.
    16. But for big projects it should work out to just apply this techniques to certain sub-folders in your project where this problems occurs, as-if they are stand alone libraries.
    17. This is how I solve circular dependency issues nowadays.
    18. However, after solving this problem a few times, a pattern appeared.
    19. At some point, a few years ago I even wrote a script to concatenate all source files and erase all import statements. A poor-mans module bundler just to get a grip on the module loading order.
    20. This does solve the problem, but now our project and API is structured differently. In large projects it might be very hard to determine how to pull this trick off, or even impossible!
    21. In a large code base, this will result in moving imports randomly around until stuff just happens to work. Which is often only temporary, as a small refactoring or change in import statements in the future can subtly adjust the module loading order, reintroducing the problem.
    22. Secondly, whether this works is highly dependent on the module bundler. For example, in codesandbox, when bundling our app with Parcel (or Webpack or Rollup), this solution doesn’t work. However, when running this locally with Node.js and commonJS modules this workaround might work just fine.
    23. There is a base class, AbstractNode, that defines the contract and offers some common functionality, like parent and getDepth().
    24. Examples of this include: requiring base classes or reading from imported variables that have not been initialized yet.
    25. as soon as you have a (indirect) circular dependency, you might be interacting with a half loaded module in your code.
    26. we will work with an artificial application that pretty prints object trees into a YAML like format
    1. first sighting: use of superscripts like this

      I like it. Nice and concise and understandable.

      • s¹  critical
      • s²  important
      • s³  nice to have
      • s⁴  low
      • s⁵  inconvenient

      But in other cases, the abbreviation is quite unclear and ambiguity:

      Like, what does "pr" mean in these cases?

      priority? Doubt it.

      • pr¹  chore
      • pr²  docs
      • pr³  feature
      • pr⁴  fix
      • pr⁵  performance
      • pr⁶  refactor
      • pr⁷  style

      Pull Request? Doubt it. But maybe?


      For axes that are quantifiable, like severity, using a number makes sense. But what benefit is there in including a number in these (platform?) labels?:

      • p¹ ⋅ browser
      • p² ⋅ linux
      • p³ ⋅ mac
      • p⁴ ⋅ windows

      I think this would have been better and clearer (in that fewer people would be like huh? and wonder what it means):

      • platform: browser
      • platform: linux
      • platform: mac
      • platform: windows
    1. Doing so also means adding empty import statements to guarantee correct order of evaluation of modules (in ES modules, evaluation order is determined statically by the order of import declarations, whereas in CommonJS – and environments that simulate CommonJS by shipping a module loader, i.e. Browserify and Webpack – evaluation order is determined at runtime by the order in which require statements are encountered).

      Here: dynamic loading (libraries/functions) meaning: at run time

    2. Specifically, since Root, Rule and AtRule all extend Container, it's essential that Container is evaluated (and therefore, in the context of a Rollup bundle, included) first. In order to do this, input.js (which is the 'gateway' to all the PostCSS stuff) must import root.js, root.js must import rule.js before it imports container.js, and rule.js must import at-rule.js before it imports container.js. Having those imports ensures that container.js doesn't then try to place Root, Rule or AtRule ahead of itself in the bundle.
    3. This PR replaces nested require statements in files in vendor/postcss with import declarations, so that they can be properly resolved at build time.
    4. Replaced nested `require` statements with `import` declarations for the sake of a leaner bundle. This entails adding empty imports to three files to guarantee correct ordering – see https://github.com/styled-components/styled-components/pull/100
    5. import './at-rule'; // break cyclical dependency deadlock
    6. Would you mind adding it to the vendor README.md with a note to this commit so we remember?
    7. I realise all this sounds a bit brittle and hairy, so would understand if you decided to call time on this whole experiment!
    8. Unfortunately something along these lines will always be necessary when handling these sorts of pathological cyclical dependency cases without using require.
    1. For simpler patterns, such as A -> B -> A, refactoring may be necessary. Perhaps the modules that live in B could be moved to A. Or, necessary code could be extracted to a C that both A and B reference.
    1. Make sure all information necessary to reproduce the problem is included
    2. Don't sacrifice clarity for brevity when creating a minimal example.
    3. Restart from scratch. Create a new program, adding in only what is needed to see the problem. Use simple, descriptive names for functions and variables – don’t copy the names you’re using in your existing code.
    4. Divide and conquer. If you’re not sure what the source of the problem is, start removing code a bit at a time until the problem disappears – then add the last part back.
  2. www.kickstarter.com www.kickstarter.com
    1. Gavin McGruddy of MyAutoma has uploaded a great browser-based demo of the Cascadia Solo Mode, so that you can try it out for yourself

      someone other than publisher developing adaptation of a game

    1. The following roles are used to support the WAI-ARIA role taxonomy for the purpose of defining general role concepts. Abstract roles are used for the ontology. Authors MUST NOT use abstract roles in content.
    2. There may be times that required owned elements are missing, for example, while editing or while loading a data set. When a widget is missing required owned elements due to script execution or loading, authors MUST mark a containing element with aria-busy equal to true. For example, until a page is fully initialized and complete, an author could mark the document element as busy.

      "busy" here seems to = "loading" in most other programming contexts

    3. Abstract roles are the foundation upon which all other WAI-ARIA roles are built.
    4. Abstract roles are provided to help with the following: Organize the role taxonomy and provide roles with a meaning in the context of known concepts.Streamline the addition of roles that include necessary features.
    5. Informative data about objects that are considered prototypes for the role. Base concept is similar to type, but without inheritance of limitations and properties. Base concepts are designed as a substitute for inheritance for external concepts. A base concept is like a related concept except that the base concept is almost identical to the role definition.
    6. Typically, platform accessibility APIs do not provide a vehicle to notify assistive technologies of a role value change, and consequently, assistive technologies may not update their cache with the new role attribute value.

      It's too bad they couldn't just allow role to be changed, and assistive technologies would just have to be updated to follow the suit.

    7. Roles are element types and authors MUST NOT change role values over time or with user actions. Authors wishing to change a role MUST do so by deleting the associated element and its children and replacing it with a new element with the appropriate role.
    1. Note that these are not hyperlinks; these URIs are used for identification. This is a machine-readable way to say “this is HTML”. In particular, software does not usually need to fetch these resources, and certainly does not need to fetch the same one over and over!
    2. You might think something like “don’t request the same resource thousands of times a day, especially when it explicitly tells you it should be considered fresh for 90 days” would be obvious, but unfortunately it seems not.
    3. Don’t fetch stuff unless you actually need it Judging from the response to our 503 errors, much of the software requesting DTDs and schemata from our site doesn’t even need them in the first place, so requesting them just wastes bandwidth and slows down the application. If you don’t need it, don’t fetch it!
    4. Any software that makes HTTP requests to other sites should make it straightforward to enable the use of a cache.
    5. We have identified some of the specific software causing this excessive traffic and have been in contact with the parties responsible to explain how their product or service is essentially creating a Distributed Denial of Service (DDoS) attack against W3C.
    6. But many of these systems continue to re-request the same DTDs from our site thousands of times over, even after we have been serving them nothing but 503 errors for hours or days. Why are these systems bothering to request these resources at all if they don’t care about the response?
    7. A while ago we put a system in place to monitor our servers for abusive request patterns and send 503 Service Unavailable responses with custom text depending on the nature of the abuse. Our hope was that the authors of misbehaving software and the administrators of sites who deployed it would notice these errors and make the necessary fixes to the software responsible.
    8. Yet we receive a surprisingly large number of requests for such resources: up to 130 million requests per day, with periods of sustained bandwidth usage of 350Mbps, for resources that haven’t changed in years.
    9. Handling all these requests costs us considerably: servers, bandwidth and human time spent analyzing traffic patterns and devising methods to limit or block excessive new request patterns. We would much rather use these assets elsewhere, for example improving the software and services needed by W3C and the Web Community.
    10. use an intercepting proxy server with a built-in cache
    11. Take responsibility for your outgoing network traffic If you install software that interacts with other sites over the network, you should be aware how it works and what kind of traffic it generates. If it has the potential to make thousands of requests to other sites, make sure it uses an HTTP cache to prevent inflicting abuse on other sites.
    12. Identify your user agents When deploying software that makes requests to other sites, you should set a custom User-Agent header to identify the software and provide a means to contact its maintainers. Many of the automated requests we receive have generic user-agent headers such as Java/1.6.0 or Python-urllib/2.1 which provide no information on the actual software responsible for making the requests.
    1. I’ve not once in 20 years seen a situation where the confusion between URI or URL actually mattered.
    2. A URI is an identifier.A URL is an identifier that tells you how to get to it.
    3. When communicating, being more specific is usually better, and a “URL” is a specific type of URI that provides an access method/location.
    4. And then, if you’re not yet completely confused, it also says…My emphasis.Each URI begins with a scheme name
    5. A URL is special type of identifier that also tells you how to access it, such as HTTPs, FTP, etc.
    1. Venn diagrams are a more restrictive form of Euler diagrams
    2. An Euler diagram (/ˈɔɪlər/, OY-lər) is a diagrammatic means of representing sets and their relationships. They are particularly useful for explaining complex hierarchies and overlapping definitions. They are similar to another set diagramming technique, Venn diagrams. Unlike Venn diagrams, which show all possible relations between different sets, the Euler diagram shows only relevant relationships.
    1. Every URL is a URI; Every URN is a URI; URI and URL are NOT interchangeable – a URL is a URI, but a URI is not always a URL; URLs always contain an access mechanism.
    2. if you’re just the casual web surfer type, learning about Internet terminology might not be of much real use to you
    1. Also known as an intercepting proxy, inline proxy, or forced proxy, a transparent proxy intercepts normal application layer communication without requiring any special client configuration. Clients need not be aware of the existence of the proxy.
    2. Intercepting proxies are commonly used in businesses to enforce acceptable use policy, and to ease administrative overheads since no client browser configuration is required.
    1. It is not appropriate to use these document types for live content. These are made available only for download, to support local use in development, evaluation, and validation tools. Using these versions directly from the W3C server could cause automatic blockage, preventing them from loading. If it is necessary to use schemata in content, follow guidelines to avoid excessive DTD traffic. For instance, use caching proxies to avoid fetching the schema each time it is used, or ensure software uses a local cache, such as with XML catalogs.
    1. Taxonomy A hierarchical definition of how the characteristics of various classes relate to each other, in which classes inherit the properties of superclasses in the hierarchy. A taxonomy can comprise part of the formal definition of an ontology.
  3. react-spectrum.adobe.com react-spectrum.adobe.com
    1. In addition, this example shows usage of the isPressed value returned by useButton to properly style the button's active state. You could use the CSS :active pseudo class for this, but isPressed properly handles when the user drags their pointer off of the button, along with keyboard support and better touch screen support.
    2. Sometimes you might need to use an element other than a native <button>. useButton supports this via the elementType prop. When used with an element other than a native button, useButton automatically applies the necessary ARIA roles and attributes to ensure that the element is exposed to assistive technology as a button.
    1. Also, as a reminder to everyone, this thread is soft-locked and I will be marking as spam any comments that don't meet the criteria I described above.
    1. In a browser, deep-diff defines a global variable DeepDiff. If there is a conflict in the global namespace you can restore the conflicting definition and assign deep-diff to another variable like this: var deep = DeepDiff.noConflict();.
    1. A simple rule of thumb: the name of the updated variable must appear on the left hand side of the assignment. For example this... const foo = obj.foo; foo.bar = 'baz';...won't update references to obj.foo.bar, unless you follow it up with obj = obj.
    1. Buy Endless Legend™ - Emperor Edition SPECIAL PROMOTION! Offer ends October 22 -75%$29.99$7.49 Add to Cart

      Buy Endless Legend™ - Emperor Edition SPECIAL PROMOTION! Offer ends October 22

      -75%$29.99 $7.49

      Add to Cart

    1. Longstanding controversy surrounds the meaning of the term "hacker". In this controversy, computer programmers reclaim the term hacker, arguing that it refers simply to someone with an advanced understanding of computers and computer networks[5] and that cracker is the more appropriate term for those who break into computers, whether computer criminals (black hats) or computer security experts (white hats).
    2. Subgroups of the computer underground with different attitudes and motives use different terms to demarcate themselves from each other. These classifications are also used to exclude specific groups with whom they do not agree.
    1. Self-concept also differs from self-esteem: self-concept is a cognitive or descriptive component of one's self (e.g. "I am a fast runner"), while self-esteem is evaluative and opinionated (e.g. "I feel good about being a fast runner").
    2. Self-concept is distinguishable from self-awareness, which refers to the extent to which self-knowledge is defined, consistent, and currently applicable to one's attitudes and dispositions.
    1. Could you please explain why it is a vulnerability for an attacker to know the user names on a system? Currently External Identity Providers are wildly popular, meaning that user names are personal emails.My amazon account is my email address, my Azure account is my email address and both sites manage highly valuable information that could take a whole company out of business... and yet, they show no concern on hiding user names...

      Good question: Why do the big players like Azure not seem to worry? Microsoft, Amazon, Google, etc. too probably. In fact, any email provider. So once someone knows your email address, you are (more) vulnerable to someone trying to hack your account. Makes me wonder if the severity of this problem is overrated.

      Irony: He (using his full real name) posts:

      1. Information about which account ("my Azure account is my email address"), and
      2. How high-value of a target he would be ("both sites manage highly valuable information that could take a whole company out of business...")

      thus making himself more of a target. (I hope he does not get targetted though.)

    2. Comments for: https://blog.rapid7.com/2017/06/15/about-user-enumeration/ (they were in iframe there)

    3. Another thing you can do is to add pain to the second part of it. Attackers want the list of valid usernames, so they can then try to guess or brute force the password. You can put protections in place with that as well, whether they are lockouts or multi-factor authentication, so even if they have a valid username, it's much harder to gain access.
    4. That is certainly a good use-case. One thing you can do is to require something other than a user-chosen string as a username, something like an email address, which should be unique. Another thing you could do, and I admit this is not user-friendly at all, to let them sign up with that user name, but send the user an email letting them know that the username is already used. It still indicates a valid username, but adds a lot of overhead to the process of enumeration.
    1. How would you remediate this? One way could be to have the application pad the responses with a random amount of time, throwing off the noticeable difference.
    2. Sometimes, user enumeration is not as simple as a server responding with text on the screen. It can also be based on how long it takes a server to respond. A server may take one amount of time to respond for a valid username and a very different (usually longer) amount of time for an invalid username.
    1. Customizable mitigation policies provide multiple response options including block, rate limit, geo fence, or deception. Using deception allows you to send a custom response to the attacker, effectively putting guardrails around their activities.
    1. When I'm prototyping components I like to manage the data where it appears, and not send it back and forth if there is no reason for it. I also don't like to be forced by a language to do things a certain way.
    2. Guidelines do very little. Developer discipline is not a reliable method of encouraging best practices, they have to be enforced to be reliable.
    3. Instead of calling prepare twice to get value from data.
    4. If something isn't a great idea, the tools should support that approach

      should => shouldn't

    5. Adding an API for something is an endorsement of that approach.
    6. Svelte forces you do to do all kinds of things in a very specific way (as does every other framework/library), those constraints generally make for a better experience.
    7. This is basically a design goal at this point, even though it has evolved organically.
    8. In some cases, I could also create a component without any <script> tag at all. So in that way, I could actually bulk up the logic in one place if I could get some help from the #with block.
    9. One of Svelte's advantages, for me, is that I can test out ideas with relatively few lines of code. the #with feature could save me from adding a separate component for the content of an #each loop. I get frustrated when I have to create a new file, move the content of the #each clause, import it as a component, and add attributes and create exports for that, and implement events to send messages back, and event handlers, when I just wanted to test a small feature.
    10. I vote for calling it let Could be used like this {#let foo = initialValue}. It's closer to javascript
    11. my second preference would be for let, probably #let expr as name for consistency with #each.
    12. {#with someExpression as someVariable} <p>{someVariable}</p> {/with}
    1. the events emitted at various points in bundle.js are strictly for dev tooling
    2. Oh man, Svelte uses bitmasks? That is the first time I have seen someone use them in prod. A bitmask is a compact way to store N boolean flags in a single N-bit integer.
    1. Returns a Promise<?Object> that resolves with no value on success or resolves with an Object of submission errors on failure. The reason it resolves with errors is to leave rejection for when there is a server or communications error.
    1. Warnings, in this example, are defined as: suggestions to the user, like validation errors, but that do not prevent submission.
    2. Note that the <WarningEngine/> component must be at the bottom of the form to guarantee that all the fields have registered.
    1. this.txtQueryChanged .debounceTime(1000) // wait 1 sec after the last event before emitting last event .distinctUntilChanged() // only emit if value is different from previous value .subscribe(model => { this.txtQuery = model;
    1. With Angular 2 we can debounce using RxJS operator debounceTime() on a form control's valueChanges observable:

      What's the React/Svelte equiv. pattern for this?

  4. Oct 2020
    1. Listening for External Changes By wrapping a stateful ExternalModificationDetector component in a Field component, we can listen for changes to a field's value, and by knowing whether or not the field is active, deduce when a field's value changes due to external influences.
    1. Another example:

      const expensiveOperation = async (value) => {
        // return Promise.resolve(value)
          // console.log('value:', value)
          await sleep(1000)
          console.log('expensiveOperation: value:', value, 'finished')
          return value
      }
      
      var expensiveOperationDebounce = debounce(expensiveOperation, 100);
      
      // for (let num of [1, 2]) {
      //   expensiveOperationDebounce(num).then(value => {
      //     console.log(value)
      //   })
      // }
      (async () => { await sleep(0   ); console.log(await expensiveOperationDebounce(1)) })();
      (async () => { await sleep(200 ); console.log(await expensiveOperationDebounce(2)) })();
      (async () => { await sleep(1300); console.log(await expensiveOperationDebounce(3)) })();
      // setTimeout(async () => {
      //   console.log(await expensiveOperationDebounce(3))
      // }, 1300)
      

      Outputs: 1, 2, 3

      Why, if I change it to:

      (async () => { await sleep(0   ); console.log(await expensiveOperationDebounce(1)) })();
      (async () => { await sleep(200 ); console.log(await expensiveOperationDebounce(2)) })();
      (async () => { await sleep(1100); console.log(await expensiveOperationDebounce(3)) })();
      

      Does it only output 2, 3?