Shipping code is easy. Shipping a project is hard. Here's what I included in ShieldStack TS (LLM security middleware for TypeScript applications) beyond the source code:
→ CI pipeline testing on Node 20, 22, and 24
→ Automated npm publish on main branch merges
→ GitHub Issue templates (bug reports + feature requests)
→ PR template with a checklist
→ SECURITY.md with a responsible disclosure policy
→ CHANGELOG.md following Keep a Changelog format
→ CONTRIBUTING.md with setup instructions
→ 15 tests across 4 modules (100% pass rate)
→ Dual CJS/ESM output with TypeScript declarations
#OpenSource #GitHub #Engineering #Career #DeveloperLife
Ali Shuja’s Post
-
When legacy exposure, trust assumptions, or weak validation meet real-world infrastructure, the blast radius grows fast. GitHub advisory GHSA-xq3m-2v4x-88gg and Endor Labs' technical write-up show that attacker-controlled protobuf definitions can be turned into arbitrary JavaScript execution when vulnerable applications compile and decode those schemas at runtime. That is why clear operational guidance matters as much as the headline itself.
-
⚡Zod v4 — The TypeScript Validation Library Just Got a Complete Overhaul 🚀 The most popular TypeScript validation library just shipped a major rewrite — and it’s a game‑changer. Zod v4 is 3× faster, smaller, and introduces a Valibot‑style pipe API that makes complex validations feel effortless. 💡 Highlights: ⚙️ 3× faster parsing and leaner bundle size 🌐 New z.string().url() and z.email() primitives 🔗 Functional pipe API for cleaner composition 🧩 z.toJSONSchema() for OpenAPI and Swagger integration 🧠 Improved TypeScript inference and runtime performance 🧑💻 Whether you’re building APIs, forms, or full‑stack apps, Zod v4 makes validation smarter, faster, and more expressive. 👉 Dive into the full deep‑dive guide with benchmarks, migration tips, and real‑world examples: “Zod v4: The TypeScript Validation Library Just Got a Complete Overhaul” #Zod #TypeScript #WebDevelopment #Validation #Frontend #Backend #JavaScript #DevTools #Programming #Developers
-
I’m excited to share a recent third (3) contribution to the OpenClaw codebase addressing a subtle but impactful concurrency issue in the Discord gateway integration.
A pull request titled “fix(discord): clear stale heartbeat timers in SafeGatewayPlugin.connect()” has been merged into the main branch. This fix improves the stability and reliability of the Discord gateway connection layer by addressing a race condition in heartbeat initialization.
The core problem was that stale heartbeat timers were not being properly cleared during the reconnect lifecycle inside SafeGatewayPlugin.connect(). As a result, intermittent uncaught exceptions could occur, leading to gateway process crashes and disrupted in-flight responses. This type of issue is particularly difficult to reproduce because it manifests under timing-sensitive conditions in asynchronous execution.
The solution introduces a controlled override of the connect flow, ensuring that any previously active heartbeat intervals are explicitly cleared before establishing a new connection. This eliminates overlapping timers and prevents inconsistent state transitions in the gateway lifecycle.
Key impact of this change:
- Improves gateway stability under reconnect scenarios
- Eliminates race conditions in heartbeat scheduling
- Prevents unexpected crashes caused by stale interval execution
- Enhances reliability of real-time communication handling
This is a good example of how small lifecycle management issues in asynchronous systems can cascade into production-level instability, especially in distributed event-driven architectures. Overall, the fix strengthens the robustness of the Discord integration layer and contributes to more predictable system behavior under load and reconnect conditions.
Hashtags: #OpenSource #GitHub #SoftwareEngineering #BackendDevelopment #SystemDesign #DistributedSystems #Concurrency #AsyncProgramming #NodeJS #TypeScript #Debugging #BugFix #ReliabilityEngineering #DevOps #EventDrivenArchitecture #CodeQuality
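The failure mode described in the post above, reduced to a self-contained sketch. This is an added example, not code from OpenClaw or from the post's author: `ReconnectingGateway`, `fakeTimers` and `simulateReconnect` are hypothetical names, and the assumption that a stale heartbeat throws once its socket is closed is made for illustration only.

```javascript
// Hypothetical gateway: each connect() starts a heartbeat bound to that connection's socket.
class ReconnectingGateway {
  // timers is injectable so the behaviour can be observed deterministically.
  constructor({ clearStale, timers = { setInterval, clearInterval } }) {
    this.clearStale = clearStale;
    this.timers = timers;
    this.heartbeat = null;
    this.socket = null;
    this.beats = 0;
  }

  connect() {
    // The fix: drop any heartbeat left over from the previous connection first.
    if (this.clearStale && this.heartbeat !== null) {
      this.timers.clearInterval(this.heartbeat);
      this.heartbeat = null;
    }
    const socket = { open: true };
    this.socket = socket;
    this.heartbeat = this.timers.setInterval(() => {
      // Assumed failure: a heartbeat firing for a closed socket throws.
      if (!socket.open) throw new Error("heartbeat on closed socket");
      this.beats += 1;
    }, 1000);
  }

  drop() { if (this.socket) this.socket.open = false; }
}

// Fake scheduler constructed for the example: tick() fires every live interval once.
function fakeTimers() {
  const live = new Map();
  let nextId = 1;
  return {
    setInterval(fn) { live.set(nextId, fn); return nextId++; },
    clearInterval(id) { live.delete(id); },
    tick() { for (const fn of [...live.values()]) fn(); },
    get active() { return live.size; },
  };
}

// Drop the connection, reconnect, then let one heartbeat period elapse.
function simulateReconnect(clearStale) {
  const timers = fakeTimers();
  const gw = new ReconnectingGateway({ clearStale, timers });
  gw.connect();
  gw.drop();
  gw.connect();
  let crashed = false;
  try { timers.tick(); } catch { crashed = true; }
  return { activeTimers: timers.active, crashed, beats: gw.beats };
}
```

Without the clear, two intervals stay live after one reconnect and the stale one throws; with it, only the current connection's heartbeat runs.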
-
My first npm package is live now. 🚀 Previously shared how I built a CLI that automates ESLint, Prettier, Husky, commitlint setup — one command, done. Now you can just run: `npm i -g @subratamondal/project-init` No clone. No setup. Just install and go. 📖 Full details in my previous post: https://lnkd.in/dMQruJ4w More Details: https://lnkd.in/dikNzbbi #BuildInPublic #CLI #npm #TypeScript #DevTools #OpenSource #DeveloperExperience
-
I've been using the new Docker Sandboxes, sbx, for a while now, and I just put together a hands-on guide to help others ramp up faster — here's what it covers and why I built it the way I did. For me concepts click faster when I use a new tool, but getting hands-on with all the pieces takes some ramp-up time. The guide walks through most sbx features using real-world scenarios: secrets management, branch mode (Claude on its own Git branch while you keep working), running multiple agents in parallel, port forwarding live services out of the sandbox, and locking down network access. All the exercises use a full-stack Next.js + FastAPI issue tracker with real bugs and unfinished features baked in — so you're working with something that has a bit of complexity and allows you to practice working with coding agents in general. If you've been curious about agentic coding and want a structured way to get up to speed, this is for you. 🔗 https://lnkd.in/dNDzNd4M 📖 Docs: https://lnkd.in/gHN_KSts
-
Real talk: You’re debugging for hours because you guess instead of checking. No logs. No clear errors. Fix: - Log important actions - Print actual error messages - Check logs before changing code Stop guessing. Start seeing. #Debugging #WebDev #DevTips #Backend
-
Just published v0.2 of jump_credo_checks with 2 new features: - Igniter installer (H/T Britton Broderick 🎉) - A new check to detect Ecto migrations that define separate `up`/`down` callbacks but could instead take advantage of Ecto's automatic reversibility by using `change/0` Details (with updated installation instructions) here: https://lnkd.in/gMcMY_Hx #ElixirLang
-
Not even a nitpick, just an FYI…! That’s how the comment started on my PR today, and honestly, it turned into one of those small moments that actually shifts how you think. Shoutout to Connor Young for this one.
I’ve been using Zod mostly for validation, and right next to it, I’d manually define my TypeScript types. It worked… but I was basically maintaining the same logic in two different places. Then this came up: 👉 Why not just let Zod be the source of truth?
❌ What I was doing before
    import { z } from "zod";

    // Hand-written type, maintained separately from the schema
    interface RequestParams {
      id: string;
    }

    const paramsSchema = z.object({
      id: z.string().uuid(),
    });
✅ What I’m doing now
    import { z } from "zod";

    const paramsSchema = z.object({
      id: z.string().uuid(),
    });

    // Type derived from the schema, so the two cannot drift apart
    type RequestParams = z.infer<typeof paramsSchema>;
Why this actually matters
• No more duplicating types and validation
• No risk of things going out of sync
• One change updates everything
• Your boundaries become much more reliable
My takeaway
This wasn’t just a small tip. It’s a shift from “making things work” → to designing systems where things stay correct over time. And honestly, that’s where the real value is.
Curious, are you using z.infer in your projects, or still defining types and schemas separately?
#SoftwareEngineering #TypeScript #Zod #CodeReview #CleanCode #DeveloperTools #SystemDesign
-
If your commit history looks like this: "fixed bug" "updated css" "it works finally" "wip" ...it tells a team that your code might be hard to maintain in an asynchronous, remote environment. How to write a pro commit message: Use the imperative mood (as if giving an order) and explain the why, not just the what. "Fix navigation menu overlapping on mobile screens" "Add user authentication to the checkout flow" "Refactor pricing component for better readability" Good communication is just as important as good code. Start practicing professional commits on your personal projects today! #Git #GitHub #SoftwareEngineering #DeveloperTips #EntryLevelDev #CodeNewbie
-
I thought my CLI was hanging. It wasn't. npm was running perfectly. I just couldn't see it. I spent way too long staring at a frozen spinner while building Authenik8, convinced something was broken in my install logic. The actual problem? One line: stdio: 'ignore' I had silenced all npm output to keep things "clean." So when installs ran (sometimes 30+ seconds) there was no output, no progress, nothing. Just a spinner that felt like a lie. The fix was embarrassingly simple: stdio: 'inherit' Now users see the actual install output. It's noisier. It's also honest. This taught me something about CLI design that goes beyond the bug: A spinner tells users "something is happening." Visible output tells users "here's exactly what's happening." When your process is silent, users assume it's broken. Trust is built through visibility, not polish. If you're building CLI tooling, let your processes breathe. Don't hide output just to look clean. Building Authenik8, an open-source auth infrastructure generator for Node/TypeScript backends. Sharing what I learn along the way. 🔗 https://lnkd.in/gwR2HKTU #buildinpublic #nodejs #typescript #cli #opensource #devtools
-
You can check this out to prevent this. Here’s the repo: https://github.com/shujaSN/ShieldStack-TS