Filip Skokan

@_panva

Followers
650
Following
78
Media
32
Statuses
441

Identity, OpenID Connect, OAuth 2.0, SSO, Authorization, Authentication, Technical Standards. Node.js core collaborator and TSC member.

Czech Republic
Joined March 2019
@_panva
Filip Skokan
4 years
Software's conformance to standards and its certification is not the pinnacle to shoot for. It is the absolute lowest bar.
0
2
15
@_panva
Filip Skokan
23 days
Having users keep a list of ESM-only dependencies to ignore "transform" on is the, as advertised, delightful Jest experience? As a maintainer of ESM-only modules I am not delighted being the support channel for @jestjs_ users who struggle to use web-compatible ESM modules.
1
0
6
@_panva
Filip Skokan
1 month
FWIW the WebCryptoAPI in Node.js had these since August 2022.
0
0
1
@_panva
Filip Skokan
1 month
WebCryptoAPI Ed25519 and X25519 algorithms are finally unflagged in Chrome 137, Edge 137 will follow shortly after and then these are available in all browsers. This is long overdue and arguably might be seen as DOA given we're now shifting our focus to PQC algorithm support.
1
0
3
@_panva
Filip Skokan
2 months
RT @_rafaelgss: A warm welcome to our newest Node.js TSC member: @_panva. Happy to see you onboard!
0
5
0
@_panva
Filip Skokan
2 months
jsr recently added download stats to the UI which also shows user adoption is nearing 0 even for very popular projects. Apart from bug fixes and less punishment for module authors, what's missing? For users? For module authors? Incentive for one, what else?
0
0
0
@_panva
Filip Skokan
2 months
Reality is that its doc generation drops doc inherited from the "implements" keyword, doesn't support full github flavored markdown, it punishes lack of useless interface docs with score deductions, lacks support for undeclared type dependencies necessary for a plugin ecosystem.
2
0
0
@_panva
Filip Skokan
2 months
jsr seems intended to be super convenient for module authors who already adopted typescript, it builds js, generates docs, incentivises inline docs using tsdoc, generally avoids having to set up much tooling.
1
0
0
@_panva
Filip Skokan
2 months
There's a reason for those constant time checks. As flawed as they may be with eager optimizations done by js engines they still serve a purpose.
1
0
1
@_panva
Filip Skokan
2 months
I've seen recent code changes that dealt with the buffer-equal-constant-time mishap in Node.js v24.0.0 by replacing it with the buffer-equal module via package manager overwrites. Please know that doing so makes your code vulnerable to timing attacks.
1
0
1
@_panva
Filip Skokan
3 months
Did you move off of Node.js v18.x yet? 2 days 'till EOL
0
4
31
@_panva
Filip Skokan
4 months
Thank you @ItsAndreKoenig for sponsoring me on @github. You can join them and discover my other standards-related projects at my sponsors profile:
@ItsAndreKoenig
André König
4 months
At the moment, I’m working extensively with JSON Object Signing and Encryption. I’m glad I discovered the jose library by @_panva. It provides a smooth and intuitive API—highly recommended. An area which we should also cover in the standard library of.
0
0
4
@_panva
Filip Skokan
4 months
RT @satanacchio: Node.js v20.19.0 is out 🤩. This is a special minor release ✨.Although v20 is in maintenance mode, meaning only patch are e….
0
43
0
@_panva
Filip Skokan
5 months
JSR still has a long way to go to be taken seriously by maintainers, at least from the experience I'm having. Does anyone believe it'll ever become THE registry to use?
0
0
1
@_panva
Filip Skokan
5 months
There is no reason for this code to throw because of a polyfill being in place. globalThis.process?.getBuiltinModule?.('node:buffer')?.Buffer. That's wrong and to the detriment of end users. getBuiltinModule in the polyfill should either not exist or always return null.
0
0
1
@_panva
Filip Skokan
5 months
Mind you this is the intention behind that API. "ES Modules that need to support other environments can use it to conditionally load a Node.js built-in when it is run in Node.js". Blocking this API with an always-error polyfill goes against what the API is for.
1
0
1
@_panva
Filip Skokan
5 months
FWIW because it's unlikely to be understood as a rant, this should not be a vulnerability/issue <redacted> users ever see and even if so it's not high severity.
0
0
0
@_panva
Filip Skokan
5 months
sigh. Severity: High. Short Description: Package can be replaced with a <redacted> optimized override.
1
0
3
@_panva
Filip Skokan
6 months
Great job!
@gmta_nl
Jelle Raaijmakers
6 months
Thanks to @devgianlu and many others, @ladybirdbrowser now passes 99.6% of the WebCryptoAPI WPT tests - the highest score of any browser! This API can be used for encryption and decryption, key generation, signature verification and other useful security features.
0
0
1
@_panva
Filip Skokan
6 months
ELTS (Extended Long Term Support) every three even-numbered majors. Paid for by enterprises who value stability and don't want a Node upgrade team on standby every year. One can only wish. I brought the idea up at the collaborator summit in Dublin late last year. Didn't stick.
0
0
1