Rafael Gonzaga
@_rafaelgss
Followers: 5K | Following: 4K | Media: 148 | Statuses: 3K
Principal OSS Engineer at @NodeSource from 🇧🇷 | @nodejs TSC | @fastifyjs core | @nodeclinic maintainer 🏆 OpenJS Pathfinder Award for Security 2023
Worldwide
Joined December 2015
I'm pleased to announce that I've started as Principal Open Source Engineer at @NodeSource! I'll be working on Node.js core in areas including performance, security, and diagnostics. So... stay tuned! We'll build amazing things together 💚
@npmjs implementation of Trusted Publishing is promising for #JavaScript, but it’s not ready for critical packages just yet https://t.co/jExYxKADEn
openjsf.org
The OpenJS Security Collaboration Space has been working closely with GitHub’s npm team to understand how new security features affect projects and maintainers, especially as threats and tools keep...
October’s security check‑in is here! 🚨 📌 Highlights: stronger threat modelling, npm Trusted Publishing risks tackled, new runtime features for secure‑by‑default apps. https://t.co/Xhwd1yjcp2
Too many @nodejs users are running old versions 😬 The team is exploring changes to the release schedule to fix that. @_rafaelgss shares all the details in our latest JavaScript Security Snapshot. Want to be a part of the conversation on releases? Check out this GitHub PR:
People who wonder if Node.js (JS Runtimes in general) is growing in usage need to look at some package downloads over the years. @UseExpressJS crossed its record with more than 52 million downloads just on October 19! See:
Ever wonder why @nodejs drops new versions like clockwork? Here’s the scoop. ⏱️ @_rafaelgss shares all the details about the Node.js release schedule in our new series, JavaScript Security Snapshot. Want to be a part of the conversation on releases? Check out this GitHub PR:
Busy week working on Node.js security, so no stream today. Security work stays private until patches are out, but I’ve been preparing solid content for the next session. Planning to be back next week. Stay tuned.
Just opened the meeting minutes from the Node.js release cycle discussion at the Node.js Collaborator Summit https://t.co/LXkfnX8xT9
github.com
Documented discussion notes from the Node.js release cycle meeting, including goals, identified problems, stakeholder feedback, proposals, and recommendations for future actions. cc: @nodejs/releas...
I have been using this for quite a while to run most of my benchmarks https://t.co/MmkkSYW3pt
github.com
Runs a provided script on either a fresh new dedicated instance or an already running dedicated instance. - Instant-Bench/instant-bench-agent
Maybe a --permission-audit might help in the permission model adoption... Let's see https://t.co/Ee2DKh8E7h
github.com
Refs: #59935 Still a draft. I believe sending a message through a diagnostic_channel would be better than emitting a warning. cc: @nodejs/security-wg
For those interested in how semver-major releases are done in Node.js, I did a live stream releasing Node.js v25.0.0. Check it on my YT channel @_rafaelgss
Did you know the Node.js security team created a "Security Best Practices" document in 2023? We probably need to include a few more things, but it's still quite good https://t.co/VSwTzt374c
nodejs.org
Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
Usually, when writing microbenchmarks, people tend to assert.ok(variable) to prevent the piece of code they are measuring from being optimised by the V8 dead-elimination process.
But it seems this also works:
// Prevents V8 from optimizing away
if (Math.random() < 0)
Friday night tip: If you see a "benchmark" result without reproducible code: call it "benchmarketing"
We should try to schedule a Node.js security release on the Halloween date. It would be scary
Most Node.js microbenchmarks tell the wrong story. bench-node attempts to fix that - statistically reproducible and built for microbenchmarks. Check it out
github.com
A powerful Node.js benchmark library. Contribute to RafaelGSS/bench-node development by creating an account on GitHub.