Readit News
johnnyAghands commented on Fullscript Joins the Rails Foundation   rubyonrails.org/2025/8/6/... · Posted by u/johnnyAghands
johnnyAghands · a month ago
Stoked! The developer culture here is superb! A (so-far) hidden gem!
johnnyAghands commented on Owning my own data, part 1: Integrating a self-hosted calendar solution   emilygorcenski.com/post/o... · Posted by u/ColinWright
cratermoon · 5 months ago
Yes! The EXIF data includes the full plantuml used to generate it, under the Plantuml tag.

https://www.plantuml.com/plantuml/uml/VPBFQXmn3CRlynGYzzdUXn...

johnnyAghands · 5 months ago
Wow! That's pretty slick. I've only thought of EXIF data in the context of my digital camera.
johnnyAghands commented on Owning my own data, part 1: Integrating a self-hosted calendar solution   emilygorcenski.com/post/o... · Posted by u/ColinWright
ralgozino · 5 months ago
That particular diagram seems to have been generated by https://plantuml.com according to the image's metadata
johnnyAghands · 5 months ago
wow! didn't even think to look at that! ty!
johnnyAghands commented on Owning my own data, part 1: Integrating a self-hosted calendar solution   emilygorcenski.com/post/o... · Posted by u/ColinWright
johnnyAghands · 5 months ago
Ok unrelated, but I'm looking for a tool for making diagrams like that, anyone know what was used on this post? ty
johnnyAghands commented on Next.js and the corrupt middleware: the authorizing artifact   zhero-web-sec.github.io/r... · Posted by u/ash
the_mitsuhiko · 6 months ago
While you are generally right here I wonder how common this is with middlewares. Many have order dependencies and there are normally no loops involved. I don’t think I have come across this for middlewares at least. Kinda curious about the particular motivation here.
johnnyAghands · 6 months ago
Yeah that was my understanding as well -- but I’m not a framework author so wasn’t sure if this was a common practice.

Trade-offs aside, I personally find the idea of re-running the request through the stack a bit hacky.

johnnyAghands commented on Next.js and the corrupt middleware: the authorizing artifact   zhero-web-sec.github.io/r... · Posted by u/ash
johnnyAghands · 6 months ago
Can someone tl;dr: why there is even logic to bypass middleware in the first place, I feel like I'm missing something obvious here...
johnnyAghands commented on Next.js and the corrupt middleware: the authorizing artifact   zhero-web-sec.github.io/r... · Posted by u/ash
edoceo · 6 months ago
The lag & missing key details
johnnyAghands · 6 months ago
Ah ok, yeah.. unfortunately this type of lag/mismgmt is pretty common once a company gets big enough. Oftentimes the right people don't get involved on first-pass... even at tech-first companies like this -- though at that point perhaps you're no longer tech-first :/
johnnyAghands commented on Next.js and the corrupt middleware: the authorizing artifact   zhero-web-sec.github.io/r... · Posted by u/ash
kfarr · 6 months ago
Timeline is interesting

Timeline:

02/27/2025: vulnerability reported to the maintainers (specifying that only versions between 12.0.0 and 12.0.7 were vulnerable, which was our understanding at the time)

03/01/2025: second email sent explaining that all versions were ultimately vulnerable, including the latest stable releases

03/05/2025: initial response received from the Vercel team explaining that versions 12.x were no longer supported/maintained (probably hadn’t read the second email/security advisory template indicating that all were vulnerable)

03/05/2025: another email sent so that the team could quickly take a look at the second email/security advisory template

03/11/2025: another email sent to find out whether or not the new information had been taken into account

03/17/2025: email received from the Vercel team confirming that the information had been taken into account

03/18/2025: email received from the Vercel team: the report had been accepted, and the patch was implemented. Version 15.2.3 was released a few hours later, containing the fix (+backports)

03/21/2025: publication of the security advisory

johnnyAghands · 6 months ago
What is interesting?

u/johnnyAghands

Karma: 211 · Cake day: June 26, 2019