Opensource Findings
4.81K subscribers
2 photos
716 links
Links and concise reviews on open-source tools, news, and talks about language-design, trends and fundamentals. Write-only.

If you like this project, you can sponsor it directly:
Download Telegram
to view and join the conversation
​​A static analysis tool for securing #go code

GoKart is a static analysis tool for Go that finds vulnerabilities using the SSA (single static assignment) form of Go source code. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe, which reduces the number of false positives compared to other Go security scanners. For instance, a SQL query that is concatenated with a variable might traditionally be flagged as SQL injection; however, GoKart can figure out if the variable is actually a constant or constant equivalent, in which case there is no vulnerability.

The motivation for GoKart was to address this: could we create a scanner with significantly lower false positive rates than existing tools? Based on our experimentation the answer is yes. By leveraging source-to-sink tracing and SSA, GoKart is capable of tracking variable taint between variable assignments, significantly improving the accuracy of findings. Our focus is on usability: pragmatically, that means we have optimized our approaches to reduce false alarms.
Rust Memory Safety & Undefined Behavior Detection.

Rudra is a static analyzer to detect common undefined behaviors in #rust programs. It is capable of analyzing single Rust packages as well as all the packages on

- Panic Safety (Unsafe code that can create memory-safety issues when panicked)
- Higher Order Invariant (Assumed properties about traits)
- Send Sync Variance (Unrestricted Send or Sync on generic types)
​​pdb++, a drop-in replacement for pdb (the #python debugger)

This module is an extension of the pdb module of the standard library. It is meant to be fully compatible with its predecessor, yet it introduces a number of new features to make your debugging experience as nice as possible.

pdb++ features include:
- colorful TAB completion of Python expressions (through fancycompleter)
- optional syntax highlighting of code listings (through Pygments)
- sticky mode
- several new commands to be used from the interactive (Pdb++) prompt
- smart command parsing (hint: have you ever typed r or c at the prompt to print the value of some variable?)
- additional convenience functions in the pdb module, to be used from your program

Personal opinion: I don't like pdb and debuggers in general. Whenever I open a debugger - it means that I have a really big problem. But, this one seems like the best solution (except PyCharm, of course).
β€‹β€‹βš‘οΈBreeaking news!

Big project, first public release! From the creator of FastAPI and Typer: SQLModel.

SQLModel is a library for interacting with SQL databases from Python code, with Python objects. It is designed to be intuitive, easy to use, highly compatible, and robust.

SQLModel is based on Python type annotations, and powered by Pydantic and SQLAlchemy.
SQLModel is, in fact, a thin layer on top of Pydantic and SQLAlchemy, carefully designed to be compatible with both.

The key features are:
- Intuitive to write: Great editor support. Completion everywhere. Less time debugging. Designed to be easy to use and learn. Less time reading docs.
- Easy to use: It has sensible defaults and does a lot of work underneath to simplify the code you write.
- Compatible: It is designed to be compatible with FastAPI, Pydantic, and SQLAlchemy.
- Extensible: You have all the power of SQLAlchemy and Pydantic underneath.
- Short: Minimize code duplication. A single type annotation does a lot of work. No need to duplicate models in SQLAlchemy and Pydantic.
​​Bubbleprof is a new, completely unique, approach to profiling your Node.js code

Bubbleprof is a completely new way to visualize the operation of your Node.js processes. It observes the async operations of your application, groups them, measures their delays, and draws a map of the delays in your application's async flow.

The size of each bubble represents time within a group of operations. These are grouped where the flow stayed within either your own code, a module, or node core. Tiny adjacent groups are also grouped to reduce clutter. The length of arrows connecting bubbles shows the delays while the flow moves from one group to another. Inner coloured lines indicate the mix of types of async operation responsible for this delay. Click to explore. Line lengths between and around the bubbles and numeric labels reflect the aggregated delay in miliseconds (ms).

​​Type4Py: Deep Similarity Learning-Based Type Inference for #python

Over the past decade, machine learning (ML) has been applied successfully to a variety of tasks such as computer vision and natural language processing. Motivated by this, in recent years, researchers have employed ML techniques to solve code-related problems, including but not limited to, code completion, code generation, program repair, and type inference.

Dynamic programming languages like Python and TypeScript allows developers to optionally define type annotations and benefit from the advantages of static typing such as better code completion, early bug detection, and etc. However, retrofitting types is a cumbersome and error-prone process. To address this, we propose Type4Py, an ML-based type auto-completion for Python. It assists developers to gradually add type annotations to their codebases.
Announcing post:
Paranoid Scientist is a #python module for verifying scientific software.

It provides:
- Runtime verification of entry and exit conditions written in pure Python, including hyperproperties.
- Conditions specified using pure Python refinement types, i.e. types are defined by predicates.
- Automated unit testing of individual functions.

It is inspired by contract-oriented programming, type classes, static type checking, and fuzz testing.

Paranoid Scientist is a tool to make sure scientific code is correct. Verification is extremely important for scientific software because, unlike most software, we don’t know what the output will be until we run the program. In fact, the program is written in order to examine the output. However, we have no robust way of knowing whether the output is due to a software bug. For example, code performing a complex statistical test could normalize the wrong column, an error which would likely go undetected.

Paranoid Scientist attempts to remedy this situation by providing some key tools from the software verification community to the scientific community. Traditional program verification asks the question, β€œIf I run my code, will it run correctly?” In practice, this is time consuming and requires highly specialized training. For scientific programming, it is acceptable to instead ask, β€œIf I already ran my code, did it run correctly?” In other words, it is not as important to know before executing the program whether it will run correctly. Paranoid Scientist is already in use in scientific software.
​​Livebook is a web application for writing interactive and collaborative code notebooks for #elixir, built with Phoenix LiveView. Inspired by Jupyter and Deepnote.

It features:
- Code notebooks with Markdown support and Elixir cells where code is evaluated on demand.
- Shareable: notebooks are stored in the .livemd format, which is a subset of Markdown with annotations and KaTex for mathematical formulas. This means your notebooks can be saved, easily shared, and play well with version control.
- Interactive widgets via Kino: manipulate Vega-Lite charts, tables, and more.
- Rich code editor through Monaco: with support for autocompletion, inline documentation, code formatting, etc.
- Reproducible: Livebook ensures your code runs in a predictable order, all the way down to package management. It also tracks your notebook state, annotating which parts are stale.
- Custom runtimes: when executing Elixir code, you can either start a fresh Elixir instance, connect to an existing node, or run it inside an existing Elixir project, with access to all of its modules and dependencies. This means Livebook can be a great tool to provide live documentation for existing projects.
- Persistence: persist your notebooks to disk or any S3-compatible cloud storage.
- Collaboration: multiple users can work on the same notebook at once. It works out-of-the-box either in single-node or multi-node deployments - without a need for additional tooling.
​​Dataframes for #elixir

Explorer is a dataframe library for Elixir. First and foremost, Explorer is an API for data manipulation. Its high-level features are:
- Simply typed series: :float, :integer, :boolean, :string, :date, and :datetime.
- A powerful but constrained and opinionated API, so you spend less time looking for the right function and more time doing data manipulation.
- Pluggable backends, providing a uniform API whether you're working in-memory or (forthcoming) on remote databases or even Spark dataframes.
- The first (and default) backend is based on NIF bindings to the blazing-fast polars library.

The API is influenced heavily by Tidy Data and borrows much of its design from dplyr.

The aim here isn't to have the fastest dataframe library around (though it certainly helps that we're building on one of the fastest). Instead, we're aiming to bridge the best of many worlds:
- the elegance of dplyr
- the speed of polars
- the joy of Elixir

That means you can expect the guiding principles to be 'Elixir-ish'. For example, you won't see the underlying data mutated, even if that's the most efficient implementation. Explorer functions will always return a new dataframe or series.
​​Ain is a terminal HTTP API client. It's an alternative to postman, paw or insomnia.

- Flexible organization of API:s using files and folders.
- Use shell-scripts and executables for common tasks.
- Put things that change in environment variables or .env-files.
- Share the resulting curl, wget or httpie command-line.
- Pipe the API output for further processing.
- Tries hard to be helpful when there are errors.

Ain was built to enable scripting of input and further processing of output via pipes. It targets users who work with many API:s using a simple file format. It uses curl, wget or httpie to make the actual calls.

Personal opinion: I don't like GUIs, they are harder to work with. So, any tools that can be replaced should be replaced.

​​Deno + React: No build, no bundle, all streaming

Ultra is a web framework that leans hard into your browser's native features. Embrace the future of ES Modules, Import Maps, and Web Streams. All while supporting some of the non-standards that many normal people love for some reason (JSX and TypeScript).

It's driven by the following hot-takes:
- ESM is non-negotiable in {currentYear}
- SSR is non-negotiable in {currentYear}
- Bundling is an anti-pattern in {currentYear}
- Data can be requested anywhere, and is accessible on the server, always
- Lazy routing with dynamic imports trumps FS routing
- Less magic in tooling and frameworks is a good thing
- Simplify your workflow and tech stack at all costs - life is too short
- Streams are neat

Personal opinion: this looks exciting! I am in deno's hypetrain for almost a year now and I love to see new cool use-cases.

#deno #react #js #ts
#rust 1.55 is here.

New features:
- Cargo deduplicates compiler errors
- Faster, more correct float parsing
- std::io::ErrorKind variants updated
- Open range patterns added
​​Automatically replaces jQuery for you in legacy codebases.

This CLI automatically finds jQuery methods from existing projects and generate vanilla #js alternatives.

> I've been working on removing jQuery dependency from multiple projects including lightGallery lately. Most of the projects use only 15% to 20% or less than 30% of the jquery methods And in most of the cases, I didn't want to support all the edge cases or legacy browsers. The hardest part was finding the jQuery methods in the existing project and writing the alternative vanilla js methods without making much changes in the codebase. So I wrote this library which automatically finds jquery methods in any particular JavaScript file and generates readable, chainable vanilla js alternatives. This can also be useful if you want to generate your own utility methods similar to jQuery.
​​TODOs you cannot forget!

In the Bad Old Daysβ„’, if you had a bit of code you knew you needed to change later, you might leave yourself a code comment to remind yourself to change it. For example, here's the real world code comment that inspired this method:

class UsersController < ApiController
# TODO: remember to delete after JS app has propagated
def show
redirect_to root_path

This was bad. The comment did nothing to remind myself or anyone else to actually delete the code. Because no one was working on this part of the system for a while, the continued existence of the redirect eventually resulted in an actual support incident (long story).

To use it, try replacing one of your TODO comments with something like this:

class UsersController < ApiController
TodoOrDie("delete after JS app has propagated", by: "2019-02-04")
def show
redirect_to root_path

Nothing will happen at all until February 4th, at which point the gem will raise an error whenever this class is loaded until someone deals with it.

​​Pyret is a programming language designed to serve as an outstanding choice for programming education while exploring the confluence of scripting and functional programming. It's under active design and development, and free to use or modify.

- Pyret has Python-inspired syntax for functions, lists, and operators
- Pyret makes testing a natural part of the programming process. Functions can end in a where: clause that holds unit tests for the function
- Pyret allows for concise, expressive, recursive data declarations. Type annotations are optional and can be added incrementally, to serve a variety of pedagogic styles and curricular needs
- In addition to where: blocks, which are attached to individual definitions (and hence usually contain unit tests), you can also write check: blocks at the top level, for general program testing

​​Miller is like awk, sed, cut, join, and sort for name-indexed data such as CSV, TSV, and tabular JSON.

With Miller, you get to use named fields without needing to count positional indices, using familiar formats such as CSV, TSV, JSON, and positionally-indexed. Then, on the fly, you can add new fields which are functions of existing fields, drop fields, sort, aggregate statistically, pretty-print, and more.

1. Miller operates on key-value-pair data while the familiar Unix tools operate on integer-indexed fields: if the natural data structure for the latter is the array, then Miller's natural data structure is the insertion-ordered hash map.
2. Miller handles a variety of data formats, including but not limited to the familiar CSV, TSV, and JSON. (Miller can handle positionally-indexed data too!)

#c #go #shell
​​Like jq, but for HTML. Uses CSS selectors to extract bits of content from HTML files.

​​Bash command line framework and CLI generator. Create feature-rich bash scripts using simple YAML configuration.

Bashly is a command line application (written in Ruby) that lets you generate feature-rich bash command line tools.

Bashly lets you focus on your specific code, without worrying about command line argument parsing, usage texts, error messages and other functions that are usually handled by a framework in any other programming language.

#ruby #shell
​​KDL is a document language with xml-like semantics that looks like you're invoking a bunch of CLI commands! It's meant to be used both as a serialization format and a configuration language, much like JSON, YAML, or XML.

- Node-based, you won't have to mess with identation to make it work
- Type annotations
- Implementations in different languages: #python, #elixir, #rust, #java, #js, #ruby, #php, etc
​​Automatically upgrade your Django projects.

django-upgrade is a commandline tool that rewrites files in place. Pass your Django version as <major>.<minor> to the --target-version flag and the fixers will rewrite code to avoid DeprecationWarnings on that version of Django. For example: django-upgrade --target-version 3.2 example/core/ example/

- Compatibility imports
- url() to path() migration
- HttpRequest.headers
- QuerySetPaginator
- Better tests
- And many others!