☝️Unpopular opinion: most Gophers should (re-)read @joshbloch's Effective Java book. Much (though not all) of the wisdom it contains is transferable to #golang.
#infosec enthusiast • #golang dev & trainer • minor contributor to the Go project • minimalist • atheist • chaotic good • trying to make sense of the Web • he/him
Free Go course: https://github.com/jub0bs/go-course-beginner
Free 🇵🇸!
@ck I concur! Especially since Go 1.22's enhanced routing patterns and Go 1.25's support for cross-origin protection.
Difficult to disagree with this post by Efron Licht: Gin, #golang's arguably most popular Web framework, is pretty bad and should be avoided at all costs. 🙅
Your weekly reminder to migrate from rs/cors to jub0bs/cors. 😇
Monotonic Collections: a middle ground between immutable and fully mutable
This post covers several topics around collections (sets, lists, maps/dictionaries, queues, etc) that I’d like to see someone explore more fully. To my knowledge, there are many alternative collection libraries for Java and for many other languages, but I’m not aware of any that provide support for monotonic collections. What is a monotonic collection, I hear you ask? Well, I’m about to answer that.
@neilmadden Bloch states this principle in his classic 2007 talk entitled "How to design a good API and why it matters":
https://www.youtube.com/watch?v=heh4OeB9A-c&t=6m
Effective Java doesn't contain the exact same maxim, but you could argue that several of its items (e.g. "Design and document for inheritance or else prohibit it") convey a similar idea.
"A good API should be, not only easy to use, but also hard to misuse." (Josh Bloch)
Productivity tip: don't have kids; don't have cats. 😬
The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! https://www.youtube.com/watch?v=zr5y6Bapbnw&list=PLoX0sUafNGbEkK0ai5P_DB2HDnljRAJyZ&index=1
"Hello. I am Nicolas Sarkozy, and I have the great pleasure of reading 'Le temps des oranges' for Audible." 😂
CVE-2025-10630: REDoS in Zabbix plugin for Grafana dashboard (fixed in v6.0.2)
To anybody relying on some PCRE engine (such as github.com/dlclark/regexp2): either forbid users to submit arbitrary patterns or enforce some reasonable timeout on matching.
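Added example, not code from the post or from any library it mentions: a deliberately naive backtracking matcher for a tiny regex dialect (literals, `.`, postfix `*`, trailing `$`) with a step budget bolted on. It is constructed here to show why a backtracking engine fed an attacker-chosen pattern is a denial-of-service vector, and what "enforce a reasonable timeout on matching" looks like mechanically. The pattern `a*a*a*a*a*a*b` and the step counts are from this example; Go's standard-library `regexp` (RE2) never backtracks and does not need this, while a backtracking engine such as dlclark/regexp2 exposes a per-pattern `MatchTimeout` field for the same purpose.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBudgetExhausted is returned when a match gives up because it has taken
// more steps than the caller allowed.
var ErrBudgetExhausted = errors.New("regex match exceeded its step budget")

// matcher is a deliberately naive backtracking matcher for a tiny dialect
// (literal bytes, '.', postfix '*', and a trailing '$'), in the spirit of
// Rob Pike's matcher from "The Practice of Programming". It is constructed
// for this example; it is not regexp2 or any other production engine.
type matcher struct {
	steps, maxSteps int
}

// tick charges one step and reports whether the budget is still intact.
func (m *matcher) tick() bool {
	m.steps++
	return m.steps <= m.maxSteps
}

// matchHere tries to match re at the start of text.
// It returns (matched, exhausted); exhausted means the budget ran out.
func (m *matcher) matchHere(re, text string) (matched, exhausted bool) {
	if !m.tick() {
		return false, true
	}
	switch {
	case re == "":
		return true, false
	case len(re) >= 2 && re[1] == '*':
		return m.matchStar(re[0], re[2:], text)
	case re == "$":
		return text == "", false
	case text != "" && (re[0] == '.' || re[0] == text[0]):
		return m.matchHere(re[1:], text[1:])
	}
	return false, false
}

// matchStar matches c* followed by re at the start of text, trying shorter
// repetitions first and backtracking to longer ones. Several stars competing
// for the same run of characters is what makes the step count explode.
func (m *matcher) matchStar(c byte, re, text string) (matched, exhausted bool) {
	for i := 0; ; i++ {
		matched, exhausted = m.matchHere(re, text[i:])
		if matched || exhausted {
			return matched, exhausted
		}
		if i == len(text) || (c != '.' && text[i] != c) {
			return false, false
		}
	}
}

// MatchBounded reports whether re matches anywhere in text, giving up with
// ErrBudgetExhausted once more than maxSteps steps have been spent. A
// wall-clock deadline would be enforced at exactly the same point as tick.
func MatchBounded(re, text string, maxSteps int) (bool, error) {
	m := &matcher{maxSteps: maxSteps}
	for i := 0; i <= len(text); i++ {
		matched, exhausted := m.matchHere(re, text[i:])
		if exhausted {
			return false, ErrBudgetExhausted
		}
		if matched {
			return true, nil
		}
	}
	return false, nil
}

// StepsTaken runs an unbounded match and returns how many steps it cost,
// to make the superlinear growth visible.
func StepsTaken(re, text string) int {
	m := &matcher{maxSteps: int(^uint(0) >> 1)}
	for i := 0; i <= len(text); i++ {
		if matched, _ := m.matchHere(re, text[i:]); matched {
			break
		}
	}
	return m.steps
}

func main() {
	const evil = "a*a*a*a*a*a*b" // six competing stars, then a byte that never comes
	for _, n := range []int{5, 10, 15, 20} {
		fmt.Printf("n=%2d steps=%d\n", n, StepsTaken(evil, strings.Repeat("a", n)))
	}
	_, err := MatchBounded(evil, strings.Repeat("a", 40), 100_000)
	fmt.Println("bounded match on 40 a's:", err)
}
```

The budget has to be checked inside the matcher loop; wrapping a call in a goroutine with a timer does not stop the goroutine that is still backtracking, which is why a library-level timeout (or refusing user-supplied patterns altogether) is the only real fix.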
🤦 #AIslop in action! Grafana's fix to CVE-2025-10630 in v6.0.0 of their Zabbix plugin happened to be way off base, but this AI tool fails to figure it out and happily lulls Grafana users into a false sense of security.
https://www.miggo.io/vulnerability-database/cve/CVE-2025-10630
💡 Judiciously ponder the design of a function that operates on user input and returns a slice or a map, lest it constitute a denial-of-service vector. If you're not careful, a single malicious request may cause a huge spike in allocations.
@jakebailey fixed the issue at the root: https://go-review.googlesource.com/c/go/+/701216
👏
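Added example (not the post's code and unrelated to the linked Go CL): a handler that turns a comma-separated request body into a slice, first in the shape the post warns about, then with the two caps a practitioner would add. The limits, the `/tags` route and the tag format are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Limits assumed for this example; a real service would size them to its
// actual use case.
const (
	maxBodyBytes = 64 << 10 // refuse to even read more than 64 KiB
	maxTags      = 100      // refuse lists longer than this
)

// ErrTooManyItems is returned when a list exceeds the caller's cap.
var ErrTooManyItems = errors.New("too many items")

// ParseTagsUnbounded is the shape to be wary of: the length of the returned
// slice is dictated entirely by the sender, one element per comma.
func ParseTagsUnbounded(s string) []string {
	return strings.Split(s, ",")
}

// ParseTagsBounded counts separators (no allocation) before building the
// slice, so the worst a sender can force is limit small string headers.
func ParseTagsBounded(s string, limit int) ([]string, error) {
	if n := strings.Count(s, ",") + 1; n > limit {
		return nil, fmt.Errorf("%w: %d > %d", ErrTooManyItems, n, limit)
	}
	return strings.Split(s, ","), nil
}

// ForEachTag never materialises a slice at all: it hands each item to fn in
// turn and stops when fn returns false, which is often all a handler needs.
func ForEachTag(s string, fn func(tag string) bool) {
	for {
		item, rest, found := strings.Cut(s, ",")
		if !fn(item) || !found {
			return
		}
		s = rest
	}
}

// tagsHandler layers the two defences: cap the bytes read from the network,
// then cap the number of items parsed from them.
func tagsHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "could not read request body", http.StatusBadRequest)
		return
	}
	tags, err := ParseTagsBounded(string(body), maxTags)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d tags\n", len(tags))
}

func main() {
	http.HandleFunc("/tags", tagsHandler)
	fmt.Println("listening on :8080") // assumed address for this example
	_ = http.ListenAndServe(":8080", nil)
}
```

The byte cap alone is not enough: 64 KiB of commas is still 65,000 string headers per request, which is why the item cap (or the allocation-free `ForEachTag`) sits behind it.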
@alex This is so satisfying when it happens.
This variety of catastrophe is why I disagree with the default policy of downloading the latest version. Newer is not always better, especially in an industry rife with scammers.
When the stars align, a one-character change can have a surprisingly significant impact on performance. 🤩
In this case, omitting a superfluous index in a slice expression was enough to make the enclosing function inlineable. ⚡
⚡ If you find yourself implementing an iterator on some recursive data structure, do check out the doc comment of https://golang.org/x/tools/gopls/internal/analysis/recursiveiter. Very useful performance tip by Alan Donovan! #golang
Good news everyone! The GopherCon EU videos are now online 🥳
All Videos:
https://www.youtube.com/playlist?list=PLtoVuM73AmsK3DSr-DxSsUkuz0-Mf3bQ7
Direct link to my talk about Go #protobuf:
https://www.youtube.com/watch?v=scNYFVtD5ZM&list=PLtoVuM73AmsK3DSr-DxSsUkuz0-Mf3bQ7&index=7
WAFs still blocking your payloads? Try our newest pointer capture tricks. Our XSS cheat sheet just got an upgrade thanks to Muhammad Ahsan.
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#ongotpointercapture