Book: TypeScript Essentials Also by me: The TypeScript Library — the 5-book collection My project: Hermes IDE | GitHub — an IDE for developers who ship with Claude Code and other AI coding tools Me: xgabriel.com | GitHub You open a file in the orders service you have not touched in two years. There is a function called monthlyRevenueByCategory. It is thirty-two lines. The first eight dec
Book: TypeScript Essentials — From Working Developer to Confident TS, Across Node, Bun, Deno, and the Browser You have a list of 50,000 users. You want the names of the first 10 active ones. You wr
You're three weeks into a feature. Production gets a new version of an upstream service. A webhook lands in your handler that looks roughly like the one you tested again
In web development, there is one golden rule: Never trust user input. Whether it is a login form, a search bar, or an environment variable, unvalidated data is a leading cause of bugs and security vulnerabilities. For a long time, developers relied on manual if/else checks or complex Regex to validate data. But then came Zod. Imagine you have an endpoint that receives a user profile. Without a sch
I shipped a fix to my MCP server last week for LinkedIn's ProseMirror composer. It worked. Two days later, every LinkedIn post automation broke. This is the post-mortem of what changed, how I figured it out, and why "automate the platform" stories almost always end this way. The symptom was specific. My MCP server's safari_fill tool — which dutifully filled ProseMirror by walking React Fiber and c
Why Another Wheel? There are already some Vite packing plugins out there — vite-plugin-zip-pack, vite-plugin-compress, etc. They work, but they always feel like they're missing something. Most of them only support ZIP and offer fairly limited functionality. In real-world projects, the build packaging step is rarely that simple: Multiple compression formats 🗜️ — ZIP for sharing with colleagues,
This is a summary. The full analysis (root-cause walkthrough, full payload, exploitation framework, forensic artifacts and patch diffing) lives at blog.deviannt.com. TL;DR: React's Flight deserializer evaluates as a Promise any object that has a .then method, regardless of its real type. An attacker poisons Object.prototype.then through a manipulated multipart POST
This is a summary. The full analysis — root cause walkthrough, complete payload, exploitation framework, forensic artifacts, and patch diffing — lives at blog.deviannt.com. TL;DR: React's Flight deserializer evaluates any object with a .then method as a Promise, regardless of its actual type. An attacker poisons Object.prototype.then through a crafted multipart POST, forcing the server to execute