Mar 13, 2020 newsletter

Jamstack goes full stack with Redwood


RedwoodJS announced the launch of a new open source full-stack development framework. Dubbed “Rails for the JavaScript age,” Redwood could redefine how developers build the web.

What is it? According to the development team: "Redwood is an opinionated, full-stack, serverless web application framework that will allow you to build and deploy JAMstack applications with ease."

Like Rails, Redwood includes simple conventions and helpers to improve the developer experience when building a database-backed web app. It is highly opinionated—adding a predefined structure to your components, layouts, pages, APIs, and services.

Redwood offers a functioning setup out of the box by bundling together React, GraphQL, Prisma, Babel, Webpack, CDN, functions, and databases. That makes Redwood completely edge ready—handling content delivery, serverless functions, and database management.

Why it’s a big deal: Developers spend considerable time integrating frontend frameworks, backend tooling, database services, and more when building an application. Redwood manages all of these things for you.

Moreover, Redwood represents the next phase of growth in the Jamstack ecosystem. As the Jamstack grows in popularity, frameworks will extend beyond static site generators into full-stack frameworks. That’s why Redwood acts as a framework for an entire Jamstack-based application.

It’s backed by big names. Redwood was developed by Tom Preston-Werner, a cofounder of GitHub and current board member at Netlify—a leader in Jamstack application development and deployment.

Redwood, according to its creators, is still a “young sapling.” While currently focusing on websites, Redwood plans to expand to support mobile apps, desktop clients, CLIs, and more under the Redwood umbrella.

Building a CLUI: a cross between a CLI and a GUI

CLUI, an online IDE that lets developers write and run code in the browser, revealed a new developer tool called a CLUI that blends together CLIs and GUIs. With 500,000 weekly active developers and 2 million users, hopes to reinvent how developers interact with their tools.

What’s the problem? CLIs are incredibly powerful tools. Complex CLIs, however, require users to memorize commands and workflows—which is both tedious and inefficient.

Unlike CLIs, GUIs are easier to learn and include helpful visual cues to new users. Scalability, however, is a massive issue. As GUIs grow, they can become overwhelming and convoluted.

What’s the solution? CLUIs combine the strengths of both CLIs and GUIs. Developers still type text-based commands, but the interface is mouse-friendly, highly discoverable, and compatible with rich media.

Developers can type in what they want and get suggestions for relevant commands. Once developers enter a command, the CLUI can pull up a relevant interface, like a clickable run or view button. CLUIs can also add interactive elements—like a data entry form—once you enter a command.

CLUIs work like a flowchart or decision tree. That makes them easy to scale when adding new commands. Users can also send a command URL—a list of commands—that work as a complete executable CLUI command.

Is it the start of something new? is working to make its entire online IDE accessible through CLUIs. The company also open-sourced its CLUI code—and a working demo—with the goal to inspire other developers to explore how they might use it.

Most security flaws are never fixed

Security debt

Veracode, an application security company, released its 10th annual State of Software Security report. Veracode tested more than 85,000 applications across its customer base to learn more about the prevalence of security flaws and debt.

More apps have issues, but they’re less severe. According to Veracode, 83% of applications have at least one security flaw. That’s up nearly 10% since Veracode’s first report was released ten years ago. Only 20% of applications, however, have high-security vulnerabilities, down from 34% ten years ago.

Many issues are fixed quickly; others not so much. The median time to fix a security flaw is 59 days—unchanged from nearly a decade ago. Average time to remediation, however, has jumped up to 171 days, compared to 59 days just ten years ago.

Why the jump in average time? While many issues are rapidly fixed, development teams are increasingly letting other low-priority flaws fester for a long time—often months or years. That creates a long-tail of issues that increases the average remediation time.

According to the report, 30% of closed issues were closed in the first two weeks and 50% were closed in the first two months. Yet half of current open findings have been open more than 180 days.

Security debt is a mounting problem. Roughly 70% of development teams are keeping pace or pulling ahead in fixing security flaws—leading to a net reduction in issues. That means nearly 30% of teams are actively accruing security debt.

All told, just 56% of software flaws eventually get fixed—officially known as the fix rate. With so many unsolved problems, security debt seems unlikely to disappear any time soon.

Twitter's API renaissance

Twitter devs

At a time when many large platforms have severely limited their developer APIs—including Facebook and Gmail—Twitter hopes to recapture developer mindshare with a new set of revamped developer policies.

What’s changing? In short, Twitter’s policies are easier to understand and more clear.

New policies allow greater freedom for academic research. Researchers now have clearer guidelines and can more easily share data sets for academic purposes.

For app developers, Twitter is streamlining its use-case approval process—where developers want to use Twitter data in a new way and need to reapply for approval. And, if you want to build a bot, Twitter is embracing their usefulness by making it easier for developers to officially register their bots.

Twitter wants to get more developers more data. Twitter is revamping how it engages with the developer community. In 2018, Twitter introduced a new developer review process to expedite and streamline how developers build on its platform. Since then, it’s reviewed nearly 1M developer applications for API access.

Twitter is in the midst of an API renaissance. It’s building out its next generation API, with the goal of being more open and transparent. The company even launched Developer Labs, a new program for developers to test its APIs and provide feedback.

With new API policies in place, Twitter hopes to foster a healthier developer community—one that can extend, rather than threaten, its platform.

Small bytes

  • TensorFlow Quantum is an open-source library for the rapid prototyping of quantum machine learning models. The framework provides quantum simulators and primitives that are compatible with current TensorFlow APIs. Google hopes to encourage developers and researchers to explore the intersection of machine learning and quantum computing. [GOOGLE]
  • Twitter is working to better predict user engagement on its platform and develop a state-of-the-art content recommendation system. To get help from the developer community, Twitter is releasing a dataset containing 200 million public engagements—including likes, replies, and retweets—for its RecSys 2020 Challenge. Winning teams will take home $15,000. [TWITTER]
  • MuleSoft released its 2020 Connectivity Benchmark Report detailing how technology companies are integrating their applications. IT leaders said that roughly 80% of companies use public or private APIs and, on average, 31% of their company’s revenue is generated from APIs. [MULESOFT]
  • Google surveyed 645 developers on their experience with TensorFlow.js, its JavaScript-based machine learning library. Most developers said they felt uncomfortable using machine learning libraries because they fear they lack knowledge of advanced mathematics. TensorFlow APIs, however, are designed to be used by developers of all backgrounds. [GOOGLE]


  • Zoxide is a new cd alternative that keeps track of the directories you use most frequently, and ranks them to find the best match [GITHUB]
  • MyDrive is an open source Google Drive clone built with Node.js, Express, React, and MongoDB [GITHUB]
  • is an IDE for building reusable web components [WC.DEV]
  • Shorthand is a free and open source CSS framework, that allows you to make unique and modern design without writing any CSS [SHORTHAND]
  • Proji is a powerful cross-platform CLI project templating tool [PROJI]
  • Google Open Source lets you search all open source Google projects for code or files [GOOGLE]
Never miss the big news

Every week, our team will send you three of the most important stories for developers, including our analysis of why they matter. Software development changes fast, but src is your secret weapon to stay up to date in the developer world.

Featured articles
Made with by Software. Read more about our mission.