Pooya Parsa
@pi0.io
Building opensource stuff ◦ @unjs.io ◦ @nitro.build ◦ @nuxt.com

🌱 github.com/pi0 ❌ x.com/_pi0_
ASAP! 🔥
January 2, 2026 at 1:45 PM
Reposted by Pooya Parsa
Universal cache adapter (based on @unjs.io) for @drizzle.team just hit the shelves: drizzle-uncache
github.com/dschewchenko...
GitHub - dschewchenko/drizzle-uncache
December 15, 2025 at 12:04 PM
Haarlem! We should go for a drink sometime!
December 12, 2025 at 11:44 PM
Hold tight! Nitro v3 βeta is coming 👀
December 12, 2025 at 1:10 PM
Phew, it was a tough year. Nice⭐ stars, though!

Thanks, ❤️ @jangholi.bsky.social, for being patient and supportive through busy days and nights.

I tried to keep two lines free. I’ll do better next year, hopefully finally learn to speak 🇳🇱 Nederlands!
December 12, 2025 at 12:57 PM
I get the feeling this was left like this intentionally to push local publishers to migrate to CI.

All my release scripts break unless I log in manually first. The publish command does not even prompt for login.
December 12, 2025 at 8:20 AM
In the next Nitro v3 release, you can easily unit-test code that depends on the Nitro runtime.

github.com/nitrojs/nitr...
feat: mock runtime virtual imports by pi0 · Pull Request #3861 · nitrojs/nitro
Nitro runtime depends on generated virtual modules that only work during the build phase. This makes unit testing and writing shared code difficult when project code imports nitro/runtime, nitro/st...
December 11, 2025 at 5:28 PM
Open libraries in @unjs.io and H3.dev power millions.

Maintenance is tough and largely unmanned compared to the projects built on top of them.

Huge thanks to the silent, selfless heroes who fix issues before I even notice them. You’re the reason I still keep doing open source. ❤️
December 10, 2025 at 9:47 AM
Reposted by Pooya Parsa
After a few months of targeted attacks on our ecosystem, followed by a confusing and rapidly changing response from @github.com, we wanted to put together some guidance for maintainers on how to help us all secure our supply chain together.

Here is that guidance 👇
With npm supply chain attacks on the rise, secure publishing practices are becoming a pressing concern for anyone maintaining npm packages. ⚠️

We've released updated guidance to help maintainers reduce exposure, strengthen release processes, and protect the ecosystem: openjsf.org/blog/publish...
Publishing More Securely on npm: Guidance from the OpenJS Security Collaboration Space | OpenJS Foundation
The OpenJS Security Collaboration Space has been working closely with GitHub’s npm team to understand how new security features affect projects and maintainers, especially as threats and tools keep ev...
November 14, 2025 at 4:21 PM
Reposted by Pooya Parsa
🧨 “Gaps in design and implementation with the new OIDC Trusted Publisher workflows leave maintainers open to novel and increasingly difficult to detect gaps in their publishing setups. We do not recommend critical projects move to this new workflow..." - @notwes.bsky.social
socket.dev Socket @socket.dev · Dec 10
npm has revoked classic tokens for publishing, pushing maintainers toward OIDC trusted publishing or granular tokens. But @openjsf.org warns trusted publishing still has risky gaps for critical projects. What maintainers should do next:

socket.dev/blog/npm-rev... #NodeJS #JavaScript
npm Revokes Classic Tokens, as OpenJS Warns Maintainers Abou...
GitHub has revoked npm classic tokens for publishing; maintainers must migrate, but OpenJS warns OIDC trusted publishing still has risky gaps for crit...
December 10, 2025 at 6:03 AM
Reposted by Pooya Parsa
Amsterdam (NL in general) has the best dev community!

Change my mind!

(With @thealexlichter.com @pi0.io @yannbf.bsky.social)
December 8, 2025 at 9:39 AM
Try Nitro v3, you will love it (and it is way faster with compiled router!)
December 6, 2025 at 9:46 AM
Have you tried with Nitro v3 and Vite? What are you missing?
December 5, 2025 at 8:29 PM
Reposted by Pooya Parsa
IPX is a super cool tool for self-hosting websites with optimized images. Webstudio is using it for Docker export.

This means Docker images will get even smaller and cold start can be faster.
Was debugging a nasty ESM issue and ended up optimizing unjs/🖼️IPX from 99 dependencies down to 6 (26 MB → 2 MB).

Available in the v4 nightly builds with the same features as before!
December 4, 2025 at 8:42 PM
Was debugging a nasty ESM issue and ended up optimizing unjs/🖼️IPX from 99 dependencies down to 6 (26 MB → 2 MB).

Available in the v4 nightly builds with the same features as before!
December 4, 2025 at 7:38 PM
Sticky: One-time 2FA can be used for multiple actions within a short period of time.
December 4, 2025 at 12:41 PM
In v3, we’re pushing it even further — only a handful of external dependencies, a much smaller supply-chain surface, isolated module graphs via @vite.dev multi-environment API, and only the features you actually use get compiled into the bundle.
December 4, 2025 at 12:33 PM
Nitro’s split between SSR and server concepts was already a strong design choice, and I’m glad we stayed committed to it.
With everything going on, zero-trust is the only security model that makes sense.

Everything is exploitable 💣 — accept it. All we can do is reduce the damage surface through separation and isolation.
December 4, 2025 at 12:33 PM
With everything going on, zero-trust is the only security model that makes sense.

Everything is exploitable 💣 — accept it. All we can do is reduce the damage surface through separation and isolation.
December 4, 2025 at 12:21 PM
Yikes! Both GitHub and NPM have temporary sticky MFA…

www.malwarebytes.com/blog/news/20...
Attackers have a new way to slip past your MFA
Attackers are using a tool called Evilginx to steal session cookies, letting them bypass the need for a multi-factor authentication (MFA) token.
December 4, 2025 at 12:16 PM
Haha, not (yet?), but delegating more to rolldown is the same, I suppose 😃
November 26, 2025 at 6:07 PM
Over a week into rewriting the Nitro external resolver/tracer plugin. Only ~100 LOC, but tiny details have a big impact on performance and build stability. In large projects, resolver hooks may be called thousands of times; doing less really matters.
November 26, 2025 at 4:59 PM
November 24, 2025 at 11:37 AM
“one” added dep and node_modules turns into a pile of extra crap.

Try: npmgraph.js.org

WARNING: Once you see it, you can’t unsee it.
npmgraph - NPM Dependency Diagrams
Graph / visualize of npm dependencies
November 5, 2025 at 2:34 PM