Echo JS 0.11.0


tracker1 comments

tracker1 1413 days ago. link 2 points
For those using React+Redux, you might want to look at connected-react-router for a similar use case.
tracker1 1413 days ago. link 1 point
First, the example as posted uses the same quotes for all three.

Second, since you can't control for external factors like garbage collection, task schedulers, etc., it's not really a good test unless run *many* times.

Third, after a pass through the language parser, they're all the same anyway...
tracker1 1413 days ago. link 2 points
Max for a 32-bit signed integer value, IIRC some browsers have/do allow for negative values... don't recall the behavior of any, as nobody really does this in practice.

Tip: ~~VALUE will always give you a 32-bit signed integer value from the VALUE... 0 when it's not a clean conversion. Don't use this for Date, since it will overflow and cut off the value.
tracker1 1413 days ago. link 1 point
SheetJS is pretty awesome, I would suggest loading the library async when needed, because it's kind of heavy from what I remember.
tracker1 1413 days ago. link 1 point
Should probably start with var statement, then expand on closures, and note that undeclared variables are assigned global by default, and historically the only closure in JS was inside a function. Then expand into const and let as closure based declarations.
tracker1 1422 days ago. link 1 point
I do use a separate context for Theme (via Material-UI) as well as my localization (strings). I still use Redux as it solves more than just simple isolated/specialized state.  When you need/want more bits to state that don't fit well in an isolation model, doing what Redux does with context directly becomes more burdensome... not to mention the developer tooling around Redux is very good.
tracker1 1422 days ago. link 1 point
Understanding when to use environment variables (particularly for talking to other services in a system) vs. options or feature flags isn't always the most clear separation even for some experienced developers.

I can say on the config changing... for myself, usually only load at startup in a containerized service, or loaded via script from config/api service at startup for web-client.

What I'm using is pretty much wrapped around this: https://www.npmjs.com/package/@tracker1/config-merge

Supports rollup merging a configuration project, including support for multiple language/strings variations. I no longer use its out-of-the-box CLI, but am using the library directly either in the API or a dedicated config service. Mostly configuration options, as the software I work on gets deployed to different clients with slightly varying configurations.

I also inject CLIENT_* environment variables as part of a script output, that is the first script loaded into the web page, with a `__BASE__` global variable... in the application, I have a base.js that will do some normalization for access/testing, and also a language context in react that will set the current language/localization strings for use in the application.

I wish I could share more than the base library... trying to convince work to let me publish the config service and a docker image for said service...
tracker1 1422 days ago. link 2 points
Probably the main thing I would change would be to just use pbkdf2 as the hashing algorithm for passphrases.  Mostly because it's in the box for node 12+ and also because it's expressly spelled out in the NIST security guidelines.  I do use 100k iterations for salted passphrases, and 10m iterations for derived keys for other system encrypted data.

Also worth considering is that login entry is an easy target for DDoS, so IP/user limiting mitigations are a good idea in practice; Redis (sorted sets) is a really good option for this.

In addition, an invalid login attempt should usually have a random 2-3 second wait before returning the failed result; this will (usually) slow down any brute force efforts and mitigate timing attacks.
tracker1 1423 days ago. link 1 point
Not a fan of DI/IoC frameworks for JS in particular... it's not needed in most places and easy enough to wire directly in others.  For testing, module intercept/mocks are readily available.