You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We used to think having "full stack" JS was a "good idea" ...
"one language everywhere" is an incredibly tempting https://en.wiktionary.org/wiki/siren_song
In practice however, we soon realised that "JS Everywhere" was a recipe for "death by a thousand cuts" because its almost impossible to ensure code quality/consistency in a team beyond 2 people!
Requires on Specific (Ancient) Version of MongoDB: 2.6.10
if you read their .travis.yml file, you will see that Apostrophe requires a specific
There is no comment or "Docs" anywhere in the project indicating why this is the case.
MongoDB just released 4.0 https://www.mongodb.com
Which means that Apostrophe has "pinned" a Datatabse version that is two Major versions behind without a clear reasoning (which there undoubtedly is...!)
What this means in practice is that a user (developer using apostrophe for their CMS) will install the latest version of MongoDB and think that "everything just works"
only to discover (usually in production) that there is an obscure feature of MongoDB 2.6.10 that is required by the CMS and now you need to take your site offline in order to downgrade the version of your database to avoid the constant crashing. 😞
How do you know...?!
Anyone who has spent more than a "bootcamp" worth of time writing software, will know that making this kind of claim is naive at best.
What part of the Apostrophe "stack" is secure?
How are they actively and automatically testing it?
Who is responsible for maintaining the security of every part of the system?
Is it "secure by default"? e.g: will the content editor page fail to load if the protocol is not HTTPS?
After reading the "Apostrophe is Secure" nonsense I completely lost interest in doing further research into this platform.
Top tip to Developers who are starting out their career:
When any software claims to be "secure" without being specific,
e.g: We run automated tests for the "OWASP Top 10, implement "security by default" principals and have multiple CISA/CEH/WCSD certified people on the QA team who regularly review the codebase, so that you have "peace of mind" throughout the lifecycle of your project. Run Away as Fast as You Can!!!
This looked promising. But no.
The text was updated successfully, but these errors were encountered:
Apostrophe is an Open Source Node.js based CMS: https://apostrophecms.org
https:/apostrophecms/apostrophe
100% JavaScript ...
100% unpredictable ...
Requires on Specific (Ancient) Version of MongoDB: 2.6.10
if you read their
.travis.ymlfile, you will see that Apostrophe requires a specificThere is no comment or "Docs" anywhere in the project indicating why this is the case.
MongoDB just released 4.0 https://www.mongodb.com
Which means that Apostrophe has "pinned" a Datatabse version that is two Major versions behind without a clear reasoning (which there undoubtedly is...!)
What this means in practice is that a user (developer using apostrophe for their CMS) will install the latest version of MongoDB and think that "everything just works"
only to discover (usually in production) that there is an obscure feature of MongoDB 2.6.10 that is required by the CMS and now you need to take your site offline in order to downgrade the version of your database to avoid the constant crashing. 😞
Security?
There is a https://apostrophecms.org/support/security page which boldly states:
How do you know...?!
Anyone who has spent more than a "bootcamp" worth of time writing software, will know that making this kind of claim is naive at best.
What part of the Apostrophe "stack" is secure?
How are they actively and automatically testing it?
Who is responsible for maintaining the security of every part of the system?
Is it "secure by default"? e.g: will the content editor page fail to load if the protocol is not HTTPS?
After reading the "Apostrophe is Secure" nonsense I completely lost interest in doing further research into this platform.
Top tip to Developers who are starting out their career:
When any software claims to be "secure" without being specific,
e.g: We run automated tests for the "OWASP Top 10, implement "security by
default" principals and have multiple CISA/CEH/WCSD certified people on the QA team who regularly review the codebase, so that you have "peace of mind" throughout the lifecycle of your project.Run Away as Fast as You Can!!!
The text was updated successfully, but these errors were encountered: