[devnexus 2022] typescript for the busy java developer

Speaker: Orlando Valdez


Link to table of contents



  • All JavaScript is legal Typescript
  • Developed/maintained by Microsoft. Other contributors like Google
  • tsc – like javac – transplies to Javascript
  • tsserver – for IDE and editor support language services. Standalone server
  • .ts extension
  • Type analysis system


  • Install from VS Studio or npm
  • npm install -g typescript


  • Version: tsc –version
  • Create project: tsc –init (creates tsconfig.json file)


  • target – JS language version
  • module – module name
  • rootDir
  • outDir
  • sourceMap – whether to create a source map for emitted JS
  • strict – whether to enable strict type checking. Recommended for new projects. If migrating from JS, can use more fine grained flags as make more typescript like


  • Can define same class twice.
  • Can create “any” type – discouraged for new projects. Used for migration. Prefer “unknown” type instead. Can’t use until type is known. Ex, casting: x as {a : boolean}
  • null is different than undefined
  • never determines a value is unreachable so can’t use
  • can use linter to follow team standard on semicolons (inconsistent in the talk and notes below)
  • Some unexpected things because valid JavaScript still works
  • If can return null show return type as X | null
  • flow analysis for determining if a type is known
  • Tag/discriminating property – constant literal with same name and unique value across types. Use tag if own object/API

Sample code

class Foo {
  x: String; 
  y: number = 12; // type is optional (can infer based on value)

let bar = new Foo()
const a - 40

const arr = ["hi", "hello"]
const tuple = { x: "y"}

function error(message: string | number): never { // never returns

if (typeof stringOrNumber === "string") {}

enum Foo {
 Up = "UP";

type ID = number // alias - lets use domain language. can use for more complex entities like  a tuple. can be alternative to create a class

type Bird = Animal & { flights: boolean } // intersection

interface Foo {
 name: string
 hi: () -> void /// function that takes nothing and returns void

interface Sub extends Foo {} 

interface Foo {  // can add properties to an interface that already exists by redefining it (even if don't have access. can also extend an enum
  color? : String // optional property
  readonly id: number
  status : "new" | "done"

type K - string | number | null //union type. can only use if shared properties. otherwise we need type guards (typeof check)

if ('id' in result) // checks if property is defined. also narrows down type so might be able to determine real time and not just that has id

obj['prop'] // don't know type or even if exists

function genericGetProperty<T, K extends keyof T>(obj:T, propName: K) { //keyof returns keys of all props in object. the generic function won't allow you to pass invalid property name. return type is known so variable assigned to is also correct type
  return obj[propName]

let str = `Template: ${language} // multiline and interpolations

type messages = // can use to generate all combinations of a parmeterized message
 | "learn X"
 | "learn Y"

My take

This was cool. A lot of info, but easy to follow. It built up in a way that I was able to read the code as more things got added. This was a great session!

[devnexus 2022] hacking the OSS supply changes

Speaker: Stephen Chin


Link to table of contents


Theme is security with sci fi references


  • Equifax data breah – from not patching Struts for at least two months
  • Solarwinds – hacked TeamCity instance injected
  • log4shell – zero day in log4j core. Affected almost all systems. Could send class file and having it excecute on the serer
  • spring4shell

Binary repos

  • Which do you trust?
  • npm, pypi, rubygems, maven central
  • Like picking up thumb drive off sidewalk and plugging into your production server

Dependency confusion attack

  • Sci fi – Matrix – agents disguised theselves as other people
  • package mining
  • npm has no security on namespaces
  • Can use same name as a company internal package and give it higher version number
  • If grabing latest version, pull mallicious package
  • When pull from npm, announcing what package you have
  • Artifactory resolves against internal repo first. Protects even if using virtual repo which mixes public and private content

Supply Chain Attacks

  • Sci fi: millinium falcon
  • Assume depedencies built on a clean system
  • Anyone can upoad to pipi
  • About 400 zero day volunerabiities in open source/cloed source/OS, embedded systems, etc
  • Sveder uploaded library to go to his website
  • JFrog scans looking for suspicious Python code behavior
  • noblesse – “optimizes your PC for python” – steals credit card/passwords and sends via dicord
  • pythatoras – supposed to help with calculations but does remote code executio


  • Sci fi: War games
  • Moscow – Russia and Idaho
  • St Petersburg – Russian and Florida
  • azure-core-tracing is proper name. Created core-tracing.
  • NPM took down once repored. At least 218 packages affected.
  • Stole personal data
  • Think bug bounty of test because minimal and not steaing credit cards


  • Scitfi: Avengers
  • Need automated (IronMan), trustworthy (Black Widow) and dependable (Captain America)
  • trusted binary network – secure by defaut, reliable inimal outages), open
  • peer to peer
  • multi-node verification
  • reproducabe build trust model


  • research.jfrog.com

My take

I hadn’t heard of all those attacks so learned about the Python ones. The sci fi element was a nice touch. As was the community picture with a ton of people on stage.

[devnexus 2022] the new excitement about the good old java

Speaker: Venkat Subramanium

Twitter: @venkat_s

Link to table of contents



  • Java is a passport to the world – spoke at 50 user groups in hoor of turnig 50
  • Celebrated Paris JUG’s anniversary in Eifflel Tower
  • Ukrainian flag slide


  • good to say that, now talk about what do
  • Hates word – Scrum-master – Agile Manifesto does’t say SM
  • Love ceremony and rituals
  • Easy to hide from what really do
  • Also hates word velocity – sustainable and producing results is what matter
  • TDD – ticket driven development
  • Agile is really feedack driven development
  • Cost of failure low if train leaves every 30 minutes vs plannig a flight


  • Java now evololving faster
  • Java 8 was game changer because of streams
  • “Java late to party but came with amazing desserts”
  • Releases used to be slow because targeted features to releases. Not agile. Want to adapt plan to reality
  • ”When will project loom be ready?” ”When it is ready”
  • Java is not being developed on a 6 month release cycle. It is being released on a 6 month cycle
  • People ask questions about feature while still remember writing it
  • Can learn and adopt technologies as they come out vs all at once
  • Less ceremony/redundancy

Live coding

  • pattern matching with if – smart casting
  • switch expression
  • pattern matching with switch including conditions
  • multi-line string with smart indentation (incidental whitespace
  • sealed interface – use but don’t implement

My take

I don’t think I learned anything new, but Venkat is an entertaining and engaging speaker, so that’s fine! Good coverage of the new Java features in live coding