Builds, Validation, Web3, CORS, Typescript-- wait this is a Go show?! with Paweł Zaremba

Apr 25, 2026 · 34 min · Ep. 155

Transcript

Paweł Zaremba

This show is supported by you. This is Cup o' Go for 04/24/2026. Keep up to date with the important happenings in the Go community in about twenty minutes per week. I'm Paweł. I'm a Go developer, and I've been listening to this show for a while.

Shay Nehmad

And I'm Shay, and you're not John. What's going on? Give me my Jonathan back.

Paweł Zaremba

I'm not John. Yeah. I was supposed to actually be doing this with John, but I was at a conference, so I couldn't. And I moved to next week, and that's why we are here.

Shay Nehmad

Awesome. Well, welcome on the show. You know, if you watch Frasier, that, old sitcom, not a lot of people watch it. So first of all, you should watch it. It's really good.

Paweł Zaremba

I know it. I haven't watched it.

Shay Nehmad

Kelsey Grammer is a star, but it's like he's a radio psychologist. A lot of people call him and are like, well, first time caller, long time listener. This is basically you. So welcome, welcome, welcome. We have tons of news to get through actually. We have a lot of links, but let's start with this new proposal about the build version build flag. I actually don't know what it is, but it sounds exciting. What what's what's up with that?

Paweł Zaremba

So, there's a proposal, to add another build flag into into the Go build stack, let's say. And, it's about adding a a build version, during the for package managers, so that they could add a globally defined version into into the build. So to say the truth, I'm not really a big fan of this proposal because we already have the build VCS flag.

Shay Nehmad

So it's actually Filippo Valsorda, which we had on the show in the past, the crypto open source person. I'm Filippo Valsorda. I've been maintaining the Go Cryptography Standard Library since 2018. I've done that first at Google as the lead of the Go security team, and these days I'm doing it as an independent open source maintainer.

Paweł Zaremba

Okay, so Filippo Valsorda has proposed to add this build version flag to let the build process know the version provided to the CMD go. I am not necessarily a fan of this because, like, I am a proponent of limiting the scope of the Go Build Builder, as much as possible.

Shay Nehmad

Like, the more flags there are, the more complicated it is to use, is what you're saying?

Paweł Zaremba

Yes. Exactly. And it's like, we have ways to introduce the version inside the Go binaries, and we have done it for a long time. I've been doing Go since 2018, and, like, there are so many ways to do that that I don't think we we need another one.

Shay Nehmad

So what's the scenario for me even wanting the build version? Like, why would I want it? Because I just go go install from like the the URL, and if I want the version, do like at and the git version. What's the what's the reason of sort like to have this, you know, version like stamping or or whatever? Is it just I don't want the build to be based on the version control system because the tag can move?

Paweł Zaremba

Good question. Yeah. That's that's true. But I'm I'm thinking that if you had a naming convention or, like, a versioning convention that, is different from what you have in your repository, then maybe that would work and maybe that would be useful. But to say the truth, I'm I'm not really sure.

Shay Nehmad

Interesting. But the the generally, there is a freeze coming up pretty soon for 1.27. It's like April. So if we wanna get 1.27 out in, like, August normally

Paweł Zaremba

Mhmm.

Shay Nehmad

It's gonna be tough to get this reviewed in time. So it was actually pinged to, like, hey, let's review this quickly. So if you have any thoughts about making this happen, because this is not a new proposal. This is from 2025, but it's, like, in the active column now. So actually looking at this, you know, if it affects you in any way, like using the the Go Build version or whatever, you should jump on this discussion.

I'll just say from the side, anything that will help me manage supply chain security better, I welcome, even if it's more I feel like, I dunno, maybe it's the mythos release, maybe it's just what's happening. But I feel like in the last month, the number of security vulnerabilities I have from supply chain has, like, doubled at least. So if I can pin even, you know, package managers to know which version they're building using this build version flag, I would be very happy, even if it makes everything more complicated. Alright. I have a short blog post.

The blog post itself is honestly not that difficult to understand, but then a sort of a discussion. To background that discussion, you said you've been doing Go for a while, And right now, you said you're working, before we started recording, mostly on, like, back end stuff.

Paweł Zaremba

Yeah. Definitely. So

Shay Nehmad

you are familiar, of course, with the concept of validating input. Right? Yep. You get a request like an HTTP request or whatever, and you need to validate it to make sure it's correct. Like, might be a string, but the string might not be in the correct format, and it might be a number, but the number might be too small or too big or whatever.

Paweł Zaremba

Yeah.

Shay Nehmad

How do you, do, like, the data validation? Do use a library? Do you just implement it ad hoc?

Paweł Zaremba

Yeah. I usually implement it ad hoc. There was little use for me to have a defined interface to do that. Although, I heard you don't use generics too much, but I'm starting to use generics more and more, and that would actually work for me to have interfaces being implemented by the types I am using in a generic setting. So this I don't

Shay Nehmad

know what what is it that Jonathan was able to do to my public image as, like, public enemy number one of generics? It's just I don't use them that much.

Paweł Zaremba

Yeah. Yeah. I can understand. I can completely understand that sometimes it might be that they are not really needed. But I think for mundane tasks and the ones that we can generalise something around the type and we shove everything inside the same structure that is generic, and we don't have to worry about implementing all of the types. That's that's quite useful.

Shay Nehmad

So I I agree. For validation specifically, there is a pretty nice idea where you because it's so simple, you might want to just implement, you know, a low validation code yourself instead of bringing in a heavy library or whatever, which is normally what I do. I either I use a data transfer language that has validation built in. So let's say I use Protobuf, then I'll use PGV, like the protoc-gen-validate thing. But as long as I'm not using anything too complicated, I do just want to have pretty simple validation.

And there is a blog post by Filippo Winter here, Validating Data in Go, which is based on a different blog post, Matt Dreyer's, on validating data, which is just have a validator interface that has a single function called validate, and it returns a type called problems, which is just a map from a string to a string. And then when you implement that interface, you know, you let's say you have a struct in this blog post, it's task create request, Right?

Paweł Zaremba

Mhmm.

Shay Nehmad

And it has a few fields. You're like one of the task fields is like interval or deadline, and you check that the interval is positive and you check that the deadline is positive, and you make sure that the deadline is after the interval. Right? Or something like that. And then you whenever you fail one of these conditions, you just like, oh, problems dot add, add a problem Mhmm.

Is required. This is kind of boilerplate y, but honestly, it's very simple to understand. The only thing I don't like about this is the struct and the validation rules are not in the same line like you get with But this is very simple. It's a good pattern. It's actionable.

You know, you get very easy errors. It's like perfect. The blog post ends with an interesting question that I wanted to bring up with you. Where should you validate? Because theoretically, you can call this validate function at the beginning of every function on all your parameters or something like that. But that obviously doesn't make sense. You don't want to call it at the

beginning and end of every function. So, assuming, you know, a Go program with a web API follows, like, controllers, service, repository, path, something super ubiquitous in the in the architecture Yeah. World. Where do you where do you put the validation?

Paweł Zaremba

So, actually, if I can, I prefer to to not create objects that are not, yeah, objects that are not valid? So the constructor is usually the place I try to do all my validation. And if for some reason the user input would be modifying this data type, I I would prefer to actually create a new one, not mutate the existing one. This has saved me quite a lot of times, already, and it fails quickly and very loudly.

Shay Nehmad

So, like, in the new that's interesting. Because that means that if you read data from the DB, let's say Mhmm. And you prepare you modify it or you create new versions of it, every time you call new, you call validate?

Paweł Zaremba

Yeah. Basically, that's that's how it would work. So, there is little little use for me to mutate the the objects, and there is a little overhead if, if I just create a new one. Although, with pointers, there is an issue with pointers, of course, because then you'd have to either instantiate everything from the top and if it is a high frequency, low latency application, then that might not work actually.

Shay Nehmad

Mhmm. And also, you don't really know. Right? You hold the pointer and then it might get mutated and you wouldn't know because you hold the address.

Paweł Zaremba

Exactly.

Shay Nehmad

So I I I don't bake it into the, like, object life cycle or anything like that. I used to do it in the controller input. Mhmm. Like, you get an HTTP request, that's where you validate, and then inside your software, you assume that validation has passed for this specific field. This is a string, but if your validation rules say it's a email Mhmm.

You can send it to an API that accepts emails, and because you validated it at some point, it says okay. And I had a recent discussion about whether to validate outgoing requests as well, not just the incoming requests. Because your API says, here's what I'm returning. Mhmm. And there are various tools to validate that. One or or, I guess, test it. One is a wiretap. We had Dave Shanley on the show.

Quobix

Hello, everyone. My name is Quobix, and I'm the founder of, a company called Princess Beef Heavy Industries or PB three three F for short. It's actually it's shorter when you say it, you know, versus typing out. Anyway.

Shay Nehmad

Yeah. So we had, Dave Quobix on the show, and he's working on various API tools that'll help you do that. But I thought it would make sense to validate on output as well, and maybe not crash the software, but just, you know, put a warning or whatever, so you know. But then I got a a lot of pushback on that on that design. People didn't really didn't like it. They were like, oh, this is the function is returning. Why do you need to validate that as well?

Paweł Zaremba

Yeah. So I would think that, it would be useful in a situation where you, you have a contract on the API, meaning that you should be very strict and deliberate in what you return. And if there's a chance that, this might not be, the correct type or, like, not a valid output, then do not break your clients for the API. It's better to just check it and and verify. But I'm I'm also thinking that we usually when we create APIs and the outputs are usually based on, something very specific, a specific type, and there's usually one way to render that type into a response, let's say JSON.

Then, yeah, I understand the I understand the arguments for not doing that on the output.

Shay Nehmad

Yeah. There there are a lot of, like, there's a lot of, argument to be had on both sides, but definitely, you know, Filippo knows what he's talking about with this very simple interface, I feel. And before you incorporate any library or any framework or any whatever, just start with this, design pattern and then see how it goes. Let's do a little bit of meetups. You wanted to share about this community that, y'all have over, at Poland.

Paweł Zaremba

Oh, yeah. So, we've got a community in, Warsaw called ETH Warsaw, which stands for Energy Technology and Hackathons, and actually it's for Ethereum. It means, we are we have a blockchain, centered community that is that was created four years ago right now. And we started doing a conference and meetups, and this has been really a wild ride, I was I must say. And we meet from time to time in our new hub because we also created a hub called called Collective three.

Like, Web three is the is the the blockchain, stuff, and we have Collective three, which means, that it's connected to to blockchain technologies and, not trading. Like, we don't do that. Like, we are very interested in all the technologies that can be used to improve the systems that we have right now. Blockchain, especially in the era of AI that we are in right now, blockchains are very well suited to be to be connected with AI because the AI agents can do stuff on the blockchains and and can be let go and without even human supervision. So, yeah, we've got this we've got this community meetups in the hub.

Anyone in in Poland, visiting Poland, come see us. And we've got a Luma calendar where anyone can check what events we are doing. So

Shay Nehmad

Yeah. We will have that link in the show notes as well, but it's luma.com/eatwarso. Exactly. Not Eat Warsaw, which is the foodie community.

Paweł Zaremba

That would be the foodie community. ETH Warsaw. Actually, we had very great reviews about the food at our conferences. I, myself, am a vegetarian, and we had very good vegetarian food. And, yes, we sometimes jokingly say it's eat Warsaw. Nice.

Shay Nehmad

Actually, some ever since moving to America, food food and meetups has been, like, either a complete disaster. These like brands that you've heard of Mhmm. Living outside of The US, like Papa John's or whatever. I don't wanna name any ones that actually suck. So maybe Beep, the name I just said, Filippo.

But like various name that you may have heard of, it's just horrible. Mhmm. And sometimes they get, like, some local food or whatever, it's just amazing. Yeah. But generally, good food in meetups is highly appreciated.

Paweł Zaremba

Yes. Of course, what I realized a while ago is that we are not doing a catering meetup. So we want to provide some something, some sustenance as one would call it, but it's better to have less, food but good quality than, like, a lot of junk food.

Shay Nehmad

Same for code, but for some reason, are still running 20 agents at the same time, Turning out slop. Exactly. At the topic of meetups, there is a Go meetup in San Francisco as well with the Go SF community that I usually host. This time, I won't, yeah, because I won't be there. But there are already 30 attendees, so you should really, really sign up. It's hosted by METER in San Francisco, May 13. I will not be there, but you can if you ever wanna enjoy the meetups without me. Alright.

Paweł Zaremba

Yeah. So we are in the middle of the show. So let's cut to the ad break and we'll do the next section here because it is about middleware. So Jubobs has created CORS library middleware, for Go that is, easier to use and harder to misuse than existing alternatives.

Shay Nehmad

Nice. And we'll talk about that right after the ad break. As Paweł mentioned at the top of the show, this show is supported by you, our listeners. This is a hobby. We do it for fun and to learn. I don't know how much you've learned this week, Paweł, but I've certainly learned quite a lot. But it does cost a little bit of money. It takes a little bit of time. So the best way to support us is to hop over to our Patreon and sign up. Just a few bucks a month, and it really shows your support.

We have few new members since we last talked, so we really appreciate all of y'all joining, including Corbin Staban and Akshay Shah. Hey, Akshay. What's up? I didn't know he joined. You didn't have to do that. Thank you. If you wanna find that link, and also find our Slack channel where Paweł hangs out, and you can talk to him because he's, a long time lurker.

Paweł Zaremba

Yes. I'm a lurker. Yes.

Shay Nehmad

At the Gophers Slack, #cup-o-go, kebab case with hyphens, or email us at news@cupogo.dev, find past episodes, find our swag store. You can find all of that at cupogo.dev. That is our website. Another way to support the show is to help us, like, spread it out. We recently crossed 200,000 listens.

Paweł Zaremba

Woah.

Shay Nehmad

Oh, yes. This is crazy. That's great. It's a crazy number. And we never paid to advertise or anything like that.

This show is just like word-of-mouth, people telling other people about the show. So if you can do that either by leaving a review on Spotify or Apple Podcasts or wherever you listen to your podcast or telling the show, telling, you know, your friends, your coworkers, your co students, other gophers in your city, other foodies in your city about the podcast, that we would really, really appreciate it. This is such a crazy number that I don't even know how to, like, Wow. Yeah. I don't know what to do with it.

It's just a big number, and we like big numbers.

Paweł Zaremba

Yeah. It's big. That's what she said. This

Shay Nehmad

That's what she said. This is a a pretty cool month because we I was supposed to be on vacation, so we got all these guest co hosts, Paweł, of course, you Yeah. And two other co hosts that filled in for me in the this last month. And it's been really cool to have, like, a a month of what feels like community appreciation or community participation. Mhmm.

It's just a good it it stands really nicely with the fact that we got to over 2,000 200,000 listens just by, like, people talking about the show. Really cool. So thanks, everybody.

Paweł Zaremba

It's just organic growth, like my food, so I like it.

Shay Nehmad

Yeah. Organic non GMO podcast listening. Exactly. Farm to Table podcast episodes. Alright, I want to talk about CORS, so let's get back to that.

Paweł Zaremba

Alright, so CORS. What is CORS? Cross Origin Resource Sharing. That's what the definition says. It's mainly about a situation where you need to source data from different domains and you need to just control the access to that so you don't allow phishing through your website.

And we've got a new opinionated, as it says, CORS library, a middleware for Go by Jubobs. And this library is advertised as being hard to misuse, which is actually a good feature of any library in Go or anywhere else because, there's a saying that, if someone if something can happen, it will happen. So and people, always find a way to use all of the the whole the whole surface of your API. That means if you allow something to go wrong, for any reason or by mistake, someone will find a way to use it. Not necessarily on purpose, but it will just happen.

So it's actually a good, good thing that Jubobs is trying to create a library that, makes it harder to misuse it.

Shay Nehmad

Yeah. I, I really like this library. It also, comes along with, a blog post, he wrote called, they wrote, I guess, called, Fearless CORS. I definitely feel like there's a lot of possible mistakes when you're trying to configure this stuff.

Paweł Zaremba

Oh, yeah.

Shay Nehmad

And normally, like, it doesn't work for a client and then someone who's maybe less informed about what it does, let's say your coding agent is like, oh, let's just add, you know, star as allowed, domains. Yeah. Always. Star. Basically, meaning this is this is completely useless. Exactly.

Paweł Zaremba

Yeah. It's it's hard it's it's hard

Shay Nehmad

to do. Opinionated yeah. Opinionated libraries are are good if they're coming from people whose opinion I respect.

Paweł Zaremba

Yeah. That's true. Yeah. It's always hard with, with this, CORS because it sometimes gets very cumbersome to configure it. And if you have dynamic domains for some reason that change all the time, then you need to do dynamic CORS as well. So, yeah, a good thing.

Shay Nehmad

Yeah. So a cool library. It is pretty new, already 200 and whatever stars. I don't know if that's a metric that's worth anything. But definitely next time I need CORS in a in a web app, that's the that's the library I'm gonna reach, towards because it seems very simple to use, and with a lot of thought behind it.

So I but it is important to note even though it's like opinionated has a lot of thought behind it, whatever, seems like the most brain dead simple thing to configure ever. You just like new middleware. These are their origins. These are their methods. This is their request headers. Let's go. Like, very, very simple.

Paweł Zaremba

I actually prefer convention, over configuration. So if someone has an opinion and I deem it worthy, then I prefer to use that than being able to configure everything because, there's a lot of things that can go wrong if you have too many, dials to

Shay Nehmad

Yeah. Too many foot guns that are possible, especially with security. Exactly. In what will, I think, be the last item of the day, because we've been talking for a while, there is a new blog post from Microsoft announcing TypeScript seven dot zero beta. Wait. Why am I talking about TypeScript? This is a Go program. What the hell?

Paweł Zaremba

Why? Why would you do that that to us?

Shay Nehmad

So, two things can be true. There are two wolves inside you. You know? One of them is dynamic programming. Anyway, so TypeScript seven is the new TypeScript, like, transpiler slash compiler.

TypeScript, if you've been living under a rock, is a Microsoft language that sits on top of JavaScript. JavaScript is a vulnerability delivery mechanism built into all browsers. This also accidentally helps the websites be the, you know, dynamic and helps us build web apps and whatever. Cynicism aside, I actually think Microsoft pulled something really impossible with TypeScript and made JavaScript actually a relatively elegant language compared to like how horrible it is to to start with. And the TypeScript transpiler, the thing that takes TypeScript code and and transforms it into a JavaScript code, they call it a compiler.

I'm not sure it is a compiler, but whatever, is was written in TypeScript, which makes a lot of sense. Right? But because it's actually reading a lot of source code and doing, you know, a lot of parsing and it wants to be efficient, running it on JavaScript was pretty problematic. And the new TypeScript seven implementation, which again, what it does, it takes TypeScript and and compiles it to JavaScript, is written in Go.

Paweł Zaremba

I love that. I love that, for TypeScript. I'm happy for them very much.

Shay Nehmad

Yeah. It's like, how anybody who's been working with the Python ecosystem doesn't realize, but almost a 100% of their tooling is in Rust now, like uv and ty and all the linters, whatever, they're actually all implemented in Rust. I think it's a similar sort of situation where it's time to move to a native, language. And I tested Unlike a lot of blog posts and whatever that we share and are like, oh, test it and let us know how it goes. I actually tested it and I wanna share my recipe on how to have like a successful Yeah.

Testing time with TypeScript seven, if you have a TypeScript code base like I do in production. So don't change your current flow. This is still beta. I really don't wanna put this in production yet. I mean, this blog post is from April 21. Right now it's April 24. Like, a second. You can wait on the on the upgrade. I do wanna say that, yes, the compile times are crazy. They in the in the blog post, they say, oh, it's 10 times faster.

I got 18 times faster on my machine. So super significant. It is legitimately gonna change my workflow in the sense that, I don't know, if I have a background agent running like a Claude session, I'm gonna tell it after every change, run TypeScript compilation. Don't wait until the end and then fix all the errors. Just do it while you're working, like typos or whatever.

For a simpler package, it was like only five times faster, which is still a lot faster. For the more complicated ones, it's almost 20. And the way I did it in a non disruptive way is I added a new which is, by the way, how you're supposed to do like go new Go releases checks as well, is I added a concurrent CI check that uses TypeScript seven instead of TypeScript, like TypeScript six, that doesn't fail, but does print warnings. And I'm gonna have that stick around for a couple of weeks and see if the build fails and the test fails on like the, you know, the advisory TypeScript seven approach. And to make that work, I had to set up a new config.

So a new tsconfig, another file, and it actually forced me to fix like a few TypeScript errors where I did like conversions and the new TypeScript version doesn't know how to deal with them.

So it wasn't a completely smooth transition, but actually most of the fixes were very, very minor. Like, they didn't matter almost at all. It was just like move a variable from here to there, define it a little bit more clearly because the new compiler has a little less ability to, like, derive what is a type automatically like the six has. So it forces you to be more explicit, which as far as I'm concerned is, like, it's not a bug.

Paweł Zaremba

It's a feature.

Shay Nehmad

Sounds great. You're forcing me to and it is faster. So if you are like me, unfortunately, stuck in TypeScript land to make money, you can still inject some Go into your life by upgrading to TypeScript seven. And I highly recommend not upgrading yet because there are some sharp edges, but I do think it's time to put it in your CI. So in two or three weeks time, the upgrade is like very obvious and everybody already has it on their machine and, you know, in your team and whatever.

That's how I'm doing it right now. And I guess in a month, in the episode, you know, May, I'll update if it worked or if the migration didn't work. Because right now, it's just, you know, an open PR, and we'll see how it goes.

Paweł Zaremba

But did you know that you can compile TypeScript with TinyGo. You can you can I did not? You can use TinyGo, the latest version 0.41, compile TypeScript in into JavaScript, but they the the both both teams have worked together apparently. It's possible to to use TypeScript to to use TinyGo to work with this compiler.

Shay Nehmad

If you got to I don't know. TinyGo is for, like, embedded or whatever. Why not just write the normal Go? But I understand it. If you have one piece of like TypeScript and you just want to use, you know, somehow compile it into Wasm or whatever, that that makes a lot of sense.

Cool. Cool. Cool. So this is just my experience from using TypeScript seven. I've been pleasantly surprised that it just sort of worked, it just required a few configuration changes and a few tiny fixes on a relatively big code base that I'm maintaining, but I wouldn't put it in production yet. Just wait for, like, a second. That's my that's my review so far.

Paweł Zaremba

Would you wait one minor version, like someone proposing Go? They tried to force it on us.

Shay Nehmad

I don't know. It's just so fast. It's really fast. It's really fast. Alright. I think that does a show. We've been talking for a while. Paweł, thank you so much for joining, and co hosting with me. If people wanna find you, like, online other than the Cup o' Go Slack channel, where where can they find you? Where can they follow you?

Paweł Zaremba

That might be an an unpopular opinion, but I deleted my LinkedIn a few years ago. But now everyone is, around me is trying to force me to subscribe again, so maybe I will. But you can find me on Twitter. My handle is complicated, so probably it's better that it's linked in the show notes. It's t e g h n e t, which means t e g h h o t. If someone knows what that is, hit me up. I would be glad to hear from you, even if you don't. Wait. T e g t e g h net, n e t. No, no hyphens, no anything.

Shay Nehmad

Alright. Link is in the show notes. Although, you know, Twitter is relatively divisive. I'll send you

Paweł Zaremba

oh, that's me. Exactly. Okay. The the picture shows exactly why. It's T. L. Greyhai T. I'm an engineer, and Star Trek I I was Star Trek is a big part of my life, actually.

Shay Nehmad

Well, I will, say I want to cap off the show with live long and prosper, but there is a specific way there is a specific way we cap off the show, which is program exited. Thank you a lot, Paweł, for coming. Goodbye.

Transcript source: Provided by creator in RSS feed