Clojure Deref (Mar 8, 2024)

Clojure Deref (Mar 8, 2024)

08 March 2024
Alex Miller

Welcome to the Clojure Deref! This is a weekly link/news roundup for the Clojure ecosystem (feed: RSS). Thanks to Anton Fonarev for link aggregation.

From the core

Last week CVE-2024-22871 detailed in GHSA-vr64-r9qj-h27f was filed. I’ve added the relevant info to the latter link so read there for the details. The important takeaway here is that you should never read serialized objects from an untrusted source (usually this is via ObjectInputStream.readObject() if you’re grepping your source code). There are an open-ended number of ways an attacker can craft malicious objects using a variety of languages and libraries.

Today we released Clojure 1.11.2 and 1.12.0-alpha9 with a fix for the specific problem identified in that service advisory - the change is small (converting some infinite loop cases to throw instead). Along with this, there is a new version of the Clojure CLI that defaults to Clojure 1.11.2, and new versions of some contrib libraries.

We have been working hard on the last remaining feature pieces for Clojure 1.12. Due to some useful feedback on prior alphas, we found an issue with the new class array syntax (e.g. String*) - while this is an invalid class name in Java, it (and literally any name) are valid class names in the JVM, and in particular, Clojure deftype is an example way that you can create such a class. We considered a wide range of options but we have settled on an alternate syntax, with array classes ending in ::N (where N is the dimension). :: is not valid in Java class names, and not (until now) valid in Clojure symbol names, so there is no chance of conflict with this syntax.

With method values, we heard all of your feedback regarding reflective support for uniform method symbols. I think we’ve found some interesting new angles on this that will allow us to support reflection in many cases, which I will save for another post. For those interested specifically in avoiding reflection, we will address that more directly in a future release. And finally, we are zero-ing in final work for implicit function conversion. All of this work is past the planning and deep into implementation, and it should start to land soon.

Finally, this is not really Clojure core work but a result of some LLM explorations at Nubank, but I’ve submitted a patch to the MultiPL-E LLM coding benchmark to add support for Clojure. We’re starting to use this ourselves in evaluating Clojure capabilities of different models, and hopefully others can get use out of it as well.

Blogs, articles, and projects

Libraries and Tools

New releases and tools this week:

  • fireworks 0.1.1 - Fireworks is a color printer for Clojure, ClojureScript, and Babashka

  • futurama 1.0.2 - Futurama is a Clojure library for more deeply integrating async abstractions with core.async

  • clara-rules 1.4.0-SNAPSHOT - Performance focused forward-chaining rules in Clojure

  • clojure-lsp 2024.03.01-11.37.51 - Clojure & ClojureScript Language Server (LSP) implementation

  • llama.clj 0.8.2 - Run LLMs locally. A clojure wrapper for llama.cpp

  • clojure 2024-03-03 - Practicalli Clojure REPL Driven Development

  • deps-try 0.11.1 - Try out Clojure libraries via rebel-readline

  • honeysql 2.6.1126 - Turn Clojure data structures into SQL

  • template-processor - Clojure library which provides StringTemplate-like functionality

  • dinodoc 0.2.0 - Docusaurus-powered documentation system for Clojure and other languages

  • Clojure-Sublimed 3.6.0 - Clojure support for Sublime Text 4

  • nbb 1.2.187 - Scripting in Clojure on Node.js using SCI

  • overarch 0.12.0 - A data driven description of software architecture based on UML and the C4 model

  • clj-kondo 2024.03.05 - Static analyzer and linter for Clojure code that sparks joy