Hello everybody and welcome to the Modernize or Die podcast.

Today is April 15th.

This is episode 231.

My name is Eric Peterson, happy to be with you and I'm joined by Mr.

Daniel Garcia.

Eric, how are you doing today?

I'm doing pretty great.

Weather's turning up here in Utah and I can send my kids outside and it makes me very
happy.

Do they stay outside or do want to come back in?

They do, they do.

And we enjoy going on family walks together in the evening.

So we like the nicer weather.

Of course, in Utah, it's gonna like get super cold again this week and then jump into the
90s.

So only a little bit of nice weather.

So it's also a tax day and I'm going to throw this out there.

So I've been doing at Ortus have a fun house and I've been putting dad jokes and I got a
dad joke calendar.

And today was a dad joke about taxes.

It says, I don't do my own taxes.

I'm just not into it.

Get it into it.

unfortunately unfortunately

that as a regular feature.

was just, it's tax day.

And if you haven't gotten your taxes yet, finish this episode then go do them.

Dad Joke Corner brought to you by Daniel.

Thank you, Daniel.

Well, let's jump into some Ortus news.

Into the box, just around the corner.

The end of the month, really.

I guess it's technically April, May, but consider it April.

No workshops are April 30th.

I like I should know this since I'm given a workshop.

April 30th is the workshop day.

Okay, it is end of the month.

So we only have 20 on-site tickets left.

So if you've been kicking the can down the road procrastinating, like stop what you're
doing, go to intothebox.org and order your tickets.

Workshops only available for our on-site attendees.

It looks like we have three spots left for our getting started with BoxLang.

And we have some other great options to consider as well.

Team packs are available, that's the only way to get early bird pricing right now.

Buy one, get one half off, or buy two, get one free.

me post these links.

you are not gonna be able to make it in person, we're really sad.

This is gonna be epic into the box, but you can get our virtual ticket.

Today is the last day to get Early Bird online ticket pricing.

We'll throw that link in our show notes.

If you don't buy today, you're up to the normal virtual price, but you can still pick
those up all the way up to the start of the conference.

fair, our normal virtual price is pretty reasonable.

Considering all the content you get, it's just if you want to be even more reasonable.

All of these prices are very reasonable for a conference, head over to those links.

Again, we hope to see you there in person.

And we'll tell you there's a big special reason why we'll get to later in this podcast.

Can't wait.

We have some product updates.

Daniel, do want to tell us about Command Box 6.2?

They do CommandBox 6.2.0.

That point zero is very important.

It was released.

We've got nine tickets with several bug fixes and some new features including the Jakarta
server support, which is important for BoxLang and ACF 2025 and Lucee seven.

Some new changes with those that we need to make sure that CommandBox box supports.

one of my new favorite features is a server warmup URLs.

So that way when you start the site, you can automatically kick off some URLs to hit till
I want the site so that when you start the site, I'll warm up the site.

So if you start your site and you need to run some initialization routines or do whatever,
it'll kick off these server warmup URLs and you'll be back in business.

a lot of times when you have to start your site manually, then you have to manually
remember to go back and click those links.

Well, here you just automate it all for you.

If you want more information, we'll go ahead and put that into the chat.

The server warmup URLs, all I can think of with that is hibernate ORM, how when you hit
your site, it has to crawl all the different entities and metadata and load everything,

and you just want that to be done before anybody actually has to hit it.

or if you've got like a lot of cache queries where you want to make sure they get
initialized in cache before anyone does anything.

Yep, that's another good idea.

So that's CommandBox 6.2 out right now.

Next, let's talk about the ColdBox Vite plugin.

So Vite is, we're talking JavaScript land.

It's a module bundler.

You know what?

I haven't done enough JavaScript to know the terms I use now.

What I do know is if I want modern JavaScript frameworks like Vue and React to run, Vite's
the way I choose to do it.

because it's super fast.

In fact, the other day I was doing some development on the site that used Coldbox Elixir,
the old webpack bundler.

And I'd save a change and it would take maybe a second to reload and compile.

And I was like, this is garbage.

Vite does this in 10 milliseconds.

What's going on?

So I almost ripped it out and put Vite in.

And then I realized that wasn't my job at the moment.

So next time.

But the ColdBox Vite plugin is the easiest way to hook into your ColdBox site so you can
add in modern JavaScript with your existing ColdBox server rendered site.

It has support for the latest Vite and all the goodies there.

You can also get started quickly with our template using the CommandBox box.

You can do a ColdBox create app and pass in cbtemplate-vite.

Get everything you need to get started.

I got to do some work with Quick version 11.2.

I got to meet with a client and as usual, performance issues in Quick come down to not
eager loading relationships.

So eager loading's the idea that if you have a blog post and you wanna get the author to
get the author's name, you

could mistakenly load 20, 40, 50 blog posts in one database request and then proceed to do
50 single database requests to load the author for each post as you're looping through it.

Eager loading instead will go grab all those at once and stitch them together for you.

So it's huge on performance but also can be easy to miss.

Well, I finally jumped in and added a way to disable all lazy loading.

in development, you can do it per environment so that you're in development and it will
throw an exception at you and tell you like, hey, you tried to lazy load this, go you load

this and help you avoid those performance problems before they even get to production.

So that's out in quick 11.2.

It is.

Nice.

Nice, nice, nice.

Okay.

So this week's episode is sponsored by Ortus solutions.

Imagine that we want to feature CommandBox Pro if you haven't heard CommandBox Pro it's
CommandBox with a bunch of other really cool things that are definitely worth paying for.

obviously the most important one is support SLAs and trust from Ortus.

You get the service manager modules so that if you've got a server set up and you want it
to start automatically, will do that.

if you're just like any other service.

You do get a ForgeBox Pro account included with every CommandBox Pro license you purchase.

So if you want to do your own private packages and share that within your team, you can do
all sorts of cool things like that.

Multi-server features, you can do CommandBox multi-site, which allows you to pay us, it's
like doing virtual hosting, where if you want to have one CommandBox instance and host,

you know, multiple sites, dozens of sites for whatever, you can do that.

We also have the automatic JDK management and manager versions on each specific
application deploy as well as SNI support.

We're in multiple certs, SL certs on the same IP address.

So if you want to go check that out, go to the website for CommandBox Pro and we'll put
that in the link.

Let's go over to our BoxLang corner.

BoxLang 1.0 RC3 has been launched.

Let's tell you about some of the headline features here.

We kind of teased them last podcast, but performance, we've tested the runtime against all
our major libraries.

It's faster than Adobe 2021, 23, 25.

It's give or take with Lucee depending on the test.

So,

great work to the entire BoxLang team for just iterating and iterating on that
performance.

The BXORM module is out so you can integrate with Hibernate for all you poor people that
still have to do that.

That's obviously my opinion.

I should have prefaced that.

Virtual thread support.

This is a fun feature that I had to look up for Java 21, I believe, but just a lighter
weight thread that can be

Backgrounded similar to virtual memory so that when you do IO tasks in the thread, it
doesn't lock up the entire like CPU thread Scheduler so the if you've ever used the cold

box scheduler, which is incredibly powerful and intuitive You can do all that in box
laying.

In fact, that's replaces kind of the crazy scheduler UI that you can find in Adobe and
Lucee and My favorite little feature from here

You can run it from the CLI so you can without starting up your application go to BoxLang
schedule and then pass in a scheduler.

You don't have to run cron You have to do anything like that.

It will just run forever and run your tasks for you.

So then you can use all the nice BoxLang scheduling methods like saying run every day or
Every workday at 8 a.m.

Instead of having to figure out the random cron incantation for that

So that's BoxLang RC3 out now.

You can go please test your site because this is the last RC before the stable release.

When's the stable release gonna happen?

As hinted earlier, Into the Box 2025 we will be launching the stable release of BoxLang
1.0.

So you want to be there, Into the Box 2025, whether you're joining online or in person,
this is gonna be the conference that gets you up and running on BoxLang to start

supercharging your development fast and easy.

And now's the time to grab a BoxLang plan.

This is in your future, you want to save some money on it, they're 25 % off until Into the
Box.

So grab that, we'll see you there May 1st for the BoxLang stable release.

And then one more last important bit of box news BoxLang news are the virtual machines are
now on AWS.

So if you've been wanting to play with BoxLang and you've been waiting to for it to appear
at AWS as a VM, it's there, you can do it.

We're going to go ahead and post the link and go play with it.

Yeah, we announced last week or last podcast rather that we had them up on Azure and now
they're up on AWS.

How about some CFML updates, Daniel?

Do you want to tell us about the security updates that came out this last couple weeks?

So they're a big one for both Adobe and Lucee.

I think it's pretty much the similar, similar exploit.

There are security updates available for Adobe CF.

We'll get the links there in the chat.

Similar for Lucee.

It's where if you've got a certain condition on the server, somebody can take advantage of
an exploit where they can execute code remotely.

Now, if Lucee did say that if you're on a shared hosting environment, this is a little bit
more of an issue than if you're hosting privately.

But if you go through and kind of read through the docs, you can kind of see what it
handles.

You have to kind of decide if that's something you want to account for.

Now with Lucee, if you just want to update to latest Lucee, I don't think there's any
issues with that.

Just do it.

Why not?

Don't worry about it.

Yeah, was something about being able to write bytecode directly to the server and then
Lucee would run it, which I feel like if somebody can write files directly to your server,

you might have a bigger problem, but.

I was talking to Brad about it too when it came out and it's like if you can do this first
step, then you can do the second step.

But most people don't allow you to do the first step.

So you're probably okay anyway.

But definitely worth reviewing your code base and updating or just update anyway.

And for Lucee, you can also add an environment file to lock it down even further,
especially if you're using CommandBox or Lucee environment variables.

another big news is there a 6.2.1.112 RC final release candidate is out for you to play
with and test with and check out and make sure it all works the way you're hoping it

works.

Yeah, I'm looking at their server change log for that.

It looks like a lot of bug fixes, not really any new enhancements.

It's just kind of what you expect at this point in an RC.

give that a run on your Lucee servers and let them know if anything's still missing.

Let me post the link for that.

And I think there's some more blog posts or new blog posts we want to talk about this
week.

don't you take us to those, Eric?

Sure, let's highlight a few of them.

The first one, let's talk about PDF generation, bloat and optimization.

This is a blog post by James Moberg comparing and contrasting a few different ways to
generate PDFs using CFML servers.

Good old CF document, CF HTML to PDF and WK HTML to PDF, which if you haven't heard of
that one is actually a separate utility ran via the command line that can also generate

web pages based on WebKit technologies.

So you can go and check out all of his code and how he runs it.

I mean, the answer is WebKit HTML to PDF is faster and smaller file size and seems like
the clear winner to me.

Doesn't have a tag for it.

You can't just say CF blah, blah.

You know you say that, except there is a WK HTML to PDF module on Forgebox that you can
install a wrapper to use that service written by the in-league team, Sam Knowlton and

friends.

So if you're missing the I want one tag to do this, go check out that module.

I got you, Daniel.

I was setting you up.

I remember our team, man, over a decade ago, quickly found that CF document was not gonna
cut it and use that WKHTML to PDF.

And I feel like this falls right in James's wheelhouse as one of his last blog posts we
talked about was about using native CommandBox line tools instead of ColdFusion tags, if

you remember that.

So this just falls right into his wheelhouse, yep.

Thank you for that.

And yeah, use WKHTML2PDF probably.

We have another one from Ben Nadal about HTTP GET and HTTP POST are sufficient for me in
ColdFusion.

so, HTTP in browsers has two verbs, get or post your forms can get or post.

but there are more verbs defined by the HTTP specification, put patch, delete options,
some other ones as well.

the APIs tend to use and that applications can use as well, kind of spoofing it.

A cold box makes this really easy so that you can use all these different verbs and have

In my opinion, all this comes down to opinion, a really nicely tuned API, something that
looks really nice as far as the URL structure goes, organized.

Ben here argues that you know what, the browser can't handle it basically.

It's extra mental weight that you can't use.

It's kind of a leaky abstraction because your GET might mutate a last access date or
your...

delete might just be modifying the flag instead of actually deleting, so why are we
pretending this?

So you get a lot of, can get read for his opinions.

He makes a lot of good points, and I think the biggest point is, know, browsers can't
actually do put, patch, or delete or anything besides get and post, so everything after

that's kind of faking it.

But we also live in a world where APIs are king, and those can support all those verbs.

if you haven't caught on from the way I've been describing it.

I love all the HTTP verbs.

In fact, I have a video I want to throw in there that's one of my favorite talks that I've
ever seen, which is called Cruddy by Design by Adam Wavin.

So we'll throw that in there.

Obviously, this comes down to your organization.

and how you want to structure your application, right?

These HTTP verbs there to help you describe how you want to be organized, right?

One of Ben's posts was, if you need a router, I think you've overcomplicated things.

And for me, like the router is where I live in Coldbox apps.

Like I love that can go to one file and see everything that happens in the app.

So it's a bit of a difference of how you want to structure your apps.

And as he said, the one's not right and the other wrong.

but you can definitely look at both and think, how do I want to structure my app?

So we'll give you a little bit of both sides here.

fair.

I don't think Ben uses a ColdBox And so he might

his own self-built framework, if any.

And I will say early on when I started with Ortus, I've been an Ortus almost four years
now and early on I was working on a project and worth you Eric and you showed me this

cruddy by design video and it blew my mind.

As in of course we should do it this way.

Of course this makes sense.

Yeah, you know the fun thing is, like, I love that talk and I try to build things that way
and then sometimes I don't because it doesn't make sense.

So like, I think Ben had one about that where if you're doing a bulk operation of bulk
delete, you can't pass a body in the delete statement so you do a post.

That's not ideal.

That's what you do.

Sometimes you just, make your code work.

It's fine.

All of our code's held together with duct tape and string anyways.

Best practices are best, except when they're not.

There you go.

Okay, now we do have another blog article, getting the client's IP address using Lucee and
Confusion.

This is by Gregory Alexander.

Basically going through the poll showing different ways of extracting that IP address and
whether it's, know, using the getHttpRequest data, use the CGI variable, but it kind of

goes a little bit further because sometimes your server is behind a load balancer or a
proxy.

And so you can't just grab the IP address because you're grabbing the IP address of that
middle server.

And so you may need look for things like X forward for, because a lot of them will pass
that along.

And so he shows an example of how to grab that.

And then there's a couple others that he talks about, including if you're using X real IP,
some load balancers engine X use that instead.

Or if you have a CF connecting IP key, someone use that for cloud flare.

And so really some nice examples of all the different scenarios you might run into or for
grabbing that real IP address and not the proxied IP address.

I know a while back Gavin created something on Forgebox to kind of say get real IP that
kind of did this, but Gregory went way beyond what Gavin did and I kind of like it.

Basically if you use this, it'll catch every IP and all these different scenarios we
talked about.

And so it's a nice little utility there he's got, or example he's got.

Yeah, as described, it really depends on your technology stack, right?

If you got Cloudflare in there, Fastly in there, know, NGINX, what do you have and what
key it's using?

We have a utility that, you know, I've used because I felt like it was good enough.

Right inside CB Security, on the CB Security model, you can call get real IP and it will
go and grab

like the cluster client IP or the X forwarded for, and then finally the CGI variable.

But it doesn't have those, you know, Cloudflare ones, the Fastly ones.

So you might need to implement your own kind of function based on what is in your
technology stack.

Yep, that's the one I was talking about.

That's on Fordbox.

Gavin put that together.

And get real IP.

now it's, it might still be a Forgebox module, but it is now part of CB Security as well.

So you might not even need to install anything else.

I kind of feel like we should look at the other examples from Gregory and maybe add some
of those.

Yeah, I think the trickiest part will be deciding the order.

But then again, you're probably not using Fastly and Cloudflare, right?

So.

Yep.

And so if you're testing for it to exist and doesn't exist, you ignore it.

So yeah, you're probably not using multiple.

And if you are, then you got issues, I guess.

All right.

Well, thank you everybody.

This is not all of the CFML posts that were through this week, but we only have time to
highlight a few.

So let's move on.

We still have some events that we want to cover.

As mentioned, Into the Box Workshops, April 30th, Conference May 1st and 2nd.

BoxLang 1.0 stable is launching.

You want to be there in Washington, DC.

20 tickets left.

Go buy them, come visit us, we're excited for it.

And for all those that have already bought their tickets, who are speaking, we're very
excited to see you there, it's gonna be a blast.

CF camp a little bit after that May 22nd and 23rd.

This is in Munich Germany a new hotel, but still in Munich You can check it out CF camp
org I Know Luis is going to be there.

I believe Brad is going to be there as well So we have some Ortus representation and some
great talks on BoxLang We hope to see at CF camp if you are on that side of the world It's

a little easier to get to Munich than it is to DC

And finally, coming up in step two.

Cold Fusion Summit 2025, September 22nd, 23rd in Las Vegas with, I believe the 21st and or
the 24th being certification class days where you can go in and get certified.

And do we know if Ortus is doing a workshop around there?

We usually do.

I haven't heard yet.

It still might be a little bit way out.

think, I imagine we're probably waiting to get through ITB and just keep all our focus
there first before we, look beyond ITB.

And then of course CF Camp, Luis and Brad will be there a few weeks later.

So.

And there is a CF Camp Pre-Conference Workshop with Ortus that you can join.

I'll absolutely there be talking about BoxLang.

Yep, it's getting started with the BoxLang runtimes with Brad or Zero the Hero with
Coldbox and BoxLang with Luis.

Excellent.

Okay, that's probably it for our episode today.

thank you to all of our Patreon supporters.

We are grateful to all of those individuals and companies supporting our open source
initiatives like Command Box, Forgebox, and Coldbox, all the other great boxes out there.

Funding the cloud infrastructure that Forgebox runs on in our community site.

You can support us at patreon.com slash Orda Solutions.

You can see all of the sponsors that we have now at ordasolutions.com.

slash about dash us slash sponsors.

So don't forget we do have annual memberships available and pay for the year and save 10%,
which is great for everybody, not just businesses.

Bronze packages, you get a ForgeBox Pro account and the CFCast subscription as a perk.

You get your profile badge community website, private access on the community website and
a private channel on Box Team Slack.

Thanks everyone for joining.

We will see you, let's see, in a couple weeks.

It's going to be BoxLang into the box time.

Are we going to be podcasting from into the box, Daniel?

You know, we're figuring that out.

If we do, it's going be a special podcast.

Normally our next normal scheduled podcast would be May 6th, because we are going to do
the first and third Tuesdays of the month, not in every other week thing, first and third

Tuesday.

So we haven't finalized the box or the into the box schedule, we're hoping to do
something.

You know, maybe a one-off, but

But you don't have to worry about missing hearing us because you're gonna be at Into the
Box.

You're gonna be coming to our sessions.

You're gonna be hanging out at Happy Box.

You're gonna be full of all the time that you would want with Daniel and myself.

And probably more.

Yeah.

smell us, it'll all be good.

Hopefully not smell us.

All right, everybody.

Thanks and have a great rest of your day.

Thanks everybody.