Could you elaborate on the htmx security holes? I only know about xss attacks, and for those it's trivial to sanitize in the backend.
I too gravitate towards just templating for static or simple interactivity, but for pages that need SEO and interactivity I'm still wondering what's a good solution that doesn't involve SSR and a js framework. For a recent project I had I generated the html in php and sent a lot of pure js for dom manipulation
I'd say that PHP allows you to write very bad code (and makes that the default). It's a language feature.
For example Java has a lot of NullPointerException because it was designed with null and without mechanisms to detect & prevent these errors. Any method can return null and cause a NPE. It's just easy to ignore them. Modern languages like Go, Rust or Zig force you to handle null errors, and make it easy to do so. NPEs are a lasguage feature in Java.
In the same way PHP allows you to write any ugly code you want. There are no checks, no safety. People can write bad code, people can be lazy, people can be stupid. PHP allows it and empowers them.
I used to think that php was a bad language until recently (used php5 when i was just learning to program, cooked some delicious spaghetti). But after 5 years I had to use PHP at work. The language has improved a lot, but I think a lot of the bad parts are still there.
Like, why does stdclass exist? Why not just use associative arrays? Why are there warning, error, fatal errors, exceptions? Some functions throw exceptions, other raise errors, others return false, other fail silently and you have to call another function to check if there was an error (last_json_error). Why do find functions return false instead of -1? Like every other language? Why can't I use strings with numeric values as maps keys? (I can't have ["001" => value], it gets casted to ["1" => value].
There are no generics, you have to use mixed everywhere. The stdlib is an inconsistent mess, some_snake_case, someCamelCase, verb_noun, noun_verb, functions are not namespaced, everything is global. A lot of duplicates: die vs exit, print vs echo, etc. You are forced to use PSR & autoload to be able to use namespaces in a tolerable way, not including_once everywhere. No UTF-8 support, only ascii. You have to manually use mb_ functions. Variable scoping is weird. Variable variables? Why?
And all that is just comparing it to the average language. If compared to a modern language like Rust, Zig, Swift, php is light years behind.
It's not hot garbage, but I wouldn't call it "good". There's laravel, but not much more. PHP still makes you shoot yourself in the foot by default, unless you spend a lot of time learning its edge cases. Just like javascript.
I find that the only reason for SSR existence is to be able to just move a JS frontend to the backend for SEO/client performonce reasons with almost no effort. If the frontend really needs to be highly interactive then yeah, a FE framework makes things easier. But then you are locking yourself to using JS in the backend. Voluntarily locking yourself to use an objectively bad language.
Then there are the react/angular/other people, who build everything in these frontends.
I really hope tools like htmx gain traction, since it looks like a model able to solve the current JS madness.
I don't think that's the case. My country is also big, cities are apart by hundreds of km. But our cities still are dense, there are (almost) no suburbs, and roads are not giants. In my city (2nd largest in the country) the largest roads have 6 lanes. There is only 1 street with 8 lanes. A lot of important busy streets have 4 lanes. Most streets have only 2 lanes.
There are still sidewalks (many streets even have more sidewalk than road), there aren't huge parking lots everywhere, public transportation is everywhere.
I really like donoteat's video for why this is a problem
https://piped.araozu.dev/watch?v=rseaKBPkRPU
It's not about the 'feeling' claustrophobic or not having green areas, it's about the US's obsession with cars and it's consequences in the people
At least it's not a giant macro
Like, downloading the video files with yt-dlp and then uploading them? Or streaming, like what Piped/LibreTube do?
I personally have my own piped server, and don't enter to youtube for anything. The only 2 things it can't do are post comments and see live streams comments. No ads, no tracking, i can do whatever i want without google's permission
Deezer+Deemix -> Jellyfin -> Symfonium
Just to provide counter examples, in arch I can't use the native steam package and play games with proton. It just doesn't work. I think proton expects some ubuntu libraries or something (found something like that while spending 5 hours debugging nfs heat). And even if I manage to fix it, next time I update the system it'll be broken again.
I use flatpak, and everything just works.
However, in arch if something is in the official repo or the AUR i prefer those.
In ubuntu I installed krita and gmic, but it doesn't work. For some reason krita doesn't find the gmic executable. Instead of debugging krita and gmic for hours I just installed the flatpak version, and it just works.
And yeah, app startup went from 5 to 7-10 seconds in krita, and from 1 to 2-3 seconds in firefox. It's not snap, it's 2023, we have SSDs.