Node.js Creator Blasts Node.js, Offers a Secure TypeScript-Based Alternative – InApps Technology 2022

Like Dr. Frankenstein aghast at the monster he’d built, Node.js creator Ryan Dahl voiced some deep misgivings about his server-side JavaScript runtime engine at the JSConf.EU conference earlier this week in Germany.

Dahl created Node for improving the event-driven JavaScript I/O between servers and browsers, and in that regard, it has worked well, Dahl said of his popular open source software. But many parts of the architecture suffer from some naive decision-making on his part, including security and how modules are managed, he admitted.

“Using Node is kind of like nails-on-chalkboard for me,” Dahl said. “I see the bugs that I introduced that aren’t really bugs at this point they’re just how it works but they are bugs and there were design mistakes made that just cannot be corrected now because there’s so much software that uses it.”

But, as any good engineer, Dahl just didn’t simply bitch about something without offering some sort of solution. He introduced a new software project, called Deno, a secure TypeScript runtime on V8 JavaScript engine that sets out to correct some of the design flaws in Node.js

Dahl left the Node work about 2012, just when it appeared to be in a good point of maturity. He was doing work on fast server software, and was using Go, because “Go was a better language for fast servers, and so there was no reason for me to be using Node,” he said. He returned to it only in the last six months, and quickly became mortified by what he experienced.

“It offends my sensibilities. It could have been much nicer,” he said.

While he likes how Node does I/O overall and enjoys its “Unix-y”-like syntax, he has other grave misgivings, particularly around how modules are handled, which was, he admitted “an afterthought.”

His biggest regret was not using promises, an abstraction for working with asynchronous, or parallel, computing tasks. Promises were actually included in an early version of the language but were stripped out soon thereafter, casting countless devs into callback hell.

“I often wished that I had left that in,” he admitted. “It was a rash decision.”

Another regret Dahl had was not thinking about more about security. JavaScript offers a very secure sandbox environment, though Dahl had missed some opportunities for implementing server-side guarantees. But there are cases where you want to run something outside the browser, but not access the local disk. Code linters, for example.

Dahl’s biggest regret, however, is the build system for modules, GYP. “It’s a very funky interface. It’s like a JSON file, but it’s in Python. It’s very terrible. There is just so much unnecessary complexity there,” he said, admitting it is a difficult problem to solve.” He also regrets forcing everyone to compile their modules, against the advice of Joyent Chief Technology Officer Bryan Cantrill, among others.

He candidly addressed other issues as well. Installing Node modules in individual project directories? That was Dahl’s idea. He regrets it. The algorithm for resolving module names? “It’s wildly complex,” Dahl admitted, noting the environmental variable approach adopted by Python and others would have worked just fine.

“It deviates greatly from how browsers do stuff and it’s my fault and I’m very sorry and unfortunately it’s unpossible[sic] to undo now,” he said.

Dahl’s new creation, Deno, was built with all the lessons he learned from Node. He admits that Deno is still in early prototype mode and shouldn’t be used for actual work yet.

Like Node, Deno does event’ed I/O. By default, it does not allow any network or disk access, though users can opt into those options. But unlike Node, all system calls are done through message passing. There is only a single entry-point in and out of the virtual machine, making it much easier to track what is happening. The module system has been greatly simplified, compared to Node.

Best of all, in Dahl’s view, is that it runs TypeScript, Microsoft’s superset of  JavaScript for static type checking. “I love Typescript. It is the best thing. It is very pragmatic and well done and approachable,” he said, noting that it can range from casual projects to highly-structured programs.

“So yeah check it out maybe,” he said of Deno. “I think I’m mildly happy with it.”