State of the Web: Deno (opens in new tab)

(byteofdev.com)

147 pointsmarkhaslam4y ago114 comments

114 comments

Think of it as Node.js + Typescript, but you don't have to think about configuring the typescript compiler, linter and formatter as everything is bundled in the `deno` binary.

Don't think about syncing that formatting/linting/import aliases configuration with VSCode, all you need is the Deno plugin and you'll get all the benefits of working with TS on VSCode.

Packages are obtained (and heavily cached) from any URL instead of relying on a centralized repository. Obtain your dependencies as you want, whether it's Deno's proxy, directly from raw.githubusercontent.com, your own http server, or any other thing accessible thru an URL.

At the end, the permission system is the least interesting part of the project imho. It's useful, because if you're doing a CLI that just receives stdin, processes it, and prints to stdout, you can block any disk and network access, but apart from that it's really limited because the nature of JS itself. (Maybe for the next trendy language we could think about the Object-capability model before it's too late. https://en.wikipedia.org/wiki/Object-capability_model)

The thing I value the most is consistency and having a fully working development environment out of the box to be productive.

Zababa4y ago

> Maybe for the next trendy language we could think about the Object-capability model before it's too late. https://en.wikipedia.org/wiki/Object-capability_model

There is an object-capability model in the upcoming OCaml 5.0, however it's only in the Eio library, that deals with IO https://github.com/ocaml-multicore/eio#design-note-object-ca.... There's also Emily, a subset of OCaml based on POLA (Principle of Least Authority) https://www.hpl.hp.com/techreports/2006/HPL-2006-116.pdf. I'm unaware of any plain to extend OCaml in that direction though.

synergy204y ago

nice to have ts+linter+formatter together, it took me one or two hours to set up with my own vim(using vite/volar), so it saves me some time.

what I really like a new Node.js(e.g. deno) is actually its module system, I don't like the `npm i` in node.js pulls hundreds of modules, a standard library that contains most commonly needed modules is the key. If deno does not do that, I probably will never try that(as I can have the bundle of tooling done myself in one-or-two hours, vite/volar now makes this even simpler).

In short, I will prefer gold-quality set of modules or APIs(e.g. glibc) to the 100% flexibility "you pull whatever you want freely now even over http URL", for security and stability reasons.

dmitriid4y ago

> I don't like the `npm i` in node.js pulls hundreds of modules

Because modules/packages routinely have dependencies. And their dependencies have dependencies. And...

Deno changes nothing in that regard with one single exception:

> a standard library that contains most commonly needed modules is the key

^ This is the bane of Javascript, yes. But this doesn't mean that having a standard library somehow prevents modules having multiple dependencies and subdependencies.

> "you pull whatever you want freely now even over http URL", for security and stability reasons.

- If you pull your deps from a random URL and that URL goes away, how do you solve that?

- If your deps pull other subdeps from a random URL and that URL goes away, how do you solve that?

- For security, how do you vet what your dependencies keep on pulling from random URLs?

For node, the answer is: run your own registry, and don't load anything from outside. That's how many companies operate. How can this be solved with Deno?

_jplc4y ago

In Deno's case, there are two things:

Deno API, which comes bundled with Deno and is present globally, always, without importing: https://doc.deno.land/deno/stable. Includes basic stuff like stdin, stdout, stderr, file management... etc and standard Web APIs like Fetch API, web assembly interoperability, localStorage, FormData, TextEncoder/TextDecoder, etc.

Deno std lib, an official library that presents what you could expect from a standard library, based on Deno API: https://deno.land/std@0.120.0, but you need to import it, because it's no different than any other module in the wild. Mime types, more encoding options, extended file system management, etc.

2 more replies

andrew_4y ago

That built in linter leaves a lot to be desired. If you're a big big fan of being told how your code should be formatted, then it's a good fit. however, if you're the slightest bit opinionated, you still have to implement ESLint and jump through those hoops.

_jplc4y ago

Right. Personally, I don't think any opinion is more correct than any other in regards to code formatting, so, consistently and collectively choosing one and going forward with it is the way.

goldsteinq4y ago

Deno’s permission system is broken, you shouldn’t rely on it. Deno developers consistently ignore security issues, high priority bugs take months to fix.

https://github.com/denoland/deno/issues/11964

https://github.com/denoland/deno/issues/9750

API-based access control can’t possibly work because it’s nearly impossible to predict the effect of any single permission. For example, “permission to run specific command” makes no sense without checking the integrity of the binary, controlling the environment for LD_PRELOAD-like hacks and evaluating the code of this command for possible escape hatches. If you want to isolate a program, you need to do it on the OS level.

e12e4y ago

I'm not overly concerned that allow-run leads to possible elevation, I'm more interested if:

  > deno run --allow-read=./assets

works as intended - preventing most execution of local code, and prevents writing to disk. I think it's a useful real-world use-case, that is complicated to copy with nodejs.

That said, I think one should still be wary of running random code - but at least deno makes it a little easier for honest authors to adhere to principle of least privilege?

goldsteinq4y ago

Read permission for a specific (non-system) directory is probably fine.

keyKeeper4y ago

So, If I understand it correctly the security issues are at architectural level and not simply bugs?

Is there an alternative tool you can suggest, to allow us securely run arbitrary JS? I was looking at Apple's JavaScriptCore to run JS and and if it happens that I need any level of access to the system(i.e. files) simply handle that in Swift and pass the file to the JS. Would that be a secure approach?

goldsteinq4y ago

Yep, trying to restrict the access to a system on the API level instead of the OS level will inevitably lead to problems like these (Deno is doing worse than it could though).

If you want to isolate your program, you should use an OS-level sandbox like bubblewrap or a lightweight VM like Firecracker. I’m not familiar with Apple’s JavaScriptCore, but if it doesn’t provide any access to the system (and instead relies on passing arguments from Swift code), it might also be a viable approach.

1 more reply

lewisl90294y ago

Re: the first linked issue, does it only affect scripts that require the --allow-run permission in some form? Are the other permission types (--allow-read/write/net/etc) also affect by this or similar issues somehow?

The 2nd issue does seem concerning to have taken so long to resolve.

goldsteinq4y ago

Yes, it exploits `--allow-run=whatever` + `--allow-write=whatever` to execute arbitrary code outside of the sandbox.

The problem with the Deno security model is that it’s hard to predict how granting any specific permission would affect overall security. For example, it may seem to be kinda reasonable for an application to ask for `--allow-write=~/.config` to create config directories & files, but it’s probably exploitable to escape the sandbox. Is `--allow-env` + `--allow-write=whatever` dangerous? I don’t know. If Deno runtime spawns a subprocess at some point, it could be used to execute arbitrary code via `LD_PRELOAD`. Is there a guarantee that Deno runtime will never spawn subprocesses? There is no way to know.

1 more reply

skinkestek4y ago

So, I have a highly upvoted answer below but I'm going to humble myself a bit (smart anyways when I'm wrong and definitely better than having others do it).

I read through your bug reports now.

These are sound and very very useful.

I must admit I pattern matched on your language and answered based on that below and therefore my answer even if it is maybe somewhat(?) correct is extremely wrong in tone and what it implies.

Sorry.

I still think that it would be better if you were somewhat more specific. All in this thread seems to be related to subprocesses, which is a scary thing anyways for anything internet facing, isn't it.

killingtime744y ago

As a non-js dev, is it better than Node?

goldsteinq4y ago

It’s arguably worse than Node because Node doesn’t pretend to provide any security. With Deno you may be tempted to think that permission to run specific command actually means that program can’t run some other command (it can, and doing this doesn’t even require _clever_ hacks: Deno uses binary name instead of the full path in it’s permission system, so you only need to change $PATH for the child process).

1 more reply

eyelidlessness4y ago

> V8 is a sandboxed language

False, V8 is a JS runtime with sandboxing built into its core design. It’s not a language and it doesn’t guarantee sandboxing the JS runtime.

> that makes it impossible

False, breaking out of the sandbox is trivial in environments which allow native addons.

nexuist4y ago

I am very interested in this. Are there existing exploits for deno? Using a stock out of the box configuration, can you execute some code that breaks its permission model?

Has deno undergone some kind of security audit to verify its claims irt security?

EDIT: I see some referenced issues in comments down below involving the --allow-read/write flag. I'm not interested in that. I'm interested in if anyone can prove that with no permissions granted at all, they can break out of the sandbox and achieve ACE.

eyelidlessness4y ago

I think you’d need to either grant permissions (eg allow-ffi) or find a privilege escalation bug in V8 or Deno’s Rust bindings. The latter is less likely for sure. But being realistic, most people using Deno are granting some privileges, because most use cases at minimum do some I/O.

I’m academically interested if there are other such exploits, too. But I’d expect if they’re found they’ll be patched before they’re disclosed (or they’ll be exploited in the wild).

cookiengineer4y ago

Technically correct.

Most Browser exploits these days use Heap Spraying attacks that try to corrupt the state of the sandbox in between bindings and native libraries (or their data structures that are transferred between contexts). So technically, a JIT VM always leads to possibilities for breakouts when there is a discrepancy between the optimizer and deoptimizer's assumptions (e.g. in regards to callstack, garbage, memory ownership etc).

Also: There's a legacy navigator.plugins C-Bridge based API which hasn't been maintained or redesigned/refactored since the late 90s yet it is still active in most Browsers.

pjmlp4y ago

Deno is an interesting experiment, but I don't see it ever replacing nodejs, beyond the nodejs ecosystem eventually adopting it.

It is the usual case of worse is better, and nodejs for better or worse, does it job.

codeptualize4y ago

You are probably right. It would be nice if node adopted it, I agree that it's unlikely to replace, but I do hope it can at least coexist.

I use Deno mainly for simple scripts with Typescript. In nodejs I always find myself having to configure the environment, while in Deno it mostly just runs.

I also like the Deno standard library.

tmikaeld4y ago

I beg to differ, Deno adds some fire to quality modules becoming the better norm for javascript on the server-side, smaller, faster, purpose-made modules and frameworks that don't rely on thousands of dependencies.

Of course, it's up to each and every developer that contribute, but looking at some of the most up-stared Deno modules, that's the direction it's heading.

Griffinsauce4y ago

> smaller, faster, purpose-made modules and frameworks that don't rely on thousands of dependencies.

This isn't necessarily enforced by Deno itself right? That seems like more of a side-effect from the self-selection of its users. Once the ecosystem grows and the all the "normies" come in, this doesn't seem guaranteed at all.

1 more reply

forty4y ago

My understanding is that one of the goal of deno is to be more compatible with the Web. As a backend only dev I don't find that great, I rather have clearer separation between quality backend modules and shitty 100-dependencies web modules ;)

Also I don't want smaller modules. I want bigger and better maintained modules with few dependencies. Small modules is what makes npm ecosystem not that great.

4 more replies

dmitriid4y ago

"smaller, faster, purpose-made modules" directly leads to "thousands of dependencies".

pjmlp4y ago

My relevant stars are what IT decides to install on devenvs or is part of RFPs technical requirements.

forty4y ago

Exactly. I think whatever actualy good idea deno might come up with will eventually be adopted by nodejs, which will make deno less relevant.

tomxor4y ago

NodeJS's ecosystem looks like more of a liability and less of an asset to me each passing day.

This perspective is making Deno feel easy for me to jump to for my next backend project, now that I'm actively fighting against dependencies.

pjmlp4y ago

On my own private projects, I just do classical SSR inclusion of JavaScript libraries in Java and .NET frameworks and SCRIPT tags.

I don't even care nodejs exists.

wruza4y ago

I'd like to use some modern common ground for js/ts development, but the entire toolchain is not ready for this, somehow turning it into chicken/egg problem. Typescript, webpack, babel contribute to that. For last 10 days I tried to pull my generic project as much to the top as I could^, but modules are still commonjs, because to use imports I have to "type":"module" in package.json, which makes webpack.server.config.ts fail because typescript is not ready for type:module until 4.6. I can't even recall now what's with Babel, I guess the same issue, since I'm using it to strip types in development builds. And then there are modules from ESM movement which are incompatible with this state of things. I understand their idea that nothing will move if not kicked further, but I hate it in real production where I can't upgrade because the author said so. Once ESM transition will be done, Deno will get much more modules, I believe. But right now the friction is unbelievable. Idk why they can't just allow all of the things like imports, requires, sync/async, side effects thing at least for a while, to cooperate. It's a matter of a form, not of a content. And there is no reason seemingly why nodejs couldn't make main.js async by default — sync modules would return a resolved promise. There is so much circus in all of that, which makes you pull hairs for weeks of a setup process.

^ I'm bundling server-side for hmr/watch functionality in a monorepo with many cross-side shared code/modules.

nikanj4y ago

I tried doing Advent of Code in Typescript, and spent entirely too many hours googling circular problems like "I can't use type:module because then ts-node can't load .ts files anymore, but if I don't use it, then require-statements are broken, but ...."

I don't even remember the details, but I remember it all feeling very rickety. I'd never push anything that fragile into production, it didn't even survive 25 days of doing small puzzles without constant nursing

wruza4y ago

Yep, the same experience and conclusions. I'm afraid of using this in production, because chances are some of the major players would say "well, I'll just kick the can down the road", and I will be dependency-deadlocked for all the time it's in the air.

Meanwhile guys like node-fetch and chalk ask us why don't we just adopt ESM.

jcelerier4y ago

Reading that makes me so happy to just have to open QtCreator, hit "new project" and get rolling

wruza4y ago

You can do that with nodejs too, e.g. edit package.json and main.js in vscode, hit hotkey to npm install hit hotkey to run node ./main.js. This is what I'm doing at the day job.

What I'm trying to do there is to have a client and server in the same ./src, hot-reloaded module-wise on "save" only when a relevant part changes, and vscode to typecheck both at the same time. The language similarity is also a goal. It's a little more than just a traditional lazy-compile-restart cycle.

Non-monorepo non-ts-only guys do not experience my issues, because they only have one environment per project (or per src-<target>), and don't try to make their build configs incompatible with other parts of a build system. I tried to push it as far as it could go to evaluate the state of things for writing non-standard slightly different web apps. To make a ts-react app, they just use CRA, for a backend they just use node main.js.

But anyway this shows how interdependent this ecosystem is, instead of being full of orthogonal possibilities.

pier254y ago

I still miss being able to do that with Flash.

u-rate4y ago

Love Deno. So much much more intuitive and simple than Node. I highly recommend you giving it a try, if you used Node before, Deno will be a super easy to learn tool.

numlock864y ago

> So much much more intuitive and simple than Node.

Can you elaborate?

u-rate4y ago

- No package.json or other config files - web compatible where possible (es6 import, fetch…) - native ts/js/tsx/jsx

Overall, it just makes sense. It feels like you’re using one syntax for front and backend instead of having to use two different ones.

bartkappenburg4y ago

Offtopic but this webpage disables my bottom navigation bar on mobile safari, their own navigation on top re-enables this. Has anyone else experienced this?

dmitriid4y ago

I experienced the same issue

andrewmcwatters4y ago

Now instead of npm packages abusing SemVer unless you use non-default --save-exact behavior as an attack vector, we can import modules from URLs without subresource integrity unless you use non-default lock file behavior! Great! We learned nothing!

Soremwar4y ago

Hence why developers always recommend to use immutable sources when importing modules

andrewmcwatters4y ago

The web isn't immutable.

1 more reply

Waterluvian4y ago

Deno’s import system is near at first until you are repeating yourself everywhere, so you do what they suggest and make a file of import URLs and now you have your own package.json format.

a99c43f2d5655044y ago

Node.js fully supports ECMAScript modules as they are currently specified and provides interoperability between them and its original module format, CommonJS. Authors can tell Node.js to treat JavaScript code as ECMAScript modules via the .mjs file extension, the package.json "type" field, or the --input-type flag.

dmitriid4y ago

Mentions security and then completely glosses over security in the section on "yeah, we load random modules from URLs but it's okay because most Deno registries are immutable and we cache files"

norman7844y ago

If you care about security you will have setup your own node package registry with a curated/audited list of dependencies, then you need to point to the registry for the dependencies and maintain the registry.

With deno it should be easier to do this, you setup your own cdn, just upload plain js files and point it from your import map[1], the browser will take care of download/cache them all.

[1] https://wicg.github.io/import-maps/

dmitriid4y ago

> If you care about security you will have setup your own node package registry with a curated/audited list of dependencies, then you need to point to the registry for the dependencies and maintain the registry.

Exactly. And it's quite easy to do.

> With deno it should be easier to do this, you setup your own cdn, just upload plain js files and point it from your import map

I was waiting for the inevitable just.

- Just set up your own CDN.

- Just upload a plain js file there (where do I get those files from?)

- Just point to dependencies using a feature that, quote "is not a W3C Standard nor is it on the W3C Standards Track"

- And then the browser... record scratch who said anything about a browser?

lucacasonato4y ago

And we have lock files to verify integrity. This is no different to module loading in Node. If you don’t trust your registry, you should not be loading code from it!

dmitriid4y ago

> And we have lock files to verify integrity.

Where do you et these lockfiles files from?

> This is no different to module loading in Node.

This is very much different from module loading in Node: https://news.ycombinator.com/item?id=29871936

> If you don’t trust your registry, you should not be loading code from it!

So you immediately pinpointed the difference: with Node I can run my own registry and easily set up npm/yarn to never load packages from anywhere else. Deno loads code from random urls.

3 more replies

afiori4y ago

there is not really a difference between a url to a registry and a npm package name.

the different approach would be yarn's saving zipped versions of packages, I don't know if deno supports it

dmitriid4y ago

> there is not really a difference between a url to a registry and a npm package name.

There is. For starters, I can run my company's registry and make sure all npm packages are downloaded from there since resolution mechanism for npm/yarn is well known.

How do I tell deno to download <random-url> from my own registry?

Looking at how deno "solves" this I can't stop laughing [1]

--- start quote ---

In Deno there is no concept of a package manager as external modules are imported directly into local modules. This raises the question of how to manage remote dependencies without a package manager. In big projects with many dependencies it will become cumbersome and time consuming to update modules if they are all imported individually into individual modules.

The standard practice for solving this problem in Deno is to create a deps.ts file. All required remote dependencies are referenced in this file and the required methods and classes are re-exported. The dependent local modules then reference the deps.ts rather than the remote dependencies...

With all dependencies centralized in deps.ts, managing these becomes easier.

--- end quote ---

Are you for real?

[1] https://deno.land/manual/examples/manage_dependencies

greggman34y ago

There is one difference. I know npm keeps published versions. I don't know that random URL keeps versions. Caching locally doesn't help. I expect my code to work for others. Of course using any source is nice. node also allows this, just put a git URL as your dependency.

1 more reply

Kiro4y ago

I prefer CommonJS. It's so simple. You assign the dependency to a variable and that's it. I still need to look up the syntax every time I use ESM.

tehbeard4y ago

> You assign the dependency to a variable and that's it

erm, how is that any simpler than `export const/function/class $defintion` ?

I guess if you only touch JS once in a blue moon it's difficult to remember?

Also CommonJS has some acknowledged issues around cyclic dependencies, and being incredibly fudgeable at runtime that makes static analysis and linting a pain.

afiori4y ago

it is simple to write, it is not simple at all how strings are converted into paths.

honestly tough, esm is more complex than it should (especially regarding how live exports happen)

galaxyLogic4y ago

Why is it that ES6 modules load only asyncly but Node.js CommonJS modules only syncly?

I find sync is often simpler to code for.

eyelidlessness4y ago

Because the ESM standard specifies that modules are loaded by URL and themselves might initialize async. Once anything is async the whole call stack into it is. See also various discussions of “colored functions” which have made the rounds again recently.

wtfrmyinitials4y ago

This is inaccurate, or at least misleading. Your code doesn’t begin executing until all of the modules are loaded so it doesn’t “make the call stack async” just because of the import system. Module loading that’s async from the point of view of user code is also supported, but it’s use is rare.

1 more reply

wruza4y ago

Why doesn't nodejs just make modules async?

  // main.js
  const fs = require("fs")
  const foo = await require_async("foo")

  await foo.sleep(1000)

  // other.js
  require("./main.js")

  // RequireError: main.js returned an unsettled promise, use require_async()

Wouldn't that be better of both worlds?

1 more reply

jsmith994y ago

Node modules are usually on the local filesystem and load quickly, whereas loading an ES6 module in a browser requires a network trip.

galaxyLogic4y ago

Right. Working with Node.js I assume all dependencies are on the local disk. And that makes it simple and straightforward to use "require" in Node.js.

But sometimes I'd like the same code to work also in the browser. Then I should be using ES6, but it doesn't work very smoothly with Node.js and I fear there may be complications if I have to wait (or "await") for the modules to have loaded.

The ES6 "dynamic imports" add more considerations to the mix. Surely their exports can not be used until "await" is over?

I think it would simplify things if I didn't have to choose between module-systems when I really just want to choose between sync and async.

minroot4y ago

Wanted to install deno via cargo. It failed due to having low amount of memory while building V8.

lucacasonato4y ago

How much memory do you have? It should use a prebuilt version of V8 by default to speed up the build process.

minroot4y ago

I think it did that, if i remember correctly, the error message was from the linker.

minroot4y ago

My laptop has 4GB of memory and 4GB of swap space on a 1TB of harddisk.

j / k navigate · click thread line to collapse