21.06.2018

Ryan Dahl’s Node.js regrets lead to Deno

Deno is an in-development secure TypeScript runtime built on the same Google V8 JavaScript engine as Node.js

What might the Node.js server-side JavaScript runtime look like today if founder Ryan Dahl could build it all over again? With his Deno project, a secure TypeScript runtime built on the same Google V8 JavaScript engine as Node.js, we get an idea.

Open source Deno, which is not explicitly compatible with Node.js, is a minimal take on server-side JavaScript. One key difference between Deno and Node is that Deno eliminates the need for a package manager. (Node.js uses the popular NPM package manager.) “There are no packages even,” Dahl said. “You only link to JavaScript files—like you do in the web.” Deno also cannot run Node scripts. It does use TypeScript, which Dahl views as being well-done and approachable. Dahl recently described Deno as being in an “extreme prototype” stage of development and cautioned all but the most diehard technical people against trying it.

In a recent presentation on his regrets about Node.js, Dahl cites security as a missed opportunity to make a server-side runtime that could be secure in certain situations. With Deno, there are several security goals:

  • Use the fact that JavaScript is a secure sandbox. By default, a script should run without file system or network write access.
  • Opt-in access is enabled via flags: --allow-net and --allow-write.
  • Security capabilities let users run untrusted utilities, like a linter.
  • Arbitrary native functions are not to be bound into V8.
  • System calls are done by message passing.
  • There are two native functions: send and recv.
  • Easier auditing is enabled.
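
The message-passing design in the list above can be modelled as a single broker that checks the opt-in flags before dispatching any privileged operation. This is an added illustration, not Deno's code: the Broker class, message shape and operation names are assumptions, and the system calls are simulated.

```typescript
// Illustrative model only, not Deno's source. Broker, Msg, Reply and the op
// names are assumptions; only --allow-net, --allow-write and the send/recv
// pair come from the article.
type Msg = { op: string; args: string[] };
type Reply = { ok: boolean; result?: string; error?: string };

// Each privileged operation names the opt-in flag that unlocks it.
const REQUIRED_FLAG = new Map<string, string>([
  ["writeFile", "--allow-write"],
  ["connect", "--allow-net"],
]);

class Broker {
  private granted: Set<string>;
  private outbox: Reply[] = [];
  readonly audit: string[] = []; // one chokepoint, so one place to audit

  constructor(argv: string[]) {
    // Nothing is granted unless the user passed the flag explicitly.
    this.granted = new Set(argv.filter((a) => a.startsWith("--allow-")));
  }

  // The only way sandboxed code can request a system call.
  send(msg: Msg): void {
    const flag = REQUIRED_FLAG.get(msg.op);
    let reply: Reply;
    if (flag === undefined) {
      reply = { ok: false, error: `unknown op ${msg.op}` }; // fail closed
    } else if (!this.granted.has(flag)) {
      reply = { ok: false, error: `${msg.op} requires ${flag}` };
    } else {
      reply = { ok: true, result: `${msg.op}(${msg.args.join(", ")})` }; // simulated
    }
    this.audit.push(`${msg.op} -> ${reply.ok ? "allowed" : "denied"}`);
    this.outbox.push(reply);
  }

  // The only way results come back to sandboxed code.
  recv(): Reply | undefined {
    return this.outbox.shift();
  }
}

// Convenience wrapper: one request, one reply.
function call(b: Broker, op: string, ...args: string[]): Reply {
  b.send({ op, args });
  return b.recv() as Reply;
}
```

Because every privileged request crosses `send`, the audit log is complete by construction, which is the auditing benefit the list points to.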

Binaries for Deno are in development and are expected in a couple of weeks. The prototype of Deno was built in Go, but Deno is being redone in Rust, to avoid potential conflicts between garbage collectors in Go and V8. Deno also has a C interface.

Other goals for Deno include:

  • Imports reference only source code URLs. Remote code is fetched and cached on first execution and is not updated until code is run with the reload flag.
  • There is a single executable.
  • Browser compatibility.
  • Use as a library to build a JavaScript runtime.
  • Always dies on uncaught errors.

In thinking about how he would redesign a server-side JavaScript system, Dahl had been worried about disrupting the Node.js community. But he believes Node.js is stable enough these days that his actions will not affect it.

Where to download Deno

You can download the Deno code from GitHub.