-
Notifications
You must be signed in to change notification settings - Fork 5.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deno vs Node.js #11
Comments
I felt like the readme gave me a pretty good idea of the differences between deno and node - is there something specific you were wondering about? |
The main difference is that Node works and Deno does not work : ) The README does give some technical specifics, but at a high level, Deno is about simplifying as much as possible in binding V8 to system APIs - which results in
Finally by using Golang instead of C++ as the binding language - it is much easier to add high-level functionality than it was in Node. EG http2.0 support shouldn't be more than adding some routing APIs and a few messages to the protobuf file. |
You will make it work, I believe in you! Someone creative and the master of all masters you are.. Two people I think they're Gods at small scale of this industry:
Thanks a lot and wish ya good luck! |
@ry Why golang and not rustlang? |
yeah, my question is same as @285858315 , why go not rust? |
It’s a good question - this is a prototype to see if the TS+ url import + message passing is viable. I’m currently evaluating rust and other tech for the next sprint. Update soon. |
If you do try rust. This may be a replacement for parcel. https://github.com/nathan/pax. |
@ry What is the difference between |
@shobhitg where to start... If you want to run TypeScript under Node.js without having to worry about transpiling, then Deno is a full binary runtime which uses V8 (the same as Node.js) but shares little else. By default it only allows read access to the file system and requires explicit permissions for any other access. It can load modules just based on URLs, etc... etc... It isn't Node.js + TypeScript, it is quite a bit different. |
Rust!!! |
Yea instead of go i think Rust is future 👍 Go is good language but for such purpose I think rust suits more. Update: Rust is used :) |
In case anyone comes across this, running TS in node should be done with |
@slikts but that requires webpack etc right? And ts node gives u error, warnings etc which is ignored by babel right? |
It just requires Babel, not webpack, and yes, typechecking would be done separately (by the editor and CI pipeline in a typical workflow). |
@slikts you can try my module https://github.com/kodhework/kawix/tree/master/core if you want something more like |
import { serve } from "https://deno.land/std@v0.36.0/http/server.ts"; Really? Will deno.land being hacked mean all of the server using it becomes ....infected? |
@wenq1 it should be cached and probably they uses hash of original file on lock file and should probably warn you before updating the version? |
@wenq1 Will NPM get hacked (again) everything will get infected? It did Difference is Deno won't let that malware get far because it will block it's access to the filesystem, network, etc, a thing Node doesn't do However simple solution for both cases: import only what you need and know what it does |
Yes, unless you use lock files (look in the manual). In node's case this is even worse: if npmjs.com gets hacked, all npm packages can be infected. |
@lucacasonato Oh yeah, forgot about having all the packages in the world in the same place problem |
I like your reply, but I don’t agree with “setting up permission prevents malware from spreading” thingy. Most developers will probably rely on system permissions to control access. I might be missing something but I don’t see the point of this security feature, not to mention it is slightly off the topic to my concern. Importing an arbitrary url inadvertently has actually got a name: injection attack. That’s why things such as CORS are invented. Voluntarily importing from arbitrary source makes a worse case imho, especially “decentralized” packages (urls) are the “recommended” |
Most developers don't have the knowledge or skills to properly control access of a runtime. When something like Node.js has full access to the file system, full access to the network, etc. without restriction, it becomes really hard to do.
You have been doing this with your browser for ever, though. You haven't gotten every website from the official Google server, where people publish register their websites. |
Everyday, hundreds of times a day you are importing JS modules and scripts from resources all over internet. How many times do you run in trouble with a webpage because it was serving an incorrect file or package? Most likely zero, and if it did happen, you probably didn't even notice. The reality is, Deno is removing an unnecessary "feature" (importing only from NPM) and then adding a layer of security Node didn't have. They might as well be unrelated, since Node doesn't make checks on what you download, it just blindly runs everything. Finally, yes you could serve Deno with a fake module that is intended to do damage to your system. That would have required you to:
And at that point It would be really clear who to blame when something goes wrong. |
It is not a right or wrong debate. Dev experiences are different. At least here in my office importing from random source (in virtually any language we use) will immediately trigger a red alarm, and insisting on doing so will likely result in a love letter.
In fact, nil time over the past 5 years of my experience using nodejs (from its 0.12 dynasty)
If you think simple ”-allow“ switches are you best friends rather the system permission that has been devised and implemented and improved and fine grained over the past decades, what can I say otherwise. |
I never said it was, I just wanted to elaborate on his idea.
As I pointed out, this is not an option in many systems. It won't either allow you to debug your code. Since those permissions are only check on execution time, while flags are check on the compilation step. This are not interchangeable functionalities, butrather some that can complement on each other. |
Do you use NPM? If so then you are indeed downloading from “resources all over internet`. Your package has thousands of dependencies made by random people.
How system permission can help with this incident in any way? |
Formats code according to Unicode Standard Annex #11 rules (https://crates.io/crates/unicode-width). This aligns `deno fmt` more with prettier.
Hi Ryan,
Thanks a lot for your contributions that changed the whole world! You're awesome man!
What is the differences between this runtime than Node.js for a user like me that uses TypeScript with Node?
Can you please write about this point?
Thanks,
Yours,
Islam
The text was updated successfully, but these errors were encountered: