Node.js rival Deno emphasizes security

news

Jan 31, 20203 mins

JavaScriptProgramming LanguagesSoftware Development

Built on V8 and Rust, the Deno JavaScript and TypeScript runtime requires explicit permissions for file and network access

runner hurdle jumping racing challenge challenges for 2020 by paul bradbury getty 130409478

Deno, a secure JavaScript and TypeScript runtime devised by Node.js creator Ryan Dahl, is close to a 1.0 release, Dahl said this week. Dahl also elaborated on features in the works for Deno.

Intended to provide a productive, secure scripting environment for the modern programmer, Deno arose from Dahl’s dissatisfaction with the popular Node.js JavaScript runtime, particularly in regards to security. The only major feature still missing is debugger support, Dahl said, adding that the project aims to draw on Chrome Devtools for debugging.

The to-do list for Deno 1.0 includes the following items:

Correct loading and execution of modules, either JavaScript or TypeScript.
Support for the Import maps standard for JavaScript via a command line flag.
Dynamic import.
Support for d.ts files.
A mechanism to call into the Rust language.
Faster speed for the web server.
Loading of TypeScript dependencies in parallel.
The addition of signal handler APIs.

Like Node.js, Deno uses Google’s V8 JavaScript engine. While supporting TypeScript, Deno maintains a philosophy of being JavaScript-first, which means Deno does not pass through the TypeScript compiler. The platform thus far has been used only in experiments. Node.js makes more sense for business concerns, said Dahl, who now is co-lead on engineering for Deno.

Dahl suspects the transition to Deno will be akin to the transition from GCC (Gnu C Compiler) to Clang/LLVM, where LLVM saw little usage until it offered feature parity with GCC, and then everyone switched.

The module system represents the most radical change in Deno, Dahl explained. When he built Node, JavaScript did not yet have a module system. Then the web caught up and adopted ECMAScript modules. However, ES modules do not use the NPM package repository as a way to look up module specifiers. The only way to import code when using ES modules in browsers is by specifying a URL.

With Deno, the plan is to use web standard ES modules for modules outside the browser. A side effect is that Deno does not require a package manager; third-party code can be imported via HTTP. Thus Deno aligns server-side JavaScript modules with web standards and allows modules to be hosted on any web server, not just in NPM. The result is that Deno is less monolithic than Node.

The Deno development team publishes internal parts of Deno, which was written in Rust, on crates.io, the Rust package registry. In addition to a deno-core crate there is deno-typescript, which allows developers to compile and “snapshot” TypeScript code. Deno developers also have built a crate featuring raw V8 bindings in Rust.

Weekly Deno releases are made available for Mac, Windows, and Linux.

by Paul Krill

Editor at Large

Follow Paul Krill on X

Paul Krill is editor at large at InfoWorld. Paul has been covering computer technology as a news and feature reporter for more than 35 years, including 30 years at InfoWorld. He has specialized in coverage of software development tools and technologies since the 1990s, and he continues to lead InfoWorld’s news coverage of software development platforms including Java and .NET and programming languages including JavaScript, TypeScript, PHP, Python, Ruby, Rust, and Go. Long trusted as a reporter who prioritizes accuracy, integrity, and the best interests of readers, Paul is sought out by technology companies and industry organizations who want to reach InfoWorld’s audience of software developers and other information technology professionals. Paul has won a “Best Technology News Coverage” award from IDG.