Ryan Dahl’s Node.js regrets lead to Deno

What might the Node.js server-side JavaScript runtime look like today if founder Ryan Dahl could build it all over again? With his Deno project, a secure TypeScript runtime built on the same Google V8 JavaScript engine as Node.js, we get an idea.

Open source Deno, which is not explicitly compatible with Node.js, is a minimal take on server-side JavaScript. One key difference between Deno and Node is Deno eliminates the need for a package manager. (Node.js uses the popularNPM package manager.) “There are no packages even,” Dahl said. “You only link to JavaScript files—like you do in the web.” Deno also cannot run Node scripts. It does use TypeScript, which Dahl views as being well-done and approachable. Dahl recently described Deno as being in an “extreme prototype” stage of development and cautioned against all but the most-diehard technical people from trying it.

In a recent presentation on his regrets about Node.js, Dahl cites security as a missed opportunity to make a server-side runtime that could be secure in certain situations. With Deno, there are several security goals:

• Use the fact that JavaScript is a secure sandbox. By default, a script should run without file system or network write access.
• Opt-in access is enabled via flags: --allow-net and --allow-write .
• Security capabilities let users run untrusted utilities, like a linter.
• Arbitrary native functions are not to be bound into V8.
• System calls are done by message passing
• There are two native functions: send and recv.
• Easier auditing is enabled.

Binaries for Deno are in development and are expected in a couple of weeks. The prototype of Deno was built inGo, but Deno is being redone inRust, to avoid potential conflicts between garbage collectors in Go and V8. Deno also has a C interface .