Node.js rival Deno emphasizes security

Built on V8 and Rust, the Deno JavaScript and TypeScript runtime requires explicit permissions for file and network access

Node.js rival Deno emphasizes security
Paul Bradbury / Getty Images

Deno, a secure JavaScript and TypeScript runtime devised by Node.js creator Ryan Dahl, is close to a 1.0 release, Dahl said this week. Dahl also elaborated on features in the works for Deno.

Intended to provide a productive, secure scripting environment for the modern programmer, Deno arose from Dahl’s dissatisfaction with the popular Node.js JavaScript runtime, particularly in regards to security. The only major feature still missing is debugger support, Dahl said, adding that the project aims to draw on Chrome Devtools for debugging. 

The to-do list for Deno 1.0 includes the following items:

  • Correct loading and execution of modules, either JavaScript or TypeScript.
  • Support for the Import maps standard for JavaScript via a command line flag.
  • Dynamic import.
  • Support for d.ts files.
  • A mechanism to call into the Rust language.
  • Faster speed for the web server.
  • Loading of TypeScript dependencies in parallel.
  • The addition of signal handler APIs.

Like Node.js, Deno uses Google’s V8 JavaScript engine. While supporting TypeScript, Deno maintains a philosophy of being JavaScript-first, which means Deno does not pass through the TypeScript compiler. The platform thus far has been used only in experiments. Node.js makes more sense for business concerns, said Dahl, who now is co-lead on engineering for Deno.

Dahl suspects the transition to Deno will be akin to the transition from GCC (Gnu C Compiler) to Clang/LLVM, where LLVM saw little usage until it offered feature parity with GCC, and then everyone switched.

The module system represents the most radical change in Deno, Dahl explained. When he built Node, JavaScript did not yet have a module system. Then the web caught up and adopted ECMAScript modules. However, ES modules do not use the NPM package repository as a way to look up module specifiers. The only way to import code when using ES modules in browsers is by specifying a URL.

With Deno, the plan is to use web standard ES modules for modules outside the browser. A side effect is that Deno does not require a package manager; third-party code can be imported via HTTP. Thus Deno aligns server-side JavaScript modules with web standards and allows modules to be hosted on any web server, not just in NPM. The result is that Deno is less monolithic than Node.

The Deno development team publishes internal parts of Deno, which was written in Rust, on crates.io, the Rust package registry. In addition to a deno-core crate there is deno-typescript, which allows developers to compile and “snapshot” TypeScript code. Deno developers also have built a crate featuring raw V8 bindings in Rust.

Weekly Deno releases are made available for Mac, Windows, and Linux.