Deno.js in production

The security model is a big one for me. If they could extend the permissions system to work for individual dependencies, they could solve one of the biggest security issues facing developers right now. <i>Especially</i> if policies could also be applied to node packages.<p>Are there any plans to move in this direction? It seems like if you can do it for the full app, you should hypothetically have the capability to make it library-specific. Or perhaps there are non-obvious blockers that make it too hard?<p>If there <i>are</i> plans to do this, isn&#x27;t it better to do it sooner rather than later? Better to get library authors in the habit of specifying permissions&#x2F;policies now while the ecosystem is still small. If you wait too long, it will be a ton of work to retrofit all the existing libs.

I haven&#x27;t had the same success with Deno that I expected. At first, I was shocked by how good the tooling is, and I was super happy with its dependency management. All of the problems started once I started getting into actual business logic.<p>`redis` and `ioredis` `npm` packages don&#x27;t work with Deno, even with the Node compat layer (I tried). So you have to use the Deno driver for Redis. But you look up the library for this, and it&#x27;s experimental: <a href="https:&#x2F;&#x2F;deno.land&#x2F;x&#x2F;redis@v0.25.5" rel="nofollow">https:&#x2F;&#x2F;deno.land&#x2F;x&#x2F;redis@v0.25.5</a><p>Same deal with Postgres. `pg` would not compile at all. Knex also didn&#x27;t work (this was an older project). I&#x27;m assuming this is because these two packages use native Node.js plugins.<p>I like Deno a lot, and the out of the box TypeScript support is a gamechanger, but I had a really tough time working with it and actually being productive.

In the security model section it doesn&#x27;t mention workers. In Deno, workers can be given different permissions. The article suggests having different permissions per file. I think it might be nice to have both but if I could only have one I would want separate permissions per worker. Files aren&#x27;t always split along the same lines that permissions should be split. I would like to be able to control permissions by url prefix though - so some library doesn&#x27;t do more than I want it to. It might mean setting up a worker if I want to make sure it doesn&#x27;t indirectly use more dependencies.

I hoped this article would provide more info than it actually did.<p>For me, a javascript developer that mainly use Node.js for work, Deno is interesting and I want to use it but the hosting part is what prohibits me from using it. In node it&#x27;s easy to run production code with pm2, you can cluster it and it&#x27;s super easy to configure it so that it will run one node process per available core.<p>With Deno, you can&#x27;t do this because there is no clustering available so you kind of have to run it on single core machines to get maximum performance out of your hardware. In other words, on cloud solutions like Deno deploy or a Kubernetes cluster configured to run it on single cpu docker containers.<p>I am not interested in that and as long as it is that way, running Deno is unfortunately a waste of my hardware. Sure there are web workers and they are great for stuff but if my process dies for some reason I don&#x27;t want that to halt the application.

I&#x27;ve been using Deno for a large compiler project I&#x27;ve been working on over the last couple years, and for the most part it&#x27;s been a dream<p>Of course that&#x27;s not the most representative example, because a compiler can almost entirely dodge the ecosystem problem, but I thought I&#x27;d offer it anyway

node.js nowadays is a total disaster. I&#x27;ve been able to hold down the fort with turbo repo, but even then it&#x27;s been a touchy strategy. I want to switch to Deno, and I&#x27;m interested in articles like this. Either that, or, because of the state of nodejs&#x2F;NPM modules, and it&#x27;s ever-increasing surface area of doom and resume driven development node modules, either somehow switch to deno or go back to just HTML and vanilla js. I just can&#x27;t get any work done. I&#x27;m saying this as a developer with 27 years experience and who has written my own server side spidermonkey solution pre-nodejs.

The title is very misleading. Deno is not written in JavaScript and is never referred to as Deno.js in any official sources. Deno is written in Rust.

I&#x27;m surprised the included library wasn&#x27;t front of mind. Perhaps it is implied by comparing to golang.

&gt; Node.js is too easy to get started. This means that the pool of available programmers is not the highest quality. Runtimes like Go or Deno are still havens for the ‘connoisseur’ programmer.<p>wat<p>(Deno seems worth checking out though!)

&gt; ‘Deno’ (like ‘Node’ but backwards)<p>Yeah, no.<p>I wonder if more people just assume that to be true, heh. I kind of was expecting it, weirdly enough.<p>Hint: &quot;node&quot; is &quot;edon&quot; backwards. Not sure if that name is taken for something Javascripty ... * goes to check * yeah, I found [1] which seems to be 4 years old, tagline &quot;Run browser JS in the terminal&quot;.<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;dbkaplun&#x2F;edon" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dbkaplun&#x2F;edon</a>

It is disappointing to see this message as the basics of what the software is on their site (<a href="https:&#x2F;&#x2F;deno.land&#x2F;" rel="nofollow">https:&#x2F;&#x2F;deno.land&#x2F;</a>):<p><pre><code> Deno is a simple, modern and secure runtime for JavaScript, TypeScript, and WebAssembly that uses V8 and is built in Rust. </code></pre> Only to have that immediately followed by really poor practice of suggesting this as the installation method:<p><pre><code> curl -fsSL https:&#x2F;&#x2F;deno.land&#x2F;install.sh | sh </code></pre> This is not strictly related to Deno -- lots of software does this -- but if you&#x27;re going to suggest your thing is more secure than the other guys&#x27; thing (which is implied by calling your thing secure), you shouldn&#x27;t then be immediately throwing that credibility away.<p>Yes, the page offers a link to the &quot;Releases&quot; page at their github repository. However, anyone familiar with any kind of UX will understand immediately that this is effectively burying the link and subtly makes the statement that you don&#x27;t really want to bother with that other way of doing things. They also don&#x27;t provide a gzipped&#x2F;bzipped tarball for the linux install but a zip file instead, adding an additional barrier&#x2F;dependency.<p>I understand this is an area where security is losing the tug of war to ease of distribution&#x2F;access but it pains me to see it on any project, let alone the potentially good ones.