

Node.js' success exposes its weaknesses

Paul Krill | Jan. 13, 2017
The server-side JavaScript juggernaut's complexity and vulnerabilities still bedevil many devs

Node.js has been a revelation. Initially received as a curiosity, the server-side JavaScript platform has become a juggernaut, in use by tens of thousands of organizations in more than 200 countries, according to the Node.js Foundation. But for some, the Node.js glass remains half-empty, thanks to several frustrating weaknesses.

Take Gavin Vickery, CTO of web app builder Input Logic. Vickery made the switch to Node.js from Python in 2015, mostly for web back ends. But he soon grew dissatisfied with the promise of Node.js, writing early in 2016 that Node.js was “easy to learn,” especially for those who know JavaScript, but “impossible to master.” He described the Node ecosystem, particularly NPM, as constantly moving. “You’ll never master something that moves at breakneck speed, not to mention the potential of dependency instability.”

Node’s error-handling is also an issue, Vickery said, and callbacks presented problems, with no single standard way to implement promises. “I spent a year trying to make JavaScript and more specifically Node work for our team,” he said. “Unfortunately during that time we spent more hours chasing docs, coming up with standards, arguing about libraries, and debugging trivial code more than anything.” He does not recommend Node for large projects, but feels the platform is adequate for back-end servers that handle WebSockets or act as API relays.
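What the error-handling and callback complaints look like in practice, as an added example that is not from the article or from Input Logic's code: a hypothetical error-first callback API (`lookupUser`, backed by a constructed in-memory store) consumed the callback way, with the common missing `return` that makes the callback fire twice, beside a promise wrapper in which a rejection propagates to a single `catch` and the promise can settle only once. All function names and data are invented for the illustration.

```javascript
'use strict';
// Added example, not code from the article or from Input Logic. It reproduces
// the callback error-handling pitfalls the passage alludes to and shows the
// promise-based rewrite beside them. lookupUser, STORE and checkRole* are
// hypothetical names invented for this illustration.

// Constructed in-memory store standing in for a database or remote API.
const STORE = { alice: { role: 'admin' }, bob: { role: 'user' } };

// Hypothetical error-first callback API in the style Node core and most npm
// libraries exposed; setImmediate simulates the asynchrony of real I/O.
function lookupUser(name, cb) {
  setImmediate(() => {
    const user = STORE[name];
    if (!user) return cb(new Error(`no such user: ${name}`));
    cb(null, user);
  });
}

// Callback style, with two classic defects: the `return` after cb(err) is
// missing, so the callback fires twice for an unknown user (once with the
// error, once with a bogus result), and no try/catch in the caller can help,
// because the callback runs on a later event-loop turn. A throw inside the
// inner callback (e.g. `user.role` on undefined) would be an uncaught
// exception that kills the process, which is why `user &&` guards it here.
function checkRoleCallback(name, cb) {
  lookupUser(name, (err, user) => {
    if (err) cb(err); // bug: should be `return cb(err)`
    cb(null, Boolean(user && user.role === 'admin'));
  });
}

// Promise wrapper around the callback API (what util.promisify does for you).
function lookupUserAsync(name) {
  return new Promise((resolve, reject) => {
    lookupUser(name, (err, user) => (err ? reject(err) : resolve(user)));
  });
}

// Promise style: a rejection propagates through await like a thrown error,
// a promise settles exactly once, and one try/catch in the caller covers
// both the lookup failure and any TypeError the handler itself raises.
async function checkRoleAsync(name) {
  const user = await lookupUserAsync(name);
  return user.role === 'admin';
}

// Drives the callback version and records every invocation of the callback.
function runCallbackVersion(name) {
  return new Promise((resolve) => {
    const calls = [];
    checkRoleCallback(name, (err, isAdmin) => {
      calls.push(err ? `error: ${err.message}` : `result: ${isAdmin}`);
    });
    // lookupUser queued its setImmediate before this one, and both callback
    // invocations happen synchronously inside it, so they are recorded by now.
    setImmediate(() => resolve(calls));
  });
}

// Drives the promise version; every failure funnels into a single catch.
async function runPromiseVersion(name) {
  try {
    return `result: ${await checkRoleAsync(name)}`;
  } catch (err) {
    return `error: ${err.message}`;
  }
}

// Stand-alone demonstration: 'carol' is not in the store, so the callback
// version reports the error and then a spurious `false`, while the promise
// version reports the error exactly once.
(async () => {
  for (const name of ['alice', 'carol']) {
    console.log(`callback ${name}:`, await runCallbackVersion(name));
    console.log(`promise  ${name}:`, await runPromiseVersion(name));
  }
})();
```

The double invocation is the dangerous case for an authorization check: a caller that only looks at the second argument sees `false` for an unknown user and carries on, whereas the awaited version forces the error onto the only path the caller has.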

Another critic, consultant Paul Shan, of the Void Canvas blog, has found issues with Node being single-threaded. “You really have to design your devops things very well to use your server machine properly. I think this is the biggest problem with Node.”

Meanwhile, Snyk is building a business around tending to vulnerabilities in Node.js and Ruby apps. Tim Kadlec, Snyk’s head of developer relations, sees Node’s issues as similar to those of other open source platforms.

“Companies are pulling in code that [is] written by people that they don’t know and code that they are not familiar with,” says Kadlec, referring to NPM and Yarn JavaScript packages. RubyGems have a similar problem, he adds. “I would say that Node potentially has a little bit higher risk just because of the way JavaScript runs,” being event-driven, he says.

Vickery describes the NPM ecosystem as “huge and dead easy,” meaning the ease of publishing packages adds to package noise.

“Anyone can submit a trivial amount of usually untested code as an official package. As soon as it has a decent amount of downloads per day or stars on GitHub, it’s now been vetted and ready for production, apparently,” Vickery says. This leads to the rise and fall of heavily used packages at a ridiculous pace, he adds. “Our team found we often had to switch packages halfway through a project due to development stalling and issues being fixed in a new-and-improved package.”

