<3 Deno

Feb 12, 2023

Deno is a relatively new JavaScript runtime. I find quite interesting and aesthetically appealing, in-line with the recent trend to rein in the worse-is-better law of software evolution. This post explains why.

The way I see it, the primary goal of Deno is to simplify development of software, relative to the status quo. Simplifying means removing the accidental complexity. To me, a big source of accidental complexity in today’s software are implicit dependencies. Software is built of many components, and while some components are relatively well-defined (Linux syscall interface, amd64 ISA), others are much less so. Example: upgrading OpenSSL for your Rust project from 1.1.1 to 3.0.0 works on your machine, but breaks on CI, because 3.0.0 now needs some new perl module, which is expected to usually be there together with the perl installation, but that is not universally so. One way to solve these kinds of problems is by putting ~~an abstraction boundary~~ a docker container around them. But a different approach is to very carefully avoid creating the issues. Deno, in the general sense, picks this second noble hard path.

One of the first problems in this area is bootstrapping. In general, you can paper over quite a bit of complexity by writing some custom script to do all the grunt work. But how do you run it?

One answer is to use a shell script, as the shell is already installed. Which shell? Bash, sh, powershell? Probably POSIX sh is a sane choice, Windows users can just run ~~a docker container~~ a Linux in their subsystem. You’ll also want to install shellcheck to make sure you don’t accidentally use bashisms. At some point your script grows too large, and you rewrite it in Python. You now have to install Python, I’ve heard it’s much easier these days on Windows. Of course, you’ll run that inside ~~a docker container~~ a virtual environment. And you would be careful to use python3 -m pip rather than pip3 to make sure you use the right thing.

Although scripting and plumbing should be a way to combat complexity, just getting to the point where every contributor to your software can run scripts requires ~~a docker container~~ a great deal of futzing with the environment!

Deno doesn’t solve the problem of just being already there on every imaginable machine. However, it strives very hard to not create additional problems once you get the deno binary onto the machine. Some manifestations of that:

Deno comes with a code formatter (deno fmt) and an LSP server (deno lsp) out of the box. The high order bit here is not that these are high-value features which drive productivity (though that is so), but that you don’t need to pull extra deps to get these features. Similarly, Deno is a TypeScript runtime — there’s no transpilation step involved, you just deno main.ts.

Deno does not rely on system’s shell. Most scripting environments, including node, python, and ruby, make a grave mistake of adding an API to spawn a process intermediated by the shell. This is slow, insecure, and brittle (which shell was that, again?). I have a longer post about the issue. Deno doesn’t have this vulnerable API. Not that “not having an API” is a particularly challenging technical achievement, but it is better than the current default.

Deno has a correctly designed tasks system. Whenever you do a non-trivial software project, there inevitably comes a point where you need to write some software to orchestrate your software. Accidental complexity creeps in the form of a Makefile (which make is that?) or a ./scripts/*.sh directory. Node (as far as I know) pioneered a great idea to treat these as a first-class concern of the project, by including a scripts field in the package.json. It then botched the execution by running the scripts through system’s shell, which downgrades it to ./scripts directory with more indirection. In contrast, Deno runs the scripts in deno_task_shell — a purpose-built small cross-platform shell. You no longer need to worry that rm might behave differently depending on which rm it is, because it’s a shell’s built-in now.

These are all engineering nice-to-haves. They don’t necessary matter as much in isolation, but together they point at project values which align very well with my own ones. But there are a couple of innovative, bigger features as well.

The first big feature is the permissions system. When you run a Deno program, you need to specify explicitly which OS resources it can access. Pinging google.com would require an explicit opt-in. You can safely run

$ deno run https://shady.website.eu/caesar-cipher.ts < in.txt > out.txt

and be sure that this won’t steal your secrets. Of course, it can still burn the CPU indefinitely or fill out.txt with garbage, but it won’t be able to read anything beyond explicitly passed input. For many, if not most, scripting tasks this is a nice extra protection from supply chain attacks.

The second big feature is Deno’s interesting, minimal, while still practical, take on dependency management. First, it goes without saying that there are no global dependencies. Everything is scoped to the current project. Naturally, there are also lockfiles with checksums.

However, there’s no package registry or even a separate package manager. In Deno, a dependency is always a URL. The runtime itself understands URLs, downloads their contents and loads the resulting TypeScript or JavaScript. Surprisingly, it feels like this is enough to express various dependency patterns. For example, if you need a centralized registry, like https://deno.land/x, you can use URLs pointing to that! URLs can also express semver, with foo@1 redirecting to foo@1.2.3. Import maps are a standard, flexible way to remap dependencies, for when you need to tweak something deep in the tree. Crucially, in addition to lockfiles Deno comes with a built in deno vendor command, which fetches all of the dependencies of the current project and puts them into a subfolder, making production deployments immune to dependencies’ hosting failures.

Deno’s approach to built-in APIs beautifully bootstraps from its url-based dependency management. First, Deno provides a set of runtime APIs. These APIs are absolutely stable, follow existing standards (eg, fetch for doing networking), and play the role of providing cross-platform interface for the underlying OS. Then there’s the standard library. There’s an ambition to provide a comprehensive batteries included standard library, which is vetted by core developers, a-la Go. At the same time, huge stdlib requires a lot of work over many years. So, as a companion to a stable 1.30.3 runtime APIs, which is a part of deno binary, there’s 0.177.0 version of stdlib, which is downloaded just like any other dependency. I am fairly certain that in time this will culminate in actually stable, comprehensive, and high quality stdlib.

All these together mean that you can be sure that, if you got deno --version working, then deno run your-script.ts will always work, as the surface area for things to go wrong due to differences in the environment is drastically cut.

The only big drawback of Deno is the language — all this runtime awesomeness is tied to TypeScript. JavaScript is a curious beast — post ES6, it is actually quite pleasant to use, and has some really good parts, like injection-proof template literal semantics. But all the old WATs like

["10", "10", "10"].map(parseInt)

are still there. TypeScript does an admirable job with typing JavaScript, as it exists in the wild, but the resulting type system is not simple. It seems that, linguistically, something substantially better than TypeScript is possible in theory. But among the actually existing languages, TypeScript seems like a solid choice.

To sum up, historically the domain of “scripting” and “glue code” was plagued by the problem of accidentally supergluing oneself to a particular UNIX flavor at hand. Deno finally seems like a technology that tries to solve this issue of implicit dependencies by not having the said dependencies ~~instead of putting everything in a docker container~~.