xiffu,

why node.js makes me uncomfortable
I've always programmed with php for the web and during that time I've never needed to download packages (like npm) and update them. When I needed a specific function, like sending emails, uploading files or making my application drier, I just had to look at the documentation and implement it. But with node.js it doesn't work like that, and that bothers me. If I'm wrong, please correct me.

ono,

You’re not wrong. Dependencies pulled directly from other developers get very little oversight compared to a language’s standard library. They introduce more opportunities for failure and increase the attack surface in your software. (The latter is at the core of the so-called supply chain attacks that have been in the news lately.)

To be fair, the problem is not unique to Node.js. Rust has it too, as does every other platform that encourages developer-to-developer library sharing.

The lesson is to be judicious with your dependencies. Look for the functionality you need in your language’s standard library first, and then in the standard software archive maintained by your target OS. (Packages that are officially part of the major Linux distros, for example.) If you can’t find it in either of those places, consider whether you truly need it, or whether writing a minimal implementation yourself would make sense.

In cases where you really must use some random person’s library, look for one that’s widely used, responsibly maintained, and ideally, small enough that you can keep track of its changes between versions. The responsibility for protecting your users is yours.

xiffu,

my biggest fear in all this is the malware spreading around :/

FooBarrington,

Programmers who don’t use pre-made modules make me uncomfortable. You’d have to spend a lot of time to get a good, well-written and fully test-covered implementation of most things to work - copying functions from PHP documentation comments pretty much guarantees some issues that you don’t know about.

Of course you have to vet your dependencies, but e.g. Symfony modules in PHP are pretty good, no reason to write a worse version yourself.

Pencilnoob,

Node just doesn’t have as many batteries included as PHP does. Sometimes that means PHP is easier to use, other times it’s much harder.

If you need to do something that isn’t in the built in libraries in PHP, now you’re installing packages just like in node. In my experience having worked a lot in both, in bigger projects you’ll be using a lot of third party packages in either language. That being said, I think Node has a bigger, richer ecosystem of packages to choose from.

DmMacniel,

You never used Composer or the like and always built on bare code base? You never used libraries?

You can develop like that with nodejs and bun.sh as well. It’s just quite tedious just like in php.

MrGG,

You’ve never had to do something outside of what is included in the PHP standard library? You’ve never used composer or included a third-party library?

You must dedicate a lot of time to writing things from scratch, things that are already solved (almost certainly better than you or I can ever do ourselves) and can be utilised by using a third-party library / module / package etc.

Node does take things to the extreme sometimes, but often packages are saving you hundreds or thousands of hours a year, so you can focus on overall logic rather than creating an already existing tool for sending high-volume templated email, for example.

breadsmasher,

You don’t have to use modules, you could always implement the functionality yourself instead, the same way you would with php.
