DEV Community


Discussion on: Say yes to Deno?

Vincent Ha Vinh

What’s up with the sandbox security problem?

Node was designed to “leverage” JavaScript as a real language that can interact with the system.

By saying Node opened a security breach, you’re just saying every computer language is flawed.

Roman Frolov

I think it's less about criticizing Node.js or any other programming language, and more about highlighting a problem that the Deno team addresses.

Saji Wang Author

What I meant with the problem with node and security is that when we use NPM to install a package for our node app, we are not always aware of what is happening. It can in a sense do something unauthorized.
There has in the past been a scandal with NPM packages. If you want to read more on that:

Meanwhile, Deno does not rely on NPM at all.

Steven Trotter

Potentially you could say this is a problem with all modern languages that Deno at least partially fixes. I mean, how do I know if I run some random Python thing from GitHub on my machine that it won't just remove all my documents on my computer, other than it never has happened to me personally? Bad things have happened in Node though, I understand; whether it's their fault or it's the fault of open source software doesn't matter. I could read all the code thoroughly, but that's still no guarantee I'll catch everything (or even anything). Maybe Deno is genuinely breaking new ground here, as with Deno I could deny it the security required to do so. Just because none of the other languages have acknowledged it doesn't mean it isn't a problem.

Steven Guerrero

It is not a thing that Node introduced, but it has been one of the most affected by far, with increasing numbers of malicious packages being published to NPM.

The reality is that when using third-party libraries nobody guarantees they are safe to use, so at least the sandbox gives you the option to debug these issues, something no other system (that I know of) has allowed you to do before.