Highly subjective, but still interesting:
I agree with most of this. I don’t think they are being very fair to Node.js. I think package quality is average. Concurrency in Node.js is also pretty good, considering you rarely have to think about it; plus async / await is pretty nice.
Likely not, as I’m very prejudiced against Node.js …
Some of my experiences:
- a customer built a large Node.js application (they contracted out the development) that they wanted to run on an embedded Linux system. It pulled in tons of packages, some of which required compiling C code, required Python to build, and a whole mess of dependencies. They required a certain version of Node.js which would only compile under one version of Yocto, but this version of Yocto would not run on their “golden” build server, which was managed by their IT department, so there was no flexibility there. This was the genesis of the Docker wrapper for Yoe, as this was the only way I could get Yocto to build on their server, so I guess good things came out of this experience. I could only get an npm install to work natively, so I ended up doing that on a Beaglebone black and tarring up the .node_modules and then using that in the Yocto build. Horrible hacks that could have been done better, but would have required more time than the customer was willing to fund. The end result was an unmaintainable mess of a build system.
- even a few dependencies tend to pull in tons of NPM packages, and the resulting size is often quite large.
- over time, a package.json that worked at one time is often broken for various reasons.
- critical NPM packages have been known to disappear, or contain security problems. This is rare, and considering the size of the NPM ecosystem, probably statistically insignificant.
- I’m not a fan of package repos separate from source. I think the Go method of using GitHub URLs directly is probably more secure as you know exactly what is being used. However, there is always the risk of a GitHub repo being taken down.
My perspective is trying to get stuff running on embedded Linux systems, which is different from those developing web apps, etc. Node.js is difficult to wrangle on desktop systems, but in cross compiled embedded environments, it quickly becomes a monster. Anything can be hacked together and made to work, but implementing repeatable, maintainable builds over a 5-10 year life-cycle is many times more difficult.
Part of the value of software in modern systems is that it can be changed/improved over time. Thus, an important quality is how well this is supported. And this usually gets back to the tooling – compiler, build system, and package ecosystem.