Some guy made a toy for kids who like playing in the “back”. It became so popular and widely played that when he realized the flaws in the first version of his toy, he moved on to make another toy instead. This one is more secured so kids don’t get hurt while playing. It uses the same mechanism used in toys for kids who like playing in the “front” yard, to connect toys together. It comes with other cool features and now kids who have the first version are questioning themselves should they move on too.Nguyễn Việt Đức
How does TypeScript and ES Modules work with Deno?
When node came out, it used commonJS, so you had to use modules from npm. You’d need to download/install it using
const react = require('react');).
This is a non-standard way to require modules from 3rd parties. With ES6 we were able to use import and export (ie
import react from 'react';). Node allows the use of ES6 now but still has to support the commonJS method.
In Deno, you can import directly from a URL. This has massive advantages in development time.
Head over to https://deno.land/std/examples/welcome.ts
It’s a simple TypeScript file that has a single line of TypeScript that looks like this:
console.log("Welcome to Deno 🦕");
If you were to create a file in a deno project directory and use an import statement you can run it directly in your terminal. See my demonstration below:
I know you are thinking “woah this is really not safe”, and I’d generally agree until you find out about security in Deno.
How Secure is this, really?
Deno paves the way for a new security model on servers where everything on the server only has access to specifically what it needs and nothing more and could allow the use of specific servers or scripts for specific rights and permissions. We can have fine grain control for a micro-service architecture.
When your linter is requesting access to files on your computer, you’ll know something is up.Ryan Dahl (not word for word)
In node, you can run any npm package you want and there is nothing stopping it from accessing anything outside of where you installed it. This is a security problem for obvious reasons. NPM packages can have vulnerabilities.
Deno on the other hand has to be given explicit permissions. Here is an example from https://deno.land/std/examples/echo_server.ts
In the same file you created before, change the import url to the link above and then run it.
When you run it, you will see that an error occurs:
error: Uncaught PermissionDenied: network access to "0.0.0.0:8080", run again with the --allow-net flag at unwrapResponse ($deno$/ops/dispatch_json.ts:42:11) at Object.sendSync ($deno$/ops/dispatch_json.ts:69:10) at Object.listen ($deno$/ops/net.ts:51:10) at Object.listen ($deno$/net.ts:155:22) at echo_server.ts:4:23
Deno creates a sandbox for every import. You’d need to run the command with the flag
--allow-net in order to run it. You can see in the example below that it runs without issue:
Basically, it uses a zero-trust model environment and requires you to allow everything to run outside of it’s provided sandbox similar to docker or your browser. This isn’t something you ever think about with Node.
There is nothing on node stopping a package you downloaded from stealing your environment variables, your SSH keys from your computer, etc.
Instead of just trusting a file we downloaded from npm as safe, we can just assume it’s not. When your linter is requesting access to files on your computer, you’ll know something is up. (Partially quoting Ryan Dahl here)
If you navigate to the deno repo’s CLI where the permissions errors would come from (https://github.com/denoland/deno/blob/master/cli/js/permissions.ts) You’ll see a ton of exports for permissions but specifically on line 4 you’ll see a listing of the permisions we can give:
export type PermissionName = | "read" | "write" | "net" | "env" | "run" | "plugin" | "hrtime";
This alone is a rather robust topic that I’ll be diving much further into in future articles but deserves a decent explaination.
Where do you find Modules/packages for Deno?
Since we can use import statements to pull scripts into our code from a URL, we no longer need a centralized location to download and install then import our scripts.
Microsoft owns NPM and while it does a fairly good job, it controls the registry of packages. Anyone can host a file now and that file can be imported directly from a URL which has a lot of great implications.
There is an index listing of community written modules here: https://deno.land/x
I know you are thinking… “how is this different from npm though?” and the answer is that no one organization is able to control how you can download/import these modules and they aren’t centrally maintained.
Does Deno have a Standard Library?
Yes like most languages, deno does.
“These modules do not have external dependencies and they are reviewed by the Deno core team. The intention is to have a standard set of high quality code that all Deno projects can use fearlessly.” (source: https://deno.land/std/README.md)
You can access that library here: https://deno.land/std
How is the tooling different?
Deno comes with built in tooling – with node, you’d need tooling installed from npm such as nodemon, bootstrap, prettier, jest, etc…
A really great part about this in my opinion is that you can share code online and it work exactly the same as the end user. How many of you have taken a course and the course material requires you to use an npm package at a specific version such as
npm i [email protected]?
This completely eliminates the issues revolving around having a package manager and will only get better!
In future articles I’ll discuss more about the various tooling that is available from formating to file access.
Why does Deno have a browser compatible API?
In node we don’t have access to “window” however it does have global. Deno strives to have a browser compatibility API so you can run window.object in deno to access the window just like in your browser.
global doesn’t work in your browser.
Anything that can be done in the browser can be done in deno using
window.obj which is great for front end developers due to compatibility.
fetch is also available in deno (not in node).
By using these web standards, it ensures it’s future in the webspace.
What is the benefit of deno as a single executable?
Over on my first article about deno I shared with you how you can find the executable file for deno which can be shared. I’ll put it here to save you the trouble of clicking over.
Open up finder and press
⌘⇧· to view hidden folders and navigate to
/usr/local/Cellar/ chances are this is also where node is installed. Navigate to
deno directory, then the version number folder (in my case its
1.1.2 at the time of writing this) then open the
bin directory and you should see an executable file called “deno”. Open that up.
When you do, this will open up the command line utilities for deno.
You are now in a “REPL” (Read Eval Print Loop) just like if you ran node or were in the console of your browser.
I hear that Deno handles async and returns promises?
Node sometimes returns a promise but may need help from packages and sometimes it doesn’t but it’s not built in since node was created before Async was released.
Anything that runs a promise in deno, will be offloaded to rust using it’s “rust futures” (basically the same thing as promises in rust). My Last article covered this in detail (http://drewlearns.com/2020/07/01/deno-under-the-hood/).
In the deno documentation it actually has a style guide for creating modules. This didn’t really exist previously through npm where anyone any how can publish a package.
If you gleaned anything from this article – it should be that deno is more secure than it’s predecessor and that there are a ton of advantages that may actually make it worth looking into for certain use cases like banking for example.
In my next article we will talk about deno permissions.
If you found this article helpful, give me a shout on twitter – I’d love to hear from you. @codingwithdrewk. As always, if you found any errors, just highlight it and mash that “R” button on the right side of the screen and I’ll get those fixed right up!