[glenjamin]

Something this articles glosses over is that some of these approaches, especially the way 'All builds are “locked”' is achieved with minimum version selection, and “A little copying is better than a little dependency” are tradeoffs against an alternative security model, where transitive dependencies are automatically updated to pick up security fixes.

Part of the churn and noise in the Node.js dependency ecosystem actually stems from security-related issues being noted in a low-level module, and the ripple effects caused by that when a bunch of maintainers have to go around bumping lockfiles and versions.

[bigdubs]

There is a deeper strategy here with go vs. node; having a standard library maintained by professionals.

I would rather build on a common set of libraries secured by people who are paid full-time to maintain them, and maybe have slightly worse ergonomics, than have a community of libraries that come and go and have inconsistent quality.

This standard library approach yields fewer dependencies, fewer changes over time, and better consistency between projects.

[kelnos]

The downside of the standard library approach is that things tend to ossify. While I agree that slower change can be a good thing sometimes, putting things like a HTTP server in the standard library means less experimentation around different ways of doing things, and more difficulty getting performance and other improvements into the hands of language users.

Sure, people can make a third-party module that implements a HTTP server, but the incumbent default that's shipped with the language has an inherent (and often unfair) advantage and a lot of inertia behind it.

I don't really care about the whole "professionals" bit. Sure, I don't want to be relying on something mission-critical to me that's maintained by one person doing it in their spare time. But there is a world of possibilities between that and having a dedicated paid team. Consider, also, that the Go team is only funded so long as Go is important to Google's corporate strategy. Once it isn't, funding will start to dry up, and Go will have to look for a new funding and governance model. That's not necessarily a bad thing, and I'm sure Go would still succeed despite that. But that's kinda my point: this whole "maintained by funded professionals" thing doesn't really matter all that much.

[hrns]

Isn't Node API an equivalent of go standard library?

[jgod]

Yes but it's super barebones. Its successor, Ryan Dahl's second attempt at JS runtime, Deno, has a much fuller standard library (inspired by Go).

[tormeh]

I wish we'd stop trying to make broken languages work. This feels like hill-climbing into the strangest local optimum possible. JS is not the best example of an interpreted language. Wouldn't it be better to put Python in the browser than to put JS on the server? Can't wait for WASM to be a first-rate citizen on the web so we don't have to deal with this anymore.

[coder543]

I think you would be surprised to learn that more developers love TypeScript than Python these days, according to one popular survey.[0]

All of this is subjective, of course. WASM isn't going to make Python the language of choice for browsers any time soon.

[0]: https://insights.stackoverflow.com/survey/2021#section-most-...

[tormeh]

I don't think the comparison is entirely fair since one of the main attractions of TS is that it runs in the browser. Python can unfortunately not fill the same role right now. So I'd keep that in mind while looking at that ranking. But yes, I see many people like it. Maybe I'm missing something, but it's still too JavaScript-y for me.

[gmfawcett]

> Wouldn't it be better to put Python in the browser than to put JS on the server?

I think that's a categorical "no", because Python isn't an objectively better language than JavaScript. I'm saying this as a Python developer since v1.5 (>20 years).

Subjective opinions are a different matter.

[bigdubs]

Yes Node.js ships with what is effectively a very thin standard library for some low level things like interacting with the file system, the process model, some security features like TLS.

[tgsovlerkhgsel]

The Fetch API, supported by browsers for over 5 years now, is only now making it into the official Node API https://blog.logrocket.com/fetch-api-node-js/

[maple3142]

Node.js had `http` in its standard library for a long time though.

[dezren39]

so, cathedral vs bazaar

[typical182]

> tradeoffs against an alternative security model, where transitive dependencies are automatically updated to pick up security fixes.

One thing to keep in mind is that Go doesn't stop you from updating.

For example, its common to do 'go get -u ./...' or 'go get -u=patch ./...' from your project root to update all of your direct and indirect dependencies.

The built-in tooling & language server give you nudges, and if desired it can be automated via things like dependabot or otherwise.

In practice, it means it is often a slightly slower cadence for typical projects in the Go ecosystem compared to say the Node.js ecosystem, but the upgrades still happen. That slightly slower pace I think has worked out so far, and was a conscious choice[1]:

> Many developers recoil at the idea that adding the latest B would not automatically also add the latest C, but if C was just released, there's no guarantee it works in this build. The more conservative position is to avoid using it until the user asks. For comparison, the Go 1.9 go command does not automatically start using Go 1.10 the day Go 1.10 is released. Instead, users are expected to update on their own schedule, so that they can control when they take on the risk of things breaking.

[1] https://go.googlesource.com/proposal/+/master/design/24301-v...

[svnpenn]

> transitive dependencies are automatically updated to pick up security fixes

Does Node do this? That seems like an awful idea. People should be manually updating dependencies, never automatically. Stuff like dependabot need to die.

[coder543]

Dependabot gives you an easy way to review every single commit that went into a dependency update before you merge it.

Dependabot is by far the most convenient way that I’ve seen to actually check that your dependency updates are not overtly malicious.

It's not some tool that just removes your lockfiles behind your back, as you seem to be implying.