Hacker News
by neya 98 days ago
One thing that is not stressed enough is that Rails enforces good code patterns early on. If you follow the docs, you will know where model code should be, where helpers should be, where controllers should be. After all, it is an MVC framework.

However, modern-day JS frameworks don't care about this at all. Most of them love flaunting their raw performance numbers. Security? Fuck that. Not even basic form CSRF protection. A lot of the time, there is not even SQL injection prevention in them.

Compound this with someone who just vibe codes their app on top of these frameworks - that's how you end up getting hacked. Every week there is an incident. That's why good frameworks like Rails are very important. People who actually care about writing secure, good quality software are on the decline, but thank God Rails still exists as an option in 2026 despite that.

4 comments

The difference between JS frameworks and RoR/Laravel is the ecosystem cohesion. RoR and Laravel ecosystems employ the RoR or Laravel way of doing things and everything works together very smoothly.

JS solutions are loosely coupled; there are lots of good reasons to do so, but it comes at a major complexity cost.

I agree. Opinionated frameworks are better in this regard.
Eh, there's NestJS and AdonisJS if you want opinionated MVC with lots of built-ins like CSRF and ORMs.

But you can also pick tight packages that do one thing well. Something like oRPC + Drizzle that lets you pipe data from your database to frontend with full typing and cross-boundary go-to-definition while covering most of what Nest and Adonis do with better focused APIs.

And in terms of security, I'll take TypeScript with a strong compiler config any day. For example, I disable: `any`, non-null asserts (no `!`), floating promises without `void` for explicitness, unnecessary conditions, and a bunch of other strict rules. I also use branded types liberally. All of that makes logical errors that can become app-specific security issues (and are thus less readily detected) much less likely to happen. And as a bonus you get really reliable code too.
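As an added example (my code, not from the thread or from any of the frameworks named in it), here is the branded-types pattern the comment above describes, applied to the email-template case that comes up later in this thread: a `SafeHtml` brand that only `escapeHtml` can produce and an `HttpsUrl` brand that only `parseHttpsUrl` can produce, so a raw request field cannot reach the template without passing through exactly one conversion. The type, function and constant names, and the hostile "name" value, are assumptions constructed for the example.

```typescript
// Added example, not code from the thread: branded types turn "was this
// value escaped/validated?" into a compile-time question. Names are illustrative.

// Brands exist only in the type system; at runtime these are plain strings.
type SafeHtml = string & { readonly __brand: "SafeHtml" };
type HttpsUrl = string & { readonly __brand: "HttpsUrl" };

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// The only constructor for SafeHtml: every untrusted string must pass through here.
export function escapeHtml(untrusted: string): SafeHtml {
  return untrusted.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch) as SafeHtml;
}

// The only constructor for HttpsUrl: rejects javascript:, data:, plain http:,
// relative paths and anything the WHATWG URL parser refuses to parse.
export function parseHttpsUrl(raw: string): HttpsUrl | null {
  try {
    const url = new URL(raw);
    return url.protocol === "https:" ? (url.href as HttpsUrl) : null;
  } catch {
    return null;
  }
}

// The template refuses raw strings: a request field cannot land in the HTML
// unescaped, and the link target cannot carry an arbitrary scheme.
export function welcomeEmail(displayName: SafeHtml, verifyUrl: HttpsUrl): string {
  return `<p>Hi ${displayName},</p><p><a href="${verifyUrl}">Verify your account</a></p>`;
}

// Request-handling code has to perform the conversions explicitly and handle
// the failure case instead of asserting it away.
export function buildWelcome(rawName: string, rawVerifyUrl: string): string | null {
  const url = parseHttpsUrl(rawVerifyUrl);
  if (url === null) return null;
  return welcomeEmail(escapeHtml(rawName), url);
}

// Constructed hostile input: a "name" field that tries to smuggle its own link.
export const HOSTILE_NAME = 'Bob</p><a href="https://evil.example/reset">Reset password</a><p>';

// This is what the brand buys you: passing the raw fields is a type error,
// so the mistake is caught by tsc rather than by a bug bounty report.
// @ts-expect-error plain strings are neither SafeHtml nor HttpsUrl
export const rejectedAtCompileTime = () => welcomeEmail(HOSTILE_NAME, "https://example.com/verify");
```

The `as SafeHtml` and `as HttpsUrl` casts appear exactly once each, inside the constructors, which is the property a code review (or a lint rule banning `as` elsewhere) can check; everywhere else the compiler does the enforcement.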

Give AdonisJS a try, it's pretty much the JS sibling of Laravel and RoR.
Adonis is nice, but still young and lacking features. And in my experience very verbose compared to Rails.

That said, absolutely worth a look.

Adonis is over 10 years old... that's like 3 generations in software years, and 20 generations in web/Javascript.

The reason it's lacking features is because it's not very popular and hasn't gotten much outside contribution... I seem to also recall something about the founder being too hostile to outside ideas/suggestions also, but I could be misremembering

Thanks! Never heard of it, definitely will check it out.
JavaScript frameworks just do SSR + Express-style API routes. They don't handle SQL injection prevention because they don't deal with databases at all. CSRF prevention is less important in today's world though.
It's like you're saying SQL injection happens if you're running SQL on the client, so if it's on the server you're fine.

That's not how it works. And I'm fairly sure almost all apps deal with databases, unless they're explicitly static pages.

Edit: SQL injection is about hacking the parameters used in a query. They almost always in some way come from external sources, user input. So they have to be sanitized. It sounds straightforward, but bounties are paid all the time on HackerOne with documented cases of injection. People are very clever.

I've had to patch some verified cases where the hacker used the name field to pass code in and alter links in emails to make it look like they came from our (household name) company.

SQL injection is prevented by using database APIs properly, not sanitizing. Put all the malicious SQL you want in a query string, if it's passed as a bound parameter to a prepared query, it's only ever going to be a plain string.

You might sanitize for different reasons like business logic, but if it's your first line of defense against sql injection, you're already on the losing side.
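To make the distinction in the comment above concrete, here is an added example (my code, not from the thread or from any library it mentions). It builds what the database would receive in both styles: a query assembled with a quote-doubling "sanitizer", and a parameterized query whose `{ text, values }` shape matches what node-postgres accepts, though nothing is executed here. It also covers the caveat a practitioner runs into next: placeholders bind values, not identifiers, so a user-chosen sort column still needs an allowlist. All function, table and column names are assumptions.

```typescript
// Added example, not code from the thread: bound parameters versus "sanitizing".
// No database is contacted; the functions return what would be sent to one.

export interface ParameterizedQuery {
  text: string;      // SQL with placeholders; never contains user data
  values: unknown[]; // user data, transmitted separately as plain values
}

// A typical home-grown sanitizer: doubles single quotes so a string literal
// cannot be closed early. It is correct for exactly one context.
export function naiveEscape(input: string): string {
  return input.replace(/'/g, "''");
}

// Vulnerable: the sanitizer is the only defense, and the value lands in a
// numeric context, where no quote is needed to change the query's meaning.
export function findUserUnsafe(id: string): string {
  return `SELECT id, email FROM users WHERE id = ${naiveEscape(id)}`;
}

// Safe: the SQL text is a constant and the id travels as a bound value, so
// it is only ever data. Postgres would reject "1 OR 1=1" as an invalid
// integer instead of evaluating it.
export function findUserSafe(id: string): ParameterizedQuery {
  return { text: "SELECT id, email FROM users WHERE id = $1", values: [id] };
}

// Constructed attacker input: no quote characters, so the sanitizer does nothing.
export const PAYLOAD = "1 OR 1=1";

// Caveat: placeholders cannot bind identifiers. A sort column or table name
// has to be interpolated, so it must come from an allowlist, never from input.
const SORTABLE_COLUMNS: ReadonlySet<string> = new Set(["email", "created_at"]);

export function listUsersSorted(column: string, limit: number): ParameterizedQuery | null {
  if (!SORTABLE_COLUMNS.has(column)) return null;
  return {
    text: `SELECT id, email FROM users ORDER BY ${column} LIMIT $1`,
    values: [limit],
  };
}
```

The thing to look at is `findUserSafe(PAYLOAD).text`: it is byte-for-byte the same string whatever the caller passes, which is the property you cannot get from any amount of escaping.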

I don't get your point, I'm not saying sanitising user input isn't important, I'm saying these JS frameworks are only concerned with server rendering and routing. They don't provide any tooling for databases like Rails or Laravel do.
JS frameworks are very much in the "full-blown app" category.

As an example, "React is just a view layer" is a purist POV, to me (or whatever the given framework in question is). Next.js, Vercel, Supabase, Lovable, and so on down the line all empower millions of people to ship full-blown apps. We might get carried away with which specific layer is in question, but it doesn't matter if they're always used together to ship millions of (in)secure apps.