
Is Express.js dying? - creamyhorror
https://github.com/strongloop/express/issues/2844
======
heyadayo
The thread actually represents a discussion between the most active maintainer
(dougwilson) and various employees of IBM who now own and oversee the project,
with a few confused third parties chiming in.

It looks like IBM is making some predictable mistakes, which have
disillusioned dougwilson to some large extent. Simultaneously they are being
fairly inflexible at fixing those mistakes and ultimately forcing abandonment,
at least by dougwilson. My prediction:

1) IBM continues with the typical corporate policies which are probably not
great for the sort of OSS project that involves independent contributors

2) dougwilson leaves permanently

3) the project sort of wallows a bit

4) IBM puts some resources on it, and claims it all worked out.

As to #4, they'll be sort of correct, assuming the goal was to see resources
and progress on express. They'll be wrong if the goal was to properly maintain
an open source community around the project.

NOTE: I don't know anything about this, but I've seen this play out many times
before. I chimed in here because the other comments in this thread seem to be
wildly off topic given the content of the github discussion.

~~~
nailer
This happened with node-inspector for a while: StrongLoop became the official
sponsor, and basic stuff like 'var x = 1; console.log(x)' returning undefined
was left unfixed for years while the company simultaneously used it as
advertising for how great their node contributions were.

~~~
STRML
I've been frustrated with their code on a few occasions. We've seen breaking
changes in patch versions on strong-remoting, PRs rebased out of patch
releases with no explanation (and nobody could figure out why/how), and
intentional abuse of npm's optionalDependencies to track users
([https://github.com/strongloop/loopback/issues/1079](https://github.com/strongloop/loopback/issues/1079)).

This tracking is not only unethical but exceptionally dangerous, as the
dependency is fetched over http, and as we know, npm modules essentially have
full user access as they can spawn any command via the `postinstall` hook. So
a mitm could pose as blip.strongloop.com and own any servers calling out to
it.

I've ended up forking every strongloop package we use to trim this tracking
abuse. I really shouldn't have to do that.
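
The check this comment implies, as an added example that is not part of the original thread or of any StrongLoop code: walk the `package.json` of every installed package and report dependencies that npm would fetch over plain `http://` or `git://`, plus install-time scripts. The package names and the `blip.example.invalid` URL are constructed placeholders.

```javascript
// Added example: audit parsed package.json objects for dependencies fetched
// over an unauthenticated transport and for install-time lifecycle scripts.
// Every package name and URL in SAMPLE_TREE is a constructed placeholder.

const DEP_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// URL specifiers whose transport offers no server authentication or integrity.
const INSECURE_SPEC = /^(?:git\+)?http:\/\/|^git:\/\//i;

function auditManifest(pkg) {
  const findings = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (typeof spec === 'string' && INSECURE_SPEC.test(spec)) {
        // Whoever controls the network path controls the fetched tarball,
        // including its own package.json and therefore its install scripts.
        findings.push({ pkg: pkg.name, kind: 'insecure-fetch', section, name, spec });
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (cmd) findings.push({ pkg: pkg.name, kind: 'install-script', hook, cmd });
  }
  return findings;
}

// Audit every manifest in an installed tree, not just the top-level one:
// the URL dependency usually sits in a transitive package.
function auditTree(manifests) {
  const findings = manifests.flatMap(auditManifest);
  const insecure = findings.filter((f) => f.kind === 'insecure-fetch');
  return { findings, insecure, ok: insecure.length === 0 };
}

// Constructed sample: an app, a framework with a plain-HTTP optional
// dependency, and a native addon with an ordinary install script.
const SAMPLE_TREE = [
  { name: 'example-app', dependencies: { 'example-framework': '^2.0.0' } },
  {
    name: 'example-framework',
    dependencies: { 'example-util': 'git+https://git.example.invalid/util.git' },
    optionalDependencies: { 'usage-beacon': 'http://blip.example.invalid/usage-beacon.tgz' },
  },
  { name: 'native-addon', scripts: { install: 'node-gyp rebuild', test: 'mocha' } },
];

const report = auditTree(SAMPLE_TREE);
for (const f of report.findings) console.log(JSON.stringify(f));
```

In a real project the manifests would be read from each `node_modules/*/package.json`; running npm with `--ignore-scripts` stops lifecycle hooks from executing during install while the findings are reviewed.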

------
pavlov
Maybe there just isn't that much left to do? I've used Express a lot over the
years, and I can't think of anything right now that it's missing. I'll be
happy if it's going to be stable from now on, with no breaking changes.

More fundamentally, I feel the "web framework" doesn't need to be an exciting
piece of the stack anymore, like was the case maybe ten years ago. Routing
URLs and gluing together middleware doesn't need to be "interesting" or
"cutting-edge".

It's great that Express makes it easy, and I'm happy to keep using it
regardless of whether there's a version 5 and 6 and 7 in the works.

~~~
marricks
The discussion brings up that there is some core functionality that should be
added to just have Express keep pace, mainly implementing ES6 changes and
supporting HTTP/2 (which some say should just be a new framework).

Those are not easy maintenance things to do, and certainly are important.

~~~
pavlov
If it were up to me, I'd leave both of those to a different framework.

There's nothing in ES6 that warrants breaking Express's compatibility with
older runtimes. And HTTP 2.0 probably is better off in a new framework that's
designed from scratch for it. (I'm not a great fan of HTTP 2.0 and would
rather see Express unburdened by its complexity.)

------
tjholowaychuk
If done correctly I think this could have been great. Two full time employees
working on the project is far more than it has seen in its lifetime. I don't
think there has ever been even a single full-time person working on it. Lots of
amazing contributions of course though. Hopefully things work out, still feels
a bit more dramatic than it should be.

------
LukeB_UK
While express isn't dying, that thread is a great example of corporate
sponsored/run OSS gone wrong.

------
spdustin
The public airing of their dirty laundry - especially the snark from so many
of the participants - would kill it in my mind. There's no good reason to have
this "open and transparent" conversation devolve into "let me bitch about IBM
here, but don't bitch back at me, keep to IBM-only channels". It's all very
childish. The whole thing should've been on the IBM back channels until they
got their shit together and could agree on some messaging, and if the
maintainer didn't agree with the messaging or how long it was taking to come
up with it, simply fork it into the expressjs org _and leave_. Shouting out
"I'm leaving! I'm going! I really mean it this time!" just seems like ... a
child running away from "mean ol' parents" rather than an open source leader
whose project work speaks volumes. It's tragic to watch this train wreck that
could've been avoided by both sides refusing to posture. Like my father used
to say, "shit or get off the pot, don't keep debating out loud if you're
really going to do it."

Compare it to Linus' openly-hostile dictatorship, which is universally both
reviled and excused by contributors, just for a moment: At least when it comes
to Linux kernel, shit gets done; nobody has to question the commitment of the
project's stewards; and Linus hasn't (that I recall) threatened to take his
toys elsewhere.

~~~
SwellJoe
Linux doesn't seem to be a fair analogy.

If Linux had been, somehow, acquired by a large company (or, at least,
access/edit rights to all of the code repositories and web presence and such),
and Linus had been removed from administrative roles on those repositories and
sites (or asked to remove himself and others), then the comparison would be
fair.

Admittedly, one answer would be to loudly fork the project. That's happened on
a number of occasions. Joomla forked from whatever it was called before a
similar story (Mambo, maybe?). Node.js itself forked into io.js over similar
disagreements (and then people worked those disagreements out).

I suspect some of the back and forth happening is people trying to figure out
if a fork is necessary _and_ if they actually want to be the people leading
the fork (sounds like Doug Wilson does not want to be a leader, but wants to
keep contributing). Contributing heavily to a project is not the same as being
a leader of a project, and it is entirely fair to not want to lead a project,
even if you care strongly about it, and have worked hard on it for a long
time.

~~~
spdustin
I think it is a fair comparison, because I think Linus WOULD loudly (and with
much profanity) fork it and go back to getting shit done rather than hit
slow-mo on a multi-car highway pile-up. EDIT: After further thought, I do see your
point. My comparison was purely hypothetical and has some logical flaws. I'm
literally guessing at how he'd handle losing control of the reins.

My takeaway was that Doug (who, I should clarify/add, I have a lot of respect
for as a hard working OSS guy, but lost a few brownie points from me for this
soap opera) actually did want to lead the community effort: "I ask them if I
can take over the project in order to be the leadership and ensure this gets
moved on," were his exact words. I guess that is an exemplar of why committed
project stakeholders need to get their messaging straight before pointing
fingers: You and I had different interpretations of the actors'
motivations. Nobody wins when fingers are pointing everywhere. At least someone
wins when a stakeholder says, "screw you guys, I'm going to _do what I know is
right_ rather than _vent about what I know is wrong_." EDIT: And to his
credit, Doug did try to mitigate the problems he saw with the project. I don't
know why he didn't take that one last step of trading on his good name and
_fork the project_.

In my opinion, StrongLoop folks are hard working people, more than casually
invested in the nodejs community. Even the controversial npm tracking could be
argued to be a logical act, to help them understand more about how their
projects are used than npm can tell them. Politics (and an unfortunate exit)
got the best of them.

Doug is a hard working guy. And more than casually invested in the nodejs
community. Politics got the best of him, too.

I believe Doug will come to regret his participation in this drama, and will
quietly go back to writing great software and leading great projects, having
learned an important lesson: don't believe for a moment that BigCo gives a
tiny rat's ass about you or your community's sensibilities, just be the best
dev/leader you can be and don't hand the keys to anyone who isn't a trusted
driver. And if they take those metaphorical keys anyway, well then, that's
what forks are for.

~~~
SwellJoe
It's an issue in an issue tracker. Nobody's blogging about it, or doing
interviews in the media. I would consider this a reasonable level of drama for
an issue tracker conversation. Again, I think Doug is probably pushing this in
public (though not dramatically so, again it's an issue tracker which normally
would have a couple dozen readers) as a final last ditch effort to get IBM to
act right. Nothing wrong with taking things public if private conversations
are going nowhere fast, as tends to happen with big corporate takeovers. I
don't think he needs to worry about his messaging all that much; he's not a
marketer, and doesn't seem to be trying to sell anything or get elected to
anything. He's just explaining what's going on, and expressing his frustration
with it.

Anyway, that's how I read it all. I agree that we are interpreting things
differently, and I'm probably missing a lot of detail here. I scanned the
thread and missed some details you've called out. But, I tend to take an
optimistic approach to stuff like this. If someone has proven they're mostly a
"head down get shit done" kinda person, I'm not gonna sweat it when they pop
their head up and rant for a little while when things go pear-shaped. I'd
probably rant, too, if something I was working on was being killed by a
corporate overlord. _Then_ I might decide to fork the thing.

~~~
spdustin
That's a fair implication, that I didn't give Doug all the credit he's due as
a "head down get shit done" kinda guy, so let me correct that: Doug is an
amazing talent, and it's a raw deal that he got sucked into the politics of
this; I hope he's able to move on (FWIW I think his name carries enough weight
that a fork would get attention) and we can all forget the soap opera that
happened on that thread.

------
AustinG08
I've been building an app using Express over the past 9 months and this gives
me pause. It seems like IBM wants to have its cake and eat it too. Should be
interesting to see how it all plays out, but is building an app on Express a
liability? I have been contemplating switching to hapi, maybe this is a good
time to explore that option.

~~~
bryanlarsen
What's giving you pause? According to the link, Express is undergoing
extensive and active development...

~~~
AustinG08
After reading that entire thread, it seems to be that IBM/Strongloop wants to
maintain ownership of the project without contributing the resources. They
expect dougwilson to continue running the project but he doesn't want to
unless it is under the expressjs organization or something like that.

Apparently IBM threw a few guys into discovery on the project a few weeks ago
and they may actively get involved, but it is yet to be seen. Maybe IBM just
wants to own it and doesn't care what happens to the project one way or the
next. I have no way of knowing what IBM's intentions are, and I think that's
the concern of the maintainer, dougwilson.

~~~
ep103
If your comment isn't a good (microcosm-ish) description of IBM and all their
internal incompetency issues in general right now, I don't know what is.

------
yesimahuman
This sure doesn't look like death to me:
[http://npm-stat.com/charts.html?package=express&author=&from...](http://npm-stat.com/charts.html?package=express&author=&from=&to=)

The project is incredibly popular. When it comes to community PRs, it's hard
for people to swallow sometimes but often a PR isn't _good enough_ or doesn't
fit the vision of the project. It's easy to break things in the process of
improving or fixing something, and perhaps Express has hit a bit of a
stability point which is great.

------
bhouston
Pull an io.js, fork it and publicize the fork as the maintained version for
active contributors and then if IBM/Strongloop step up you can re-merge in.

I do think there is increased competition though as well from other
frameworks.

~~~
sintaxi
Don't do this.

~~~
skeoh
Can you elaborate? I don't have an opinion but I am curious to hear why this
might be a bad idea.

------
ebbv
Popcorn aspect aside to the drama in this thread, this is a great example of
how companies should NOT behave in relationship to open source projects. They
simultaneously made the maintainer feel unvalued and like his role in the
project was being held hostage, while sending BS sounding mixed messages to
the community.

------
niftylettuce
Just use koa@next, it's awesome. ES6/ES7 with Babel, Flowconfig, and more.

~~~
LukeB_UK
Another good alternative is Hapi: [http://hapijs.com/](http://hapijs.com/)

~~~
onestone
Hapi might be an alternative to Express (both are outdated callback-style
frameworks), but it's in no way an alternative to Koa.

~~~
l1ambda
Koa middleware are generally more composable and more robust than Express. In
Koa, middleware flows down and up in a stack-like manner with the help of
generators. E.g., in Koa you set an X-Response-Time header like so:

[https://github.com/koajs/response-time/blob/master/index.js](https://github.com/koajs/response-time/blob/master/index.js)

The response time middleware records the start time, then yields to any other
middleware, and finally sets the header.

You just can't do that as nicely in Express. Here is the Express version:

[https://github.com/expressjs/response-time/blob/master/index...](https://github.com/expressjs/response-time/blob/master/index.js)

responseTime has to wait to be called via "on-headers". on-headers is a
separate module that monkey-patches response.writeHead.

The Koa version is 21 lines of code (really just 4 LOC), while the express
version is over 200 LOC.
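
The down-and-up flow described in this comment, as an added example that is not code from either linked repository: a simplified onion-style `compose()` next to a callback-style chain, with the same timer middleware in both. It uses async functions and promises rather than generators, and every function name here is constructed for illustration.

```javascript
// Onion-style composition: each middleware gets next(), which returns a
// promise for everything downstream. compose() is a simplified stand-in
// written for this example, not the koa-compose source.
function compose(stack) {
  return function run(ctx) {
    let last = -1;
    function dispatch(i) {
      if (i <= last) return Promise.reject(new Error('next() called twice'));
      last = i;
      const fn = stack[i];
      if (!fn) return Promise.resolve(); // bottom of the stack
      try {
        return Promise.resolve(fn(ctx, () => dispatch(i + 1)));
      } catch (err) {
        return Promise.reject(err);
      }
    }
    return dispatch(0);
  };
}

// Koa-style timer: code after `await next()` runs on the way back up.
async function responseTime(ctx, next) {
  const start = Date.now();
  ctx.trace.push('timer down');
  await next();
  ctx.headers['X-Response-Time'] = (Date.now() - start) + 'ms';
  ctx.trace.push('timer up');
}

async function slowHandler(ctx) {
  await new Promise((resolve) => setTimeout(resolve, 5)); // simulated work
  ctx.body = 'hello';
  ctx.trace.push('handler done');
}

// Callback-style chain: next() returns nothing, so code placed after it
// runs before an asynchronous handler has finished.
function runCallbackStyle(stack, ctx, done) {
  let i = 0;
  (function next() {
    const fn = stack[i++];
    if (fn) fn(ctx, next); else done(ctx);
  })();
}

function naiveTimer(ctx, next) {
  ctx.trace.push('timer down');
  next();
  ctx.trace.push('timer after next()'); // too early to measure anything
}

function slowCallbackHandler(ctx, next) {
  setTimeout(() => { ctx.body = 'hello'; ctx.trace.push('handler done'); next(); }, 5);
}

const newCtx = () => ({ headers: {}, body: null, trace: [] });
const runOnion = () => { const c = newCtx(); return compose([responseTime, slowHandler])(c).then(() => c); };
const runCallbacks = () => new Promise((resolve) => runCallbackStyle([naiveTimer, slowCallbackHandler], newCtx(), resolve));
```

`runOnion()` resolves with the trace `timer down, handler done, timer up`, while `runCallbacks()` yields `timer down, timer after next(), handler done`, which is why a callback-style timer has to hook the moment headers are written instead.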

------
api
Of course. It's the web, where we rewrite the entire stack every two years.

------
foldr
It's not the cool web framework for Node any more. I don't think it's going to
"die" in the sense that existing express applications are going to be
impossible to maintain any time soon.

~~~
brobinson
What is the current cool web framework for Node? (I'm not a node user at the
moment, but I've seen Express a lot)

~~~
warfangle
Koa is the new hotness.

------
morebetterer
The state of documentation of Express 4 is not great. You have to look at the
source code to see how it really works most times, or read someone's blog
about how it _used_ to work in Express 3 - but no longer does.

Whose decision was it to go from a "batteries included" web server module to
one where users had to assemble a bunch of ad-hoc third party components to
make a usable web server? I'm looking at you, body-parser.

~~~
spdustin
It seems to me that decision grew organically from a feeling of helplessness
over the future of the framework. Take some of the eggs out of the basket,
limit the loss.

Body-parser does have issues, though. :)

------
egroat
Well here is the answer from the guy who is still maintaining it:

[https://github.com/strongloop/express/issues/2827](https://github.com/strongloop/express/issues/2827)

The link is from the fifth comment.

When developing in node it makes a lot of sense to use lots of different
modules for the one project. At work I have a good dozen or so, it really
helps with iteration and testing.

~~~
hayd
> guy who is still maintaining it

without commit access...

------
joshka
We have source code licenses that govern what we can do with the source code
of an open source project. I wonder if it's time to start creating more
explicit licenses for repositories or projects that govern behavior and the
day to day activities of a project - ownership / releases / etc.

Linux would be under the 'Linus Project Governor' model or the LPG... ;)

------
ricardobeat
I'm curious, has this kind of takeover of an open-source project by a
corporation happened before? It is disconcerting to watch people who never had
any involvement start pouring in acting as project owners, considering the
fact that there is no real legal ownership.

------
qudat
I use expressjs with es6 and have zero issues with it. The only thing that is
required from my point of view is a small shim for catching promise errors.

What about es6 isn't compatible with express?

------
applecore
It's simple. Everyone has switched to either Koa (designed by the team behind
Express) or, more likely, a client-side framework like React.

~~~
pluma
I use express because it is the most barebones solution before vanilla
http/https. The middleware API is trivial and relatively agnostic (most just
expect node-style req/res objects and a `next(err?)` callback). The router
does what it is supposed to and allows nesting.

However I would likely choose something different if my needs were different.
If I wanted to implement REST APIs in Node I would use Hapi. If I wanted to
build more complex web apps I might look into Koa (although I don't think I'll
ever move back to classic server-only rendered apps).

Express is my JS equivalent of Ruby's Sinatra and Python's Flask. Nothing
more, nothing less.

Addendum: I wouldn't say "everyone" has switched to Koa. Koa was handicapped
by its conceptual overhead for most ordinary express users in its early days
(relying on a combination of generators and promises -- both not yet
sufficiently widely established and understood technologies at the time -- to
build coroutines, which even fewer people understood). It has improved and the
JS community seems to have caught up (just look what's going on with the Redux
ecosystem -- "thunks" and "sagas" (essentially built around coroutines) are
beginning to see some traction). But it didn't initially deliver the same
"read this tutorial, start building apps" experience express had.

------
jdauriemma
saved you a click: no

------
DrStartup
people still use Express? Koa is where it's at.

------
seivan
Express needs a collection of first party middlewares for logging, strong
params, cookie-jar and etc with extensible ORM ActiveModel for more than
regular SQL, e.g. RethinkDB and MongoDB.

------
bovermyer
Well, that certainly seems to be a ton of drama. I don't want to bad mouth any
of the people involved, regardless of their affiliations, so I'll just say
that I'm not sure what good will come of this spat.

------
ctmkpp
Clickbait. Express.js is not dying. At all. It is being very much actively
worked on by some of the hardest working maintainers and contributors.

Express.js is actually a combination of various modules. If you want to see
the work being done, go to those individual modules.

~~~
DiabloD3
I actually have to agree with this. It seems like some semi-political debate
about how one guy left and they don't like the direction the project is
headed, but it is clearly not dying.

I've flagged it for mod review, I'm not sure if this should be on the front
page, it doesn't seem like it meets the requirements for HN.

~~~
quicklyfrozen
That one guy is the only one currently contributing code (a slight
exaggeration, but very slight).

That info by itself seems HN worthy as many of us have likely used Express as
the "safe" choice when starting a new project. Time to rethink that...

~~~
mikermcneil
Perhaps, but I can assure you that Express 3 and Express 4 are completely
safe. The interface set up by Express is depended on by far too many companies
and other frameworks for that to not be the case -- for instance, even though
Express 3 is officially unmaintained by Strongloop, the Sails core team has
committed to taking over critical patches.

As for the future of Express: I've only had the opportunity to get together
with Doug in person once, but we've talked about this a few times in the past.
I can guarantee you the last thing he wants is drama, so I'll leave the ball
completely in his court there.

I will say this though: keep an eye on Doug's federated projects (jshttp and
Pillar). Whether or not the various pieces are released as Express 5 or not,
the _code base_ is still improving and becoming increasingly standardized,
regardless of the monicker. More on that:
[https://github.com/balderdashy/sails/pull/3235#issuecomment-...](https://github.com/balderdashy/sails/pull/3235#issuecomment-170417122)

------
michaelmcmillan
Frameworks die. It is a fact. Death in this sense means discontinued support
and development. It is not difficult to see how this can render any software
that depends on a 'dead' framework unstable or even broken with time.

I have experienced exactly this multiple times. In fact, I am extremely aware
of this when I start a new project. Perhaps especially when I am dealing with
frameworks like Express, Django or Ruby on Rails.

If I recall correctly, Gary Bernhardt, said it well: "Treat Rails like a
disease and isolate yourself." You can replace "Rails" with any popular
framework. Yourself in this quote refers to the business logic of your
system.

~~~
JustSomeNobody
While I realize it may not be the case here, discontinued development doesn't
necessarily mean death. Sometimes it means "done". I don't think enough
developers get that.

~~~
matwood
Software can only be done if the environment it runs in remains static. Any
software dealing with the web can never be done as the environment it runs in
is constantly evolving.

