
Show HN: Zero – A fast, zero-configuration server for React, Node.js, Markdown - asadlionpk
https://zeroserver.io/
======
q3k
> File-system Based Routing: If your code resides in ./api/login.js it's
> exposed at [http://<SERVER>/api/login](http://<SERVER>/api/login). Inspired
> by good ol' PHP days.

> Auto Dependency Resolution: If a file does require('underscore'), it is
> automatically installed and resolved. You can always create your own
> package.json file to install a specific version of a package.

This sounds like a security nightmare.

EDIT: to be clear, I don't mean that the combination of both is a security
concern, but that each one of them separately is problematic.

~~~
q3k
Putting my money where my mouth is - use this to leak any file accessible by
the running user of zero from the filesystem:

    # curl -v --path-as-is 127.0.0.1:3000/../../../../../etc/passwd
    root:x:0:0:root:/root:/bin/bash
    [...]

~~~
asadlionpk
Thanks for pointing this out. Fixed this particular bug!

~~~
wesleytodd
Seems like your fix[1] for this is a bit fast. You are already importing
`path` in that file. Also, you can do this with just one `path.relative`.
Lastly, the url package method you are using is deprecated[2].

[1]
[https://github.com/remoteinterview/zero/commit/b4af5325c388e...](https://github.com/remoteinterview/zero/commit/b4af5325c388e21a9bba4c9305c9a61693c73578)
[2]
[https://nodejs.org/api/url.html#url_legacy_url_api](https://nodejs.org/api/url.html#url_legacy_url_api)

~~~
hombre_fatal
A simpler fix might be to canonicalize (i.e. no "..") the public folder path
and the requested file path and then ensure the public path is a prefix of the
other.

~~~
Kalium
Any fix also needs to be sure to resolve any symlinks before doing a prefix
check.

------
joshstrange
My first thought is it doesn't have enough features or too much magic BUT that
is EXACTLY why it shines. I'm not going to build the next FAANG company on
this but it will let me get a backend up and running VERY quickly to test out
an idea. The number of ideas of mine that have been killed in the cradle by
decision paralysis is higher than I would like...

~~~
asadlionpk
Exactly this. One of the aims in starting this project was to remove one more
source of friction when testing an idea. Project configuration and setup are a
big time suck.

~~~
joshstrange
Thank you for creating this! I often find I have an idea and then spend 1-2
hours doing NOTHING towards the idea, trying to future-proof what I'm writing
to the max. That is a trait of mine I need to work on by itself, but "zero"
should help convince me to "just try it with zero before you set up
TypeScript/Angular/Vue/React/Cordova/Express/etc...". I saw your other comment
about making it Apache/PHP level easy, and as someone who came from that
background, when I first saw a query param displayed in the response from
the web (ie: localhost?name=Josh -> Hello Josh!) I was hooked (you can imagine
my reaction when I learned what a database was).

In that vein do you think TypeScript is on the horizon for support? It's not a
dealbreaker by any means but it would be nice to just write .ts files and have
them automatically compiled (transpiled?). I can write JS just fine but TS's
types are a nice sanity check for me.

~~~
asadlionpk
Thanks! I will def move .ts up the list. It should be easy to add.

~~~
mac_was
Great work, if you need any help with it just add requests on github and tag
them as help needed.

~~~
asadlionpk
I just added typescript support. Check it out!

------
BinaryIdiot
"Zero configuration"

But, you can install express, copy paste the getting started code and be up
and running at a similar level in 5 minutes. I...guess I don't understand why
I should trade something super simple and easy to use for this additional
level of abstraction magic.

There is such a thing as too much abstraction.

~~~
franciscop
No, you cannot, not in an easy way. I've taught many people Node.js/express
and they always struggle with all of those copy/pasted configuration bits. Now
if I add them, I tell them something along the lines _This is just magic, copy
/paste it to make your app work. Some day you will understand_.

Once you get used to them it's easy, but to get started it's a nightmare. I
started with PHP back in the day, and even though it's hated around here the
bar to getting started there is amazingly low in a good way.

~~~
Waterluvian
That feeling of discomfort and tinge of frustration means you're learning. I
feel like this is helping people to skip over a really useful lesson.

~~~
franciscop
It means you are getting frustrated, evaluating your life choices and whether
Node.js is really for you. The lesson they get is that Node.js is not for
them!

I prefer those who are new to any webdev to get started by creating a simple
CRUD, not with the grunt details like parsing a JSON body or what is this
session stuff. Those IMHO should be optional optimization details to apply
later on if you wish, but not mandatory for everyone.

------
tathougies
Rule 35: Every year, someone somewhere will reinvent PHP or CGI or some
combination of the two.

~~~
MarvelousWololo
Where can I find the other rules?

~~~
SahAssar
These will carry you over until the "real" ones appear:
[https://spacecraft.ssl.umd.edu/akins_laws.html](https://spacecraft.ssl.umd.edu/akins_laws.html)

~~~
yowlingcat
I want to print these out and share them with past teams I've worked on.

------
rekshaw
This is exactly what I needed. However with great abstraction comes great
responsibility: you are now the gatekeepers of keeping things efficient in the
backend. If I write "require('moment')", will you blindly require, or will you
require, tree-shake, minify, etc?

I guess my question is: can I trust Zero to always strive for optimum
efficiency, or is it just convenience?

~~~
yodon
If your requirements include "optimum efficiency", you almost certainly are
not in the sweet spot for a general purpose zero configuration product.

~~~
rekshaw
I guess optimum/optimal efficiency is a lot to ask for, of anyone, let alone a
convention over configuration framework, but you get my point!

------
marcrosoft
Zero configuration... read "We made choices for you, just trust us. Read our
documentation to see what you're missing. Oh, also since you didn't configure it
we'll change (the defaults) on our next release".

~~~
Vinnl
> Oh, also since you didn't configure it we'll change (the defaults) on our
> next release

That doesn't really matter, since I'll only use the next release for my next
release, and the previous prototype has either been thrown away or turned into
a proper stack.

~~~
lotyrin
I wonder if this is what the people who made the things I have to inherit and
patch and secure believed.

Current app is EOL Framework Release in an EOL Language Release running on an
EOL Distro Release on an unmonitored server without any patches applied... so
business as usual.

------
franciscop
I did something very similar but arguably with even less configuration,
[https://serverjs.io/](https://serverjs.io/)

    const server = require('server');
    server(() => "Place your Node.js API here.");

However my project doesn't have the automatic routing/installing/React, which
looks great! Keep it up, I like the direction where this is going.

~~~
tazard
Hey, that looks cool too. Thanks for sharing it!

------
electrotype
Make a RealWorld.io implementation or it doesn't exist!

[https://github.com/gothinkster/realworld](https://github.com/gothinkster/realworld)

~~~
yowlingcat
This is wonderful. Great antidote to toy framework fatigue.

------
insulfrable
Minimalism has a cost.
[http://npm.broofa.com/?q=zero](http://npm.broofa.com/?q=zero)

~~~
asadlionpk
Standing on the shoulders of giants :)

You will eventually be adding all those packages when you develop a
production-grade React / Node app anyway.

~~~
insulfrable
Perhaps this should be done gradually and thoughtfully, rather than pulling
half the internet into each minimalist app out there.

~~~
progx
Welcome to the world of node.

~~~
wesleytodd
This has nothing to do with node. This is poor programmer decision making. You
can build great node apps with a real minimalist approach. Holding up projects
which pull in half of npm as "the world of node" is like holding up a hot and
ready $5 pizza and saying all Italian food is bad.

~~~
SahAssar
I think the point is that this is almost encouraged in the node ecosystem,
while in most other language ecosystems I know of it wouldn't be.

~~~
wesleytodd
Encouraged by whom? I see the same people who used to install jQuery or
WordPress plugins and were able to get janky but working sites. But prolific
module authors and node core contributors don't promote these approaches.

Maybe if you listen too much to twitter "thought leaders" you might get this
impression, but we are all aware of the problems with social media
platforms...

~~~
SahAssar
Well, considering the amount of dependencies in popular projects like CRA that
was highlighted here a few days ago I don't think it's unreasonable to
extrapolate to the general ecosystem. Of course there are module authors and
devs doing it differently, but in general most node projects I see are more
dependency-happy than projects I see in other languages.

~~~
wesleytodd
Give people a useful tool (npm) and they will muck it up. This is both the
best and worst part of the general node ecosystem. The issue is people saying
things like "that's just node". It is not node, it is the ease of use and
popularity meaning there will be more of these examples. If you care to make
high quality use of the platform and tools you can, but that means not
following the crowd.

~~~
SahAssar
Agreed, but for whatever reason it seems more prevalent in the node ecosystem
than in others (even when comparing high-profile projects).

------
wesleytodd
Wow, I love that people can wrap express and many of its components and end
with something so different from its foundation. That being said, this level
of "batteries included" approach has a cost.

In this example, it is the complexity of this file[1] and the fact that if you
were to write this as a single express middleware you could probably write it
in less than 20 lines.

Guess this is just not my cup of tea?

[1]
[https://github.com/remoteinterview/zero/blob/master/packages...](https://github.com/remoteinterview/zero/blob/master/packages/core/lib/router/index.js)

Edit: also looks like the author decided to wrap their own multi process
model?
[https://github.com/remoteinterview/zero/blob/master/packages...](https://github.com/remoteinterview/zero/blob/master/packages/core/lib/router/index.js#L140-L182)

~~~
progx
Yes, writing an express backend is really simple, some plugins, error-
handling etc. and you can run it in less than 1 hour.

But the frontend with webpack definitely needs more time, hours and hours of
fiddling with webpack to fit your needs. This project has a defined structure
and supports defined modules (react), so it could save you a lot of webpack
config time, but you can not do everything with it. You have to use it as it is.

~~~
wesleytodd
Lol, if the setup on the FE takes hours to fiddle something is wrong with the
choice of tooling. I don't use webpack, so I guess I am just spoiled?

~~~
asadlionpk
The alternative is using parcel. Zero is a server equivalent to Parcel (and
uses parcel internally).

------
joshstrange
People in this thread are way overly negative. I understand this tool as
something to be used for prototyping and locally-only but everyone is jumping
on how insecure it is or how it's got a bunch of dependencies, or it's just
express, etc. None of that matters if you aren't exposing this to the
internet. This is a really neat project that lets you play with something
right away and a lot of you all are bashing the author for things not even in
the scope of the project.

Lastly this has so many upvotes and is #1 on the front page because it's cool,
fun, and perfect for a little prototype or POC. There are a number of positive
comments buried at the bottom but the highest comment is about how this is a
"Security Nightmare".

Edit: Typo and I wanted to add: Not everything posted on HN has to be battle-
tested, scalable, parallelizable, profitable, cloud-ready, secure, etc. It's
the kind of attitude in this thread that keeps people from posting their own
work at all. No one wants to get torn apart; back off and provide
constructive criticism or keep quiet. (Note: advice I have not always
practiced in the past)

Edit 2: Show HN rules
([https://news.ycombinator.com/showhn.html](https://news.ycombinator.com/showhn.html)),
I think this makes my point better than I can.

Show HN

> Show HN is a way to share something that you've made on Hacker News. The
> current Show HNs can be found via show in the top bar, and the newest are
> here. To post one, simply submit a story whose title begins with "Show HN".

What to Submit

> Show HN is for something you've made that other people can play with. HN
> users can try it out, give you feedback, and ask questions in the thread.

> A Show HN needn't be complicated or look slick. The community is comfortable
> with work that's at an early stage.

> If your work isn't ready for people to try out yet, please don't do a Show
> HN. Once it's ready, come back and do it then.

> Blog posts, sign-up pages, and fundraisers can't be tried out, so they can't
> be Show HNs.

> New features and upgrades ("Foo 1.3.1 is out") generally aren't substantive
> enough to be Show HNs. A major overhaul is probably ok.

In Comments

> Be respectful. Anyone sharing work is making a contribution, however modest.

> Ask questions out of curiosity. Don't cross-examine.

> Instead of "you're doing it wrong", suggest alternatives. When someone is
> learning, help them learn more.

> When something isn't good, you needn't pretend that it is. But don't be
> gratuitously negative.

~~~
freedomben
I agree with you about the over-negativity, but I have to disagree about the
value of the "security nightmare" comments. Nowhere on the marketing page
(that I saw) does it say, "prototype/development use only!" In fact I got the
opposite impression. It seems to want to be a new framework. It's critically
important to surface security issues early and often.

There's already a cultural anti-pattern in the js world of just `npm
install`ing stuff and shipping to prod without auditing well (I've heard a
number of times, "well it has like 60 stars on github").

If the project marketed itself as a "development only" or non-production
framework then I'd agree with you 100%. However as it stands it's dangerous
and could lead to extreme compromise of a system if it gets deployed to a
production environment.

That said security-minded people are often inconsiderate and horribly
untactful in their approach. That needs to change. You don't need to be overly
negative to point out a security issue. Something like, "Cool start, but might
want to point out that it's not meant for production!" would be a lot better
IMHO.

~~~
joshstrange
> That said security-minded people are often inconsiderate and horribly
> untactful in their approach. That needs to change. You don't need to be
> overly negative to point out a security issue. Something like, "Cool start,
> but might want to point out that it's not meant for production!" would be a
> lot better IMHO.

Agreed, and I also agree that maybe it should have a tagline about "not
production ready" or even "never production ready". Not sure what the end
goals of Zero are. I will say I thought it was pretty evident that this was
not for production (if only to the sheer amount of "magic" inside) but maybe
that's just me and it should have a disclaimer to that effect.

~~~
insulfrable
Maybe security people are getting tired of inconsiderate developers that keep
shipping bazillions of insecure packages all over mission critical
applications.

Devs need to change their culture. This behavior is actively harming end-users
through repeated data breaches.

~~~
joshstrange
Do you honestly think it is developers' "inconsiderate" behavior that is the
root cause, or even a main factor, in the "repeated data breaches"?

~~~
insulfrable
Partly yes. They certainly have a professional responsibility to write
applications that resist well known attacks, such as directory traversal, xss,
sqli, etc.

This isn't new, and not knowing how to deal with it is like a builder not
knowing how to safely stand up a wall.

------
mighty_bander
My God, the people on this thread. There are people out there, working as
software "engineers," who think that if they can't personally find a vuln in 5
seconds, the system must be secure. How is this #1 on the site right now?

~~~
asadlionpk
I thought that was ‘banter’ in your username.

------
laurent123456
That's pretty cool to quickly put together a POC app. There should be an
"eject" command that would export everything to a "real" Node application,
with package.json and so on, so that the POC can be converted to a real app
easily.

~~~
brillout
Check out Reframe:
[https://github.com/reframejs/reframe](https://github.com/reframejs/reframe)

It's a web framework like Zero Server and Next.js but everything is ejectable.

~~~
bschwindHN
Or alternatively, check out re-frame:
[https://github.com/Day8/re-frame](https://github.com/Day8/re-frame)

It's a web framework with a well-thought-out architecture that you don't need
to "eject" from.

------
miki123211
As others have said before, I think this is amazing for small one offs and
maybe for beginning programmers. I'm afraid that, like all frameworks, people
will start to misuse it eventually. Someone will make a little app with that,
because it's so fast, simple and amazing, right? Later, however, the app will
grow and it will become a maintainability nightmare. The only good thing about
it is that you can easily get out of this framework and migrate to managing
express/node/react yourself, or so it seems. It isn't like rails, where if you
get into it, your app is so highly coupled to it that any escaping is
impossible, even if your app becomes very complex.

~~~
asadlionpk
Escaping and writing a custom node+express+React SSR server for a zero-based
app should be easy. But zero isn't a 'platform' anyway. It's just an
abstraction on common config and some glue code, all open-source so you can
easily fork and improve.

------
IceDane
Who is this for? Is the goal to enable people who don't know what they're
doing at all to make applications?

Maybe at a glance that is a laudable goal, but surely there is a point where,
if you need so much handholding, you should consider either sitting down and
learning what you need or having someone else build it for you.

Newbies? I guess that is possible, but I personally think that actually
learning to use your tools and the libraries that are available should be the
goal. Handing the control of everything to some 3rd party component is
eventually going to leave the beginner with issues they have no way of solving
because they've never had to learn anything.

~~~
jarvuschris
There's a lot of value in removing all the plumbing you typically find at the
start of node project to handle basic things like routing. I'm a big fan of
moving all that "outside" the app

This might seem silly if all you're used to is working on some startup's big
app with a dozen other people, but for small orgs that need to run small
programs for a long time it's a mess to maintain that stuff over the long term
and to count on lone coders in small engagements to get right.

> Handing the control of everything to some 3rd party component

In the cases I describe, this ^^ is a great idea. Keeps maintenance of the
common stuff in a common place. Everyone freaked out in this thread about
there being a way to get at files outside the project root. Well the author
fixed that in one place and now it's fixed for everyone. How many times does
an error like that come up and go undetected and uncorrected when even an
experienced node coder has to copy pasta so much stock plumbing for the 1000th
time to spin up a small service for a small org?

------
photonios
I think this is really nice for when I want to hack together a quick front-end
for something. Once I have a working React/Node.js set up I can really quickly
build something, but what usually stops me is the dozens of packages and
things I need to wire together before I can actually start building something.

`create-react-app` is also pretty good, but this seems to do a bit more. I
really like the simplicity of the set up and the fact that you can also just
whip up an API call or something.

~~~
sametmax
I find that the best thing about create-react-app is the eject feature.

It's an instant tutorial on how this damn mad hatter of an ecosystem works.
They heavily commented the thing too!

Honestly, any lecture on react should have a part where people eject and read
the source code.

------
coolgoose
I am so confused why the 'good old days' of php is a good example of how to do
application development.

Every php framework got away from that for really good measure, including not
having your logic in the server document root.

~~~
slim
> Every php framework got away from that for really good measure, including not
> having your logic in the server document root.

IMHO unless you are building a http daemon, "your logic" should probably not
include routing http requests. Using directory tree, url rewriting or
generally leaving the controller part of your logic to the underlying httpd is
probably fine in most php projects. Note: php frameworks can't do
microservices

------
gjmacd
Why is this any different than say, next.js?

~~~
dzek69
server is down (yay for proof of scalability ;)) so i can't tell for sure, but
it looks like it's derived/based on next.js and comes from the same authors

~~~
dzek69
server is up again and it wasn't the case.

the page and code styling misled me

------
xxandroxygen
this is impressive! I would absolutely reach for this first when scraping
something together quickly. I'd be super interested in seeing numbers for just
how far this can scale before falling over.

~~~
asadlionpk
Currently this is as scalable as a normal node+express app. The aim for now is
to improve the development experience.

~~~
xxandroxygen
Love it, that's what I figured, and I agree with the aim!

------
blunte
Not to sound adversarial, but configuring a web framework tends to be one of
the last difficult or time consuming parts of building a web app or backend in
my experience.

~~~
brillout
If you need SPA then yea it's easy. But when you need SSR it becomes a whole
different story.

Now imagine you want parts of your app to be SPA and some other parts of your
app to be SSR. This becomes super complex. Frameworks like Reframe allow you
to do that. (I'm Reframe's author
([https://github.com/reframejs/reframe](https://github.com/reframejs/reframe)).)

Admittedly, mixing SPA and SSR views in one app is uncommon today but that's
because people are not aware that they can do that. This will change.

------
davish
Looking through the code on github I found a .py file handler in the works:
[https://github.com/remoteinterview/zero/blob/master/packages...](https://github.com/remoteinterview/zero/blob/master/packages/handler-python/handler.js)

Any idea of a timeline on this feature? I think it could be really awesome to
be able to prototype with python in addition to js.

~~~
asadlionpk
The js part (React, MDX, Node) is almost complete. I will put out a basic
handler for python ASAP if that's going to be useful to you :)

~~~
brillout
Reframe author here
([https://github.com/reframejs/reframe](https://github.com/reframejs/reframe)).

This is super interesting, what are your plans regarding this? Super curious.

------
dstroot
Supports the new hotness MDX. JSX/React components _inside_ markdown. This is
awesome for standing something up quickly. Thanks for creating this!

------
gumbo
This is a very cool framework and I will certainly use it for small to medium
sized apps or websites. However, just going through the doc there doesn't seem
to be a way to split components since any file is assumed to be a page. Any
way around that?

Lastly, it’s a shame that the doc link points to github. The doc, as laid out
in github, is a perfect use case for zero.

~~~
bryanlarsen
It seems to me that you should have a folder (www?) that is served by zero,
and a folder (lib?) that isn't. Then files in the www folder can import from
the lib folder.

------
sjroot
Is there any way to "ignore" specific files or directories? For example, I
want to reuse React components across different routes (exposed as jsx files).
However, I don't want `mysite.com/components/Container` to be a valid
endpoint.

~~~
asadlionpk
Yes. It's not written in docs yet but any file or folder starting with _
(underscore) is not exposed publicly. This feature spec is still open for
discussion as on how to tackle it the best.

~~~
sjroot
Check my reply to this comment. The underscore idea was one of the first
things to come to mind too, but I think having a specific file makes it clear
to others who might not understand Zero internals.

~~~
asadlionpk
You are right. A .zeroignore file seems like a good idea.

~~~
jermaustin1
Would that not count as a configuration file though?

~~~
shadofx
You can still configure zero conf frameworks, it's just not explicitly
required for them to function.

------
awb
For markdown based sites, why not statically generate the site? Why render it
on each request?

~~~
asadlionpk
As markdown can be dynamic in this case. (see
[https://mdxjs.com](https://mdxjs.com)). Static 'export' can be a good feature
though.

------
giancarlostoro
The time example reminds me of WSGI for Python. Neat that it supports
templates too.

------
miki123211
> Zero reads credentials from environment variables. Zero also loads variables
> from .env file in your project root, if it's present.

Security nightmare? Can I do myapp.com/.env and read the credentials from the
wider internet?

~~~
chickenfries
Why would you assume that they have this bug? If you’re actually curious if
the bug exists go read the code or try it yourself.

~~~
ozten
Another comment on this page documents this bug on their production website.

------
PerryCox
Having Markdown rendered as HTML is basically all I want when I'm standing up
a single web page or a small website. This is definitely something I'll
bookmark for later.

~~~
scrollaway
Caddy also has native Markdown functionality, by the way.
[https://caddyserver.com/docs/markdown](https://caddyserver.com/docs/markdown)

------
metalrain
While I embrace less configuration, you can't really avoid TLS these days.
There is always configuration, many configurations. Some implicit, some
explicit.

------
html5web
Great job! Took 2 minutes to install and run.

------
benhowdle
Maybe a silly question, but is there anything one needs to consider before
deploying this to, let's say, Heroku?

~~~
dammod
As others have pointed out, make sure to mark files that are not supposed to
be exposed to the client by prefixing them with an underscore, otherwise you'll
have a bit of a security issue. Otherwise, you're good to go.

~~~
benhowdle
Ace! But in terms of running it, how would Heroku know how to, i.e. if there's
no `package.json`, there'll be no `npm run start` defined?

~~~
asadlionpk
This should help:
[https://github.com/remoteinterview/zero#running-on-cloud](https://github.com/remoteinterview/zero#running-on-cloud)

------
hipjiveguy
I for one think this looks great! Keep up the good work and don't get
discouraged!

~~~
arispen
I agree. Fun idea and keep up the good work!

------
leowoo91
So cycle repeats, PHP reborn?

------
renton
I thought we moved away from this sort of structure as an improvement?

------
desmondl
Are there any plans to make this support Typescript in the future? :)

~~~
asadlionpk
Yes. Should be easy! As we are not a typescript shop yet, we might need a hand
with that. Otherwise, I will try to figure it out soon.

------
ihassann
Nice work bro. Seems pretty solid. Congrats from fellow Karachian :)

------
scottmf
Apart from the security concerns this actually looks awesome.

------
LoSboccacc
Weird, how does it know what certificate to get for https?

~~~
asadlionpk
You probably need nginx in front of this.

------
didip
Where have I seen this before... CGI scripts?

------
revskill
How to override default routes, then ?

~~~
asadlionpk
Can you give me an example of a rewrite? Zero already does some rewrites:
[https://github.com/remoteinterview/zero#route-rewrites](https://github.com/remoteinterview/zero#route-rewrites)

------
gyvastis
How's this different from Koa?

------
openbasic
So... 2019's PHP?

------
lugg
At quick glance. Cool. Dig the idea, going to have to take a deep dive to see
how things work later.

I still have to have a giggle at the similarities between what you produced
and what is essentially a PHP/Dom/Apache setup.

The Async wait for initial props before what is essentially a template render
just drove it home.

One key thing missing is an easy wrap around running tests. What would it take
to add this?

~~~
asadlionpk
I started with PHP / Wordpress themes myself and the aim here is to bring back
the simplicity of web development. Def inspired by the PHP/Apache setup.

