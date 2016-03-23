Hacker News new | comments | show | ask | jobs | submit login
Javascript is a buffet, not the enemy [video]
55 points by ezequiel-garzon 10 months ago



I haven't watched the 55-minute talk yet, but the 82 slides can be clicked through (ironically, the embed in the article didn't work for me on /any/ browser, but here's a direct link: [1]).

The slides channel an uplifting attitude; it's okay to try tools and solutions you end up not liking in the end; it's okay to experiment; we're all in this together, and the like. One thing that stood out is the inevitable reference to how JS is a multi-implementation environment and monoculture is bad, but sadly this is much less true now than it was five years ago.

Like it or not, this multi-implementation environment has coalesced (for various, sometimes bitingly valid reasons) around a very limited number of implementations, and that's just at the runtime layer; in the wider sense of environments that expose a JS engine and some APIs like Browsers or server-side runtimes, there's also not much choice left.

To play on the buffet metaphor, a bewilderingly diverse selection of frameworks, tooling, and quickly-spoiling userland shenanigans exist at the topmost layer, which is fantastic for user choice, but the Web APIs underneath are growing every year, surfacing previously nonexistent functionality in the browser that every website must then decide to ignore or implement. All the while, the language itself has exited the awkward 10-year stalemate, and is receiving yearly revisions with major features.

The meme that JS is an awful language needs to subside; the truth is JS is a now-mature language that is used in a rapidly evolving platform, whose APIs are hardly a bastion of stability. These days, that platform is largely driven by the whims of a single vendor, with dominant marketshare on the client, and a significant presence on the other end.

(edit: before it comes up, I'm aware JS is used in various, very different environments e.g. the GNOME desktop environment -- some of these criticisms don't apply to those, but then again, neither do most of the tooling and libraries. JS in terms of this talk does seem to mean 'The Browser', and not even Node)

[1] https://www.slideshare.net/slideshow/embed_code/key/ILjHOTLR...


I take issue with the last point: JS has matured like bread, not cheese. No matter the age or ingrained status of a language, we have to be able to admit its flaws, rather than go on with some learned helplessness over the whole ordeal.

We can be dismissive about "memes", but sometimes groupthink is also a thing people think in a group, because it's justified by common experience. JS has been developed and provided for out of extreme necessity, and I don't think it's fair to try and prop it up using the infrastructure that arose out of that necessity - in some sense, it is the ecosystem around a sewer pipe: important, but nothing worth building a national park over.

The day we stop asking "why aren't you using something other than Javascript?" is the day we collectively take a step back in terms of design thinking.


> JS has matured like bread, not cheese.

Considering that the language made huge strides forward with ES2015, ES2016, and ES2017, what does that mean?

> The day we stop asking "why aren't you using something other than Javascript?" is the day we collectively take a step back in terms of design thinking.

Spirited debates about JS vs. OCaml are implementation thinking.


It may be less awful, but I have a quite long list of languages that I would use rather than JavaScript. Luckily nowadays it is not that essential, thanks to all the languages that compile to JavaScript. Ages ago the only alternative was GWT with all his problems.


>Luckily nowadays it is not that essential, thanks to all the languages that compile to JavaScript.

Except at the end of the day, you're not actually using those languages to do anything besides generating javascript. So you're still using javascript, which means it remains just as essential as it ever was.

You could just as well write the javascript being "compiled to" after learning whatever idioms make it "safe" versus vanilla js, and cut out the middleman. Javascript-as-bytecode is an antipattern.


How you would make invalid state unrepresentable at compile time in vanilla JavaScript? How you would have an HM type systems? How you would not kill yourself in a simple app less than 100k LOC working alone? If you have an answer to all this questions then maybe I missed A LOT in the recent JavaScript evolution, but I really doubt it. And just to show how absurd is your way of thinking I can just say the following: "Except at the end of the day, you're not actually using those languages to do anything besides generating machine code. So you're still using machine code, which means it remains just as essential as it ever was. You could just as well write the machine code being "compiled to" after learning whatever idioms make it "safe" versus a normal language, and cut out the middleman. Machine code-as-another language is an antipattern.'


>How you would make invalid state unrepresentable at compile time in vanilla JavaScript?

>How you would have an HM type systems?

Let me ask you this - how do languages which compile to javascript manage to implement these features in javascript?

The answer is they don't. The javascript they generate may behave as if it were safe, but it's no more safe than any other javascript anywhere else, and no different.

Which means that it could just as well have been written that way to begin with because what's being enforced by the stricter language is idiom and style, not anything inherent to javascript itself.

>How you would not kill yourself in a simple app less than 100k LOC working alone?

I don't see how this is relevant to my point, and I don't think 100 KLOC apps represent the common use case for compile-to-js languages. I never argued that compiling to javascript wasn't useful in some way, only that it's still an abstract way to write plain old every day javascript. It's simply incorrect that compile to js language have rendered javascript less relevant because they compile to javascript.

>"And just to show how absurd is your way of thinking I can just say the following: "Except at the end of the day, you're not actually using those languages to do anything besides generating machine code Except at the end of the day, you're not actually using those languages to do anything besides generating machine code (...)

Well, no, and obviously not.

Because javascript isn't machine code. It's not bytecode. It's not assembly. It's a high level, loosely typed programming language.

However, if we were to accept your facile equivalence as true for the sake of argument, that javascript is no different than machine language, and that, therefore, compiling to javascript is no different than compiling to machine language, then it must also follow that writing javascript by hand is no different than compiling to machine language, and further that translating from any high level language to any other is the same as compiling to machine language.

If I were to transpile from any high-level language a to any other high level language b, would it make sense to then declare b equivalent to machine code? Of course not. If you took javascript and translated it to Python, is Python then equivalent to machine language? Of course not.

It's the model of treating javascript as a compile target that's absurd.

If you're going to try to construct a strawman out of my reasoning and knock it down, at least try a sturdier one.


how do languages which compile to machine code manage to implement these features in machine code? The answer is they don't. The machine code they generate may behave as if it were safe, but it's no more safe than any other machine code anywhere else, and no different.

At the end everything you write on a machine is translated to machine code and executed. Or do you really believe that the CPU executes directly JavaScript? Powerful type systems, HM inferences and all the other abstractions obviously don't exist at machine code level. It's the resulting machine code that behave producing the behaviour of these abstractions. Borrowing again your words: Which means that it could just as well have been written that way to begin with because what's being enforced by the stricter language is idiom and style, not anything inherent to machine code itself.

I would say that it is obvious that you can write them directly in machine code and have the same effects. Now how many people in the world do you think that believe it is a sane approach to manually write a complex application that uses powerful type systems directly in machine code? I don't think you can find anyone outside a mental institution.


>how do languages which compile to machine code manage to implement these features in machine code? The answer is they don't. The machine code they generate may behave as if it were safe, but it's no more safe than any other machine code anywhere else, and no different.

Merely replacing "javascript" with "machine code" and pasting my comment back doesn't constitute a rational argument or an effective refutation of anything i've actually stated, it's the intellectual equivalent of a small bird mimicking human speech.

>Now how many people in the world do you think that believe it is a sane approach to manually write a complex application that uses powerful type systems directly in machine code?

Except... writing machine code does not describe writing javascript in any meaningful way. Machine code is low level, concrete, and not easily human readable. Javascript is high level and abstract.

How sane is it to manually write a complex application that uses powerful type systems directly in machine code using C++? Why would you bother writing Java bytecode directly in Java source code? The metaphor of javascript as machine language breaks down so readily that, yes, I will question its utility, and whether fixating on it is pathological.

If you don't like javascript as a language, fair enough - plenty of people don't, for valid reasons. I understand perfectly well why developers generate javascript from other languages and why they might find it useful to do so. But to hearken back to my original point, doing so doesn't affect javascript's relevance or discredit its quality as a language. You're still developing in javascript by proxy.


When I look at what the front-end developers at the company I work for have had to go through with respect to package and dependency management to get an Angular application going, I cringe.

The problem isn't that JavaScript is a bad language (that's purely subjective), it's that it has a terrible ecosystem and a community that, apparently, is willing to accept very low standards in library and package management.


> …it's that it has a terrible ecosystem…

Two follow-ups if you don't mind: (1) "terrible" in what kinds of ways, and (2) compared to what, specifically? (Genuinely curious.)


For me it is a mix of zillions of libraries with broken package management (npm + gulp).

Compare to maven in java. Yes, you need to write XML, but it is not that hard, you mostly add <dependency>. And then it just works.

And with npm, I get - this doesn't work with that version of npm (which BTW has a funny versioning that is almost exponential, there are 0.x and x.x versions), but it doesn't say that the version is wrong, it just does not work and you are to figure out why.

More over, npm package locations, you can have three places, in project directory, in home directory and system wide. And to make matters worse you switch between those by using a command line switch. And it breaks, because once you downloaded a package into home dir (accident) and then your packages in current dir don't work, just because - build breaks and you are out of luck. I don't even count how many times I had to remove all npm directories to get rid of some package that was downloaded.

With maven you have simple system, that is constraint and because of that you have much fewer places where it will shoot you in the foot.

With npm (+gulp) you get wild west of package management, just like it was with ant days of java.

And don't get me started on the AngularJS - I thought that I won't see anything that complicated since the days of EJB < 3.


Yarn might solve a bunch of those problems. And at least here on HN there seems to be consensus (or at least a very large group) that considers AngularJS a particularly bad idea.

I don't disagree with you though; just saying.


Fragmentation, wheel reinvention, people using dependencies that are long-term unmaintained and or deprecated are a few that immediately spring to mind


Keep in mind that angular is not made for small, simple apps. It's designed to support large web applications and I think it does a great job doing that. Addiitionally, there are seed projects which you can use to avoid writing your own build tools. I agree that the build is complicated but it's much more complicated to make a large scale app without using the abstractions that the build tools provide you with.


> Keep in mind that angular is not made for small, simple apps. It's designed to support large web applications and I think it does a great job doing that.

My experience has been the complete opposite. Angular has been best for simple, straightforward apps. The larger the app got, the more convoluted the code grew, and the more I found myself fighting with the "angular way".

Maybe 2.0+ is different. I wouldn't know, and have no interest in finding out.


I have been developing in angular 2+ and this is absolutely true. It lets you build large scale apps pretty easily. It makes it simple to use design patterns.


I have similar feelings about Python.


I think JS ecosystem is an order of magnitude more unstable. I can still write a Django/Flask/Pyramid app in roughly the same way I did 5 years ago. The key libraries have longer and more consistent development. The whole environment is just easier to use. Maybe I am biased from nearly a decade of heavy Pyhton use, but I have written a non-trivial amount of JS code. Angular 1 is basically a relic. It just isn't a user friendly sandbox to play in. Python has its warts but we build and use tools in Python and it seems much easier than JS.


You can still write an Express, Jade, haml, whatever app like it is 2011. The js world moves fast, but the old libraries are still out there. Plenty of people writing jquery or knockout code.

Web dev has a fast cycle time, mainly (imo) because products are created and used and discarded quickly - lots of websites are short-lived one offs. So, naturally, there's churn.

And as to what my sibling commenter said, I agree. I'm starting to move from angular 1 to 2, and 2 is better. It has some downright amazing features, and the tooling is quite excellent. That's why, personally, I'm learning the new thing.


I'm starting to move from angular 1 to 2, and 2 is better.

Angular 4, you mean (or just "Angular").


I'm still in the Rails/Bootstrap/jQuery camp. When you need something quick, that will function, and not look like shit - you really can't beat this option. It's also easy to teach junior developers, and they strengthen on the fundamentals first.


Needing something quick is subjective honestly. Personally I could build you a service worker that makes your app offline capable and throw in React components on whatever pages you need, or setup a whole React / vue / vanilla js / whatever app structure in 30 minutes thanks to the time I've spent investigating good packages to use. So I'd say there's many options that are great and it's sad to see people here in this thread (not you) complain that there's so much js churn when isn't the whole reason We are developers because we have a passion for constant learning and building cool things?


Very true. Yet as a manager leading a team of mainly backend engineers who don't have lots of interest in front-end development - we need a toolchain that is easy to pick up, easy to understand the fundamentals, and easy to train interns or junior devs on.

Of course - it also helps I understand that tech stack enough to efficiently explain it to younger engineers. That said - these three technologies have a LOT of material on the web and consensus on that tech has helped my folks build things "more right" more often, without having to do all the nuanced consideration themselves.

When it comes to X resources, Y time, and Z goals, it's all about the right tool.

I think many people give JS shit because it isn't always the right tool - but people choose it anyway due to hotness/hype/vague advantages.

So I'd agree its a mix of skill, resources, and goal. Arguably another manager with amazing React skillsets could do the same thing with a different stack. I'd love to see that guy in action, especially if he can have a more productive team for the choices.

But for us - most UI Frontends are fancy buttons on backend service APIS, or stupid CRUD. Rails does this with confidence.


It is true and you are correct t but as a JS novice it is very hard to know which things are good and which are just new junk.I love learning and mastering things as much as the next individual. (BTW I have moved to Vue when I need a fancier front end and Love it). I guess my complaint, if you can call it that, is that it is hard to find the good stuff and easy to spend hours fighting node packages and Packers and get nowhere.


It keeps coming down to finding the right resources and not wasting time on the bad projects. And that's totally valid.

We need some sort of js beginner walk through that has a section for each step in the process and explains the solutions and differences between projects.

ex: step 1 is language fundamentals, step 2 dom manipulation step 3 bundlers and why you need them. Step 4 frameworks and libraries to build your frontend. Something like this would be useful but I don't know if anyone is building something like this for beginners :/


Is your complaint that JS development is getting better? People didn't ditch Angular1 because it was old, they ditched it because Angular2 is better.


That's not saying much though. I keep reading that Angular 2 is still a really bad idea (haven't gotten to using it myself though). What's your experience comparing Angular 2 to other frameworks you've tried?


I am just saying that the "newest" tools in Python are more stable and if you pick a popular framework or package in Python chances are good it will still be active years later. Whereas JS community seems to have ADHD and things like TypeScript come along in the JS world. The cost of learning and staying modern in JS and front end development in particular is high. It does create meaningful new ideas but it is a mess compared to investing in almost any other popular language.

So, I learned Angular 1 for a project. Some concept there really are everywhere (promises, DI), but you might as well not even call Anuglar 2 Angular. It is totally different and even getting started in it took so much effort I gave up. I have almost never done that as a hacker. But the sheer amount of stuff to install and learn just to implement Hello World was more than I was willing to deal with at the time.


It's not as high as you would think. Everyone here loves to complain how fast things come along but the following is true for any language. If you know the fundamentals of JS you can do anything. It's not hard to spend a Saturday trying out Vue or webpack or React and decide what stack is best for your company. If you can't spend the time to find the right tooling and your excuse is that things move too fast, it sounds like you're complaining about learning and using the latest technologies, which I don't get as a developer. I personally find it exciting how everything is going. It's also easy to stick to your stack thanks to yarn which will lock in your dependencies so you don't have to worry. Lastly, creating a hello world app in React or vue can be extremely simple. I haven't used angular much so I can't attest to it.

But after all that, I can see why some people would be frustrated.

Being on the inside and doing js for the past 3 years it's more exciting than looking in. We keep getting new awesome language additions as of late!


I do worry it's just a Python bias I have. But it clearly isn't just me. I have been using Go and can get things done there pretty easily. JS th language isn't any harder than Go or Python. It isn't the language. If I spent a few years my senses would be honed for avoiding traps -- but I feel I can do that in many other languages and ecosystems much easier as a novice. Maybe it is just the size of th JS world.


I second this. I'm tired of fighting to enable my AMD card on the MacBook Pro in theano. Maybe I will find a working solution one day, but I'm supposed to learn neural networks, not all the environmental problems when using a Mac with an amd card. And apparently at some point in time it used to work, albeit compiling stuff from the develop branch of some libs. Now it seems broken, at least with python 3.5 and/or with the stuff on my machine..


The language I use day-to-day in my current job (machine learning and data engineering) is Python, although I employ a smattering of C++ and, lately, Rust as well (the only one to use either of the latter, that I'm aware of, in the company). Python's virtualenv/pip system, for all its warts, is orders of magnitude better than any JS package management system I've seen.


> Python's virtualenv/pip system, for all its warts, is orders of magnitude better than any JS package management system I've seen

In terms of what? Can you please do a npm vs pip and a nvm vs virtualenv?

Thanks


> Python's virtualenv/pip system, for all its warts, is orders of magnitude better than any JS package management system I've seen.

I've had the complete opposite experience. Crates, composer, and npm are my go-to examples of good package mangers. Python is my go-to example for lack of a good package manager.


What problems do you run into? I've had good luck with a pretty vanilla virtualenv + requirements.txt files, and docker for packaging (great for c libs that my python packages call down to).


I've worked through most of my packaging and pyenv/virtualenv issues but I must say I found it much more convoluted and painful than any other language I've worked with in the past 6 years. The need for all the virtualenv's makes me sad, and I'm not a huge fan of the shim system. Working on multiple projects that need different versions of a dependency, particularly when your also working on that dependency, can be a pain still. This is very subjective but pipenv was just released THIS YEAR and has over 3k stars on github; clearly there is some general angst out there.

But I more meant the ecosystem in general:

A "batteries included" language makes me create my own UTC tzinfo implementation so I can get a datetime in UTC... Python's time situation is maddening and by far the worst I've worked with. I'm sure others feel this way because there are a bakers dozen of time libraries trying to fill the gaps.

I almost rage quit the industry trying to save and retrieve a UTC datetime from the database with sqlalchemy. Luckily I found Arrow and ArrowType and that's been working well enough for now.

On the subject of time this has been open for close to five years? https://bugs.python.org/issue15873 . I get the impression that lots of proposed improvements are languishing like this.

sqlalchemy and alembic feel like JUST ONE GUY is working on them. Massive achievement, but the gaps are visible.

The module system feels stale; a holdout of a system from different workflow times. Splitting stuff off into separate files for maintainability(including improving multi-dev workflows trying to reduce conflicts) creates some gross imports.

It feels like there is a reluctance to evolve the language itself; a lot of enhancements appear to be made via more magic metaprogramming and function usage. super(Cls, self).__init__() comes off as an artifact of this. Not really my cup of tea these days, but I can see how this is very subjective.

The propper way to handle generated members with pylint is supposedly a plugin; which almost no projects provide.

Type annotations are supposed to go a long way in 3.x, but the prevalence of metaprogramming and lack of tooling awareness has probably defeated more jedi than Darth Vader.

boto3 has no official async support even though lambda just released support for Python 3.6. Meanwhile the javascript sdk is shipping with TypeScript definitions and a new promise interface.

A lot of this is very subjective(other than perhaps the languishing of certain library areas) of course. To me though, after having worked with a lot of other languages, it just feels like Python is a bit of a ghetto these days. It's like the language world has built north and Python is.. Not living to the north.

EDIT: The pipenv announcement thread has some comments that go into more detail on package/project management situation: https://news.ycombinator.com/item?id=13459740 . sjellis and sametmax touch on most of the stuff I've run into.


I have for the longest time wanted to filter npm-search results by shared dependencies or licenses. Package management could be so much better.


After the left-pad fiasco[0] several people mentioned wanting to develop saner package management to replace npm, then of course nothing happened, because package management is hard.

[0]https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/


The made yarn, which is better, but didn't they fix leftPad?


Agreed.

I must be getting old and grumpy, but I really am tired of learning 'new' frameworks and ideas unless they actually provide some sort of benefit.

For example, I started using Docker here and there. There's a bit of a learning curve and I initially thought 'how is this all that much different than running a VM or two?' Only later, when a single docker compose file set me up with a full CMS, DB, NGINX, etc. stack did I understand just how cool it was.

To compare, I've spent a few years now on various projects where the front-end guys have added all sorts of bloat - bower, then grunt, gulp, Angular, React, Browserify, JSPM, onto Webpack. Hell, it looks like npm is now being replaced by Yarn - WTF?

And the vast majority of this crap is absolutely no better for the user than the old school MVC server side template apps+JQuery that worked for years.


"...vast majority of this crap is absolutely no better..."

Recurring amnesia.

It's because the industry (number of programmers) is grower faster than the rate of diffusion of knowledge (experience).

Also, easier communication mediums has greatly increased the noise to signal ratio. So maintaining our BS filters requires that much more effort.


I have written an angular app with just angular scripting script imports. No tooling or package management.


Yes but have you worked on that with 10 other developers and deployed it to multiple stages or environments for testing and then onto production hundreds of times for paying customers?


Yes and I would add that the ecosystem practically begs devs to do this. The language lends itself nicely to these ends as well. I wish there were more options for the web...


So why don't you write something better if the shortcomings are so obvious? I'm not saying that the current popular stack (npm, babel|typescript, webpack) is the end-all solution but it's miles better everything else that came out in the last 10+ years.


When the author of the best book on JavaScript programming says we need to "think of the children" and come up with something better, we probably need to come up with something better.


Here's a question. The latest versions of Javascript supposedly aren't so bad, but some legacy features of the language give problems. There's already "strict mode", which at least requires that variables be declared. Consider a "strict 2" mode, with more restrictions, intended for new, cleaner code. What features should "strict 2" disable?


I don't think you have to think much about strict mode these days. Most transpilers automatically compile to strict mode anyway (I think Babel and TypeScript do).


What, nobody writes JavaScript directly any more?


JS is compilation target for most modern x-platform UIs. Every big JS project is compiling some how: ES6/7/etc, TypeScript, Flow (ok, not exactly compiling), CoffeeScript, Elm, PureScript, Reason, GHCJS, ClojureScript, JSX, etc. etc.

And that is ok. Until WebAssembly matures, then those compilers will all just add it as a compiler backend.


To the detriment of the end desktop. You end up with an angry fruit salad that completely ignores the user's color, font, size, etc choices, and tends to have accessibility problems as well. Cross-platform javascript is just plain bad.


I'd say that at some point the accessibility options are better for website and webapps then for traditional desktop apps.

Color choices are the last of my worries, and we see that this is also greatly neglected in modern desktop apps (e.g.: Spotify and Chrome taking over the window title bar on most OSes).


There are reasons I try to avoid such "modern" desktop apps. Those choices make them much less usable and much less discoverable. Native widgets aren't some plague, they allow consistency and ease of use.


That will be interesting to watch


The thing I hate most about Javascript is that if I allow it in my browser, I expose myself to Javascript vulnerabilities. The other things I hate are ads delivered by Javascript and tracking enabled by Javascript.

If it weren't for this triumvirate of evil, as a user I wouldn't have a problem with Javascript at all.


I have Javascript off by default, and whitelist specific sites. (Tiny extension, one-button switch.)

I encourage folks to try it even for a little while, because it's shocking how much more quickly many sites will load and how much more responsive they are to things like scrolling or text searches. News articles and arbitrary google-results especially.


I've done the same and it's amazing (and depressing) to notice how different my experience is between 'no js/ads by default' on my laptop (uMatrix + uBlock), and 'regular' on my iPad/iPhone.

Even worse, the difference seems to be getting worse and worse. It's a pretty regular experience for me these days to end up on a website that barely works on iOS: ridiculously slow, stuttering scroll behavior, inability to scroll because there's an ad in the way, inability to close popups, fixed position elements taking at least a third of the screen, and so on. You know the drill.

There's one website that, if I don't use the 'add to instapaper' button within the first few seconds of loading, completely blocks safari.

Now I can understand how a website becomes bloated and shitty while still being somewhat usable; users either might put up with it, or it might be difficult to measure the negative impact of these 'thousand cuts'.

But it baffles me how websites can exist that don't work at all on mobile/iOS when it's relatively easy to fix (enough to make it shitty usable). Does nobody look at bounce rates?


> But it baffles me how websites can exist like this

They do so because of the economics of the web. No-one pays for content, but basic advertising is low revenue. So user experience is squeezed instead, with video ads and popups.

There are other factors too, of course. Businesses have strange priorities and can be quite myopic when they compare the value of a new feature with the value of leaving the site uncluttered. But the main reason scripting is slow is advertising.


Yes, I do get that (and said as much). What I don't get is websites that are literally unusable on mobile/iOS. There's no upside to that.


From my experience,

i) the people who push features don't actually use them;

ii) people overestimate the pain users will go through to reach their services;

iii) in a lot of businesses it's actually really _hard_ to advocate doing nothing - no new features, no further investment, no changes. So something is done because something seems better than nothing, and thuse the product slowly accumulates cruft.


Yeah, I've had similar experience. But never to the point of making a website entirely unusable on mobile (which is pretty easy to test for...).


Why not use an ad blocker for iOS? They've been supported natively for awhile.


> I have JavaScript off by default

So how do you pay for your content, if not for ads?

Do you expect people to give it to you for free? Do you do work for free?


What types of JS vulnerabilities are you encountering?


Some examples: [1], [2], [3], [4]

Bottom line: I just don't want to have to worry about this shit, so try to avoid Javascript like the plague.

[1] - https://news.ycombinator.com/item?id=13831906

[2] - https://news.ycombinator.com/item?id=13649178

[3] - https://news.ycombinator.com/item?id=13066825

[4] - https://news.ycombinator.com/item?id=10021376


1 - those are libraries with vulnerabilities, not JS itself. I.e. could be any language.

2 - this is a hardware vulnerability that you could take advantage of in multiple languages.

3 - this is a Tor + windows exploit that just happens to use JS.

4 - this is a Firefox vulnerability, not a JS vulnerability

There is nothing inherently wrong with JS from a security perspective and in many ways it is a much more secure system than most, since it is constantly exposed to the internet.

But like any large ecosystem with multiple implementations and lots of inexperienced devs, there will be vulnerabilities out there.

I do respect your decision to turn of JS, but I don't agree that JS is somehow special in how insecure it is. You should also avoid running any apps written in any language at all with that logic. I'd posit that JavaScript apps are more secure than c++ apps, since the runtime itself is hardened.


1 - Yes, but not any language is in my web browser. The language in my web browser is Javascript, and I would not be exposed to these vulnerabilities without it.

2 - See 1 above.

3 - See 1 above.

4 - It's a vulnerability in a part of Firefox that's written in Javascript.

"I don't agree that JS is somehow special in how insecure it is"

I never claimed that JS was any more insecure than any other language (though fans of "safe" languages and ones whose programs and compilers can be proven correct might in fact make that argument).

Javascript has the special distinction of being the only programming language in the web browser (if you exclude HTML). If it wasn't, then the argument of whether JS was or was more insecure than the other language(s) in the web browser would relevant. But that's not the case.

"I'd posit that JavaScript apps are more secure than c++ apps"

Completely irrelevant since I don't have the choice to run C++ in my web browser.


Why does it matter if it's in your browser or not? The browser is just a fancy runtime.


meta: it would be good if not every thread on HN about javascript devolved into unproductive complaining about how bad you think it is. It's really not interesting or enlightening to read, and javascript's various flaws are already thoroughly covered elsewhere.


Don't forget the threads on HN about Git that descend quickly into a celebration of how much Git sucks.

But contrary to your thinking, I see these consistent regular events as a deeply worrying symptom that somehow as an industry we have managed to wind back progress over the past decade and end up using a pile of sucky stuff.


I see it more as a worrying symptom that software as an industry is full of people who complain about things they don't understand and don't want to learn about. the complaining about javascript is very HN culture specific. there are certainly places where people do complain about it, but only here is it indulged again and again and again ad nauseum.

there certainly is room in the world for recognising the flaws in javascript or git and working to fix them, or building something better. but just whining about how bad it is achieves nothing and it is irritating to read.


[flagged]


I agree with you fully. I even started to write a book on it [1]. Unfortunately there is nothing else.

When I was a young man, I had IE as the primary target. I could chose between screwy looking Javascript that wasn't fully supported across the fledgling NS/IE browsers, or VBScript, which wasn't supported at all on NS, but did just fine on IE. Since IE was huge, I learned VBScript because it took my BASIC skills, which were basic, to the next level.

VBScript quickly fell away even though I was able to do neat demos that were cutting edge such as adding fog lamps to a car to get a quote when buying a new car (or changing the color). It fell because MS didn't make VBScript available as a common standard so Mozilla didn't implement it. By the time Chrome came along, it was a dead language like Phoenician.

All that said to bring home the point: there is nothing else. Shit is shit, but at least like shit you can generate energy with JS. You can make the page move. You can seamlessly update sections with new data. It is the only thing than brings a spirit to a page. This is what either the users or the developers want (within reason, which is different for both of those markets).

Even with WebAssembly we will probably stay on JS for years to come. Each browser has to implement support for a new language as well as stay standardize compliant with JS. I doubt will see multiple languages equally supported.

It's a huge turd. It's a huge turd that gets things done. It's essentially both the ball and the beetle. Simply screaming into the void won't help anything [2].

1 - https://github.com/virmundi/JSIsGarbage 2 - http://screamintothevoid.com


JavaScript is fine as a language. However, if it had never been allowed to run without user consent, it wouldn't be such a scourge as there would be minimal ads, minimal cross-site tracking and most sites wouldn't be able to justify a user prompt just to enable a useless animation.


JavaScript is a deeply flawed language. It has both undefined and null. You almost never use the == operator... except as a workaround to easily check if something is either null or undefined.

That being said, modern JavaScript is actually pretty nice, once you know where the pitfalls are.

But if JavaScript wasn't allowed to run by default, it would have never reached it's current level. It'd still be a deeply flawed toy scripting language.


"But if JavaScript wasn't allowed to run by default, it would have never reached it's current level."

I was thinking about that too but I'm not sure it's true. There are some real universally useful applications (e.g. maps; office suites; email; heck, even social media) that require some code to function and I think just about everyone would have been OK with having to grant permissions one time to use them. And all the companies currently making those types of applications helped make JS what it is. Although the most prominent one is the one that has made all it's money on ads and tracking so maybe that's not such a good argument. Anyway, now that we have JS in its current state, maybe we could think about starting to prompt by default, starting with JS from external domains :) (I know, fat chance).


I think you aren't quite understanding the point. It's not that some language wouldn't have dominated (in the interest of interoperability and functionality needs), but that it probably would have been a product by MS or some other homebrew language. Javascript being codified with the hackneyed ecmascript standard, was the death nell for efficiency in web apps for the last few decades. Without the standard, we probably would have seen a shift to other technologies (some of which would have failed like Silverlight) on emerging browsers, in hindsight.


Please post civilly and substantively on Hacker News:

https://news.ycombinator.com/newsguidelines.html




