Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: Zero – A fast, zero-configuration server for React, Node.js, Markdown (zeroserver.io)
513 points by asadm on Feb 26, 2019 | hide | past | favorite | 245 comments



> File-system Based Routing: If your code resides in ./api/login.js it's exposed at http://<SERVER>/api/login. Inspired by good ol' PHP days.

> Auto Dependency Resolution: If a file does require('underscore'), it is automatically installed and resolved. You can always create your own package.json file to install a specific version of a package.

This sounds like a security nightmare.

EDIT: to be clear, I don't meant he combination of both is a security concern, that each one of them separately is problematic.


Putting my money where my mouth is - use this to leak any file accessible by the running user of zero from the filesystem:

    # curl -v --path-as-is 127.0.0.1:3000/../../../../../etc/passwd
    root:x:0:0:root:/root:/bin/bash
    [...]


Hah. Now that’s a Zero day Zero server exploit. :)


I don't think I would use any package that makes this classic mistake in 2019. Web services need to be at least vaguely secure and this destroys all my confidence of that.


You would've thought OP posting to HN should've considered security backlash. Unfortunately, damage is done for me too.


This was fixed literally the minute it was commented here. Securing any project is always a long-term and continuous effort.

This project is brand new, I posted the repo publicly this morning. I frankly think this subthread is an overreaction. I don’t get the hate.


I saw your comments fixing it - which is pretty awesome by the way (& I hope you've taken on board the other comments regarding securing it even further).

Due to PHP experience, this would've been something that I ensured was implemented properly from the outset. I know this to be true, because I've dabbled in the very space you're working in now, and it was one of the very first things I ensured: that no file could be served except from direct descendants. (I rethought my project and tossed the code)

For something like this you need to be absolutely sure about security. Have a look at the annals of PHP security issues - and most likely you'll see a lot of similarities that you'll need to make sure you address.

I'm sorry if you read hate in my words: definitely was NOT intended! I have nothing against you as a co-habitor of this wonderful planet! To me, the bug highlights that a few design considerations may have been overlooked.


> This project is brand new, I posted the repo publicly this morning.

Are you implying that you don’t think it’s ready for production use? If so, maybe you should do like a lot of projects, and warn about it loud and clear in the docs. It’s not clear at all that users should expect the type of blatant security problems that were discovered here.


If the bar to posting to HN was "I am finally confident this project is mature", rather than "I can post any link I want and if people thing it's cool, it'll get upvoted", HN would have a hell of a lot less cool shit on the front page on a daily basis.

People are allowed to screw up: it's how we learn. They got comments that pointed out flaws, they fixed them and posted a follow-up regarding that fix, why the hate? This person tried to make something cool, they learned important security lessons, and now have a deeper insight into what they made, and the world it operates in. How is this possibly a bad thing we don't want to have happen on HN?


But after reading the thread following your fix it seemed that the fix wasn't done properly. That, more than the security issue itself, kind of ruined my confidence as well, sorry to say.


Thanks for pointing this out. Fixed this particular bug!


You also need to report this to security@npmjs.com so they post an advisory [1] and mark the existing versions as vulnerable.

[1] - https://www.npmjs.com/advisories


Anyone, including yourself can do that.


Everyone's talking about it but nobody did it, so I did.


or, the person who should do it should do it and not rely on others to do their job for them?


it's not their job. there's a reason anyone can do it.


Seems like your fix[1] for this is a bit fast. You are already importing `path` in that file. Also, you can do this with just one `path.relative`. Lastly, the url package method you are using is deprecated[2].

[1] https://github.com/remoteinterview/zero/commit/b4af5325c388e... [2] https://nodejs.org/api/url.html#url_legacy_url_api


This fix does not even work on windows. You can still request data on a different drive.


A simpler fix might be to canonicalize (i.e. no "..") the public folder path and the requested file path and then ensure the public path is a prefix of the other.


Any fix also needs to be sure to resolve any symlinks before doing a prefix check.


can just put some logic to set the root directory where can start to include from?


Just like "good ol' PHP days!" as the docs say :D


I don't disagree that this doesn't seem necessarily secure and the auto dependency resolution is a bad idea for other reasons in my opinion, but I don't see the security aspect of it.

The moment I can upload files to the application folder that are executed, I can just `require('child_process').spawn("my_evil_stuff", [])`. In particular "my_evil_stuff" could be some npm install command. I don't see how automatically installing the dependencies makes this worse than it already is.

EDIT: While this is a different attack vector than I was envisioning here, jexco has provided a scenario in which there are additional vulnerabilities: Vulnerable dependencies that cannot be managed.


Where is the management of requirements? How do you force LTS versions? Or roll back if a version has a vulnerability? When things are automatic you are unable to stop bad things from happening.


Not that I was going to say this is a good idea in the first place, but rolling back vulnerable dependencies is an excellent point that I hadn't thought of. Thanks!


Well, for one giving the app the kinds of write permissions needed for this to work is not exactly ideal.


So the app would need write permissions to its own folder. That's obviously a bad idea in a production deployment. I guess I was thinking that the dependencies would be installed during a privileged one-time "deployment run" so you wouldn't need the permissions after. Maybe I'm giving the thing too much credit.


If security is a concern, this is probably a bad choice; this doesn't seem to be advertised as a bulletproof security solution to anything, rather a utility for small little one-off apps that might need _some_ backend functionality. Once you start adding features like file-uploading, youre obviously gonna want to pick a more robust option


> If security is a concern

At the risk of being presumptuous... When is security ever not a concern?


When all other layers are secure, like wearing a bulletproof west inside a bulletproof car inside a bunker that can withstand a nuclear blast. And add to that some security by obscurity, like a bunker in a secret location, only accessed via a tunnel.


That said, if security is top priority you also want to be ready if you get shot from within the car. But more importantly you need to define the most common scenarios and make sure you are protected from all of them. One scenario might be someone shooting you, but another scenario might be food poisoning which would require an additional, different solution.


You know it's always a concern, but context is everything.

> small little one-off apps that might need _some_ backend functionality

The security implications of serving a static website vs. a dynamic application that processes payment and queries the database are two different beasts


Student projects


Conversely though - doesn't that lead to bad habits?

If security is taught at the student level, by the time they get to junior developer they'll have an understanding of it / do it automatically.


Pretty sure student projects should teach you something other than `$ npm install`, no?

When I was a hiring manager and scoped out juniors from bootcamps I had a conversation with some candidates and they would say, "I built user registration and login". When I asked them to talk more about it they said, "well I installed auth0"... Any student project which doesn't teach them how something works is not really teaching anything of value, is it?


Expecting a student to learn how to code at all, not to mention code well, from an academic/bootcamp setting, is an expensive fool's errand for anyone that hires them.

Programming is not academic. It has more in common with plumbing and carpentry and electrician work: you learn only by doing, and you learn how to do it well by doing with critical supervision from a mentor.


The difference between engineering and trade work is that trade work, like the jobs you mention, either follows a plan written by an engineer, or prescriptive standards designed by engineers (and usually certified by governing bodies of engineers). Prescriptive standards allow skipping all the engineering calculations as long as the guidelines are followed and tolerances respected.

Software development (and a lot of hardware development, to be fair) is unique in that doing it well requires functioning as both an engineer and a tradesperson. One's skill has to cover a wide section of the spectrum.


That slight wobble in Earth's orbit we're experiencing, that's Dijkstra rolling in his grave.

All joking aside, programming should be treated a lot more like engineering and a lot less like craft. Yes, it does have aspects of both, but neglecting the engineering aspects of it is proving to be increasingly harmful to our end users.


> a lot more like engineering and a lot less like craft

I think the curve of diminishing returns plays an important role. A near hack job will often get you 90% there, in terms of fulfilling what was exactly requested. I don't think this is true for any other skillset. It's so easy to make something featureful and fragile in software. The time and cost above that can be very difficult to justify to customers/management.

In the words of a previous boss, after I pointed out we need more testing, "Everything is working, we'll fix the bugs as they come".


When you're learning, you need to also learn security implications of what you're writing. Insecure projects should never be allowed to pass.


I disagree somewhat. If the goal of a project is to teach a different skill and it may cause too much of a headache to add a real server this service might make sense. It’s like when you’re learning a new spoken language. It’s better to practice a breadth of situations and vocabularies and make mistakes (that get corrected over time) than to learn fewer things perfectly


Prototyping or proofs of concept


If you're ever running this, and you've left it open to a LAN or the internet, your entire system is vulnerable for use in whatever way someone wants. There are bots looking for stuff like this all the time.


Is this even a serious question?

Not everything runs online connected to the internet.


But almost everything does. Assumptions like this lead to ~40,000 unsecured MongoDB databases on the public internet [1]

1. https://www.information-age.com/major-security-alert-40000-m...


And printers. Although in the linked story the exploit already existed and the guy who did the printing sounds like basically a script-kiddie.

https://www.theverge.com/2018/11/30/18119576/pewdiepie-print...


> When is security ever not a concern?

Internal applications where the entirety of the userbase are trusted employees. (Preferably, the userbase is small, too.)

Nobody’s going to bother finding vulnerabilities in an application where, if they break it, their own job gets harder.


I agree with GP. Security is always a concern. I too used to think as long as it's behind the firewall, or a local only exploit, it doesn't matter. But it always matters. Small apps become big apps. Small user bases large ones. Someone gets onto your internal network and then your small userbase app for trusted employees becomes a jumping off point, etc.

Your sort of thinking is how you end up with Yahoo levels of account leaks.

Security always matters.


I think your comment about scalability is accurate. Small apps become big apps, and small user bases get bigger. I’ve seen it happen — but I’m not going to think about scaling to thousands of users when I just need a small application to share with my team. If I spent five days building it to the utmost standards, instead of spending one day on something that solves a problem immediately, I’d be laughed at. It is the same with security.

> Your sort of thinking is how you end up with Yahoo levels of account leaks.

I wouldn’t store any of my customers’ data on an insecure internal service! I know that’s mad!

> Security always matters.

The first part of securing a system is to come up with your threat model, isn’t it?


> I wouldn’t store any of my customers’ data on an insecure internal service! I know that’s mad!

I'm completely sure that you're right. You know that would be irresponsible and reckless with lots of very sensitive data.

With that said, how sure can you be of every other person writing a simple, small, business app for just a handful of their coworkers? I've encountered some people doing exactly what you've described without the same level of cool-headed risk-weighing as you.


At some point you will be outcompeted by businesses where they don't sweat stuff like this.


One of the key functions of GDPR and CCPA and PIPEDA is to make many businesses consider what kind of liability might be attached to things they might otherwise opt to not sweat.


None of those apply to internal software that isn't used to store customer data.


I really hope you don't work for our infosec department!


>_some_ backend functionality

Famous last words.


...why? I get that file-system based routing means you know the location of a source file on disk, but if anyone can access that file you've already lost.

And auto-dependency resolution also doesn't seem any larger a security concern, all it's doing is skipping an "npm install" command.


Because if you ever have a broken upload system that allows you to drop a JS file somewhere accessible by the file system routing, you have remote code execution. Additionally, you now have to write guards in every non-endpoint JS file so that it doesn't get executed just by a misplaced HTTP request.

And as for automatic dependency resolution, this means you're not even aware of what transitive dependencies you're pulling in, what version they are and have no way to vet anything - everything is hidden behind a wall of magic.


Make your application directory read-only to the user running the application, as it ought to be anyway.

Automatic dependency resolution however... Fantastic for experimentation, but that's a dealbreaker for production. Maybe it would be OK if it actually wrote the package-lock.json to the application directory, I'd have to think about that.


In this case the application also tries to auto-install dependencies, so making it read-only removes one of the stated features.

I think this framework hasn't been written with security in mind at all.


Whatever it's doing, it's not writing the packages into the application directory.


If it can write to the applications dependencies isn't that as good as writing to the application?


Probably having .htaccess / .env / database configuration / files that are not supposed to be public be exposed.

For instance, Rails has a public/ folder for files that are going to be served. And jekyll hides files by pattern-matching them[1].

Zero doesn't seem to have exclude folders by default. The solution would be to run Zero is a subfoler and require file in the parent folder which would act as the tree's root.

[1]: https://help.github.com/en/articles/files-that-start-with-an...


Currently, files starting with _ (underscore) are hidden in zero. This is still a feature spec we need to finalize as this can create confusion. Maybe a .zeroignore file (as suggested in another comment) would be a better idea.


Why not reverse that and use a whitelist instead. It’s a lot easier to decide what folders and files should be served than to think of all the things that shouldn’t.


Nextjs uses a pages/ subdirectory which gives you implicit routing, without having to compromise on the whitelist aspect. I think it's a better compromise.


So if an attacker already has access to your filesystem to modify your files, they can install stuff?

By this time it's already too late.


There's different levels of 'filesystem access' vulnerabilities.

Some classes of bugs that would be otherwise tame due to the constraints (eg., file upload that might be able to only create new files in some part of the directory tree, or a buggy routine that lets you create arbitrary symlinks, or leftover VCS/CM files that happen to end in .js and are not filtered out by the router) now become the most powerful kind, remote code execution.


Exploiting auto-downloading modules requires that the filesystem's already been exploited to the point where the app's code can be modified.

I could add `require('foo')` but I could also just require no third party code and have fun with the `process` module.


My first thought is it doesn't have enough features or too much magic BUT that is EXACTLY why it shines. I'm not going to build the next FAANG company on this but it will let me get a backend up and running VERY quickly to test out an idea. The number of ideas of mine that have been killed in the cradle by decision paralysis is higher than I would like...


It actually has a ton of magic. This is what's acting as the initial package.json:

https://github.com/remoteinterview/zero/blob/72ea1faaef51b92...

Custom file watcher: https://github.com/remoteinterview/zero/blob/72ea1faaef51b92...

Routing / workers: https://github.com/remoteinterview/zero/blob/72ea1faaef51b92...

Dependencies for using the react renderer: https://github.com/remoteinterview/zero/blob/72ea1faaef51b92...

And so on. The routing part is a bit funny - by spawning a new process per request this is actually very close to PHP/CGI :)


Exactly this. One of the aims to start this project was to reduce one more friction when testing an idea. Project configurations and set up is a big time suck.


Thank you for creating this! I often find I had an idea and then spend 1-2 hours doing NOTHING towards the idea trying to future-proof what I'm writing to the max. That is a trait of mine I need to work on by itself but "zero" should help let convince me to "just try it with zero before you setup TypeScript/Angular/Vue/React/Cordova/Express/etc...". I saw your other comment about making it Apache/PHP level easy and as someone who came from that background and when I first saw a query param displayed in the response from the web (ie: localhost?name=Josh -> Hello Josh!) I was hooked (you can imagine my reaction when I learned what a database was ).

In that vein do you think TypeScript is on the horizon for support? It's not a dealbreaker by any means but it would be nice to just write .ts files and have them automatically compiled (transpiled?). I can write JS just fine but TS's types are a nice sanity check for me.


Thanks! I will def move .ts up the list. It should be easy to add.


Great work, if you need any help with it just add requestes on github and tag as help needed.


I just added typescript support. Check it out!


the project's philsophy seems to be "use a bundler that works and don't reinvent it" so I bet adding a TS bundler would be a possibility, that'd be awesome


"Zero configuration"

But, you can install express, copy paste the getting started code and be up and running at a similar level in 5 minutes. I...guess I don't understand why I should trade something super simple and easy to use for this additional level of abstraction magic.

There is such a thing as too much abstraction.


No, you cannot, not in an easy way. I've taught many people Node.js/express and they always struggle with all of those copy/pasted configuration bits. Now if I add them, I tell them something along the lines This is just magic, copy/paste it to make your app work. Some day you will understand.

Once you get used to them it's easy, but to get started it's a nightmare. I started with PHP back in the day, and even though it's hated around here the bar to getting started there is amazingly low in a good way.


Exactly this! An experienced developer might take configuration and setup for granted.

I also teach sometimes and all this friction to get started just makes it harder to get into web development these days.


I'll echo this. I was hired by Atlassian to join and "make prototyping better". Part of this meant enabling designers to more easily create code based prototypes.

I learned very early on that if creating something in code means learning/entering cryptic code just to start (that is, before any work gets done), then you lose people very quickly. Inexperienced developers can easily express, "Hey if I click this button and a field has the word 'bubblegum', I want a popup to show", and likely can figure out the js necessary for it. But if you say, "Ok, before you write that javascript you have to configure a package.json and install all necessary pages, but also make sure your version of node is the correct version for our internal libs", their excitement to dive into a project is ruined.


That feeling of discomfort and tinge of frustration means you're learning. I feel like this is helping people to skip over a really useful lesson.


It means you are getting frustrated, evaluating your life choices and whether Node.js is really for you. The lesson they get is that Node.js is not for them!

I prefer those who are new to any webdev to get started by creating a simple CRUD, not with the grunt details like parsing a JSON body or what is this session stuff. Those IMHO should be optional optimization details to apply later on if you wish, but not mandatory for everyone.


You don’t need to teach all the hard lessons at the beginning. If that was the case, we should all be programming in Rust/Wasm from Web101.


Depending on what you need, setting up a React app is super complicated and time consuming. Especially when you need SSR.

There is a reason why frameworks such as Next.js, Reframe, and now this one are being used.

I'd actually say the opposite, it's tools like Webpack that don't have enough abstraction. I don't care how source maps are being generated, why on earth is it a good idea for Webpack to force me to dig into that? (If at least Webpack's default source map config would work out of the box but it doesn't.) Parcel hits the right abstraction level much better.

Disclaimer: I'm Reframe's author (https://github.com/reframejs/reframe).


there's already a very popular react (cljs) framework called reframe

https://github.com/Day8/re-frame


I wrote a shallow http.createServer abstraction for one of my projects that works directly from the terminal and takes a port number as its only argument. I just copy/paste this every time I need a web server. Its literally like 2 minutes of effort and has no dependencies.


Try doing the same for React (in the same express project). With SSR enabled :)


Rule 35: Every year, someone somewhere will reinvent PHP or CGI or some combination of the two.


Does this mean we need to update Greenspun's 10th rule "Any sufficiently complicated C or Fortran program contains an ad-hoc, informally-specified, bug-ridden, slow implementation of half of Common Lisp." to say "Any sufficiently complicated development environment contains an ad-hoc, informally-specified, bug-ridden, slow implementation of half of PHP?.


Where can I find the other rules?


These will carry you over until the "real" ones appear: https://spacecraft.ssl.umd.edu/akins_laws.html


I want to print these out and share them with past teams I've worked on.


awesome! thank you!


If you ever watched NCIS, I have just the thing: http://www.ncisfanwiki.com/page/NCIS%3A+Gibbs%27+Rules


I make them up as I go along!


In non-sequential order. :)


lol let me know if you ever compile them in a single place. love it!


Can I claim "K's rule"?

Every (web) technology will eventually be called a PHP reinvention.


That would be an insult (either to php or to the other project, depending on which).


Maybe.

But I read it so often in the last years.

Next.js? PHP! AWS Lambda? PHP! Zero? PHP!


I guess I agree : )


This is exactly what I needed. However with great abstraction comes great responsibility: you are now the gatekeepers of keeping things efficient in the backend. If I write "require('moment')", will you blindly require, or will you require, tree-shake, minify, etc?

I guess my question is: can I trust Zero to always strive for optimum efficiency, or is it just convenience?


If your requirements include "optimum efficiency", you almost certainly are not in the sweet spot for a general purpose zero configuration product.


I guess optimum/optimal efficiency is a lot to ask for, of anyone, let alone a convention over configuration framework, but you get my point!


I think that's a valid concern. We can certainly optimize and enable tree-shaking (zero uses Parcel to bundle React and HTML). The idea is to implement common optimizations so users don't have to. But also to provide enough escape hatches so advanced users can 'eject' and fine-tune themselves.


Yes please do, I just have a pet peeve against npm modules requiring mb's of files to only use a couple functions. Knowing that Zero does tree-shaking and general optimizations for me will make me happily use for most of my projects!


Zero configuration... read "We made choices for you, just trust us. Read our documentation to see what your missing. Oh, also since you didn't configure it we'll change (the defaults) on our next release".


> Oh, also since you didn't configure it we'll change (the defaults) on our next release

That doesn't really matter, since I'll only use the next release for my next release, and the previous prototype has either been thrown away or turned into a proper stack.


I wonder if this what the people who made the things I have to inherit and patch and secure believed.

Current app is EOL Framework Release in an EOL Language Release running on an EOL Distro Release on an unmonitored server without any patches applied... so business as usual.


I did something very similar but arguably with even less configuration, https://serverjs.io/

    const server = require('server');
    server(() => "Place your Node.js API here.");
However my project doesn't have the automatic routing/installing/React, which looks great! Keep it up, I like the direction where this is going.


Hey, that looks cool too. Thanks for sharing it!


Make a RealWorld.io implementation or it doesn't exist!

https://github.com/gothinkster/realworld


This is wonderful. Great antidote to toy framework fatigue.


Wow, that readme file is a github repo masterpiece.


Minimalism has a cost. http://npm.broofa.com/?q=zero


It's worth noting that (for now) npm.broofa.com includes `devDependencies` in it's graph. Zero doesn't have any production `dependencies`.


Ignore that. Apparently I don't know my own code. It just looks at `dependencies`. :-p

That said, it looks like the latest (not yet npm-published?) version of zero has moved all the dependencies to `devDependencies`.


It's not that bad since it's an application (not just a library) that basically exists to glue those modules together.


Standing on the shoulders of giants :)

You will eventually be adding all those packages when you develop a production-grade React / Node app anyway.


Perhaps this should be done gradually and thoughtfully, rather than pulling half the internet into each minimalist app out there.


Welcome to the world of node.


This is nothing to do with node. This is poor programmer decision making. You can build great node apps with a real minimalist approach. Holding up projects which pull in half of npm as "the world of node" is like holding up a hot and ready 5$ pizza and saying all Italian food is bad.


I think the point is that this is almost encouraged in the node ecosystem, while in most other language ecosystems I know of it wouldn't be.


Most other ecosystems inlcude more batteries (e.g. PHP). That is why you have to update this ecosystems with all their modules. The problem is, if the core has a bug, ALL apps in this ecosystem has the bugs.

node includes not everything and concentrate on the core. If modules have bugs, not all apps a compromised.

It is a fundamental design decision, if you not like it, don't use node.

You can include all dependencies manually and update them manually, nobody keeps you away. But have fun to update all your deps.


Encouraged by who? I see the same people which used to install jQuery or WordPress plugins and were able to get janky but working sites. But prolific module authors and node core contributors don't promote these approaches.

Maybe if you listen too much to twitter "thought leaders" you might get this impression, but we are all aware of the problems with social media platforms...


Well, considering the amount of dependencies in popular projects like CRA that was highlighted here a few days ago I don't think it's unreasonable to extrapolate to the general ecosystem. Of course there are module authors and devs doing it differently, but in general most node projects I see are more dependency-happy than projects I see in other languages.


Give people a useful tool (npm) and they will muck it up. This is both the best and worst part of the general node ecosystem. The issue is people saying things like "that's just node". It is not node, it is the ease of use and popularity meaning there will be more of these examples. If you care to make high quality use of the platform and tools you can, but that means not following the crowd.


Agreed, but for whatever reason it seems more prevalent in the node ecosystem than in others (even when comparing high-profile projects).


thank you...your comment is just awesome!!! i thought i was alone in understanding the real meaning of being a "minimalist" ;)


This is why we need tree-shaking and build-time optimizations to kill the unnecessary.


Wow, I love that people can wrap express and many of its components and end with something so different from its foundation. That being said, this level of "batteries included" approach has a cost.

In this example, it is the complexity of this file[1] and the fact that if you were to write this as a single express middleware you could probably write it in less than 20 lines.

Guess this is just not my cup of tea?

[1] https://github.com/remoteinterview/zero/blob/master/packages...

Edit: also looks like the author decided to wrap their own multi process model? https://github.com/remoteinterview/zero/blob/master/packages...


Yes, writting an express backend is really simple, some plugins, error-handling etc. and you can run it in less than 1 hour.

But the Frontend with webpack needs definitely more time, hours and hours to fiddle webpack to your needs. This project has a definded strucutre and support defined modules (react), so it could save you a lot of webpack config time, but you can not do everything with it. You have to use it as it is.


Setting up Webpack isn't even the time-consuming part, in my experience - it's getting the back-end and front-end to work together and having a comfortable development environment in which both live reload.


Exactly.

Only get them running is a thing of 2 minutes, but running with comfort and fit your needs is the hard part.


Lol, if the setup on the FE takes hours to fiddle something is wrong with the choice of tooling. I don't use webpack, so I guess I am just spoiled?


The alternative is using parcel. Zero is a server equivalent to Parcel (and uses parcel internally)


You never use it, or?

It is nothing wrong with the tool, the tool does what it does. I sayd to configure it, to fit exactly your needs, it take a long time.

Using an other tool will not change it.


People in this thread are way overly negative. I understand this tool as something to be used for prototyping and locally-only but everyone is jumping on how insecure it is or how it's got a bunch of dependencies, or it's just express, etc. None of that matters if you aren't exposing this to the internet. This is a really neat project that lets you play with something right away and a lot of you all are bashing the author for things not even in the scope of the project.

Lastly this has so many upvotes and is #1 on the front page because it's cool, fun, and perfect for a little prototype or POC. There are a number of positive comments buried at the bottom but the highest comment is about how this is a "Security Nightmare".

Edit: Typo and I wanted to add: Not everything posted on HN has to be battle-tested, scalable, parallelizable, profitable, cloud-ready, secure, etc. It's the kind of attitude in this thread that keeps people from posting their own work at all. No one want's to get torn apart, back off and provide constructive criticism or keep quiet. (Note: advice I have not always practiced in the past)

Edit 2: Show HN rules (https://news.ycombinator.com/showhn.html), I think this makes my point better than I can.

Show HN

> Show HN is a way to share something that you've made on Hacker News. The current Show HNs can be found via show in the top bar, and the newest are here. To post one, simply submit a story whose title begins with "Show HN".

What to Submit

> Show HN is for something you've made that other people can play with. HN users can try it out, give you feedback, and ask questions in the thread.

> A Show HN needn't be complicated or look slick. The community is comfortable with work that's at an early stage.

> If your work isn't ready for people to try out yet, please don't do a Show HN. Once it's ready, come back and do it then.

> Blog posts, sign-up pages, and fundraisers can't be tried out, so they can't be Show HNs.

> New features and upgrades ("Foo 1.3.1 is out") generally aren't substantive enough to be Show HNs. A major overhaul is probably ok.

In Comments

> Be respectful. Anyone sharing work is making a contribution, however modest.

> Ask questions out of curiosity. Don't cross-examine.

> Instead of "you're doing it wrong", suggest alternatives. When someone is learning, help them learn more.

> When something isn't good, you needn't pretend that it is. But don't be gratuitously negative.


I agree with you about the over-negativity, but I have to disagree about the value of the "security nightmare" comments. Nowhere on the marketing page (that I saw) does it say, "prototype/development use only!" In fact I got the opposite impression. It seems to want to be a new framework. It's critically important to surface security issues early and often.

There's already a cultural anti-pattern in the js world of just `npm install`ing stuff and shipping to prod without auditing well (I've heard a number of times, "well it has like 60 stars on github").

If the project marketed itself as a "development only" or non-production framework then I'd agree with you 100%. However as it stands it's dangerous and could lead to extreme compromise of a system if it gets deployed to a production environment.

That said security-minded people are often inconsiderate and horribly untactful in their approach. That needs to change. You don't need to be overly negative to point out a security issue. Something like, "Cool start, but might want to point out that it's not meant for production!" would be a lot better IMHO.


> That said security-minded people are often inconsiderate and horribly untactful in their approach. That needs to change. You don't need to be overly negative to point out a security issue. Something like, "Cool start, but might want to point out that it's not meant for production!" would be a lot better IMHO.

Agreed, and I also agree that maybe it should have a tagline about "not production ready" or even "never production ready". Not sure what the end goals of Zero are. I will say I thought it was pretty evident that this was not for production (if only to the sheer amount of "magic" inside) but maybe that's just me and it should have a disclaimer to that effect.


Maybe security people are getting tired of inconsiderate developers that keep shipping bazillions of insecure packages all over mission critical applications.

Devs need to change their culture. This behavior is actively harming end-users through repeated data breaches.


Do you honestly think it is developer's "inconsiderate" behavior that the root cause or even a main factor in the "repeated data breaches"?


Partly yes. They certainly have a professional responsibility to write applications that resist well known attacks, such as directory traversal, xss, sqli, etc.

This isn't new, and not knowing how to deal with it is like a builder not knowing how to safely stand up a wall.


> Agreed, and I also agree that maybe it should have a tagline about "not production ready" or even "never production ready".

That's a great idea! It should definitely be implemented.

With that said, what do you make of the point that things that are clearly not suitable for production (and sometimes labeled accordingly) have a nasty habit of making their way into production anyway? Do you think it has salience here? You're clearly a thoughtful person with your hear in the right place, so I'd very much like to hear your opinion.

Again, your point is both completely valid and absolutely correct. Purpose and labeling should be clear enough that no person could possibly miss them.


> With that said, what do you make of the point that things that are clearly not suitable for production (and sometimes labeled accordingly) have a nasty habit of making their way into production anyway? Do you think it has salience here? You're clearly a thoughtful person with your hear in the right place, so I'd very much like to hear your opinion.

I don't think I have a good answer. I'm currently serving a little over 6 million requests a month for a service I never advertised yet some non-zero number of developers copied code from stack overflow or wrote based on my github project to hit an endpoint that was just a demo. Since it was un-authenticated and I didn't notice the traffic until much later I have no good way to shut this down without pulling the rug out from under people. Eventually I will have to but since it's not costing my anything extra really I've left it.

Now I put a warning on it when I noticed the traffic but that was 3 years and 2 million requests less per month ago so...

I guess yes, we, as developers, should be better about putting warnings and the like on our projects but by the same (if not greater) token, people using existing code/services bear the responsibility to vet things they use. I don't know how to fix people to vet stuff better. Hell, I don't know how to make myself do that. That said you take risks every day, you risk your live when you get behind the wheel, you risk security holes when you don't vet code you use or build upon. I've weighed the risks of driving against the rewards and found the risk acceptable. For a lot of software I use I've made the same decision. I just don't have the time and energy to vet everything for myself and timelines and other pressures at work make it equally impossible there.

At what point do you say "Ehh, it's secure enough below this point"?

* npm library with 1000's of dependencies?

* npm library with no dependencies

* npm

* nodejs

* OS

* Hardware

I honestly don't know a consistent/standardized way to handle it.


As you so correctly and wisely point out, we take all kinds of risks every day. It's an inherent part of life. Yet we also generally accept that things that can be done in a safer way should be when reasonably possible.

At this point I'm leaning towards deprecating the idea that encouragement, positivity, and documentation will lead to developers making good decisions. As you've demonstrated, it's clearly insufficient, and I suspect your experience is an outlier but far from unique.

Increasingly, I think we may have to consider measures to get it right the first time. And we have to be sure our peers do too, because we're all living in the same environment and context. Otherwise, sooner or later, someone who didn't read a warning label is going to try to build a PII-handling business on Zero Server (or similar) and it's going to be a dumpster fire.

I would love a world where friendly encouragement, niceness, and documentation could scaleably do this. Sadly, it's perhaps possible that that world and this one could be slightly different.


Your conclusion seems to eschew the "honey" for? "Vinegar"? I'm not disagreeing, I'm just trying to figure out what this would look like.


Some might imagine it as eschewing heedless amateurism in favor of mature professionalism.

One starting point might be re-examining if all the negativity shown in reaction to Zero Server is actually excessive. Some of it surely is! It's also perhaps possible that some of it could be viewed as the horrified reactions of professionals who care about quality (and think about downstream effects) coming face-to-face with reckless engineering.


> Some might imagine it as eschewing heedless amateurism in favor of mature professionalism.

I don't fully understand what you're advocating, so I apologize if I am misinterpreting or mischaracterizing your position. But I can't imagine "mature professionalism" including berating or embarrassing another developer for creating a security hole. Some people do need that, but most don't. Many devs I've worked with are horrified when they find out they wrote in a vulnerability, and they try to grow and find out better ways. This is startup culture tho.

When I worked in enterprise type environments it was the opposite. There, you could send the dev a working exploit and most of them would groan and bitch about how "you security guys just want to tear things down and break things." I can understand being more of a dick in those situations, but I would still contend that's a venting of frustration more than a desire to actually teach. Most people just get defensive and put up walls when they feel attacked or embarrassed, and the learning is over at that point.


Berating someone is never helpful. Setting out to embarrass someone is never helpful. The goal should never be to blame someone. The goal should always to educate someone on what has happened, what exploits have been enabled, and how this could cause harm.

One issue is that full-throated encouragement coupled with suggestions of problems couched in uncertainty is the Dale Carnegie approach. I suspect you're using it now! It's well-suited to a great many situations, as documented in the man's seminal work.

Unfortunately, this suitability is not universal. It is fallible, and in security those failure can be quite dangerous. The Carnegie approach thus described makes it very easy for devs to notice the encouragement and ignore the suggestions of criticism. I have personally encountered this reaction in both open source and enterprise-y contexts, generally from developers who might be charitably described as highly enthusiastic. Including right here on HN!

I've also encountered the hostility you described in reaction to kind, generous, compassionate security reports of the sort you suggest. This has happened in open source, startup-type, and enterprise-y environments.

The key to what I'm advocating is this: you are not your code and the other person is not their code. Who wrote a vulnerability is not as important as that it exists. How it can be fixed, and how it can be prevented in the future, are what matter.

Professionalism means understanding the distinction between a craftsperson and what they have produced. It also means understanding the distinction between yourself and your work. It means understanding that ignorance isn't a character flaw, it's a temporary state of affairs that can be fixed.

It also means realizing that some who refuses to participate in fixing their technical ignorance is someone who is being unprofessional. Such a person might benefit from correction.


Ok, I think I understand your position better, and if so I agree.

> The Carnegie approach thus described makes it very easy for devs to notice the encouragement and ignore the suggestions of criticism.

This is definitely true, I've seen it too. Definitely something to watch out for.

I guess at the end of the day I think it comes down to "know your audience." Similar to the Principle of Least Privilege I like to follow (what I call) the Principle of Least Criticism. Don't use any more criticism than what is necessary, but (and I suspect this is where we will both agree) you need to use enough criticism that the person understands your point.


That's a wonderful idea! It's an ideal way to engage with people.

With that said there might be some significant limitations on the approach. The principle one is that it relies on knowing the individuals involved fairly well. This is easy in a close-knit and small startup environment! It could perhaps be more difficult in a sizable enterprise or open source context where you don't know the other party, don't have time to build a relationship, and/or can't rely on a long conversation to slowly build up to the least amount of criticism required. There's also the question of how to handle groups or meetings in which different people have different thresholds. When one person's minimum required might be someone else's excessive negativity and they're both in the room, there might not be a winning outcome with this approach.

Knowing your audience is an excellent and wise maxim to live by. It might not always be as simple to live by as could be hoped.


Wise words, I completely agree :-)

Thanks for the discussion


> That said security-minded people are often inconsiderate and horribly untactful in their approach. That needs to change. You don't need to be overly negative to point out a security issue. Something like, "Cool start, but might want to point out that it's not meant for production!" would be a lot better IMHO.

That's a wonderful idea! I'm absolutely certain that people will invariably respond quickly and reasonably to kind, compassionate, considerately made points. Especially ones that are very cautious to cough anything that might be taken as negative as a potential or a possibility.

For my own part, I've found this practice to be both exhausting to implement and highly unreliable in deployment. I'm absolutely certain that these just reflect my own failures. I'm similarly sure that you've seen infinitely better results!

After all, everyone knows that casually documenting something to the tune of "This code might not be as safe for production as it could be" will yield a reasonable level of caution in all developers.


The thing's brand spanking new, that's the biggest sign for "prototype/development use only!"


My initial reaction was, "that's fair" but then on more thought I don't think I agree. Firstly the npm package currently up is version 1.0.7, which doesn't imply "protoype/development/unstable/etc."

I've also been part of many open source projects and it's very common to not release/announce it until we've proven it ourselves in production.

So while I think one should definitely exercise caution with brand spanking new code, there's no way to know whether it was just ideated recently or has been in development for a while but just got released/opened for the first time.


Thank you! We only recently started working on this and ofcourse it’s not perfect.

All those concerns are very valid and will be addressed one-by-one. The project is open source under a decent license, I am VERY willing to accept any security PRs.


+1 on your positive approach to the negative comments. It looks like a great project: just remember not to loose your focus. :-)


>People in this thread are way overly negative.

That's most of HN these days, and why I never visit anymore.


For someone who doesn't visit, you are a pretty active participant


wah? He has commented 9 times in the last three months, you have commented 9 times in the last three hours. If he is active, what are you?


He's pretty active for someone who claims he never visits here.

I don't claim not to visit here.


Seems like it's been this way for at least a decade (that's about as far back as I've looked)


Your comment is here though, no?


I agree people tend to be overly negative on HN about projects like this, but the AFAICT the project does not state any caveats about the security and/or where it should or shouldn't be used.


I think any user should be responsible for vetting their tech choices. Why would the author put a disclaimer instead of fixing the issues?

In this case, the project is clearly too new/unstable/insecure to use in any real sense. It's presence as #1 on HN says more about the audience than the project itself I think.


IMHO a project with a trivial directory traversal vulnerability[1] is not ready for a shiny marketing site like this.

1. https://news.ycombinator.com/item?id=19256230


We can talk in generalities but since in this case we have more specifics let's go that route.

This is an open-sourcing of, presumably, an internal tool used at CodeInterview. It's "shiny marketing site" feels very cookie-cutter to me and I'd be shocked if that wasn't either a template or a very few handful of components from something like bootstrap/similar. And it was posted to "Show HN", which is important given the rules of Show HN [1].

> In Comments

[0] https://codeinterview.io/

[1] https://news.ycombinator.com/showhn.html


The website gives the impression of a polished product. It doesn’t come across as a POC. Therefore I think the security concerns are valid. Someone is bound to build something with this, get users and get hacked otherwise.


My God, the people on this thread. There are people out there, working as software "engineers," who think that if they can't personally find a vuln in 5 seconds, the system must be secure. How is this #1 on the site right now?


I thought that was ‘banter’ in your username.


That's pretty cool to quickly put together a POC app. There should be an "eject" command that would export everything to a "real" Node application, with package.json and so on, so that the POC can be converted to a real app easily.


Check out Reframe: https://github.com/reframejs/reframe

It's a web framework like Zero Server and Next.js but everything is ejectable.


Or alternatively, check out re-frame: https://github.com/Day8/re-frame

It's a web framework with a well-thought-out architecture that you don't need to "eject" from.


As others have said before, I think this is amazing for small one offs and maybe for beginning programmers. I'm afraid that, like all frameworks, people will start to misuse it eventually. Someone will make a little app with that, because it's so fast, simple and amazing, right? Later, however, the app will grow and it will become a maintainability nightmare. The only good thing about it is that you can easily get out of this framework and migrate to managing express/node/react yourself, or so it seems. It isn't like rails, where if you get into it, your app is so highly coupled to it that any escaping is impossible, even if your app becomes very complex.


Escaping and writing a custom node+express+React SSR server for a zero-based app should be easy. But zero isn't a 'platform' anyway. It's just an abstraction on common config and some glue code, all open-source so you can easily fork and improve.


Who is this for? Is the goal to enable people who don't know what they're doing at all to make applications?

Maybe at a glance that is a laudable goal, but surely there is a point where, if you need so much handholding, you should consider either sitting down and learning what you need or making someone else is build it for you.

Newbies? I guess that is possible, but I personally think that actually learning to use your tools and the libraries that are available should be the goal. Handing the control of everything to some 3rd party component is eventually going to leave the beginner with issues they have no way of solving because they've never had to learn anything.


There's a lot of value in removing all the plumbing you typically find at the start of node project to handle basic things like routing. I'm a big fan of moving all that "outside" the app

This might seem silly if all you're use to is working on some startup's big app with a dozen other people, but for small orgs that need to run small programs for a long time it's a mess to maintain that stuff over the long term and to count on lone coders in small engagements to get right.

> Handing the control of everything to some 3rd party component

In the cases I describe, this ^^ is a great idea. Keeps maintenance of the common stuff in a common place. Everyone freaked out in this thread about there being a way to get at files outside the project root. Well the author fixed that in one place and now it's fixed for everyone. How many times does an error like that come up and go undetected and uncorrected when even an experienced node coder has to copy pasta so much stock plumbing for the 1000th time to spin up a small service for a small org?


Prototyping, hobbyists, people who host a site about cats and don't need 1000 extra lbs of server side weight. Spinning up a simple API to learn a new client side library. Anywhere that tooling and configuration is getting in the way of someone learning something new. Seems perfect for some uses.


I think this is really nice for when I want to hack together a quick front-end for something. Once I have a working React/Node.js set up I can really quickly build something, but what usually stops me is the dozens of packages and things I need to wire together before I can actually start building something.

`create-react-app` is also pretty good, but this seems to do a bit more. I really like the simplicity of the set up and the fact that you can also just whip up an API call or something.


I find that the best thing about create-react-app is the eject feature.

It's an instant tutorial on how this damn mad hatter of an ecosystem works. They heavily commented the thing too !

Honestly, any lecture on react should have a part where people ejects and read the source code.


I am so confused why the 'good old days' of php is a good example of how to do application development.

Every php framework got away from that for really good mesure, including not having your logic in the server document root.


  Every php framework got away from that for really good mesure, including not having your logic in the server document root.
IMHO unless you are building a http daemon, "your logic" should probably not include routing http requests. Using directory tree, url rewriting or generally leaving the controller part of your logic to the underlying httpd is probably fine in most php projects. Note: php frameworks can't do microservices


It's for quick experiments and prototypes. PHP (without frameworks) was great for that.


Easier to create. With a path to scalability if ever needed.


Why is this any different than say, next.js?


Next.js does file-based routing for React pages. This does the same for your API functions too.


server is down (yay for proof of scalability ;)) so i can't tell for sure, but it looks like it's derived/based on next.js and comes from the same authors


server is up again and it wasn't the case.

the page and code styling misleaded me


this is impressive! I would absolutely reach for this first when scraping something together quickly. I'd be super interested in seeing numbers for just how far this can scale before falling over.


Currently this is as scalable as a normal node+express app. The aim for now is to improve development experience for now.


Love it, that's what I figured, and I agree with the aim!


Not to sound adversarial, but configuring a web framework tends to be one of the last difficult or time consuming parts of building a web app or backend in my experience.


If you need SPA then yea it's easy. But when you need SSR it becomes a whole different story.

Now imagine you want parts of your app to be SPA and some other parts of your app to be SSR. This becomes super complex. Frameworks like Reframe allow you to do that. (I'm Reframe's author (https://github.com/reframejs/reframe).)

Admittedly, mixing SPA and SSR views in one app is uncommon today but that's because people are not aware that they can do that. This will change.


Looking through the code on github found a .py file handler in the works: https://github.com/remoteinterview/zero/blob/master/packages...

Any idea of a timeline on this feature? I think it could be really awesome to be able to prototype with python in addition to js.


The js part (React, MDX, Node) is almost complete. I will put out a basic handler for python ASAP if that's going to be useful to you :)


Reframe author here (https://github.com/reframejs/reframe).

This is super interesting, what are you plans regarding this? Super curious.


Would be for me.


I'm interested


Supports the new hotness MDX. JSX/React components inside markdown. This is awesome for standing something up quickly. Thanks for creating this!


This is very cool framework and I will certainly use it for small to medium sized apps or website. However, just going through the doc there doesn’t seems to be a way to split components since any file is assumed to be a page. Any way around that?

Lastly, it’s a shame that the doc link points to github. The doc, as layed out in github is a perfect use case for zero.


It seems to me that you should have a folder (www?) that is served by zero, and a folder (lib?) that isn't. Then files in the www folder can import from the lib folder.


You are very right (and I did try that). I just wanted to avoid redundant docs for now. As it's a bit sparse and is continuously being updated.


Is there any way to "ignore" specific files or directories? For example, I want to reuse React components across different routes (exposed as jsx files). However, I don't want `mysite.com/components/Container` to be a valid endpoint.


Yes. It's not written in docs yet but any file or folder starting with _ (underscore) is not exposed publicly. This feature spec is still open for discussion as on how to tackle it the best.


seems like doing something like Next.js might be a better choice, aka have a main folder that exposes publicly accessible files, instead of having to add _ to each folders that should be private (it seems to me most folder/files would be private and not the other way around)


Check my reply to this comment. The underscore idea was one of the first things to come to mind too, but I think having a specific file makes it clear to others who might not understand Zero internals.


You are right. A .zeroignore file seems like a good idea.


Would that not count as a configuration file though?


You can still configure zero conf frameworks, it's just not explicitly required for it to function


Here we go. Zero conf :-)


I would propose adding support for a 'zeroignore' file to handle this. :)


For markdown based sites, why not statically generate the site? Why render it on each request?


As markdown can be dynamic in this case. (see https://mdxjs.com). Static 'export' can be a good feature though.


The time example reminds me of WSGI for Python. Neat that it supports templates too.


> Zero reads credentials from environment variables. Zero also loads variables from .env file in your project root, if it's present.

Security nightmare? Can I do myapp.com/.env and read the credentials from the wider internet?


Why would you assume that they have this bug? If you’re actually curious if the bug exists go read the code or try it yourself.


Another common on this page documents this bug on their production website.


Having Markdown rendered as HTML is basically all I want when I'm standing up a single web page or a small website. This is definitely something I'll bookmark for later.


Caddy also has native Markdown functionality, by the way. https://caddyserver.com/docs/markdown


While I embrace less configuration, you can't really avoid TLS these days. There is always configuration, many of configurations. Some implicit, some explicit.


Great job! Took 2 minutes to install and run.


Maybe a silly question, but is there anything one needs to consider before deploying this to, let's say, Heroku?


As others have pointed out, make sure to mark files that are not supposed to be exposed to the client by prefixing them with a underscore, otherwise you'll have a bit of a security issue. Otherwise, you're good to go.


Ace! but in terms of running it, how would Heroku know how to, ie. if there's no `package.json`, there'll be no `npm run start` defined?



Oh, never spotted this: https://github.com/remoteinterview/zero#running-on-cloud

Oops.

Couldn't see it on the main docs site (https://zeroserver.io/)


Nah


I for one think this looks great! Keep up the good work and don't get discouraged!


I agree. Fun idea and keep up the good work!


So cycle repeats, PHP reborn?


I thought we moved away from this sort of structure as an improvement?


Are there any plans to make this support Typescript in the future? :)


Yes. Should be easy! As we are not a typescript shop yet, we might need a hand with that. Otherwise, I will try to figure it out soon.


Nice work bro. Seems pretty solid. Congrats from fellow Karachian :)


Apart from the security concerns this actually looks awesome.


Weird how does it knows what certificate to get for https


You probably need nginx in front of this.


Where have I seen this before... CGI scripts?


How to override default routes, then ?


Can you give me an example of a rewrite? Zero already does some rewrites: https://github.com/remoteinterview/zero#route-rewrites


How's this different from Koa?


So... 2019's PHP?


At quick glance. Cool. Dig the idea, going to have to take a deep dive to see how things work later.

I still have to have a giggle at the similarities between what you produced and what is essentially a PHP/Dom/Apache setup.

The Async wait for initial props before what is essentially a template render just drove it home.

One key thing missing is an easy wrap around running tests. What would it take to add this?


I started with PHP / Wordpress themes myself and the aim here to bring back the simplicity of web development. Def inspired by PHP/Apache setup.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: