Another critic, consultant Paul Shan, of the Void Canvas blog, has found issues with Node being single-threaded. “You really have to design your devops things very well to use your server machine properly. I think this is the biggest problem with Node.”
Meanwhile, the company Snyk is building a business tending to vulnerabilities in Node.js and Ruby apps. Here, Tim Kadlec, Snyk’s head of developer relations, sees Node’s issues as similar to those of other open source platforms.
Vickery describes the NPM ecosystem as “huge and dead easy,” meaning the ease of publishing packages adds to package noise.
“Anyone can submit a trivial amount of usually untested code as an official package. As soon as it has a decent amount of downloads per day or stars on GitHub, it’s now been vetted and ready for production, apparently,” Vickery says. This leads to the rise and fall of heavily used packages at a ridiculous pace, he adds. “Our team found we often had to switch packages halfway through a project due to development stalling and issues being fixed in a new-and-improved package.”
Input Logic has not found Node well suited to long-running tasks with heavy disk I/O. The company’s primary back-end services, APIs, and worker queues have been moved to Python.
But the Node.js Foundation is quick to defend Node, especially around security.
“The Node.js Project takes security very seriously,” foundation community manager Mikeal Rogers says. “Node.js has one of the most secure out-of-the-box SSL configurations, and we take pride in our security process. We were one of the first open source projects that went through and passed the Core Infrastructure Initiatives best-practices badges program from the Linux Foundation.”
Node has proved its ability to scale at organizations such as Walmart and Uber, Rogers says. It also can be used for CPU-intensive tasks, stresses David Mark Clements, a Node working group member and an architecture and performance consultant.
“In practice, Node.js performs well for CPU-intensive tasks, but when a bottleneck occurs there are thousands of C/C++ libraries that Node.js can connect with to perform at the best possible speed,” Clements says.
Moreover, Node.js fits cloud deployments nicely, he adds. “In an application, there is often a group of servers to handle the HTTP requests, and a group of servers to handle the CPU-intensive tasks. Both groups can scale automatically based on demand.”
As for NPM dependency issues, Node apps can total hundreds of dependencies, which Matteo Colina, Node Core collaborator and consultant, calls a “great” thing.
“Node.js has an unprecedented level of code reuse through projects and throughout the whole ecosystem,” Colina says. “This is often one of the main reasons why people choose Node.js: It has a vast module ecosystem, so developers don’t have to continually reinvent the wheel. If we developers can reuse code, we can develop new projects quicker.”
That said, NPM suffered a calamity last year when the removal of a 17-line NPM module caused others to fail. Node services vendor NodeSource is working to curate modules to prevent situations like this.
Even Vickery gives Node a nod, albeit with reservations.
“Node can be superhelpful for some things, NPM build scripts come to mind, but I find most of the products we build quickly outgrow its other use cases,” he says.
Shan lauds the Node community. “The community has a hell lot of modules and packages, which makes development supereasy for the developers. Even beginners are being able to write very handsome code.”
Kadlec sees Node security getting better. “The awareness is improving and the tooling is improving.”