@develwithoutacause genuinely don’t think Node is capable of delivering the kinds of changes needed to fix its own ecosystem.

For such a long time JS has been the only game in town when it comes to building for the web and the difficulties of language interop were always incredibly frustrating which created a situation where JS started becoming a pretty normal decision for backends.

I wish Google had properly invested in gRPC-web both at a protocol and tooling level because it was one of the few things that probably had the chance to solve it. That didn’t happen though unfortunately.

But looking just over the horizon at things like WASM (especially with things like garbage collection, WASI and it’s emerging component model) we are starting to see a world where containing rather than expanding use of JS is not only possible but probably sensible.

When it comes to serialisation if gRPC-web isn’t going to take off there appears to be a sensible path forward through things like CBOR and it’s own data definition language. We are just missing the surrounding tooling to provide a protoc like equivalent.

But knowing all of this I am extremely hesitant to start building anything new in JS in general let alone Node. Still lots and lots of cases where it’s one of the only sensible choices though sadly but I wish we would build more tooling around changing that future so we can finally retire it in the not too distant future.

@mdh I feel like there could definitely be some meaningful progress here. A form of #CSP and a `--no-eval` sound straightforward.

I'm not sure how #gRPCWeb factors into this though. From a security perspective, how is that different from a traditional #HTTP #REST service?

@develwithoutacause I mention gRPC-web only because I think cross language interop was so painful that it forced many teams to adopt Node as the reasonable choice for a backend despite all its other flaws.

If we had a better choice rather than manually serialising untyped JSON data structures across multiple languages (of which gRPC is one potential solution) we would see a much smaller adoption of Node which has a lot of series security issues built into its very core that are going to be very difficult to fix from its non existent idea of permissions through to its supply chain issues.

I guess the argument I am making is that it sounds like it would be a better use of time to build reliable standards based solutions for building client / server web apps rather than continually putting bandaids on Node because that’s the most convenient DX for a lot of teams right now.