
Node.js Digest #12: State of JavaScript 2023, Node.js vs Bun, Leaky NPM

Node.js Digest #12 by Oleksandr Zinevych

Hey, community! Oleksandr Zinevych here, Engineering Director at Avenga. It's time for a new digest. The heat outside is absolutely unbelievable, so let's dive into some fresh news from the world of Node.js 👇

Key Highlights

🔹 The usual updates: Node.js v22.4.1, Node.js v20.15.1 and Node.js v18.20.4. All three are security releases, so they are worth picking up promptly. Sometimes it's hard to keep up 🙂

🔹 pnpm 9.5 added Catalogs: you declare a dependency's version specifier once in pnpm-workspace.yaml and reference it from every package in the workspace with the catalog: protocol, so a monorepo upgrades a dependency in one place instead of in every package.json.

🔹 Vercel is adding Streaming support for all Node.js Vercel Functions by default.

🔹 Deno v1.45.0 update. You can review all the changes in detail here.

Finally — State of JavaScript 2023

6 months — enough time to hold elections in France, host the Olympic Games, or develop a Covid vaccine (only to recall it a couple of years later, heh). That's exactly how long it took the State of JavaScript 2023 authors to tally the results, draw pretty charts, and share with the community that (SPOILER) JS is alive and well, but there's less and less joy about it 🙂

Since JavaScript is predominantly used for frontend development, many questions focused on that experience. But the server-side wasn't left out either. You can check out the full results at this link.

Among the interesting and expected findings is, of course, what developers dislike most about JavaScript. The undisputed leader here is the lack of static typing. This is quite expected given how popular TypeScript has become. The current situation with ESM and CJS modules and working with dates also adds some pain for developers.

Among hosting services, AWS leads, with Vercel and GitHub Pages gradually catching up.

On the backend, Express is still the leader among all frameworks in use. In my opinion, the reason is that a lot of code has been written with it and it's a great fit for smaller applications. Express is flexible enough on one hand, and on the other, over its long existence the community has done an incredible job catching and resolving issues, stabilizing and optimizing it.

Node.js remains the primary JavaScript runtime, surpassing even the browser, which is expected given the drift toward various architectural solutions that use the server. Whether Bun overtook Deno because of hype or because it's genuinely a better tool — we'll see in the next survey 🙂

As of today, Bun is the runtime generating the most interest in the community. It had the most mentions in the detailed responses left by respondents.

TypeScript is incredibly popular and is used significantly more often than plain JavaScript. This is a fairly expected answer that most of the community already observes on their projects today.

These are just some of the facts that caught my attention. On the same topic, you can also watch a brief overview of the results from Theo Browne: Every Framework Sucks Now

SQLite Built-In

As I mentioned in previous digests, the new server-side JavaScript runtimes may never win significant market share or the kind of community standing Node.js has held for a long time. But they will certainly bring new ideas and solutions to server-side JavaScript that everyone else, Node.js included, may adopt. A discussion opened on the official Node.js GitHub repository about whether it's worth replicating what Bun already ships and adding built-in SQLite support. After a lengthy discussion nobody raised a clear, strong objection, and as of today the PR with the corresponding changes has been merged: it introduces an experimental node:sqlite module, and the comments make clear that the feature is still raw and needs further work. But progress is being made, and in the near future we'll see full SQLite support in Node.js.

A New Round in the Bun vs Node.js Showdown

It's no secret to most readers that one of the main marketing pillars of Bun has been its incredible performance compared to Node.js. When the first production-ready version of Bun was released, examples started appearing on both their official website and other platforms showing how fast Bun is and predicting that Node.js would soon die.

After some time, counter-examples started appearing showing that Bun isn't nearly as much faster than Node.js as claimed: sometimes it was only slightly faster, sometimes not significantly different, and sometimes even slower. Time goes on, and the Bun developers keep focusing on optimization and performance. Then on X, Daniel Lemire described an interesting case where Bun is significantly faster than Node.js, but with an interesting nuance.

The author decoded a Base64 string and compared the performance of both runtimes. Bun turned out to be several times faster than Node.js, even though under the hood both use the simdutf library (authored by Daniel Lemire himself) for the decoding itself. The interesting part is that Node.js is slower because of how it interacts with V8 and the extra layers of abstraction baked into its architecture, not because of the decoder. An interesting case with interesting thoughts from the author on the topic.
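If you want to repeat the comparison yourself, the harness below is an added example for this digest (it is not Daniel Lemire's code, nor Bun's or Node.js's own benchmark). Run the same file under node and under bun and compare the MiB/s it reports; the payload is constructed, deterministic pseudo-random data. It also adds the check a practitioner wants around Base64 input: Node's Buffer.from(s, 'base64') is deliberately lenient (it is documented to ignore whitespace inside the string), so a strictBase64Decode helper that rejects non-canonical input is included for the cases where a lenient decode would silently paper over malformed data.

```javascript
// Added example: a Base64 decode micro-benchmark that runs unchanged on Node.js
// and Bun, plus a strict decoder. No imports, so it works as .js or .mjs.

// Canonical Base64: whole groups of 4 symbols, padding only at the very end.
const STRICT_BASE64 =
  /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Reject anything that is not canonical Base64 before decoding. Node's decoder
// would otherwise accept 'SGVs bG8=' (whitespace is documented as ignored) and
// hand back "Hello" as if the input had been well-formed.
function strictBase64Decode(text) {
  if (typeof text !== 'string' || !STRICT_BASE64.test(text)) {
    throw new TypeError('input is not canonical Base64');
  }
  return Buffer.from(text, 'base64');
}

// Deterministic pseudo-random payload (xorshift32): the same bytes on every
// runtime, and no crypto import needed. Constructed test data, not secrets.
function pseudoRandomBytes(length, seed = 0x9e3779b9) {
  const out = Buffer.alloc(length);
  let x = seed >>> 0;
  for (let i = 0; i < length; i++) {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5; x >>>= 0;
    out[i] = x & 0xff;
  }
  return out;
}

// Decode `input` `iterations` times with the runtime's own decoder and report
// throughput in MiB/s of decoded bytes. The result is checked against the
// strict decoder so a fast-but-wrong decode cannot pass unnoticed.
function benchmarkDecode(input, iterations = 200) {
  const expected = strictBase64Decode(input);
  let decoded;
  const start = performance.now();
  for (let i = 0; i < iterations; i++) {
    decoded = Buffer.from(input, 'base64');
  }
  const seconds = (performance.now() - start) / 1000;
  if (!decoded.equals(expected)) throw new Error('decode mismatch');
  const bytes = decoded.length;
  return {
    bytes,
    iterations,
    mibPerSecond: (bytes * iterations) / (1024 * 1024) / seconds,
  };
}

function main() {
  const input = pseudoRandomBytes(1 << 20).toString('base64'); // 1 MiB, constructed
  const r = benchmarkDecode(input);
  const runtime = typeof Bun !== 'undefined' ? 'bun' : `node ${process.version}`;
  console.log(`${runtime}: ${r.bytes} bytes x ${r.iterations} decodes at ${r.mibPerSecond.toFixed(0)} MiB/s`);
}

main();
```

Save it as decode-bench.js and run `node decode-bench.js` and `bun decode-bench.js` back to back on the same machine; the absolute number is less interesting than the ratio, which is the nuance the thread was about. Note that the benchmark decodes the same string repeatedly, so it measures the decoder path and its runtime overhead, not allocation patterns of a real workload.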

How to Make Money the Right Way?

I won't give you the answer to this question, but the author of the ua-parser-js library might, having suddenly decided to change the licensing and make some money from those 12 million weekly downloads. Matteo Collina has already managed not only to write about this in a blog post but also to fork the library so it can continue to be used for free. Overall, this library is used by many, and such a sudden change will affect a large number of projects, so get ready to update 😉

Leaky npm

Writing about security issues in npm has become a good tradition for my digests. Usually, these are problems with specific packages and developers who don't pay close attention to what they use. But this time the situation is a bit more interesting.

The Lupin & Holmes team found a vulnerability that could potentially make any npm package temporarily unavailable. GitHub thanked them and paid $500 for the finding, with the comment that it already knew about the issue. Whether they knew or not, even a short outage of a popular npm package would cascade through the builds and deployments of a huge number of projects; a committed lockfile plus a caching registry proxy is the standard way to stay buildable through such an outage. You can read more about the finding and why it matters here.
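Since the registry itself is out of your hands, it's worth at least controlling what your lockfile pins. The script below is an added example (not from the digest, Lupin & Holmes or GitHub), a minimal version of what tools like lockfile-lint do: it reads a package-lock.json with lockfileVersion 2 or 3, whose packages map is keyed by paths like node_modules/foo, and flags dependencies resolved from a host other than the one you expect, fetched over anything but https, or recorded without an integrity hash. The allowed-host set and the sample lockfile at the bottom are constructed for the demo; point auditLockfile at your real lockfile by reading and JSON.parse-ing it.

```javascript
// Added example: a lockfile audit for package-lock.json (lockfileVersion 2/3).
// It does not handle v1 lockfiles, which use a nested "dependencies" tree.

// Assumption for the demo: everything should come from the public registry.
// Replace with your proxy or mirror hostname if you run one.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);

// Returns a list of { name, issue } findings; an empty list means every
// downloaded package is pinned to an allowed https host with a sha512 hash.
function auditLockfile(lockfile, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  const packages = lockfile.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '') continue;       // the root project itself
    if (entry.link) continue;        // workspace symlink, nothing is downloaded
    const name = path.replace(/^.*node_modules\//, '');

    if (!entry.resolved) {
      findings.push({ name, issue: 'no resolved URL' });
      continue;
    }
    let url;
    try {
      url = new URL(entry.resolved);
    } catch {
      findings.push({ name, issue: `unparseable resolved URL ${entry.resolved}` });
      continue;
    }
    if (url.protocol !== 'https:') {
      // git+ssh:, http:, file: and friends bypass the registry entirely.
      findings.push({ name, issue: `non-https source ${entry.resolved}` });
    } else if (!allowedHosts.has(url.hostname)) {
      findings.push({ name, issue: `unexpected host ${url.hostname}` });
    }

    if (!entry.integrity) {
      // Without a hash, npm will accept whatever tarball the URL serves next time.
      findings.push({ name, issue: 'missing integrity hash' });
    } else if (!entry.integrity.startsWith('sha512-')) {
      findings.push({ name, issue: `weak integrity algorithm ${entry.integrity.split('-')[0]}` });
    }
  }
  return findings;
}

// Constructed sample: one clean entry, one re-hosted tarball with a sha1 hash,
// one git dependency, one registry entry that lost its integrity field.
// The hashes are placeholders, not real digests.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/fastify': {
      version: '4.28.1',
      resolved: 'https://registry.npmjs.org/fastify/-/fastify-4.28.1.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==',
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://cdn.example.net/left-pad-1.3.0.tgz',
      integrity: 'sha1-' + 'B'.repeat(27) + '=',
    },
    'node_modules/some-lib': {
      version: '0.1.0',
      resolved: 'git+ssh://git@github.com/example/some-lib.git#deadbeef',
    },
    'node_modules/other-lib': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/other-lib/-/other-lib-2.0.0.tgz',
    },
  },
};

function main() {
  const findings = auditLockfile(SAMPLE_LOCKFILE);
  for (const f of findings) console.log(`${f.name}: ${f.issue}`);
  console.log(`${findings.length} finding(s)`);
}

main();
```

Run it in CI and fail the build on a non-empty result; that turns "pay attention to what you use" into a check that doesn't depend on anyone remembering to look.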

Something to Read

🔹 Haven't worked with Vercel Functions and don't quite understand how they work and what they're for? The official Vercel blog published a post with a brief overview of the service.

🔹 Many of you are familiar with approaches to building distributed systems, but it's always a good idea to refresh your memory on things you don't encounter directly every day 😉

🔹 Have you heard of PASETO? How does it differ from JWT? For a start, a PASETO token's version and purpose fix the algorithm, so there is no attacker-controllable alg header to negotiate. If that's news to you, it's time to find out more.

🔹 I always enjoy reading about technical challenges and how large companies solve them. This time it's about how Slack fought compromised cookies.

🔹 While Express is the leader among server-side frameworks, in some areas it doesn't satisfy every need of projects and users, leading to a need to switch to another framework. In his blog, Tom MacWright shared Part 1 of his story about why they switched to Fastify.

🔹 It looks like ESLint is gaining momentum and has started moving in a new direction. You can read about what has changed and what will change on the official ESLint blog.

🔹 Eric Allam talks about his team's battle with Event Loop lag.

🔹 Waldek Mastykarz writes in his blog about how to create an npm module with CommonJS, ESM, and TypeScript support.

Something to Watch

🔹 Luca Mezzalira talks about how to think correctly in the Serverless paradigm:

🔹 Is npm safe? A new video from Theo Browne:

🔹 Concurrency and Parallelism — do you understand these concepts well? In a short video from ByteByteGo, the author explains the essence of both concepts:

🔹 A sort of reality show about what app you can build with 30 minutes for planning and 4 hours for development. It's not directly about the Node.js world, but the format is interesting:

🔹 A bit about the Polyfill attack that shook the web community. I highly recommend watching this short overview of what happened and why it's so important to pay close attention to what you use in your applications:

🔹 Modern cloud-based services and the features they provide offer many advantages, but there are also significant drawbacks. Some thoughts on this topic in the following video:

🔹 A bit about Drizzle ORM on Web Dev Cody's channel:

🔹 Some more about System Design, specifically about Distributed Priority Queue:

Library of the Month

This month we have a library again, and not just any library, but one that delivers excellent performance. How often have you needed to turn an object into a JSON string? For typical everyday tasks JSON.stringify() is fine, but what if serialization is on your hot path? That's where fast-json-stringify comes in: it compiles a serializer from a JSON Schema you supply, which is what makes it faster than the generic JSON.stringify(). The same design has a useful side effect: only properties declared in the schema are written out, so a field you never meant to expose does not leak into the response just because it happened to be on the object. You can read about why this library is great and why you might want to start using it today, for example, here.