Deno, a Secure Runtime for JavaScript and TypeScript - Ryan Dahl, Deno Land

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hello hi I am feeling weird giving a virtual talk I guess I guess everybody's doing that these days though my name is Ryan I'm going to talk to you about this project adeno that i've been working on for the last two years now or so we have just released version 1.0 about a month ago and yeah I just thought I'd give you guys a bit of an overview about it and some demos and if I understand the program correctly hopefully you can ask me some questions at the end of it so first off just a just a bit of an overview so C++ and rust and go are really interesting developments in in computer infrastructure they're they're allowing us to more easily make machine code programs and it's getting better all of the time but the fact remains that most software is not CPU bound and it seems that most software is is done in dynamic languages like Python and Ruby and JavaScript these dynamic languages aka scripts are easy and succinct and they often are the most minimal way to describe certain algorithms and amongst these these dynamic languages Java Script is is arguably the fastest and has the largest community of programmers because it's the language of the web browser so with that in mind back in in 2009 I started the node project to bring JavaScript to to the server or out of the web browser that is and this turned out to be a really successful project it's essentially turned into the PHP s of the 2010 and has ubiquitous cloud support and is used by essentially all front-end frameworks and yeah I mean in in some way or another essentially every website is using node but since 2009 the JavaScript ecosystem has has improved very rapidly and has new features and systems that were not around back then so for example the array buffer is a system to allow accessing raw binary data and javascript that was not there when and we originally designed the the TCP system in node a single weight of course is is amazingly useful when you're dealing with asynchronous systems and most importantly the the es modules has has provided a way to provided a module system a standard module system in JavaScript and so Dino is is built trying to take take advantage of these new developments so in in many ways it's it's very similar to node you know it's it's a program for executing JavaScript outside of the web browser and it's a built on top of the v8 JavaScript VM and of Chrome and it's open source and MIT licensed but instead of C++ it's written in rust and yeah kind of the the a lot a lot of the utilities that provides are quite different so it has built in dev tools for testing and linting and formatting and Doc generation and it's been designed so that it can be embedded in other software and it tries to use web api's where it can with the idea that we want to we want this thing to be as broadly usable as possible so we really want to to kind of appeal to to developers you know I think the the web browser is kind of the largest developer base and by using those api's we we can appeal to the largest segment of the developer population so Dino is a bit different in that you know it's it's making use of these es modules and it has this this weird property where you can actually put a raw hgp URL into as give give give a raw HGP URL as the module specifier in import statements this is actually something that's that's possible in web browsers these days so it's it's a web compatible system and what this allows you to do is is basically import code directly from the internet and yeah this this has some some interesting properties so you know when you talk about importing code directly from the internet you quickly run into into I have some security questions right how do you know that you know you're just pulling from from a random URL I mean what what sort of trust can you have from that well I mean you know you're if you're if you're pulling from a random and p.m. package what sort of trust can you have from it either right not not much but you know this this kind of makes the the fact that you're pulling random code from the internet a bit more explicit not that you're not doing that already and with you know ruby gems or NPM packages you're certainly still pulling random code from the internet but because this makes it more explicit you know we we think that it's important to to make use of the fact that v8 is a secure sandbox and so so Dino by default also retains this security sandbox of v8 and so well let me let me jump into some demos and you'll see what I mean so first of all hoops I need to copy and paste this so I'm going to do first is show a gist program just is this github pasting server and essentially it's it's a way to paste code on the Internet and there's an API where you can you can basically post post a file and then send people get it get a URL and send it to people and so we've got this program and this program is a is a is a URL to a typescript file and if I enter it in my browser we've got this website where it displays the code and the interesting thing here is is that you know when you display it on get it through the web browser you get this this this website but if you curl it you actually get the raw raw text and the the way that we're doing this is is through the accept header right so so web browsers can send an accept header with with each request that says oh I want HTML and based on that we're we're able to either serve up the raw content the the raw text file or not anyway what we're going to do is dino has the ability to to download this program directly and run it and so what we that this program works if I just run it I'm going to get some permission error it says uncaught permission denied access to environmental variables run again with allow M flag so just in order to to paste a gist and if you look through the code you'll you'll see that that it's trying to get this environmental variable just token so that it knows how to which user to post ads on on just so you know we don't just allow anybody to have access to environmental variables we have to give it the allow M flag and you know it's it's going to also need to have a low net because it's going to be accessing some server but yeah let's let's just see that happen so right when we when we run it it's it's you know it's fetched my my secret just token environmental variable and now what we need to it's it's giving me this usage message because I haven't actually given it a file to to upload and so what I'm going to do is try to upload this this readme file that's in my current directory yeah to the gist server and when I run this I should get one more error which is that oh it doesn't have read access to the filesystem actually two more errors so we're going to have to give it - allow read and just skipping ahead we have to give it allow net as well because it's going to access just github.com and when I run this it says Oh success it's it's taken this file and it's given me some URL which if I go to it hopefully will contain this this Dino readme file right so this is kind of I I think the interesting thing about this is is that I didn't need to install anything right this is a command-line utility that you know previously you might have npm installed desk g to kind of get this this program but here i'm running it without without installing anything now we do have kind of an install version and the way this works is that if i I think if I so I'm taking out the the readme because ok so what I'm going to do is instead say dunno run I'm going say it's demo install and what this is going to do is it's basically going to create a little shell script oh it's it's airing out because I've already got it installed I'm going to have to do - - forced to overwrite my previous installation of Dino gist so it's created this little shell script and if I cap this shell script I mean essentially it's just copy and pasted this this command line into this shell script right and so so now I can do things like just read me and it will work like that so we have this very simple way to essentially create bookmarks - to command line scripts right so so this is kind of what I mean by it by a web browser for for command line utilities or even programs in general this next example is is a whole website actually so when I run this I think this is running a whole react website so you know obviously this is just program is pretty small but the claim here is that we can do kind of arbitrary complexity here and so what I'm going to do is Dino run allow net allow read and let's let's just take a look at what this what this program is you know it has some some relative includes it's it's including a or importing a TSX file starting some sort of server etc and it's I guess it's going to be listening on on port 3000 when I run this hopefully it will work see listening on port 3000 seems to have done it and let's go there it says hello demo land Dino land and has kind of this example react server you might have noticed that this started up really fast and there wasn't any downloading or anything happening that's because this this file here is is cached to my local my local machine and you can find out more about the cache information if you type Dino info oops there's a lot of output so when I type Dino info with with kind of the the entry point script I I can find out that it has kind of a locally cached version in in this directory and this is a typescript program and so it's it's been automatically compiled to JavaScript and it exists in in this location here and here's a source map file and then it even gives us a dependency tree all with all with valid URLs and so so this entry point depends on mod tsx which in turn depends on depth es which in turn depends on react from JSP m and so on right there's there's a lot of dependencies in here so yeah just just kind of as an example of a more complicated program so where's my slides right so even something more complicated here is this program which is also given as a URL and and I might as well show you this source code first so this is also displaying a little website but it's using this this web view and as you'll see it's it's kind of a little mini GUI application and it's going to create two windows really really simple thing with two - native windows right and the way that it does this is with with Dino's plug-in interface which is still unstable but essentially allows you to plug in to essentially allows you to load a DLL of that kind of can contain arbitrary native code and yeah so that that's why we need this unstable and just FYI this - capital a just means opt out of all of this security sandbox nonsense let's just let's just run it let's let's let's be crazy by the way if you're loading a DLL a plug-in as we call them you know kind of all your security bets are off because we we don't have you know if you're going into some some random rust code we can't control what what you're doing at that point so you know the okay so anyway I'm going to run this and as you see it's it's created these these two windows here yeah so anyway I'll you know I'll I'll leave this for you to play around with but just just kind of a sampling of what Dino can do and yeah I mentioned earlier that we have a bunch of tooling so let me do Dino help and you'll see that we've got all these sub commands so we have like bundling dock and format and install and lint so you know let me let me just give you an example here of let's say that just file or let's let's take this this entry point TS hopefully this works and haven't tried this yet but let's let's just try to bundle bundle this guy right so what it's going to do is it's going to create a single javascript file with with all of the dependencies bundled up in in here really crossing my fingers now that this actually works maybe seam it outputs it to standard out so yeah seems it seems to have worked I'd rather show you these other tools since bundling exists let me let me show you format so so Dino format is is essentially our version of prettier but implemented and rust and so much faster and what I'm going to do is just format some files I've got this directory here I'm actually in the Dino directory and this is some code that's kind of built into Dino we in in Dino itself in art internal stuff we actually don't use this Dino format yeah we use prettier still although hopefully we'll be changing this this soon but I'm just going to use this as an example of formatting a bunch of code right and giving you a sense of of how long it runs this is this is runs like that I guess not not dissimilar to not dissimilar to to prettier if I do a get diff it's not exactly the same as prettier but it's pretty close seems seems like Dino format likes trailing commas right whereas whereas prettier are prettier current prettier situation does not so let me reset that Deno dock is too fast too fast Dino dock okay so first of all here's here's some some server and some some code this is our HTTP server so you can you can throw this in the web browser and see the code here what we have is a we're able to parse the ast and kind of display documentation and so if you type Dino dock and give a URL or a relative path to some local source code we will print out a bunch of documentation for this so we can parse out the the J s stock comments and the typescript types and kind of display them and you know you can kind of narrow in on some of this stuff so maybe if you want to learn more about server requests you you give that as another argument and you can you can kind of see see some more of it and of course we have JSON output so if you want to have kind of do a structured display of this and I think this doesn't work with the second argument so I think I need to do that right so if I if I give this JSON argument here then we get the same output that was displayed previously but but in kind of a computer readable form and what's cool about this is that we've actually taken this and built a website around it and so in the Dino website here if you go to one of these these source code links and click view documentation will actually render out that JSON into into a file into a documentation that you can view online so yeah I mean essentially any any URL yeah and by the way if you go to Dino doc and you can put in any any random URL here right including things that are not on Dino land and it should be able to generate documentation for for that for that URL so one more thing Dino lint this has just now come out and this is essentially our version of our version of eslint it's unstable still so you have to provide that unstable flag but if I give it a directory of source code which I'm going to give this CLI tests unit this is a bunch of source code that has not been Lintott yet you will see that it runs very fast our our Dino Lent program you know is is not feed does not yet have feature parity with with with yes lint but we're making fast progress with this and we've clocked it in about two orders of magnitude faster than yes lint so do check this out and I should mention that Dino lint is distributed as a standalone rust crate that is potentially usable inside outside of Dino itself and so potentially this could be used for other four node projects so not necessarily denote specific all right so I'm going quite slow here gotta speed it up right so I should mention that you know we've we've designed this this thing a bit differently than node note is kind of this monolithic command-line application Dino is not you know is a set of crates and we've built it this way because we've seen that there's there's certain use cases where you might want to execute some JavaScript but not necessarily spin up a whole node process right and and you know all of the things that come with that install NPM packages and whatnot so for example databases often use JavaScript for MapReduce functions or serverless products like CloudFlare workers might want to execute some JavaScript on every incoming request or say electron style GUI applications where we're like vs code where you just need to you need some program ability but you necessarily want the whole Dino executable so with that we've we've provided this Dino core cream which is a very much trimmed down API of the Dino executable and so I encourage you to look at that Dino core actually depends on an even lower level crate which is called rusty v8 this is our wrapper around v8 that is relatively safe I'm not going to it's it's not 1.0 yet so I'm not going to say that it's it's a completely safe API but it's a it's very close to being a completely safe way to interact with an extremely complex VM so please have a look if you're interested in that internal design of Dino I'm just going to speed through this really quick we have we designed this quite similarly to an operating system and so inside of Dino we as we have this idea of ops which are equivalent to syscalls that's how you reach out of the the VM and we have something called like file descriptors these are called resource IDs to not confuse things and processes are essentially equivalent to web workers in Dino by the way we use the standard web worker API that you get in the web browser and the way that we organize all of this is that basically the only way to call in and out of the VM is is using un8 arrays array buffers and you might think that that this sort of serialization is is quite slow but we've put a lot of effort into this and you know essentially there's these are zero copy operations there's we're essentially point passing pointers back and forth from from JavaScript to to rust and yeah I won't go into any any more details on that so as I mentioned earlier Dino is at one point O and the Dino API is stable for the foreseeable future we are fixing bugs fixing bugs and going to be fixing more bugs we will releasing minor releases one point X releases on a monthly cadence 13th of every month and yeah there's a lot of interesting future work like op crates which allows basically splits up the the CLI into into more useful bits we are thinking heavily about adding GPU support through through web GPU or WebGL API is to enable machine learning applications there's also this feature that people are pretty interested in which is you know compile which would take some JavaScript and compile it to a binary not really it would package up the JavaScript and it would take a v8 and it would kind of bundle this all up but at the end of the day you would get in executable so that I think those things would be quite interesting please reach out if you want to get involved so thank you very much
Info
Channel: OpenJS Foundation
Views: 8,792
Rating: undefined out of 5
Keywords:
Id: doug6st5vAs
Channel Id: undefined
Length: 27min 39sec (1659 seconds)
Published: Thu Jun 25 2020
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.