Golang vs Node Packages

2019-06-18

I was recently listening to a javascript jabber and there was a brief discussion about how golang and nodes npm packages work. Since I have an opinion and observations I’ll put those in this post.

Node

I am mainly a javascript/typescript developer so will start with the thing I know better of the two.

package.json

One of the things you will see in most of the javascript projects is package.json, even Ryan Dahl creator of node says he [regrets it]dahl slides. While it might look like a convenient way to work in node projects at first, soon you might hit some issues like:

  1. Node scripts, they seem convenient at first, but you can’t really put comments there or multiline scripts. In the end, there are far better tools for that, make (add link) would be one of them.

  2. A lot of noise, things that are npm specific.

  3. Tool configurations create even more noise. Most popular tools allow to include their configurations in the package.json what can create even more noise.

Repository is not a source of truth

Some time ago David Gilbertson posted and [article]npm hacking about how it is possible to add malicious code to npm package in a way that would be really hard to find by just scanning.

This article shows one of the biggest weaknesses of npm and centralized registry. The source in the repository is not the same code in the registry and even the code in node_modules can be transpired and mangled quite often.

Golang

I have way much less experience in golang, but after working with it for a bit anyone would see that the ecosystem is way more pragmatic. Some of the benefits:

  1. Golang src is the source of the library which you can inspect.
  2. No dependency on external URL once it’s there. It’s just stored in your GOPATH.
  3. There is a mentality of copy and paste in golang which is good. If you need a single function it might be easier that way
  4. Dependencies are resolved and put into module file if you are using golang modules, rather than doing it by hand.
  5. no tools neede for monorepos, you can just point to the repositories folders.

One of the biggest complaints about golang packaging was the GOPATH usage, but that it’s finally solved with golang modules.