What is wrong with JavaScript? We are still using it!

A very interesting interview (in German) with Douglas Crockford, the guy behind the JSON specification and many books on JavaScript, after his address as the “WeAreDevelopers” conference in Berlin.

c’t: You have written several books on JavaScript. When you look at the language with your knowledge today, what disurbs you the most?

Douglas Crockford: On JavaScript? That it still exists. 20 years ago, JavaScript was the most hated programming language in the world. It was also the most misunderstood programming language. I belonged to those haters and and misunderstanders. But through the circumstances, at some point, I was forced to take a closer look at the language. I discovered that it did actually have something brilliant about it. And then JavaScript has become one of the most important programming languages in the world.

c’t: And that is bad?

Crockford: That was 20 years ago, a generation ago. We shouldn’t still be using JavaScript, we should have moved on long ago. Bjarne (Stroustrup, of C++ fame) in his address this morning spoke about the things he didn’t implement in C++, because Dennis Ritchie had implemented them in C. Dennis Ritchie hadn’t implemented them in C, because his computer at the time only had 16 Kilobytes of RAM. He had to leave out a crucial function, simply because it was too big. We are still suffering, because of design decisions that were made, when computers only had 16KB. An average computer today has a million times as much memory. We are still restricted by thinking from the early 70s. It is time to get rid of that and to start again from scratch. With a new language that takes modern programming problems into consideration.

A really interesting interview and very thought provoking.

I’m not a software developer, but isn’t there something to be said for having a lean software stack? Just because we have more memory should we be trying to fill it up as fast as possible with as many fringe functions as possible? Micro-latencies add up and have a real impact on user experience.

That wasn’t the point. It isn’t about filling memory, per se, but that the languages we use today have their roots back in the days of limited memory, slow clock speeds and very simple processors and a lack of security worries, so they are heavily compromised.

A modern language can include those functions that were thrown out, because they were too big or too processor intensive back when they were conceived. A modern language can also include a lot of the lessons we’ve learnt over the last couple of decades.

JavaScript is a very problematic language, but it is a language that many people have picked up. But few who program in JS know much about programming and they use libraries that they include randomly on the internet, without understanding what they do, let alone checking to make sure it isn’t compromised.

If you want to see what is bad about JavaScript, just look at all the bloated Electron apps that are cropping up these days, they use way too much memory, are way too slow and they constantly need patching because of all the security problems in the underlying Chromium platform.

JavaScript is a scourge on computer science, in my opinion.
All of the bad rules around type coersion alone are too much.
http://charlieharvey.org.uk/page/javascript_the_weird_parts

An article written 2 years ago described why Javascript remains not just “in use”, but the language having the most employer demand.

“#1. JavaScript caters to beginner, intermediate, and advanced developers. JavaScript does not need any environment setup; just open a browser.”

“#2. Omni-platform. JavaScript can run everywhere.”

“#3. Open standards and community.” This is further supported by open source languages coming in right behind Java in terms of demand, Python and HTML/CSS. Proprietary languages are much further down the list.

“#4. Modern frameworks Rect, Angular and Vue.js have stabilized and are being optimized for better performance. Most frameworks are very developer-friendly with good community support.”

“Full-stack development and the modern frontend framework continue to help JavaScript cement its position as one of the most popular programming languages.”

STI’s are popular (as in prevalent) because sex is popular, not because the STI’s are desirable.

Actually, they’re not popular with anyone. There is no “demand” for diseases. Maybe the word you’re looking for is prevalent, which may apply within some specific subcultures. These are two different words with two different meanings.

Yes, and I used both, but perhaps you missed that. Must have been blinded by your Javascript fanboism maybe?

JavaScript is a horrendous language to learn, as a beginner or an experienced programmer. It does so many things wrong, it is a very poor environment to teach programming principles, because it teaches you to do things badly or just plain wrong.

There are many languages over the years that have done that, which were better languages, like Java itself, but they all fall down, because being omni-platform means they are all equally bad on every platform. Java is a very nice language, in principle, but it is an absolute pig at runtime, because it is so big and bloated - but it is still more efficient than JavaScript, which took the general syntax of Java and threw out all the good bits in the name of expidiency, because it was an interpreted language running on underpowered systems.

But Java isn’t JavaScript. Java is a proper language, well controlled and defined, if a little heavy. JavaScript has a modicum of control, but browser makers have always gone their own ways, defying the standards body or implementing things their own way. A lot of site that have to cope with different browsers have to have directives in them, saying “if IE run this code, else if Firefox run this code, else run this code for Chrome.” It has gotten better, but it is still a pain, even today. HTML/CSS is not a programming language it is a descriptive layout language.

There are very few proprietary languages, these days. Even C# is controlled by a standards body. C, C++, Java (as opposed to JavaScript), COBOL, FORTRAN, Ruby, PHP, Python and dozens of other languages all have their standards bodies and there are core implementations that are open.

They are a major weakness in the writing of proper, secure code. There have been several pipeline attacks agains the frameworks (and Ruby as well, it isn’t just JavaScript that is a security nightmare) in recent months.

The frameworks are so complex and intermingled, that a security flaw somewhere flows through the whole framework. Finding the maintainer is difficult and not everybody uses the latest code and those that use the code rarely bother to perform tests on it, because they assume that it has already been thoroughly tested and any changes added are controlled. This is a dangerous, and false, assumption, as has been oft demonstrated, especially in recent months, with code being slipped in to attack Russian developers, for example.

I’m not saying attacking Russian developers, in the current situation, is good or bad. The point being, the attacks could easily be targeted at American developers, Christian developers, Muslim developers, anyone who the writer of the module has a grudge against.

If a developer walks away from his module, nobody is left to maintain it and ensure it works properly, but it is still used by millions of websites. Again, this problem has cropped up a few times in the last 12 months, with modules suddenly stopping working and bringing the rest of the framework crashing down with it.

With controlled projects, with proper testing and controls, with finished code being thorougly tested, before it can be released, this is less likely to happen and problems will be flagged up earlier. These JS frameworks are called in real time, if someone posts faulty code, it is diseminated very quickly, with no central control on its release.

On the other hand, some sites make local copies of the frameworks and don’t update them, when severe security vulnerabilities are disclosed, leaving their sites vulnerable.

There is no perfect way of doing this, even in other languages, but the current situation of websites being written by inexperienced programmers with no experience about writing secure code, using frameworks and libraries on blind trust is a recipe for disaster.

This is a fundamental issue for the industry as a whole, but the proliferation and lack of control in JS, along with its very poor security credentials means it is a huge risk for everyone. This is one of the main reasons why Crockford was saying JS needs to be replaced by a modern language, designed to cope with modern problems - especially security - and building on the lessons learnt about everything wrong with languages built 20-30 years ago.

JavaScript isn’t full stack, though, it still needs HTML and CSS, and it still needs a back-end written in a suitable language.

JavaScript is fine for quick and dirty programming for simple solutions, but it really isn’t the sort of language that is really suited to modern, complex web frontends.

I say that as a developer with over 40 years of experience with languages from direct machine code, through various assembly languages, DCL, bash, REXX, AREXX, BASIC, COBOL, FORTRAN, Forth, Brainfuck, 1-2-3 Macros, Excel Macros, 4th Dimension, Pascal, Delphi, BCPL, C, C++, C#, ObjectiveC, Swift, VisualBasic, VBA, VBScript, SQL, Java, JavaScript, Ruby, Python, PHP and many others I can’t remember off hand.

All languages have their good points and their bad points. Some languages are fun, some useful for low level, fast and efficient acces, others for quick prototyping, but not for complete systems. JavaScript was a quick and dirty language, knocked up in a week as a proof of concept and released by Netscape against the developers will, as he believed it was incomplete. It has been continually patched up to get it working better ever since.

“JavaScript is a horrendous language to learn, as a beginner or an experienced programmer. It does so many things wrong, it is a very poor environment to teach programming principles, because it teaches you to do things badly or just plain wrong.”

While everyone’s entitled to their opinion, coding experts routinely list Javascript among the easiest languages to learn. A language that helps you get a job as easily as Javascript is, by definition, a very useful language.

It’s kind of like other topics taught by schoolteachers. They often prefer to teach things not useful in the job market. That’s why many college graduates have $250,000 in student loan debt but can’t find a job that actually requires any of the knowledge they learned in their major. Meanwhile, there are 18-20 year olds getting hired to program javascript based on what they learned in high school, learned in some community college classes, learned using web-based tutorials or taught themselves.

" The 11 Easiest Programming Languages To Learn According To Developers:

1. HTML

2. CSS.

3. Javascript: As a full programming language, Javascript handles programming loops and make logical decisions based on input, such as when you hover your mouse over a menu or when you type something into a search box. And because JavaScript can output HTML and CSS code, it’s able to make web pages interactive and dynamic.

But that’s not all JavaScript can do. Through project environments like Node.js, it’s possible to run JavaScript outside of a web browser and on the back end.This allows web applications to run using a single programming language from the screen to the server.

Who uses JavaScript? As the third of the web page design trio of languages, Front-End Engineers and Full-Stack Engineers should master JavaScript along with HTML and CSS. Also, since it’s functional on the server-side with environments like Node.js Back-End Engineers can benefit from learning JavaScript too.

Why JavaScript is easy to learn

While it’s more involved than HTML and CSS, JavaScript is one of the easiest true programming languages to learn. It’s an interpreted language and can easily be embedded with languages like HTML. Another thing that makes JavaScript easy to learn is that you can write complex snippets of code and test them in the web browser as you go. Also, if you already know HTML and CSS, then you’ll have a head start in learning JavaScript

4. Python (another open source language)"

“They are a major weakness in the writing of proper, secure code.”

Anything using a public-facing webserver is inherently high risk from an IT security standpoint. There are numerous vulnerabilities that can be exploited by state-sponsored hackers beyond the language. You see relatively low-skill amateur hackers defacing websites of major corporations and governments routinely. That’s often because someone failed to update their software with the latest available security updates. Javascript frameworks are usually the least of the security problems on public facing webservers.

“With controlled projects, with proper testing and controls, with finished code being thorougly tested, before it can be released, this is less likely to happen and problems will be flagged up early”

This appears to be commentary on open source development in general. Major corporations routinely leverage open source projects as a means of developing software they need, rather than trying to develop it in-house. The pace of development, and thoroughness of testing, is better when you have a large number of people outside the core development team assisting as occurs with open source projects. Android, Chrome, ChromeOS and the Apple Darwin code underlying its operating systems are just a few corporate projects using open source:

https://www.chromium.org/developers/

https://www.chromium.org/chromium-os/

https://opensource.apple.com/

How thorough testing is depends on those running the project, regardless of whether it’s an in-house proprietary software development project or an open source project. New open source software usually gets far more testing in the real world than closed source proprietary software.

Erm, 1 and 2 aren’t programming languages. They are Layout Definition languages, they have nothing to do with programming.

That a language is used, doesn’t mean it is good, which is the basis of Crockford’s interview. At the current time, it is the only option for web front ends, with WebAssembly a possible exception. Because so many people have to use the language on the front end, is has been abused to make a backend stack.

Likewise, Electron apps. This makes large, unwieldy and insecure “local” applications, not because it is the best language for the task at hand, not because it is a good language for the solution, but purely because it is the language web developers know.

Absolutely not. I’ve worked on several open source projects over the years, also in a testing capacity.

Well run projects, whether open or closed source, can be secure and they are well controlled, it just requires discipline and organisation.

Javascript is used by front end developers in the same way that, say English, is used to write books (for English readers.) You don’t really have a lot of choice, so you have to use what you have to use. That most certainly doesn’t mean that it was the best choice for front end development, but it was the first suitable solution (given that Java applet support was poorly implemented and Flash was no better (was poorly secured.))

Javascript is frequently used for trivial/silly things like web page animations and layout and the like, where there is a lot of monkey-see monkey-do trend following. Saying it’s easy to learn, most probably means that it’s easy to find example code to copy, because you can go to any site you see doing something interesting, and just steal code they used. That doesn’t mean that most front end devs are particularly good at coding, they’re just pasting a bunch of unmaintainable garbage together. If you ever look at the console log of a browser while it’s loading the average web page, you’ll see a fair number of errors logged. This tells you all you need to know about quality in the land of Javascript. It’s about the only language I know that ignores errors and keeps running rather than making the developer make more robust and intelligent code.

Javascript is the epitome of garbage in–garbage out.

BASIC was easy to learn. Doesn’t make it good. And it really doesn’t make it a good choice for beginners.

Coders complaining about JavaScript are usually not very talented coders. It’s not that difficult of a language. It’s actually an entry level language taught to high school kids.

The utility of Javascript is proven by Google, YouTube, Facebook, Wikipedia, Yahoo, Amazon, eBay, Twitter, and LinkedIn all choosing to use Javascript. They have the resources to choose other options. Google’s developed entire languages intended to replace JavaScript. They still use it.

The users of a language pick the winners. Coding purists and academics picking “the best” languages is a lot like “The King’s Speech” winning Best Picture at the Oscars in 2011. It made a small fraction of what Iron Man 2 made and the Tony Stark character was back in theaters 7 more times after that. It’s not a perfect analogy, since JavaScript never died and there’s no sign of it even declining in usage.

Regarding pholder’s irrational and highly emotional attack on Javascript, I can only assume something went very wrong in his career possibly due to his inability to use Javascript. Coding well is difficult. Life’s too short to take a job you’re not any good at.

That sounds like the unqualified opinion of an untalented person to me. How many operating systems, drivers, or firmware systems are written in JavaScript. Exactly none. A scripting language is not meant for serious development, it’s mean for quick one of scripts, or very little takes like managing a web UI.

Google and Microsoft hate Javascript so much they replaced/enhanced it into better languages, namely Dart and TypeScript. This is targeting the “VM” that runs Javascript with “compiled” code in the form of Web Assembly. Near as I can tell, as a mostly outsider to those platforms, the reason they had to build something better is because Javascript is too difficult to maintain for real projects.

In any case, it’s time to stop being a Javascript apologist. We’ve heard your opinion, it’s not well supported here, so let it go… move on and go make your code in whatever language and platform floats your boat.