Article directory
The JavaScript runtime helps you build advanced, server-driven JavaScript projects that don't depend on the user's browser to run.
There are several runtimes to choose from, with the established supremacy of Node.js being challenged by Deno and Bun. Deno is the latest project made in 2009 by Ryan Dahl, the developer who originally created Node.js. Deno aims to improve its security with fine-grained access controls and provide more modern features such as native TypeScript support and better web compatibility.
Bun, meanwhile, is the latest upstart, offering blazingly fast speeds and significantly better than its competitors. However, it is still in beta and has some gaps that need to be filled before it can fully go into production (version 1.0 is currently released on September 7, 2023).
Why Choosing the Right JavaScript Runtime Matters
The JavaScript runtime allows you to run application code outside of the browser. This means you can deliver your site as a hosted application. Alternatively, you can choose to use the JavaScript runtime for generic scripts.
The runtime you choose will have a significant impact on the performance of your application, with request processing and database access speeds varying greatly. It also affects ease of development and scalability.
In addition to the different features available and how they impact performance, developer experience is also important. Your team's preferences, such as their experience with the runtime and their willingness to experiment, will determine which runtime is right for you. Do you prefer stability or speed? Would you like native TypeScript support to have a richer runtime or a more customizable environment? These are just a few examples of questions you might ask yourself when deciding on a runtime. Understanding what each runtime offers can help you make the most informed decisions.
Introducing the JavaScript runtime
Before comparing these runtimes in terms of performance, stability, and security, let's give a basic overview of each:
Node.js
Node.js is the reigning JavaScript runtime champion and was named the most popular web technology in 2023 by Stack Overflow developers . It was created by Ryan Dahl and launched in 2009. To be fair, it revolutionized what you could do when JavaScript entered the market. With it, developers can create advanced backend-driven applications using JavaScript.
Today, there is a huge Node.js-centric ecosystem with rich resources and libraries. But as with any runtime or technology, there is always room for improvement. This is where Deno and Bun add options to the JavaScript runtime environment.
Not
Deno is a Rust-based JavaScript runtime. Like Node.js, it was created and launched by Ryan Dahl looking to improve upon what was offered in Node.js. You can see and hear more about Ryan's motivations behind Deno in his recorded talk at JSConf EU .
One of its main focuses is improving Node.js security . In Deno, file, network, and environment access must be explicitly enabled so that security issues typically caused by these areas are less likely to occur. It also aims to have better support for JSX and TypeScript, as well as be more oriented towards web standards. To simplify deployment, it provides the application as a single contained executable file.
Deno also provides an ecosystem of tools around it, allowing developers to jump-start their projects. Fresh is a web framework built for Deno and Lume is their static site generator.
Bun
Bun is the latest runtime vying for your attention. Powered by Zig, it aims to be an all-in-one runtime and toolkit focused on speed, bundling, testing and compatibility with Node.js packages. One of its biggest draws is that its performance is significantly faster than both Node.js and Deno. If it could achieve all of this, it would become a very attractive proposition.
Regarding its performance, the Bun maintainer provides an example benchmark running an HTTP handler that uses React to render a server-side page. This caused Bun to handle about 68,000 requests per second , while Deno and Node.js handled about 29,000 and 14,000 requests, respectively. This is a big difference. Jarred Sumner regularly provides updates on Bun development and recent benchmarks on Twitter , so be sure to follow him to stay up to date.
Bun also includes bundling and task running capabilities for JavaScript and TypeScript-based projects. Similar to Deno, it provides a single binary with built-in Web API support. It also supports some Node.js libraries with npm compatibility.
Compare JavaScript runtimes
Now, let's take a closer look at the differences, focusing on performance, support and community, stability, security, and additional features.
performance
Let’s get straight to the point, Baozi wins. We previously looked at its performance capabilities, i.e. how many requests per second it can handle, which is pretty impressive. In terms of database operations, the situation is similar. When loading SQLite's Northwind database using Bung's benchmark example , the average queries per second are as follows:
In another comparison between Node.js, Deno, and Bun , Bun was the fastest at handling concurrent connections. It also has a pretty high number of requests per second. For example, with 10 concurrent connections, Bun achieves 110,000 requests per second, while Node.js achieves 60,000 and 67,000 requests for Deno. This trend continues as the number of concurrent connections increases and the performance of each runtime increases.
While there is some debate over the validity of the scenarios used for performance testing , Bun is still the winner. Node.js ranked last in all comparisons, doing particularly poorly in database speed. Deno and Node.js are usually not far apart, Bun is far ahead of both of them. Although Node.js lags behind in this area, Yagiz Nizipli is leading performance improvements in several areas of Node.js. For example, improve URL parsing speed by ~80-90% .
Bun's speed has been the main focus of its developers, and uses JavaScriptCore in Safari. And Deno and Node.js use the same V8 JavaScript engine as Chrome. There are plans to further improve Bun by removing dead code in compiled binaries (so far, it has been partially implemented).
In addition to running quickly, Buns are designed to start quickly - with the goal of maintaining performance when spinning up multiple instances. This makes it a good choice for dynamically scaling applications. If you experience a sudden traffic spike and need to create instances quickly, Bun is designed with this in mind to make your service available as quickly as possible.
Community
Every year there is a survey of developers called The State of JavaScript. Among them, there was a question around the runtimes that participants frequently used, with nearly 30,000 respondents. The results of the latest 2022 survey also paint Node.js as the clear leader, with Deno trailing with 5.3k votes and Bun with around 1.2k votes. This is to be expected, and it will be interesting to see how these numbers change in the upcoming 2023 survey results. Maybe we'll see some new trends in Deno and Bun.
- The official Node.js documentation includes various guides, a large API reference, and getting started information. There is also information available about its dependencies.
- Deno's website includes a very detailed manual to help you get familiar with the runtime and start using it in your projects. Its homepage puts installation and access to documentation at the forefront, so newbies don't have to hunt around for help. There is also some information about the standard library that developers can use out of the box. The Third-Party Modules page is a convenient way to understand what's available in the ecosystem. It contains over 6,000 modules (as of August 2023) and some sample code.
- Bun's homepage prominently links to its Discord, docs, and GitHub pages. Documentation has improved significantly since it was first provided. They now have a comprehensive dedicated site with information covering a variety of topics such as getting started, using the bundler and test runner, and API reference. It even now has guides showing how to use Bun to accomplish common tasks.
stability
An established player, Node.js offers proven performance, powering 2.1% of the world's websites. It's a known quantity, and a product on which a large number of projects depend. If you do have a problem, there's a good chance someone knows how to fix it.
Version 1.0 of Deno was released in May 2020 and is considered the first stable release. However, adoption has been slow, perhaps because there is no "user-perceived" differentiator to win collective support from developers. Since its 1.0 release, it has made great strides in improving the developer experience while maintaining stability with each release so that developers can upgrade with little to no impact.
At the time of writing this article, Bun has released version 1.0 in September 2023. As such, its stability and coverage of the Node.js core API has improved significantly since the beta release, and it will likely continue as more and more people in the community look to adopt it in their projects .
Safety
Security can be a weak point when using npm for dependency management, and that extends to general application security pitfalls when building on top of Node.js. Creating a more secure runtime was one of the driving factors behind the creation of Deno, which revolves around fine-grained access controls to sensitive APIs, such as network requests, filesystem operations, and other core functions. Node.js is not far behind in this regard. Node.js 20 introduces a permissions model that allows for similar security aspects to Deno.
There are many resources to help you learn security practices, such as the Node.js Security Best Practices article and the OWASP Cheat Sheet, among others. Educating developers about common mistakes can help you build secure Node.js applications.
Deno eliminates some of the security issues inherent in Node.js by requiring explicit permissions for certain operations in a running application. For example, in order for your application to have access to reading from the file system, you must start it at startup with the --allow-read flag. You can see a full list of these in their permissions documentation. You can also interact with this permission system at runtime, which enables you to request and revoke permissions programmatically. Be careful with child processes when using the --allow-run flag, as spawned child processes do not have the same security restrictions as Deno processes, and may invalidate Deno's security sandbox, resulting in privilege escalation.
Bun is still very new and information about its safety is hard to come by. Its relative immaturity means you should use it with caution and pay close attention to security patch updates and announcements. There are plans to introduce security audits once it becomes more stable.
Additional features
Node.js has recently introduced features that bring it more in line with what Deno and Bun do. It now has a built-in test runner, and built-in TypeScript support is actively being discussed.
Deno includes a dependency checker and code formatter. Its ability to deploy to a single executable is also a plus. When setting up a server with Deno, the basic approach described in its documentation involves pulling code from elsewhere. The code doesn't look much more complex than Node.js, but since dependencies are loaded via URLs, it feels a little different.
Here's a condensed example of the code:
import {
serve } from "https://deno.land/[email protected]/http/server.ts";
const handler = async (_request: Request): Promise<Response> => {
const resp = await fetch("https://api.github.com/users/denoland", {
// The init object here has an headers object containing a
// header that indicates what type of response we accept.
// We're not specifying the method field since by default
// fetch makes a GET request.
headers: {
accept: "application/json",
},
});
return new Response(resp.body, {
status: resp.status,
headers: {
"content-type": "application/json",
},
});
};
serve(handler);
Other features of Bun include a transpiler and a package manager. As the name implies, it also includes bundling, giving you functionality that would otherwise require other tools, such as Snowpack or rollup.js. It also features dead code elimination through its JavaScript simplifyer.
If using Bun as a task runner, its speed can be a big advantage. It claims it takes ~5ms to start, whereas Node.js takes ~25ms. This doesn't seem like a significant difference, but when you combine it with multiple tasks that need to run over time, it can have the effect of speeding up your development workflow.
summary
All earlier features should be considered when deciding which project to use. Your priorities will vary based on your use case and project needs.
Bun is the clear winner for speed, but since it's still so new, there are risks to using it. Will it develop the stability of the other two? Maybe. Either way, if you're a disruptor looking to make waves by outpacing your competition, the Bun offers that opportunity (in most cases).
The biggest strength of Node.js is its maturity and the size of the ecosystem. You'll find a lot of developers who understand it. However, Deno and Bun have newer appeal that always gets developers excited.
Deno also has many advantages over Node.js, its feature set makes development smoother and makes it easy to build high-quality complex projects. It's secure, but while faster than Node.js, it's a bit slow compared to Bun.
Generally speaking, Node.js is still the safest choice and has a track record of success. Deno has a lot to recommend it, and its modern features make it a good choice for developers looking to build something new. If speed is your primary concern or you just want to stay on the cutting edge of new technology, Bun is the tool of choice.