Should Express 5.0 require a minimum of Node.js 4?

[dougwilson]

This is a discussion regarding having Express 5.0 drop support for Node.js 0.10. One of the reasons for the delay in Express 5.0 was the announcement of the official merging of Node.js and io.js, and we were looking forward to it's outcome to determine what we should do with Express 5.0.

Here at Express, we value very long-lived major versions, allowing users to confidentially build their new server on Express and not have to worry about needing to upgrade across a major, breaking change for years. Express 4.0 has been out for over a year now and Express 3.0 was supported for over 3 years !!

When Express 5.0 comes out, Express 4.x line will continue to be fully supported, delivering our users bug fixes, new features, and more!

To this end, we have been carefully watching io.js/Node.js in relation to Express 5.0 such that we can continue this great support history without accidentally locking us into the past for a long time.

Please share your thoughts here.

[jimmywarting]

If the only benefit was syntax, we can use Babel to transpile to old versions. What do you think?

The way i see it is: It's only meant to run on the backend, It doesn't have to have to work for multiple clients like it's on the web. If the minimum requirement is version x, just update you node version it's not that hard... therefore using babel and transpile it to worse code is a unnecessary step and make it more complicated and just adds up more time waiting for it to compile durning developing and auto testing.

I really wish node has some kind of auto update so that we don't have to make it backwards compatible cuz some ppl never update 😠

I would not mind seeing a error message that it requires version 7. I would gladly update my node version.

[wesleytodd]

I am in support of upping the min to 4.0, but I am completely against using babel or any transpilers in the core packages, and am also against changing the syntax in core package for the "sake of change". That being said, there are some perf and readability improvements we can make if we start using some of the new stuff where appropriate.

It's only meant to run on the backend

Not true, I am running, or plan to run, most of this code in the browser.

I would not mind seeing a error message that it requires version 7. I would gladly update my node version.

This is NOT the feeling of the rest of the ecosystem. Upgrading node versions in production is something we try to avoid doing more than every few months. And an important package like Express cannot force this.

[dougwilson]

P.S. I like everyone's use of the emoji reactions. I feel like it actually adds to the conversation when reading it without too much text noise.

[matheuslc]

@dougwilson I agree with you. The focus is users, but, we are users too. For contributors, it's fun to play in a updated code base (actually, Express code base, in my opinion, it's really awesome).

I agree with @jimmywarting, in this case, if anyone have to use some older Node version, they can use an older version of Express. If they want the newest things, they should to update their Node version. With this, we are pushing Node & Express forward.

[wesleytodd]

it's fun to play

I agree, but please do not "play" in the code that powers the website that pays my bills. I recommend you take a look at the work being done in pillarjs and jshttp, and just build your own "play" project.

That being said, I am in support of the min version change to node 4.x, so don't construe my comments as against the main point of this issue.

[yawetse]

Out of curiosity, why Node 4.x and not 6.x? Would it be possible to keep the releases of Express in sync with LTS versions of Node?

[wesleytodd]

@yawetse Express supports 6. In this case we are talking the minimum supported version. And 4.x is still widely used. So the main changes that would be based on this discussion would actually start using features not present in <4.x. So chancing this discussion to <6.x is pretty much out of the question because of the broad usage.

** If you look above, the main core team is not even fully in support of dropping 0.12, cant imagine going even further :)

[yawetse]

@wesleytodd got it, makes sense. I apologize for not reading the full thread previously.

I know Express supports 6, but I think if you're starting a project today, then you might as well start on Node LTS, and by that logic, if you're building a new Express app today, then it should have on its min requirements Node LTS.

If you have an existing Express app that's working for you, nothing would force you to migrate to Express 5. But given what you said about the state of the current conversation, this seems extremely unlikely.

[matheuslc]

@wesleytodd You are being literal. Currently, I'm using this project in production, so, I want the best for it and I want to contribute too. I don't use any word of your comment.

[wesleytodd]

@yawetse I think the concern is that if we do not continue supporting the older versions, it takes even longer for users to all get upgraded to 5, and the team then has to continue to support the old version of Express. So the goal is to get the largest adoption as quickly as possible, users of old Node included. FWIW, I totally agree about starting a new project, but that is not what Express core is.

@matheuslc Sorry if I miss-understood your intent with the above comment. I just meant there is a difference between learning new features of the language, and supporting an important, widely used and deployed project. And this is not the place to try out new features IMO.

[matheuslc]

@wesleytodd Sometime we have to do it. Why not now? I'm not saying that we have to use the latest Node version, but we have to start it anytime. Node was in the version 7, maybe version 4 it's a good start point. The longer we take to do this, the worse it will be in the future.

[dougwilson]

@matheuslc I don't disagree that we are not some kind of user persona as well, but an issue that we would have to contend with is the fact that we are going to support Express 4.x for at least an entire year after Express 5.0, so if the code bases diverge too greatly, performing the merges from 4.x into 5.x will become more and more painful. The argument to use an older version of Express is valid, and is certainly why we are going to maintain it for years to come, but if we make maintaining Express 4.x itself a burden that we cannot merge & maintain, then the argument to "just use an older Express" is not a valid one to make, since it's not being maintained.

My assumption has been that once Express 5.0 came out, the 4.x/5.x dual support would work exactly how the dual support for 3.x/4.x worked: all new features continues to land in the older version as long as they are possible there and they are simply merged up into the new version. This is especially important for bugs, since bugs are the primary thing we would be doing in 4.x.

I hope that makes sense at least where my mind is at. I think that the discussion for rewriting the internals of Express in ES6 is certainly related to the discussion of bumping the min version of Express, but not exactly the same discussion, because even if Express bumps the minimum to 4 or 6, that still doesn't mean we would rewrite the internals in ES6, as that is a separate discussion, which needs to take into account things like what exactly is the support story of how Express 4 continues to work when the code between the two are so different they are unmergable.

[matheuslc]

Awesome guys. Let's do it!

[kibertoad]

@dougwilson I presume that accumulating opinions for 3 years was quite enough :). Was there any decision in the end? Also if any help is needed to convert some of the old code to ES6, I absolutely volunteer :).

[dougwilson]

Hi! Thanks for volunteering! You can see my thoughts on a ES6 rewrite in my previous post above. If you can help make some proposals on how to overcome the issues brought up above, that would be the first please to start.

[kibertoad]

@dougwilson Would it be an option to use Babel for Express 4 to transpile distributed code into something 0.10 would understand? Unrelated question: is there any work towards Express 5.0 that could be picked up by someone new to Express codebase?

[dougwilson]

I'm not familiar with Babel, so can't say either way, but it would be if you know it is, haha. All the Express 5.0 code is on the 5.0 branch.

[kibertoad]

@dougwilson Idea behind Babel is transpiling JS code that is written in newer JS syntax (e. g. ES2017 or ES2016) into equivalent JS code in older syntax. Its main purpose is compatibility with older browsers (cough IE), but it should work fine with Node.js as well. If you think this is a viable way forward, I can work on PR for an npm script that would put transpiled code into /build folder. Npm publishing configuration will also have to be adjusted to only publish the transpiled code, but I would need your assistance with that as I obviously have no means to test Express publishing pipeline :). Yeah, I understand that Express 5.0 code is in its branch, I'm mostly wondering if there is some work that is currently lying around unassigned and would speed up 5.0 release if taken :).

[dougwilson]

The issues are labeled with 5.x label. Keep in mind that many people require files in Express module directly, so that needs to work after whatever you're talking about. For example require('express/lib/utils') needs to continue to work on 4.x releases, it cannot suddenly become require('express/build/lib/utils') or it will break existing 4.x apps.

[kibertoad]

@dougwilson Yes, I understand that. Published module needs to retain exact same structure as it does now. Since NPM doesn't natively support that, I'd have to get creative, but it appears to be doable: https://stackoverflow.com/questions/38935176/how-to-npm-publish-specific-folder-but-as-package-root

[jimmywarting]

I don't want it to be transpiling with Babel. I rather want it the way it already is then. Transpiling means it get harder to debug and it and the over all size, compile time and complexity gets larger.

I think we should follow nods LTS.

The issue started with dropping support for node < 4 and now you want to add Babel for compatibility with older version...! A bit of track if I may say so.

Code that runs with Babel are actually slower and I don't want that for a server that needs to handle many connection. Newer features brings micro optimization and mimic what it dose with Babel is not as good

[mansona]

Not to be controversial or anything but Node LTS for v4 is due to end on 2018-04-30 as described on the Node release schedule

If we don't think that v5 of Express will be released before then I would be up for dropping support for even node v4.

Now it's unlikely that we would get much support if we did that, but I think ☝️ this kind of thinking should at least draw the line under all pre-v4 versions of node. They are out of date and anyone who wants to use Express with them should be comfortable locking to express: ^4 in their package.json.

[dantman]

Publishing a transpiled ES5-only build of expressjs also kind of feels pointless. We're not browser bundling express, so we always have the option of including both the ES2015+ source compatible with the current node LTS and the transpiled version compatible with older node.js and just using feature tests to require the correct version for the environment /* ???.js */ module.exports = <supports 8.x features> ? require('src/???') : require('build/???');.

[mansona]

I think it is a really bad idea having any "official" transplied version of express, because if it is official then it needs to be supported.

Don't forget that Node 0.12 was End of Life over a year ago now, and as the LTS documentation suggests it is no longer getting any security patches. If we release anything that is specifically to support versions that have reached EOL then we are in a way complicit in encouraging people to still use versions that they really shouldn't be using in production.

I understand that there are legacy concerns for enterprises etc but in those cases, our default position should be "Lock your package.json to v4"

[kibertoad]

@jimmywarting @mansona @dantman Please read https://github.com/expressjs/express/issues/2755#issuecomment-279887674. While I myself would approach this in a more straightforward deprecation way, it is ultimately maintainer's call to make, and he has made it. According to the latest statistics, 0.10 makes around 20% of all Node.js installations, and decision was made not to abandon them. Hence our question is not "Drop or not drop 0.10 for 4.x", our question is "How do we get ES6 in 4.x at all". Speaking of performance - do you have any benchmarks to reinforce that claim? Older Node.js versions are kinda terrible at optimizing ES6 code execution and it used to perform consistently worse than ES5, so I wouldn't be surprised if certain code would actually work faster after transcompilation. Debug concern is definitely valid, though. I'm thinking that it might be possible to "pseudo-transpile" original unmodified code into something like /dist-es6 folder with modified package.json that would be published as a separate package so that whoever wants it could opt-in into ES6 4.x version, but that's something I would have to discuss with @dougwilson.

[kibertoad]

@dantman Dynamic imports with feature tests is definitely an interesting idea, though, I'll definitely consider it in implementation, as that would simplify publishing process a lot.

[LinusU]

I think that dropping support for Node.js 0.x is absolutely the right thing to do for Express 5. But that doesn't mean that we have to rewrite it in ES6 just because it's fun...

We need to continue support for Express 4 for a long time, and Express 4 can never drop support for Node 0.x (that would breaking and then it would be Express 5).

In order to be able to easily backport patches from Express 5 to Express 4 we want to keep the codebase as similar as possible. While one way to do that is to rewrite both to use ES6, and then babel the Express 4 code before sending it to npm, I don't really see the benefits with that...

Apart from how express looks on the inside, would there be any benefit to the consumers of express should we rewrite it in ES6?

[igor-savin-ht]

@LinusU ES6 is not meant for consumers of express, it is entirely for the benefit of express developers. So the benefit of consumers would be increased productivity of developers and decreased amount of bugs (due to stricter variable scope/mutability checking, less boilerplate etc)

[LinusU]

The thing is, I don't it will be less work for us since the work for backporting patches to Express 4 will be much more than otherwise.

Still, I like ES6 as much as the next guy, and I think that we should get there eventually. But Express is a really big project and has a ton of users.

In this case, I think it's better to be a bit conservative and focus more on the consumers of the library then the developers.

just my 2¢

[igor-savin-ht]

@LinusU Hence the plan to use Babel in Express 4. Then no additional work for backporting patches would be necessary at all.

[LinusU]

Yeah, that could potentially work. Although I personally don't think that the increased complexity would be worth it...

[wesleytodd]

Sorry I am a bit late to the discussion here, but here are my thoughts:

Dropping support for node versions in 5.0.

We should officially drop support for everything before the current LTS version at release time. Older versions will probably still work, but that doesn't matter, we will not officially support it. It looks like that will probably mean everything before node 6 at the current pace.

Transpiling with Babel

I think this is very bad path, and we should avoid it for all express modules and dependencies. It introduces bloat, difficult debugging and increased chance of buggy code. This opinion comes from having deploy and supported servers transpiled with babel, not just speculation.

Goals for introducing ES* into Express

We should take it slow, and only implement thing that are better for users. This would include things like:

• Performance improvements (if a new feature is faster)
• Security improvements (if we have to change something because of a security issue and there is a good es next way to do it)
• Better user facing API (for example, promise/async/await support)

General thoughts on these kind of changes

I think it is a real shame that so many people are being taught that "using ES6 is better" without taking any time to think about WHY. I am with @LinusU when I say that I like ES6 as much as the next person. There are a TON of features in the language now which are great, and we should be focusing on being relevant. But more importantly we should focus on the service we provide to our users, which is being a reliable and stable server. So lets stick to doing that, not rewriting code as an "academic adventure".

Also, people keep saying things like "es6 is more maintainable" & "write es6 because it is better for the developers". But in most cases the things people are doing to "improve developer experience" is adding complicated tooling (like suggesting Babel). Which does the opposite of improving developer experience.

[igor-savin-ht]

@wesleytodd So what you are saying is "No ES6 before Express 6", right?

[wesleytodd]

No, 5.0 will probably drop during the LTS for node6. And node6 has a ton of es2015 features. So IMO, the outcome of this issues discussion should be: start using node6 compatible es2015 features in your PR's to express projects. But I would like to hear @dougwilson's opinion on that statement.

[wesleytodd]

For reference: http://node.green/

[wesleytodd]

Also, I should have specified:

With my above stance, we will have to do a small amount of back porting work. I think this is an acceptable consequence for staying relevant. But where work is too far divergent, we should reign in usage of new features to keep that amount of work small and manageable.

[LinusU]

@wesleytodd Agree 100% with all you are saying 👍 thanks for taking time to write it all down.

I just have one small thing that we should think about:

Older versions will probably still work, but that doesn't matter

I'm quite sure that this actually happened before with express (maybe with 0.6, need to look it up, anyhow...). We didn't officially support it, but it still worked. At some point, we introduced a commit that broke 0.6 compatibility, and released it in a patch release.

Now, we didn't officially support 0.6, but people were still using it, and thus they opened issues complaining. I don't remember how we solved it, I think we fixed the compatibility.

In the end, we don't want to break the end user, and unfortunately I don't think that people read, but rather just install. So if it works on Node.js 4 when we release it, I think that people will both use it, and complain when we break it.

I think it would be smart to add some guard that would hard fail it straight from the beginning, just to prevent people trying to use it without reading which runtimes we support...

[wesleytodd]

I think it would be smart to add some guard that would hard fail it straight from the beginning, just to prevent people trying to use it without reading which runtimes we support...

I like this idea. And fully agree with were you are coming from on it. Couldn't we also use the package.json engines field?

[igor-savin-ht]

@wesleytodd This directly contradicts what @dougwilson was previously saying. I'm not arguing with you, I would prefer more aggressive migration stance as well, but I make an assumption that this is something that maintainer is supposed to make decision on.

[wesleytodd]

I can see how @dougwilson and my opinions differ, but I think "directly contradict" is a bit strong :)

And that is why I said "I would like to hear @dougwilson's opinion on that statement". I am in favor of a slightly more aggressive migration path than we are currently using. But there is a difference between "more aggressive" and "re-write it all in ESnext".

[igor-savin-ht]

@wesleytodd True :)

[dougwilson]

Hi all, sorry I am traveling today so my access is off and on. I read through all the comments and will definitely write up my thoughts when I'm at a computer soon :) The thoughts in https://github.com/expressjs/express/issues/2755#issuecomment-365011388 from @wesleytodd most closely align to my thoughts and is nicely worded. I will provide further clarity on my thoughts later today when I don't have to type them on a phone, but was hoping this would at least help a little in the meantime.

[kibertoad]

@wesleytodd Btw, there was an idea voiced earlier about dynamic Express.js imports based on feature checks - then those who are using more modern Node.js and do not rely on direct imports would get the proper non-transpiled version. Do you see any problems with this plan?

[wesleytodd]

Do you see any problems with this plan?

Yes I do. It is more code to maintain, and unless we were exposing a different interface to the user, they wouldn't even get any benefit. So there is no upside to doing such.

[boneskull]

It's my hope the Express team will drop support for unmaintained versions of Node.js as soon as is feasible. Mocha has already dropped support for v0.10 and v0.12, and will drop support for v4 ASAP.

FWIW, "dropping support" does not imply "rewriting"; it can be as straightforward as removing the version from the matrix in .travis.yml.

[dougwilson]

We already confirmed we are dropping support for them in 5. What still needs to be clarified?

[boneskull]

@dougwilson Sorry, it sounded like it was somewhere short of "official"--I saw v0.10 and v0.12 were dropped already, but not v4. But if that's the plan, then great! 👍

[dougwilson]

When 5.0 is released it will support down to the LTS version at that time.

[sam-github]

xref: https://github.com/expressjs/generator/pull/244#issuecomment-562680659

its not clear what

When 5.0 is released it will support down to the LTS version at that time.

4052c15c7f10b79fb7c54f3837ffe118f7a99811 was first alpha, in 2014... but 5 is still in alpha, in 2019, and at this moment the only supported Node.js version are 8.x (until January 1st), 10.x, 12.x, and 13.x, see https://github.com/nodejs/Release#release-schedule

Is it possible for 5.x to drop support in the middle of the multi-year alpha process?

Should 5.x be left in alpha, perpetually, and 6.x be the new alpha, with only support for 10.x and later?

These are questions larger than whether the default express-generator output installs a version of pug with security vulnerabilities, so this is likely a better place to discuss.

[dougwilson]

Is it possible for 5.x to drop support in the middle of the multi-year alpha process?

Sure, why not? Is there some reason why we couldn't do this?

Should 5.x be left in alpha, perpetually, and 6.x be the new alpha, with only support for 10.x and later?

No.