This content originally appeared on dbushell.com (blog) and was authored by dbushell.com (blog)
I’ve been rather mean to Deno lately. I wasn’t kind in my review of Deno & JSR last year either. I think it’s only fair that I see if my criticisms were addressed. Despite my misgivings I still use the Deno runtime itself.
I previously wrote about Deno’s homepage redesign which was a lovely lick of paint. Can I muster up a few kind words for JSR? This gets very interesting!
JSR Search
The primary UI for finding JSR packages is still a search box. When I criticised JSR search last year it was in an embarrassing state. There was no sugar coating that. The question is: after one year has search improved?
When Hono arrived on JSR it was a big announcement. Hono is great!
Let’s search for “@hono” on JSR.

Oh dear.
The Hono package appears on the second page. 26th position overall. If I didn’t already know Hono was definitely on JSR, do you think I’d check page two?
Searches for both “@hono” and the at-less “hono” return the same results.
Well we at least know the full package name is “@hono/hono” now. Surely a search for that will return Hono in pole position?

Fourth.
But at least that’s the first page!
The problem with JSR’s search box is that it has instant results in a popover as you type, but only a maximum of five packages. The popover doesn’t scroll. There’s no counter or any indicator to suggest more packages exist.
A search for just “hono” makes it appear that Hono is not on JSR.

You have to press return, or click the search icon button, to be taken to the full search results. And even then Hono doesn’t appear on the first page.
⚠️ It must be noted that the 3rd-party Orama powers JSR search which I’d previously described as “not fit for purpose”. I discuss Orama later in this post.
Standard Library
What about a search for “@std”, the Deno standard library? If you remember last year the results were atrocious. The good news is that it can’t get worse.

Phew! These results are not atrocious but they’re not great either.
- Two entirely unrelated packages appear top
- An empty package outranks 36 of the 40 @std packages
- “UNSTABLE” @std packages outrank their peers
In fact the @std packages appear to be ranked alphabetically with @std/yaml in 3rd and finally @std/assert all the way in 63rd on page four. That’s some algorithm…
The Deno standard library is a nice collection of TypeScript utilities. For example, @std/text exports an implementation of the Levenshtein distance. You would never know this by searching “levenshtein” on JSR.

From what I can tell only the package name and description are indexed.
The Deno documentation doesn’t document @std because JSR is supposed to be “Automatic API documentation”. It’s unfortunate that you can’t search the standard library unless you already know the exact package to look inside.
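To show what indexing exported symbols and boosting exact names would change, here is a toy package index. It is an added example, not JSR’s or Orama’s code, and the package records in it are constructed:

```typescript
// Added example (not JSR/Orama code): a toy index that ranks an exact package
// name first and also indexes exported symbol names, so "levenshtein" can find
// @std/text. The package records below are constructed samples.
type Pkg = { name: string; description: string; exports: string[] };

const PACKAGES: Pkg[] = [
  { name: "@hono/hono", description: "Web framework built on Web Standards", exports: ["Hono"] },
  { name: "@hono/zod-validator", description: "Validator middleware", exports: ["zValidator"] },
  { name: "@std/text", description: "Utilities for working with text", exports: ["levenshteinDistance", "toCamelCase"] },
  { name: "@std/assert", description: "Assertion helpers", exports: ["assertEquals"] },
];

// Lower-case tokens, splitting on anything that is not a letter or digit.
const tokens = (s: string): string[] => s.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
// Split camelCase so "levenshteinDistance" yields "levenshtein" and "distance".
const splitCamel = (s: string): string => s.replace(/([a-z])([A-Z])/g, "$1 $2");

// Score one package against a query; higher is better, 0 means no match.
function score(pkg: Pkg, query: string): number {
  const q = query.toLowerCase().replace(/^@/, "");
  const name = pkg.name.toLowerCase().replace(/^@/, "");
  if (name === q) return 100; // exact package name goes in pole position
  let s = 0;
  for (const t of tokens(q)) {
    if (tokens(name).includes(t)) s += 10; // scope or name segment
    if (tokens(pkg.description).includes(t)) s += 3;
    for (const e of pkg.exports) {
      if (tokens(splitCamel(e)).includes(t)) s += 5; // exported symbol
    }
  }
  return s;
}

// Ranked package names for a query; ties are broken alphabetically.
function search(query: string, pkgs: Pkg[] = PACKAGES): string[] {
  return pkgs
    .map((p) => ({ p, s: score(p, query) }))
    .filter((x) => x.s > 0)
    .sort((a, b) => b.s - a.s || a.p.name.localeCompare(b.p.name))
    .map((x) => x.p.name);
}
```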
Never mind, we still have Google!
What would we search for? I think “deno levenshtein” makes sense.

Now then! What do we have here?
Use the fastest-levenshtein npm package in Deno
You have a number of ways to add fastest-levenshtein to your project. This install command might feel most familiar to regular npm users.
Absolutely fascinating!
Deno has had an entire landing page dedicated to one NPM package.

And what is that at the bottom of the page?!
Are my eyes deceiving me? Is that… no, it couldn’t be…

Deno.com has had NPM search!
SEO and Malware
I say “had” because whilst respecting Deno’s brilliant SEO game, something dawned on me. It took me a while to realise what Deno were actually doing here. Deno.com generated dynamic pages for every NPM package. This unintentionally included known malware.

I think the security implications are obvious. Deno.com could have been used to legitimise a package and provide a false sense of security. Most malware on NPM isn’t as suspiciously named as this example.
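One defensive shape such a page generator could take, as an added example that is not Deno’s code: refuse pages for packages on an advisory list or replaced by a registry placeholder, and keep very new packages out of search engines. The registry records and the advisory set are constructed, and the 30-day rule is an assumption of this example.

```typescript
// Added example (not Deno's code): gate auto-generated package landing pages.
// The record shape mirrors a subset of the npm registry JSON; all records and
// the advisory set are constructed samples.
type RegistryMeta = {
  name: string;
  description: string;
  "dist-tags": { latest: string };
  time: { created: string };
};

type Decision = { render: boolean; noindex: boolean; reason: string };

// Hypothetical advisory feed: package names a security source flagged as malware.
const FLAGGED = new Set<string>(["constructed-malware-sample"]);

// Constructed registry records; the "holding" one mimics the placeholder the
// registry publishes in place of a removed malicious package.
const SAMPLE: RegistryMeta[] = [
  { name: "left-pad-sample", description: "String left pad", "dist-tags": { latest: "1.3.0" }, time: { created: "2014-03-19T00:00:00Z" } },
  { name: "constructed-malware-sample", description: "totally fine utils", "dist-tags": { latest: "2.0.1" }, time: { created: "2020-01-01T00:00:00Z" } },
  { name: "constructed-holding-sample", description: "security holding package", "dist-tags": { latest: "0.0.1-security" }, time: { created: "2019-05-05T00:00:00Z" } },
  { name: "brand-new-sample", description: "new thing", "dist-tags": { latest: "0.1.0" }, time: { created: "2025-06-20T00:00:00Z" } },
];

function pageDecision(meta: RegistryMeta, flagged: Set<string>, now: Date): Decision {
  if (flagged.has(meta.name)) {
    return { render: false, noindex: true, reason: "on malware advisory list" };
  }
  // npm replaces removed malware with a "security holding package" at version
  // 0.0.1-security; a landing page for that would only lend it legitimacy.
  if (meta["dist-tags"].latest === "0.0.1-security" || /security holding package/i.test(meta.description)) {
    return { render: false, noindex: true, reason: "security holding placeholder" };
  }
  // Assumed policy: young packages get a page but stay out of search engines
  // for 30 days, so an SEO-optimised page cannot vouch for an unreviewed upload.
  const ageDays = (now.getTime() - Date.parse(meta.time.created)) / 86_400_000;
  if (ageDays < 30) return { render: true, noindex: true, reason: "younger than 30 days" };
  return { render: true, noindex: false, reason: "ok" };
}

// Names that would get a fully indexed landing page as of `now`.
function indexablePages(records: RegistryMeta[], flagged: Set<string>, now: Date): string[] {
  return records
    .filter((m) => { const d = pageDecision(m, flagged, now); return d.render && !d.noindex; })
    .map((m) => m.name);
}
```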
⚠️ I did the responsible thing and reported the vulnerability. Deno acted within hours and removed the attack vector and NPM search. Only a few select pages remain.
Why NPM (GitHub/Microsoft) allows well-known malicious packages to remain on NPM is anyone’s guess. I can’t fault Deno much for this mistake. They trusted NPM just like the entire JavaScript ecosystem does.
As much as I’ve criticised JSR this incident has made me think twice about dismissing it. JavaScript deserves better than NPM in its current state.
How to Fix JSR Search?
This security issue led to an unusual opportunity. This morning I had a good chat with a couple of the Deno team webcam to webcam. They were very friendly and open.
On the call I explained how I discovered the issue (everything you’ve read above). I inquired about JSR search, referencing Issue #312 (Better Module Search) from March 2024 marked “P0” (highest priority).
The problem as I understand it comes down to operational expenses for JSR. Orama is free, but it sucks. Deno are keen on open governance for JSR but less keen on funding JSR indefinitely. A dedicated search server would incur too high a cost-per-query.
Funding will be provided by the Deno Company until a formal legal structure is established. In the event that Deno Company funding becomes unavailable, the board will explore alternative funding sources, including community contributions, sponsorships, or grants.
We also discussed the technicalities of client-side search. This can work well for static websites but at the scale JSR aims to be that’s a whole new challenge.
JSR is in an awkward spot because good search, in my opinion, is a make-or-break feature. Ultimately I think if Deno wants JSR to succeed they’ll need to dig into the coffers. We’ll see in the coming months how they’ll tackle this issue.
Many thanks to Luca and Phil for their time this morning.
I declined an invite to join the Discord. Discord is an event horizon for knowledge.
This blog post was first drafted last week. Only this morning did I recognise the malware issue. I emailed Deno at 8:30am BST. Between that time and our chat at 12:00 noon the issue was resolved. That is an outstanding response!
Obviously, this series of events resulted in a major rewrite of my blog post. I had a wonderfully brutal quip about an extinct dinosaur I felt was too harsh in retrospect.
I also spent way too long on this meme which I no longer agree with.

But a meme can’t go to waste, sorry.
If NPM does not make more effort to remove known malware then maybe JSR is the answer?
dbushell.com (blog) | Sciencx (2025-06-23T10:00:00+00:00) JSR & Deno One Year Later – Malware?!. Retrieved from https://www.scien.cx/2025/06/23/jsr-deno-one-year-later-malware/