expressjs.com icon indicating copy to clipboard operation
expressjs.com copied to clipboard

Published 20 hours ago verified publisher icon expressjs

Remove forever as a recommended process manager.

Open ronperris opened this issue 5 years ago • 5 comments

Motivation

In Process managers for Express apps the first section on the page recommends using forever. This was a great recommendation a couple years ago, but unfortunately this package doesn't appear to be actively maintained anymore.

Clues

  1. The code hasn't been updated since November 2nd of 2016.
  2. 7 out 15 of its dependencies have reported security vulnerabilities.
  3. Last response in the issue tracker was November 1st of 2016.
  4. Issue tracker has 267 issues without responses.
  5. The last pull request was merged on November 1st of 2016.
  6. Forever is broken in Node 10, a PR to fix it is open but no one has responded to it since it was opened on February 24th 2018.
  7. npm audit is reporting a vulnerability in one of the dependencies, a PR to fix it is open but no one has responded since it was opened on Oct 2nd 2017.

ronperris avatar Oct 24 '18 21:10 ronperris

You certainly have good points. I tend to agree, but would like to hear from @dougwilson and anyone else who cares to chime in.

crandmck avatar Oct 28 '18 03:10 crandmck

So I have never used it personally, so I don't really have too much opinions on it. But I do have some responses for the clues:

  1. Yea, not great, but of course not 100% meaningful if it works.
  2. I think you're including devDependencies, which have no bearing on people using it. Actually installing forever only shows found 1 low severity vulnerability (and I didn't look into what that actually was -- it may be a non-issue).
  3. Also not great, but if it works, it works.
  4. Same as (1) and (3)
  5. Same as above
  6. I'm not doubting you here, but I cannot find an open PR about Node.js 10. Perhaps it was merged / fixed now?
  7. Yea, seems like a repeat of (2)

Anyway, our page is just a list of process managers in alphabetical order. It doesn't "recommend" forever explicitly, at least over any of the others listed.

In the end, circling back around, I don't really have an opinion, as I don't really use them. We strive to maintain a list of them that work, leaving the ultimate choice between them to the users (to evaluate things like you have done above to choose which one is best for your needs).

So... shrug

dougwilson avatar Oct 28 '18 03:10 dougwilson

Thanks @dougwilson for looking in to it. Several your points above give me pause. I, too, could not find a PR (open or closed) referencing Node 10 at all.

Also, this brings to mind the discussion in #988 ... As I think about it, there are a bunch of things listed on the "Resources" menu that kinda beg the same question: middleware, PMs, frameworks, etc.

The fact that this page is on the "Advanced Topics" menu (along with for example, "best practices" pages) rather than "Resources" kind of puts it in a different light.

It's true that we don't explicitly recommended any of these, but as @wesleytodd noted in #988, the fact that they're listed (actually, for PMs, described in some detail) on the site, while many others are not is an implicit endorsement at some level. Obviously, the question is: What's that level?

Since this question seems to keep coming up in different contexts, I think we should at least try to be consistent and have the same criteria for all of these...but obviously the Express TC can't test everything vs. all the most popular Node/Express versions, so we rely on the community.

Even though this project (or any Express-relevant project listed on the site) is not being actively maintained, if it's still useful to some significant part of the community, it could reasonably still be listed. As I peruse https://github.com/foreverjs/forever, I see that people are still opening ~1-2 issues a month, so it's clearly getting some use.

Until we come up with a general set of criteria, I'm inclined to keep it on the site.

However, it might make sense to pare WAY down the amount of detail on this page, and just list each PM with a link, etc., along the lines of what we have for frameworks or 3rd-party middleware. This would give less of an impression of "endorsement."

crandmck avatar Oct 29 '18 06:10 crandmck

it might make sense to pare WAY down the amount of detail on this page

I completely agree with you @crandmck. For these especially, it is barely related to express, and really shouldn't be express specific anyway, it makes sense to remove/pare it down.

wesleytodd avatar Oct 29 '18 20:10 wesleytodd

I opened #993. I'll try to find time to open a PR for it soon.

Let's keep this issue open for a while in case @ronperris or anyone else wants to comment on forever specifically.

crandmck avatar Oct 30 '18 05:10 crandmck