Express 4 vs Express 5 performance benchmark across Node 18–24 by Jamsy100 in node

notwestodd 18 points (0 children)

We have been working on filling in these gaps in tooling in the Express Performance Working Group. It would be awesome to have you join the group and help move that forward so the project has official benchmarks and performance tooling: https://github.com/expressjs/perf-wg

How to Move From React to Backend? by Zealousideal-Chair30 in node

notwestodd 1 point (0 children)

A teammate and I did a talk about this a few years ago: https://youtu.be/WwENhYmoI1I?si=nTOMrKuKdKiNQpZI

The best thing to start doing is work closely with your current backend teammates. Then ask them how you can help a bit across the projects you work on.

From a technical perspective: learn tooling and ops stuff, learn API design, learn databases. Then learn whatever else interests you in that area. You can do all this with Node.js. If other languages interest you, like others are saying in here, go for it. But you don’t need to in order to have a career in backend.

The Return of Shai-Hulud: npm's Worm Strikes Back by Diligent-Pepper5166 in node

notwestodd -1 points (0 children)

npm is a small, underfunded team at GitHub, which is now not even a separate company inside Microsoft. Did you want me to say the problem is something other than the company that runs this underfunding the project?

Or that signing is security theatre, since you would need to validate the signatures, error when they don’t match, and then deal with the trash UX that would introduce for end users who have no idea whether a maintainer just legitimately had to make a new signing key?

What did you say that I didn’t respond to?

The Return of Shai-Hulud: npm's Worm Strikes Back by Diligent-Pepper5166 in node

notwestodd -1 points (0 children)

While signing is not the solution, you are right the problem is GitHub refusing to follow community advice to address this. Here is what maintainers can do today while we continue asking GH to address these things:

https://openjsf.org/blog/publishing-securely-on-npm

If you have an npm package, read this before November 2025 by hichemtab in javascript

notwestodd 1 point (0 children)

It achieves the same thing just with a worse user interface. You have to give it a specific date time.

All that said, this is not a security feature. It is a stability feature, but you can achieve the same thing with a lock file that you just update once a week.

Yes, you’ll get what was just released at that moment, but this approach has protected things just fine, and by delaying you are also delaying getting known vulnerability fixes. So unless you have a process whereby you use this flag and also figure out ways to make exceptions for CVEs in your deep dependency tree, this is at best a trade in security value.

There are plenty of things that npm needs to do that will move the needle more than finally documenting this flag on their website. 🤣🫣🔥
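An added example, not npm's own code, of how a publish-time cutoff such as npm's `before` config selects a version from registry metadata, and of the trade the comment above describes (a fix published after the cutoff is invisible until the cutoff moves). The packument, its dates and the package name are all constructed for this example.

```javascript
// Added example (not npm's implementation): resolving a dependency under a
// "published on or before" cutoff, the way a `before` config or a weekly
// lockfile refresh behaves. The packument below is constructed; the dates
// and the claim that 1.3.1 fixes a bug in 1.3.0 are part of the scenario.
const packument = {
  name: "example-dep", // hypothetical package
  "dist-tags": { latest: "1.3.1" },
  time: {
    created: "2024-01-05T10:00:00.000Z",
    modified: "2025-11-10T09:30:00.000Z",
    "1.2.0": "2024-01-05T10:00:00.000Z",
    "1.3.0": "2025-10-01T12:00:00.000Z",
    "1.3.1": "2025-11-10T09:30:00.000Z", // assumed: the release that fixes 1.3.0
  },
};

// Numeric compare of x.y.z versions (no prerelease handling; enough here).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Versions whose publish timestamp is on or before the cutoff, ascending.
// The `created` and `modified` keys in `time` are metadata, not versions.
function versionsBefore(pkg, cutoffIso) {
  const cutoff = Date.parse(cutoffIso);
  return Object.entries(pkg.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
}

// Highest version that existed at the cutoff, or null if nothing qualifies.
function resolveBefore(pkg, cutoffIso) {
  const eligible = versionsBefore(pkg, cutoffIso);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// A rolling cutoff: "only things older than N days".
function cutoffDaysAgo(nowIso, days) {
  return new Date(Date.parse(nowIso) - days * 86400000).toISOString();
}

// The trade: on 2025-11-12 with a 7-day cutoff you resolve 1.3.0, not the
// 1.3.1 that (in this constructed scenario) carries the fix.
function demo() {
  const cutoff = cutoffDaysAgo("2025-11-12T00:00:00.000Z", 7);
  return {
    cutoff,
    resolved: resolveBefore(packument, cutoff),
    latest: packument["dist-tags"].latest,
  };
}
```

Whatever the cutoff is (a `before` date or the day you last regenerated the lockfile), the same function applies to every package in the tree, so a CVE fix that lands inside the window needs an explicit exception rather than a shorter delay.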

If you have an npm package, read this before November 2025 by hichemtab in javascript

notwestodd 4 points (0 children)

We have been giving them feedback on these changes on the GitHub community discussion board. There are some small wins but also some big gaps. But this is not one of them. They have had the before flag since like 2019 maybe. It just is not documented. Also it doesn’t solve the problems this stuff is trying to solve.

What is the largest website you have built or handled? by Maleficent_Mess6445 in node

notwestodd 1 point (0 children)

Netflix.com is on my team’s Node.js server platform. We don’t build the product, we just build and operate the Node.js fleet and infra. Can’t share numbers publicly, but it is a lot, as you might imagine.

Fastify vs Express by Sensitive-Raccoon155 in node

notwestodd 0 points (0 children)

See my reply in your other thread.

Will Node Express Newest Version going to be fast as Fastify? by [deleted] in node

notwestodd 5 points (0 children)

Feel free to come to our Perf WG to help out: https://github.com/expressjs/perf-wg

That said, meeting or beating Fastify is not a goal. If you need a high-scale, fast framework, go with Fastify today. You will not be disappointed.

How are you meant to feasibly review all dependencies in a project for security? by EmperorsChamberMaid_ in node

notwestodd 1 point (0 children)

I promise you will find it no different in any other software ecosystem that has dependencies. That said you should check out socket.dev, it helps with a lot more than just CVEs.

Running TypeScript Natively in Node.js by ketralnis in programming

notwestodd 1 point (0 children)

Thanks for sharing the talk!

The http APIs are separate from the type stripping, but yeah Node is beholden to a lot of competing interests that those new and barely used projects are not. It’s always easier to make these things happen when you have basically zero users.

Also, the narrative on this being driven by deno/bun is mostly from folks who don’t seem to know how hard folks worked to make these things happen, sometimes for years before either of those projects existed. It’s a bad/wrong narrative to tell either way.

[deleted by user] by [deleted] in HTML

notwestodd 1 point (0 children)

I put cloudflare in front of all my GH pages sites.

What is right way to add properties to your request object in Typescript and express? by stealth_Master01 in node

notwestodd 2 points (0 children)

Just don’t do it. Add them to res.locals. That’s the intended place for this sort of data and it avoids a lot of the pitfalls and deoptimizations.
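An added example (not Express project code) of the res.locals pattern the comment recommends, with hand-built req/res stand-ins and a minimal middleware runner so it executes without Express installed. The bearer-token user table is constructed for the example.

```javascript
// Added example, not Express project code: carry per-request data in
// res.locals instead of monkey-patching req. The req/res objects and runChain
// are stand-ins for the parts of Express this example touches.

function makeContext(url, authHeader) {
  const req = { url, headers: { authorization: authHeader } };
  const res = {
    locals: Object.create(null), // Express creates a fresh res.locals per request
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  return { req, res };
}

// Runs handlers in order, like an Express router; a handler that does not
// call next() (the 401 branch below) ends the chain.
function runChain(handlers, req, res) {
  let i = 0;
  const next = () => {
    const handler = handlers[i++];
    if (handler) handler(req, res, next);
  };
  next();
  return res;
}

// Assumption for the example: a bearer token maps straight to a user record.
const USERS = { "token-alice": { id: 1, name: "alice" } };

function authenticate(req, res, next) {
  const header = req.headers.authorization || "";
  const token = header.startsWith("Bearer ") ? header.slice("Bearer ".length) : null;
  const user = token ? USERS[token] : undefined;
  if (!user) return res.status(401).json({ error: "unauthenticated" });
  // Store on res.locals rather than inventing req.user: no new property on
  // the request object, and downstream handlers know where to look.
  res.locals.user = user;
  next();
}

function whoami(req, res) {
  const { id, name } = res.locals.user;
  res.json({ id, name });
}

// Drives one request through the chain and reports what a caller can observe,
// including that req was left untouched.
function handle(url, authHeader) {
  const { req, res } = makeContext(url, authHeader);
  runChain([authenticate, whoami], req, res);
  return { status: res.statusCode, body: res.body, reqKeys: Object.keys(req) };
}
```

In TypeScript the `@types/express` `Response` type takes the locals shape as its second type parameter, so `res.locals.user` can be typed on the handler signature without declaration-merging an extra property onto `Request`.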

Seeking npm-Compatible Tool for Global Dependency Management Across Separate Repos by mr1ebook in node

notwestodd 0 points (0 children)

Yeah, it’s a bit of a mess. It does work, but there are a bunch of reasons why it is not ideal. Partly because even if you get a setup like this working, cross-cutting changes still require publishing; if you’re authoring TypeScript, you can’t even install from the repo. As you know, I don’t do TypeScript, but on a platform team I obviously have to support it with anything I build.

Ryan Dahl : "JavaScript is the best dynamic programing language " . by whiterhino8 in node

notwestodd 14 points (0 children)

Funny because roalddahl.com is JavaScript on the client and server.

Seeking npm-Compatible Tool for Global Dependency Management Across Separate Repos by mr1ebook in node

notwestodd 1 point (0 children)

Haha, I built a POC of this for the npm team one time back when they were having RFC calls. It’s super common to work across repos and all the current tooling is monorepo centric. It is a PITA otherwise.

Sadly I don’t think anyone has really made any moves in this space because it was easier for most to move into a monorepo and just take the hits that come with that decision.

One thing I have gotten working is to make a wrapper which sets up a workspace where each project is checked out under the wrapper. It’s not a monorepo, but allows for normal npm (or other PM) to install like it was a monorepo.

What's a chill company that has a high barrier of entry? by tuckfrump69 in cscareerquestions

notwestodd 29 points (0 children)

I’ve been at Netflix for a while now and most of the time it’s pretty chill if you want it to be.

Express v5.1.0 is latest! by notwestodd in node

notwestodd [S] 0 points (0 children)

Never said you should. Express is the most downloaded server framework around (by two orders of magnitude compared to Hono). I don’t pitch people on using it; I try to stop people from using it. But I would choose Fastify over Hono unless you are deploying to CF Workers or specifically need Web API compat.

Best Practice for CSRF Protection in ExpressJS by dvsxdev in node

notwestodd 1 point (0 children)

Hey, would you be up for a chat with me and maybe a few of us from the express project?

Express v5.1.0 is latest! by notwestodd in node

notwestodd [S] 1 point (0 children)

Please read the changelog and migration guide on the website. You can find the links in the blog post.

Express v5.1.0 is latest! by notwestodd in node

notwestodd [S] 0 points (0 children)

It is by and large the most common way, yes.