Microsoft proposes type syntax for JavaScript

Long overdue innovation or an affront to all that developers hold dear?

Type-fans rejoice! Plans (or a proposal, at least) are afoot to pop some type-checking into the infamously dynamically typed JavaScript.

The proposal, from Microsoft and others, including devs from the Igalia Coding Experience program and Bloomberg, is all about adding "types as comments" to the language.

The theory is that it would become possible to have a syntax for types that could be used by tools that need those hooks (such as Microsoft's own TypeScript) and ignored by those that do not.

Types are a controversial and, some might say, long overdue innovation for the venerable JavaScript.

The popularity of tools such as TypeScript and Flow, with built-in type checking, has demonstrated that a demand exists. The most recent State of JavaScript survey highlighted Static Typing as something many were thirsting for.

The thing is, there is wide variation in opinions about what Static Typing actually represents in the world of JavaScript, not to mention a healthy subset that would run a mile from such functionality. The proposal from the group of devs led by Microsoft is a compromise position. At present, in the TypeScript world, one can express types in JSDoc comments, which tend to be a little verbose and, dare we say it, clunky in use.

The example given by Microsoft's Daniel Rosenwasser of current TypeScript JSDoc comment practice is:

/**
 * @param a {number}
 * @param b {number}
 */
function add(a, b) {
    return a + b;
}

Which could, if the proposal gets accepted, become something like:

function add(a: number, b: number) {
    return a + b;
}

"The idea of this proposal," said Rosenwasser, "is that JavaScript could carve out a set of syntax for types that engines would entirely ignore, but which tools like TypeScript, Flow, and others could use."

Rosenwasser was quick to emphasize that the proposal is not about sticking TypeScript type-checking into every JavaScript runtime (certainly, one could imagine all kinds of compatibility problems down the line). Instead, the plan is that the approach would be picked up by any type checker, not just the likes of TypeScript.
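What "engines would entirely ignore" means at runtime, as an added example that is not from the article or the proposal: the annotated add() takes a string without complaint, so values crossing a trust boundary still need an explicit check. The addChecked function and the sample request body are constructed for illustration, and JSDoc is used because today's engines reject the proposed `a: number` syntax.

```javascript
// Added example: type annotations are hints for tools, not runtime checks.

/**
 * @param a {number}
 * @param b {number}
 */
function add(a, b) {
    // The engine never reads the JSDoc above; any value is accepted.
    return a + b;
}

// Hypothetical hardened variant: validate at the trust boundary, because
// the annotation alone enforces nothing once the code is running.
function addChecked(a, b) {
    for (const [name, value] of [["a", a], ["b", b]]) {
        if (typeof value !== "number" || !Number.isFinite(value)) {
            throw new TypeError(`${name} must be a finite number`);
        }
    }
    return a + b;
}

// Constructed sample input: a request body in which the client sent a
// string where the annotation promises a number.
const body = JSON.parse('{"quantity": "1", "extra": 2}');

function demo() {
    // Unchecked: "1" + 2 silently becomes the string "12".
    const unchecked = add(body.quantity, body.extra);

    // Checked: the same input is rejected before it is used.
    let rejected = false;
    try {
        addChecked(body.quantity, body.extra);
    } catch (err) {
        rejected = err instanceof TypeError;
    }

    return { unchecked, rejected, valid: addChecked(1, 2) };
}

console.log(demo());
```

A static type checker would flag the add() call only if the parsed body were itself typed; JSON.parse results are untyped, which is why the runtime check remains necessary.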

Certainly, if a developer is accustomed to using a type checker, then the approach has much to commend it. However, by carefully making sure everything remains optional there is also the risk it might just complicate things further and simply be ignored.

Unsurprisingly, debate over the move has rumbled on since its publication last week. Some think the idea is an excellent one while others are a little more negative.

Rosenwasser said: "A proposal like this will receive a lot of feedback and appropriate scrutiny."

It is also still only a proposal at the moment, planned for Stage 1 of the ECMA TC39 process. There are therefore many hurdles ahead before the concept (if accepted) makes its way into ECMAScript, and plenty of opportunity for debate.

However, judging by the responses of just over 16,000 devs that answered questions in the 2021 State of JavaScript survey, there is appetite for some sort of type functionality. The developers' proposal is a first step on the way. ®


Biting the hand that feeds IT © 1998–2022