Why you shouldn't use Sails.js

This article was originally published at https://gist.github.com/joepie91/cc8b0c9723cc2164660e.

This article was published in 2015. Since then, the situation may have changed, and this article is kept for posterity. You should verify whether the issues still apply when making a decision

A large list of reasons why to avoid Sails.js and Waterline: https://kev.inburke.com/kevin/dont-use-sails-or-waterline/

Furthermore, the CEO of Balderdash, the company behind Sails.js, stated the following:

"we promise to push a fix within 60 days",

@kevinburkeshyp This would amount to a Service Level Agreement with the entire world; this is generally not possible, and does not exist in any software project that I know of.

Upon notifying him in the thread that I actually offer exactly that guarantee, and that his statement was thus incorrect, he accused me of "starting a flamewar", and proceeded to delete my posts.

UPDATE: The issue has been reopened by the founder of Balderdash. Mind that this article was written back when this was not the case yet, and judge appropriately.

He is apparently also unaware that Google Project Zero expects the exact same - a hard deadline of 90 days, after which an issue is publicly disclosed.

Now, just locking the thread would have been at least somewhat justifiable - he might have legitimately misconstrued my statement as inciting a flamewar.

What is not excusable, however, is removing my posts that show his (negligent) statement is wrong. This raises serious questions about what the Sails maintainers consider more important: their reputation, or the actual security of their users.

It would have been perfectly possible to just leave the posts intact - the thread would be locked, so a flamewar would not have been a possibility, and each reader could make up their own mind about the state of things.

In short: Avoid Sails.js. They do not have your best interests at heart, and this could result in serious security issues for your project.

For reference, the full thread is below, pre-deletion.

Automatic authentication keys

Whirlwind tour of (correct) npm usage

An overview of Javascript tooling

Monolithic vs. modular - what's the difference?

Synchronous vs. asynchronous

What is state?

Promises reading list

The Promises FAQ - addressing the most common questions and misconceptions about Promises

Error handling (with Promises)

Bluebird Promise.try using ES6 Promises

Please don't include minified builds in your npm packages!

How to get the actual width of an element in jQuery, even with border-box: box-sizing

A survey of unhandledRejection and rejectionHandled handlers

Quill.js glossary

Riot.js cheatsheet

Quick reference for `checkit` validators

ES Modules are terrible, actually

A few notes on the "Gathering weak npm credentials" article

How to install Node.js applications, if you're not a Node.js developer

Getting started with Node.js

Node.js for PHP developers

Rendering pages server-side with Express (and Pug)

Running a Node.js application using nvm as a systemd service

Persistent state in Node.js

node-gyp requirements

Introduction to sessions

Secure random values

Checking file existence asynchronously

Fixing "Buffer without new" deprecation warnings

Why you shouldn't use Sails.js

Building desktop applications with Node.js

Setting up Bookstack

A *complete* listing of operators in Nix, and their predence.

Setting up Hydra

Fixing root filesystem errors with fsck on NixOS

Stepping through builder steps in your custom packages

Using dependencies in your build phases

Source roots that need to be renamed before they can be used

Error: `error: cannot coerce a function to a string`

`buildInputs` vs. `nativeBuildInputs`?

QMake ignores my `PREFIX`/`INSTALL_PREFIX`/etc. variables!

Useful tools for working with NixOS

Proprietary AMD drivers (fglrx) causing fatal error in i387.h

Installing a few packages from `master`

GRUB2 on UEFI

Unblock ports in the firewall on NixOS

Guake doesn't start because of a GConf issue

FFMpeg support in youtube-dl

An incomplete rant about the state of the documentation for NixOS

Futures and Tokio

Database characteristics

Prefix codes (explained simply)

Cleaning sticky soda spills in a mechanical keyboard without disassembly

Hacking the Areson L103G

Batch-migrating Gitolite repositories to Gogs

What is(n't) Docker actually for?

Blocking LLM scrapers on Alibaba Cloud from your nginx configuration

Dealing with a degraded btrfs array due to disk failure

Don't use VPN services.

Normies just don't care about privacy

Why you probably shouldn't use a wildcard certificate

The 5-minute guide to the fediverse and Mastodon

No, your cryptocurrency cannot work

Is my blockchain a blockchain?

You don't need a blockchain.

Transitive dependencies and the commons

How to de-escalate situations

Treating hair lice in difficult hair

State resolution attacks

Working with DBus

Subgraph sorting

Why you shouldn't use Sails.js

No Comments

A complete listing of operators in Nix, and their predence.