This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Ship prebuilt binaries using optionalDependencies instead of install script #207
Comments
One problem with this approach is that it doesn't distinguish between musl-based and glibc-based Linux distributions. Unfortunately, we have to make this distinction. See for example the latest release: 1.20.10. Note especially TL;DR: Node produces official Docker images based on either Alpine Linux or Debian Linux. The former is a minimal image often used as a base for Node-based servers. The latter is a full Linux distribution, mostly used for development. Alpine Linux uses BTW, disabling post-install breaks the official way of distributing binary plugins — they are all compiled during post-install. The same goes for For security reasons,
@uhop the references packages provided contains Example of Matrix of builds:
It is not the only official way; it used to be. Over the years the NPM ecosystem evolved to provide pre-built binaries and support for multiple platforms and libc implementations. The build can still be used as a fallback method in case the target platform doesn't have the pre-built binary.
This alternative, to not build and to download from some cache, still relies on scripts; it is not really approved by my company's security standards. In addition, the management of such a snowflake is not something that users are willing to maintain, and they expect an out-of-the-box solution that works. I understand this is an open source project and needs support for feature requests like this. If you're open to contributions, please let me know.
Thank you for the write up. Let's get down to brass tacks.
I am not building a Rust binary.
Could you point me to the relevant documents? Let me start you up:
Which one talks about it? Just to be complete, this is the documentation for I do not understand how it chooses the right binary. Does it try to install all available optional packages and the "wrong" ones somehow fail? How does it know it is the right one? I can specify OS and CPU in
If you followed the links, you'll see that there is no way to encode Did I miss anything? I am sure I did. I am looking forward to learning more on that topic.
Some strict CI environments don't allow executing post-install scripts; this causes the RE2 package to never download or build the native addon. Other restrictions include internet access, where external requests other than to the internal NPM proxy are not allowed.
This is done as a Node.js recommended security practice to prevent supply-chain attacks.
The solution is to use optionalDependencies and distribute it directly from NPM, no more scripts/external requests required.
There are some example Rust bindings projects that use this method successfully:
https://github.com/Brooooooklyn/snappy
https://github.com/napi-rs/node-rs
Other references:
https://sentry.engineering/blog/publishing-binaries-on-npm
evanw/esbuild#1621
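
An added illustration, not part of the issue thread and not code from RE2, esbuild or napi-rs: a loader that picks one prebuilt package at require time from a matrix of os/cpu/libc constraints, covering the musl versus glibc distinction raised in the comments, and that fails closed instead of downloading or compiling. The package names and the matrix are hypothetical; detecting libc through `process.report` is one technique assumed here.

```javascript
// Hypothetical per-platform packages, as a main package would list them under
// "optionalDependencies". The os/cpu/libc values mirror each package's constraints.
const CANDIDATES = [
  { name: 're2-prebuilt-linux-x64-gnu', os: 'linux', cpu: 'x64', libc: 'glibc' },
  { name: 're2-prebuilt-linux-x64-musl', os: 'linux', cpu: 'x64', libc: 'musl' },
  { name: 're2-prebuilt-linux-arm64-gnu', os: 'linux', cpu: 'arm64', libc: 'glibc' },
  { name: 're2-prebuilt-linux-arm64-musl', os: 'linux', cpu: 'arm64', libc: 'musl' },
  { name: 're2-prebuilt-darwin-arm64', os: 'darwin', cpu: 'arm64' },
  { name: 're2-prebuilt-win32-x64', os: 'win32', cpu: 'x64' },
];

// Node built against glibc reports glibcVersionRuntime in its diagnostic report
// header; on musl (Alpine) the field is absent. Returns null off Linux.
function detectLibc(platform = process.platform, report = process.report) {
  if (platform !== 'linux') return null;
  const usable = report && typeof report.getReport === 'function';
  const header = usable ? report.getReport().header : null;
  if (!header) return 'unknown';
  return header.glibcVersionRuntime ? 'glibc' : 'musl';
}

// Exactly one candidate must match; anything else is treated as "no binary".
function selectBinaryPackage(host, candidates = CANDIDATES) {
  const matches = candidates.filter((c) =>
    c.os === host.platform &&
    c.cpu === host.arch &&
    (c.libc === undefined || c.libc === host.libc));
  return matches.length === 1 ? matches[0].name : null;
}

// Fail closed: no download, no compile step, just a clear error the caller can
// turn into a documented fallback.
function resolveAddonPackage(host) {
  const h = host || { platform: process.platform, arch: process.arch, libc: detectLibc() };
  const name = selectBinaryPackage(h);
  if (name === null) {
    throw new Error(`no prebuilt binary for ${h.platform}/${h.arch}/${h.libc}`);
  }
  return name; // the real loader would then call require(name)
}
```

Because nothing here runs at install time, the selection works the same with install scripts disabled and behind an internal registry proxy.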