On Thu, Sep 05, 2024 at 06:39:28AM -0400, Jan Staněk wrote:
> Hi Daniel,
> Node.js in Fedora generally suffers from lack of community/interest in
> this particular combination. Aside from sporadic drive-by contribution,
> AFAIK I'm the only one somewhat invested/paid for caring for it.
>
> As a consequence, there's currently *no good way* to package Node.js
> stuff. The bundling exception and `nodejs-packaging-bundler` script
> are stop-gap solutions to allow us to package at least something.
> Basically any improvements and patches welcome, let me know!
>
> "Daniel P. Berrangé" <berrange@xxxxxxxxxx> writes:
> > Since maintainers run 'nodejs-packaging-bundler' on their local dev
> > machine, we're running compilation on this dev machine, with whatever
> > toolchain is present. The maintainer then uploads this to the lookaside
> > cache.
> >
> > This is obviously not good, as any compilation tasks must take place
> > inside koji with known toolchains used.
>
> Should, but as stated above, hands are generally thrown in the air
> when Node is concerned.
>
> I recently also ran into an issue when a dependency (esbuild) pulls
> an optional dependency based on the current architecture.
> As a consequence, now the package that uses it can only be built
> on x86_64 builder, since my laptop is x86_64. :-(
> I'm not even sure what can be done about that.
>
> > I'm wondering how to deal with this ?
> >
> > A first step would be patching nodejs-packaging-bundler script to
> > look for any .a, .o and .node files, and exclude them from the
> > tarball.
> >
> > The spec would then have to manually run 'node-gyp' to re-create
> > the .node files. That is probably sufficient to avoid this particular
> > problem.
>
> If you manage to get this working, patches welcome.
Thanks to this

  https://medium.com/cider-sec/npm-might-be-executing-malicious-code-in-your-ci-without-your-knowledge-e5e45bab2fed

I figured out a way to update nodejs-packaging-bundler to work in a
better way, such that script execution is postponed until RPM %build
phase:

  https://src.fedoraproject.org/rpms/nodejs-packaging/pull-request/15

> > More generally though I'm concerned that using 'npm install' in the
> > 'nodejs-packaging-bundler' tool to create deps bundles is a flawed
> > conceptual approach.
> >
> > The result of 'npm install' is not a pristine source tree, it is
> > something that is derived from the source tree in some manner.
> >
> > Even if no native toolchain is used, IIUC, the package.json file
> > can request execution of arbitrary scripts which get triggered by
> > 'npm install'. We surely want all this to be run in a known
> > environment, not the maintainer's local machine ?
> >
> > I would think for bundling nodejs deps, we want to be downloading
> > all the pristine tarballs for each package, and then run 'npm install'
> > against this set of tarballs during %build ?
>
> As far as I know, there is no easy way to get the pristine source
> tarballs easily. The npmjs.io registry does not contain the source
> tarballs, but whatever distribution files (built, preprocessed,
> minified, …) the author decided to upload.
Seems all we really needed was the "--ignore-scripts" arg for "npm install",
which turns it into a predictable "download & unpack sources only" action.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
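The filtering step Daniel proposed (drop any .a, .o and .node files from the bundle so node-gyp must rebuild them inside koji during %build) as an added, stand-alone example; this is not the nodejs-packaging-bundler script or the linked pull request. It assumes GNU tar and find, and the node_modules tree it checks is constructed inline (the `fake-native-dep` package is hypothetical).

```shell
#!/bin/sh
# Added example, not the nodejs-packaging-bundler script: after
# `npm install --ignore-scripts` the tree should hold only unpacked sources;
# anything compiled on the maintainer's machine (.a, .o, .node) is listed
# and excluded from the lookaside tarball. Assumes GNU tar and find.
set -eu

# List compiled native artifacts under a node_modules directory.
find_native_artifacts() {
    find "$1" -type f \( -name '*.node' -o -name '*.o' -o -name '*.a' \) | sort
}

# Tar up node_modules ($1) into $2 without those artifacts.
bundle_without_native() {
    tar --exclude='*.node' --exclude='*.o' --exclude='*.a' \
        -cf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# Number of native artifacts left in a tarball; a clean bundle gives 0.
count_native_in_tar() {
    tar -tf "$1" | grep -cE '\.(node|o|a)$' || true
}

# Constructed node_modules tree: one pure-JS package and one hypothetical
# package that shipped prebuilt native objects from an x86_64 laptop.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/node_modules/esbuild/lib" \
             "$root/node_modules/fake-native-dep/build/Release"
    echo 'module.exports = {};' > "$root/node_modules/esbuild/lib/main.js"
    printf 'ELF' > "$root/node_modules/fake-native-dep/build/Release/binding.node"
    printf 'obj' > "$root/node_modules/fake-native-dep/build/Release/binding.o"
    echo "$root"
}

# Build the tree, bundle it, and report "<artifacts found> <artifacts in tar>".
run_demo() {
    root=$(make_demo_tree)
    before=$(find_native_artifacts "$root/node_modules" | wc -l | tr -d ' ')
    bundle_without_native "$root/node_modules" "$root/bundle.tar"
    after=$(count_native_in_tar "$root/bundle.tar")
    rm -rf "$root"
    echo "$before $after"
}

run_demo   # prints "2 0"
```

The same `find_native_artifacts` check can be run over a bundle unpacked from the lookaside cache to confirm no prebuilt objects slipped in before the spec's %build runs node-gyp.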