Re: How to handle nodejs bundling with native compiled modules ?

On Thu, Sep 05, 2024 at 06:39:28AM -0400, Jan Staněk wrote:
> Hi Daniel,
> Node.js in Fedora generally suffers from lack of community/interest in
> this particular combination. Aside from sporadic drive-by contribution,
> AFAIK I'm the only one somewhat invested/paid for caring for it.
> 
> As a consequence, there's currently *no good way* to package Node.js
> stuff. The bundling exception and `nodejs-packaging-bundler` script
> are stop-gap solutions to allow us to package at least something.
> Basically any improvements and patches welcome, let me know!
> 
> "Daniel P. Berrangé" <berrange@xxxxxxxxxx> writes:
> > Since maintainers run 'nodejs-packaging-bundler' on their local dev
> > machine, we're running compilation on this dev machine, with whatever
> > toolchain is present. The maintainer then uploads this to the lookaside
> > cache.
> >
> > This is obviously not good, as any compilation tasks must take place
> > inside koji with known toolchains used.
> 
> Should, but as stated above, hands are generally thrown in the air
> when Node is concerned.
> 
> I recently also ran into an issue when a dependency (esbuild) pulls
> an optional dependency based on the current architecture.
> As a consequence, now the package that uses it can only be built
> on x86_64 builder, since my laptop is x86_64. :-(
> I'm not even sure what can be done about that.
> 
> > I'm wondering how to deal with this ?
> >
> > A first step would be patching nodejs-packaging-bundler script to
> > look for any .a, .o and .node files, and exclude them from the
> > tarball.
> >
> > The spec would then have to manually run 'node-gyp' to re-create
> > the .node files. That is probably sufficient to avoid this particular
> > problem.
> 
> If you manage to get this working, patches welcome.

Thanks to this

  https://medium.com/cider-sec/npm-might-be-executing-malicious-code-in-your-ci-without-your-knowledge-e5e45bab2fed

I figured out a way to update nodejs-packaging-bundler to work
in a better way, such that script execution is postponed until
RPM %build phase:

  https://src.fedoraproject.org/rpms/nodejs-packaging/pull-request/15

> > More generally though I'm concerned that using 'npm install' in the
> > 'nodejs-packaging-bundler' tool to create deps bundles is a flawed
> > conceptual approach.
> >
> > The result of 'npm install' is not a pristine source tree, it is
> > something that is derived from the source tree in some manner.
> >
> > Even if no native toolchain is used, IIUC, the package.json file
> > can request execution of arbitrary scripts which get triggered by
> > 'npm install'. We surely want all this to be run in a known
> > environment, not the maintainer's local machine ?
> >
> > I would think for bundling nodejs deps, we want to be downloading
> > all the pristine tarballs for each package, and then run 'npm install'
> > against this set of tarballs during %build ?
> 
> As far as I know, there is no easy way to get the pristine source
> tarballs easily. The npmjs.io registry does not contain the source
> tarballs, but whatever distribution files (built, preprocessed,
> minified, …) the author decided to upload.

Seems all we really needed was the "--ignore-scripts" arg for
"npm install", which turns it into a predictable "download & unpack
sources only" action.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
