The pkg-fetch npm package is used to fetch and cache Node.js binaries for the pkg project. It is primarily used to download Node.js binaries that are compatible with the pkg tool, which allows you to package Node.js applications into standalone executables.
Fetch Node.js binaries
This feature allows you to fetch a specific version of Node.js binaries for a given platform and architecture. The code sample demonstrates how to fetch Node.js version 14.15.1 for a Linux x64 system.
const fetch = require('pkg-fetch');
(async () => {
const nodeVersion = 'node-v14.15.1';
const platform = 'linux';
const arch = 'x64';
const binaryPath = await fetch.need({ nodeRange: nodeVersion, platform, arch });
console.log(`Binary path: ${binaryPath}`);
})();Cache management
This feature provides access to the cache path where the fetched binaries are stored. The code sample shows how to retrieve and print the cache path.
const fetch = require('pkg-fetch');
(async () => {
const cachePath = fetch.system.cache;
console.log(`Cache path: ${cachePath}`);
})();Check for binary existence
This feature allows you to check if a specific Node.js binary already exists in the cache. The code sample demonstrates how to check for the existence of Node.js version 14.15.1 for a Linux x64 system.
const fetch = require('pkg-fetch');
(async () => {
const nodeVersion = 'node-v14.15.1';
const platform = 'linux';
const arch = 'x64';
const exists = await fetch.exists({ nodeRange: nodeVersion, platform, arch });
console.log(`Binary exists: ${exists}`);
})();Nexe is a command-line utility that compiles your Node.js application into a single executable file. It also fetches Node.js binaries but focuses more on the compilation and packaging of the application. Compared to pkg-fetch, nexe provides a more integrated solution for creating standalone executables.
Pkg is a tool that packages Node.js projects into executables for various platforms. It uses pkg-fetch internally to fetch the necessary Node.js binaries. While pkg-fetch focuses on fetching binaries, pkg provides a higher-level interface for packaging applications.
Node-pre-gyp is a tool that makes it easy to publish and install Node.js C++ addons from binaries. It fetches pre-built binaries for Node.js modules, similar to how pkg-fetch fetches Node.js binaries. However, node-pre-gyp is more focused on native addons rather than standalone executables.
A utility to fetch or build patched Node binaries used by pkg to generate executables. This repo hosts prebuilt binaries in Releases.
| Node | Platform | Architectures | Minimum OS version |
|---|---|---|---|
| 81, 101, 121, 14, 16, 18 | alpine | x64, arm64 | 3.7.3, other distros with musl libc >= 1.1.18 |
| 81, 101, 121, 14, 16, 18 | linux | x64 | Enterprise Linux 7, Ubuntu 14.04, Debian jessie, other distros with glibc >= 2.17 |
| 81, 101, 121, 14, 16, 18 | linux | arm64 | Enterprise Linux 8, Ubuntu 18.04, Debian buster, other distros with glibc >= 2.27 |
| 81, 101, 121, 14, 16, 18 | linuxstatic | x64, arm64 | Any distro with Linux Kernel >= 2.6.32 (>= 3.10 strongly recommended) |
| 16, 18 | linuxstatic | armv72 | Any distro with Linux Kernel >= 2.6.32 (>= 3.10 strongly recommended) |
| 81, 101, 121, 14, 16, 18 | macos | x64 | 10.13 |
| 14, 16, 18 | macos | arm643 | 11.0 |
| 81, 101, 121, 14, 16, 18 | win | x64 | 8.1 |
| 14, 16, 18 | win | arm64 | 10 |
[1]: end-of-life, may be removed in the next major release.
[2]: best-effort basis, not semver-protected.
[3]: mandatory code signing is enforced by Apple.
We do not expect this project to have vulnerabilities of its own. Nonetheless, as this project distributes prebuilt Node.js binaries,
Node.js security vulnerabilities affect binaries distributed by this project, as well.
Like most of you, this project does not have access to advance/private disclosures of Node.js security vulnerabilities. We can only closely monitor the public security advisories from the Node.js team. It takes time to build and release a new set of binaries, once a new Node.js version has been released.
It is possible for this project to fall victim to a supply chain attack.
This project deploys multiple defense measures to ensure that the safe binaries are delivered to users:
pkg-fetch rejects the binary if it does not match the hardcoded hash.pkg-fetch package on npm is strictly permission-controlled
pkg-fetch clonegit clone https://github.com/nodejs/node.gitcd nodegit checkout v18.13.0git apply ..\pkg-fetch\patches\node.v18.12.1.cpp.patch --rejectgit add -Agit diff --staged --src-prefix=node/ --dst-prefix=node/ > ..\pkg-fetch\patches\node.v18.13.0.cpp.patchUsually when a patch is rejected, it's because the context around the changes
was refactored slightly since the last patched version. This is not usually
complicated to resolve, but requires a human to interpret the changes since the
last version pkg was patched against, compared with the version you wish to
create a patch for.
One method is to pull up the diff for the file where the rejects apply for the
changes between the last tag (e.g. v18.12.1 to use the previous example) and the
tag you want a patch for (e.g. v18.13.0 to use the previous example). Alongside
this, have the .rej file and go through each rejected hunk by hunk and use
your best judgement to determine how it should apply against the new tag.
Save you results, and export the overall git diff with the commands from the example above.
The expectation is that a patch applies cleanly, with no delta or offsets from the source repo.
When making a change to a patch file, it is possible to apply that patch without building by running
yarn applyPatches --node-range node18
where the --node-range can be specified to apply patches for the version of
node for which you are updating patches. If unspecified, the latest node version
in patches.json will be used.
Ultimately, the patch should result in fully functional node binary, but the
applyPatches script can be used to quickly iterate just the application of
the patches you are updating without needing to wait for the full build to
complete.
You can use the yarn start script to build the binary locally, which is helpful
when updating patches to ensure functionality before pushing patch updates for
review.
For example:
yarn start --node-range node18 --arch x64 --output dist
FAQs
Compiles and stores base binaries for pkg
The npm package pkg-fetch receives a total of 154,426 weekly downloads. As such, pkg-fetch popularity was classified as popular.
We found that pkg-fetch demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.
Security News
Research
Socket researchers found a malicious Maven package impersonating the legitimate ‘XZ for Java’ library, introducing a backdoor for remote code execution.