Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
prebuild-install
Advanced tools
A command line tool to easily install prebuilt binaries for multiple version of node/iojs on a specific platform
The prebuild-install npm package is used to install prebuilt binaries for Node.js modules, if available, before falling back to building from source. This can significantly speed up installation times and avoid the need for a full development environment with build tools like gcc or Visual Studio.
Installing prebuilt binaries
Automatically downloads and installs prebuilt binaries for a module if they are available for the current platform and Node.js version. If prebuilt binaries are not available, it will fall back to building from source.
npm install --save <module-name>
Custom binary hosting
Allows specifying custom hosting URLs and tag prefixes for prebuilt binaries, enabling the use of private or alternative binary hosting solutions.
npm install --build-from-source --prebuild-tag-prefix="<custom-prefix>-" --prebuild-download="<custom-hosting-url>"
Skipping prebuilt binary download
Forces the installation process to compile the module from source, bypassing the download of prebuilt binaries.
npm install --build-from-source
node-pre-gyp is a similar package that facilitates the installation of precompiled binaries for Node.js modules. It differs from prebuild-install in its configuration and build process, but serves a similar purpose of avoiding the need to compile modules from source.
node-gyp is not a direct alternative to prebuild-install but is often used in conjunction with it. node-gyp is a cross-platform command-line tool for compiling Node.js native addon modules from source. It is used when prebuilt binaries are not available or when a build from source is explicitly requested.
prebuild is a tool for creating and managing prebuilt binaries for Node.js modules. It is often used in tandem with prebuild-install. While prebuild is focused on the creation of the binaries, prebuild-install is designed for the end-user installation experience.
A command line tool to easily install prebuilt binaries for multiple versions of Node.js & Electron on a specific platform. By default it downloads prebuilt binaries from a GitHub release.
Instead of prebuild
paired with prebuild-install
, we recommend prebuildify
paired with node-gyp-build
.
With prebuildify
, all prebuilt binaries are shipped inside the package that is published to npm, which means there's no need for a separate download step like you find in prebuild
. The irony of this approach is that it is faster to download all prebuilt binaries for every platform when they are bundled than it is to download a single prebuilt binary as an install script.
Upsides:
node-gyp-build
runtime dependency is dependency-free and will remain so out of principle, because introducing dependencies would negate the shorter install time.Downsides:
npm publish
must be done after compiling and fetching prebuilt binaries (typically in CI).Use prebuild
to create and upload prebuilt binaries. Then change your package.json install script to:
{
"scripts": {
"install": "prebuild-install || node-gyp rebuild"
}
}
When a consumer then installs your package with npm thus triggering the above install script, prebuild-install
will download a suitable prebuilt binary, or exit with a non-zero exit code if there is none, which triggers node-gyp rebuild
in order to build from source.
Options (see below) can be passed to prebuild-install
like so:
{
"scripts": {
"install": "prebuild-install -r napi || node-gyp rebuild"
}
}
prebuild-install [options]
--download -d [url] (download prebuilds, no url means github)
--target -t version (version to install for)
--runtime -r runtime (Node runtime [node, napi or electron] to build or install for, default is node)
--path -p path (make a prebuild-install here)
--token -T gh-token (github token for private repos)
--arch arch (target CPU architecture, see Node OS module docs, default is current arch)
--platform platform (target platform, see Node OS module docs, default is current platform)
--tag-prefix <prefix> (github tag prefix, default is "v")
--build-from-source (skip prebuild download)
--verbose (log verbosely)
--libc (use provided libc rather than system default)
--debug (set Debug or Release configuration)
--version (print prebuild-install version and exit)
When prebuild-install
is run via an npm
script, options --build-from-source
, --debug
, --download
, --target
, --runtime
, --arch
--platform
and --libc
may be passed through via arguments given to the npm
command.
Alternatively you can set environment variables npm_config_build_from_source=true
, npm_config_platform
, npm_config_arch
, npm_config_target
npm_config_runtime
and npm_config_libc
.
On non-glibc Linux platforms, the Libc name is appended to platform name. For example, musl-based environments are called linuxmusl
. If --libc=glibc
is passed as option, glibc is discarded and platform is called as just linux
. This can be used for example to build cross-platform packages on Alpine Linux.
prebuild-install
supports downloading prebuilds from private GitHub repositories using the -T <github-token>
:
$ prebuild-install -T <github-token>
If you don't want to use the token on cli you can put it in ~/.prebuild-installrc
:
token=<github-token>
Alternatively you can specify it in the prebuild-install_token
environment variable.
Note that using a GitHub token uses the API to resolve the correct release meaning that you are subject to the (GitHub Rate Limit).
To create a token:
Generate new token
buttonGenerate token
button, see belowThe default scopes should be fine.
The end user can override binary download location through environment variables in their .npmrc file.
The variable needs to meet the mask % your package name %_binary_host
or % your package name %_binary_host_mirror
. For example:
leveldown_binary_host=http://overriden-host.com/overriden-path
Note that the package version subpath and file name will still be appended.
So if you are installing leveldown@1.2.3
the resulting url will be:
http://overriden-host.com/overriden-path/v1.2.3/leveldown-v1.2.3-node-v57-win32-x64.tar.gz
If you want to use prebuilds from your local filesystem, you can use the % your package name %_local_prebuilds
.npmrc variable to set a path to the folder containing prebuilds. For example:
leveldown_local_prebuilds=/path/to/prebuilds
This option will look directly in that folder for bundles created with prebuild
, for example:
/path/to/prebuilds/leveldown-v1.2.3-node-v57-win32-x64.tar.gz
Non-absolute paths resolve relative to the directory of the package invoking prebuild-install, e.g. for nested dependencies.
All prebuilt binaries are cached to minimize traffic. So first prebuild-install
picks binaries from the cache and if no binary could be found, it will be downloaded. Depending on the environment, the cache folder is determined in the following order:
${npm_config_cache}/_prebuilds
${APP_DATA}/npm-cache/_prebuilds
${HOME}/.npm/_prebuilds
With npm do:
npm install prebuild-install
FAQs
A command line tool to easily install prebuilt binaries for multiple version of node/iojs on a specific platform
The npm package prebuild-install receives a total of 0 weekly downloads. As such, prebuild-install popularity was classified as not popular.
We found that prebuild-install demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.