GithubHelp home page GithubHelp logo

kevincorcor / pkg-fetch Goto Github PK

View Code? Open in Web Editor NEW

This project forked from vercel/pkg-fetch

0.0 1.0 0.0 1.14 MB

A utility to fetch or build patched Node binaries used by `pkg` to generate executables. This repo hosts prebuilt binaries in Releases.

Home Page: https://npmjs.com/pkg-fetch

License: MIT License

JavaScript 4.21% TypeScript 95.79%

pkg-fetch's Introduction

A utility to fetch or build patched Node binaries used by pkg to generate executables. This repo hosts prebuilt binaries in Releases.

Binary Compatibility

Node Platform Architectures Minimum OS version
81, 101, 12, 14, 16, 172 alpine x64, arm64 3.7.3, other distros with musl libc >= 1.1.18
81, 101, 12, 14, 16, 172 linux x64 Enterprise Linux 7, Ubuntu 14.04, Debian jessie, other distros with glibc >= 2.17
81, 101, 12, 14, 16, 172 linux arm64 Enterprise Linux 8, Ubuntu 18.04, Debian buster, other distros with glibc >= 2.27
81, 101, 12, 14, 16, 172 linuxstatic x64, arm64 Any distro with Linux Kernel >= 2.6.32 (>= 3.10 strongly recommended)
16, 172 linuxstatic armv72 Any distro with Linux Kernel >= 2.6.32 (>= 3.10 strongly recommended)
81, 101, 12, 14, 16, 172 macos x64 10.13
14, 16, 172 macos arm643 11.0
81, 101, 12, 14, 16, 172 win x64 8.1
14, 16, 172 win arm64 10

[1]: end-of-life, may be removed in the next major release.

[2]: best-effort basis, not semver-protected.

[3]: mandatory code signing is enforced by Apple.

Security

We do not expect this project to have vulnerabilities of its own. Nonetheless, as this project distributes prebuilt Node.js binaries,

Node.js security vulnerabilities affect binaries distributed by this project, as well.

Like most of you, this project does not have access to advance/private disclosures of Node.js security vulnerabilities. We can only closely monitor the public security advisories from the Node.js team. It takes time to build and release a new set of binaries, once a new Node.js version has been released.

We aim to complete the full cycle within a day, when there is a security update. Please open an issue if there is no action for a while.

It is possible for this project to fall victim to a supply chain attack.

This project deploys multiple defense measures to ensure that the safe binaries are delivered to users:

  • Binaries are compiled by Github Actions
    • Workflows and build logs are transparent and auditable.
    • Artifacts are the source of truth. Even repository/organization administrators can't tamper them.
  • Hashes of binaries are hardcoded in source
    • Origins of the binaries are documented.
    • Changes to the binaries are logged by VCS (Git) and are publicly visible.
    • pkg-fetch rejects the binary if it does not match the hardcoded hash.
  • GPG-signed hashes are available in Releases
    • Easy to spot a compromise.
  • pkg-fetch package on npm is strictly permission-controlled
    • Only authorized Vercel employees can push new revisions to npm.

Report to [email protected], if you noticed a disparity between (hashes of) binaries.

pkg-fetch's People

Contributors

biancode avatar cnnaik avatar danielgindi avatar david-mohr avatar dependabot[bot] avatar greenkeeperio-bot avatar hipstersmoothie avatar hypfer avatar igorklopov avatar jesec avatar leerob avatar leo avatar madscientist159 avatar n1ru4l avatar pdcastro avatar psact avatar qix- avatar rauchg avatar robcresswell avatar robertslando avatar xanonid avatar

Watchers

 avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.