remove binding.gyp from npm package #21
Conversation
This has broken our builds since we proxy the public npm registry with an instance of JFrog's Artifactory. Our Artifactory instance does not support prebuilt binaries. Thus, we get the following errors upon install:
@mkaufmaner The prebuilt binaries are included in the archive from npm; we don't pull the binaries at install time from, for example, S3 or GitHub, so the prebuilds should be present even if that's not supported. It seems that it could be caused by caching as described in DataDog/dd-trace-js#2239 (comment).
@rochdev Understood. We are in the process of attempting to "fix" our internal registry to use the prebuilt binaries from the npm registry properly. However, I am concerned that any functionality around pulling and caching binaries may have been disabled purposefully by our security team. Could you please elaborate on "triggering security tools"? Was that the reason for this being removed in the first place? If so, then security should have added an exception. Regardless of the reason for removing the bindings from the published package, could you please add them back? Instead, change the install script to detect the prebuilt binaries like it did before? Furthermore, this is a breaking change because it drops support for building the supporting libraries from source through the existing package managers. Thus, the major version of this package should have been incremented to reflect this.
The presence of an install script is what makes security tools flag it. Install scripts can do anything, including malicious things.
It shouldn't be a breaking change because the prebuilds are directly in the package, so they will always be pulled at install time regardless of any external access. This is usually not true as most packages use
This is a real breaking change... as in, it's BREAKING our deployments and npm installs from project pulls... Please revert back, as many people do not have access to reset cache or force their administrators to accept what is happening here. If it's not reverted back, a working solution needs to be provided that does not involve modifying Artifactory etc. One solution I've tried is package.json overrides, but I believe I need to find and add more than just dd-native-metrics for the npm install dd-trace override.
Package managers support building native add-ons based on the presence of the If we were to remove the native code completely, which we plan to do in the future when Node provides all the metrics, then the same issue would still happen even though there would be no native code at all. In that sense, even if we were to bring back the file, this would only be a temporary fix until the issue comes back later. We need to figure out exactly what is happening here, and once we know the root cause of this bug then we can provide a working solution.
I completely agree with this, which is why I've been trying to reproduce for the last few days. I want to fix this, but I need to know how to reproduce. Now that it seems that private registries are pretty much always involved, I'll try to see if I can come up with a reproduction and understand what is going on.
@artfiedler Can you share which private registry you are using and whether it's hosted as a service or on-premise?
@artfiedler I was able to reproduce with an OSS private registry. You can follow progress in npm/cli#5234, but I'll also update all threads about the issue when there is a resolution.
@rochdev Could you add the bindings.gyp file back to the published package in the meantime?
On premise JFrog 7.35.2 rev 73502900 |
@mkaufmaner @artfiedler Please see DataDog/dd-trace-js#2239 (comment) for a workaround.
This file is no longer needed now that prebuilds exist for all supported platforms and architectures. It also has the benefit of removing the need for an install script which was triggering security tools.