On Thu, Jun 18, 2026 at 01:11:30PM -0700, Gordon Messmer wrote:
> I've started a review of a nodejs package, and its bundled node_modules
> include wasm and native binaries. I wanted to provide the packager with
> examples of packages that fix up their node_modules properly, but I'm
> actually a little confused by what I found.
>
> I picked nodejs-undici for reference, since it has a sources script:
> https://src.fedoraproject.org/rpms/nodejs-undici/blob/rawhide/f/undici-sources.sh
>
> That script removes wasm and rebundles the code, but only for the program
> itself. It's not stripping the node_modules directories of pre-built
> content. The prod directory is relatively small and I didn't see any
> pre-built binaries, but the dev directory contains "esbuild" ELF binaries.
>
> Shouldn't node_modules be stripped of this kind of content before uploading
> source?
>
> What package would you recommend as a reference example?
For the sgx-pccs package, I started with the nodejs-packaging-bundler but
eventually forked it, for a variety of reasons:

  https://src.fedoraproject.org/rpms/sgx-pccs/blob/rawhide/f/pccs-nodejs-bundler

My fork explicitly purges "node_modules/*/prebuilds" precisely for the reasons
you mention. That's not sufficient though, I also had to special-case purge
node_modules/sqlite3/deps/sqlite-autoconf-*.tar.gz

Ben's reply is the good description for why this all kind of sucks in the NPM
ecosystem.

Ultimately when I update the bundled stuff, I will audit what files are
included, by listing all files, and excluding filenames/extensions I'm happy
with and then seeing what is left:

  tar tJvf pccs-1.25-20260318-node-modules.tar.xz | grep -v -E '(/|LICENSE.*|LICENCE|license|License|Makefile|\.(js|map|json|ts|md|bnf|txt|mjs|yml|h|cc|gypi|gyp|html|c|markdown|yaml|csv)|/\..*)$'

I should probably put that grep into my bundler script to highlight the output.

I'm not going to claim my sgx-pccs package is a reference example. I've merely
made it mildly less awful, to get to a point where I can tolerate shipping it.

Oh and if you're doing anything with npm bundling, for your own safety make sure
to set ignore-scripts=true in $HOME/.npmrc to mitigate the risk of worms
attacking your system during package bundling, and never run any npm
scripts/builds on your primary system - always in a throwaway
container/vm/chroot. You want the "npm run install" task to be during the RPM
%build phase anyway, as any build logic needs to execute in a pristine koji
root, not the developers' local system.

My overall recommendation is to stay away from anything NodeJS related to the
greatest extent possible.
With regards,
Daniel

-- 
|: https://berrange.com      ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org         ~~ https://entangle-photo.org   :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
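The audit Daniel describes (list everything in the node_modules tarball, drop the file classes you are happy with, look at what is left) plus a check for the ignore-scripts setting he recommends, as an added example that is not the sgx-pccs bundler script or any code from the thread. ALLOW_RE carries the same name/extension classes as the grep in his mail; DENY_RE, the ELF magic check and the function names (suspicious_paths, audit_listing, audit_tarball, find_elf, npmrc_ignores_scripts) are assumptions of this example. The sample listing at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a bundled node_modules tree before it is uploaded as an
# RPM source. Not the bundler script from the mail; names below are my own.

# Names/extensions accepted as plain source or metadata (same classes as the
# grep in the thread). Anything not matching is printed for review.
ALLOW_RE='(/|LICENSE.*|LICENCE|license|License|Makefile|\.(js|map|json|ts|md|bnf|txt|mjs|yml|h|cc|gypi|gyp|html|c|markdown|yaml|csv)|/\..*)$'

# Paths that are pre-built payloads regardless of the allowlist: prebuilds/
# directories, native addons, wasm, shared objects and vendored tarballs.
# (Assumed list; extend it for whatever your package bundles.)
DENY_RE='(^|/)prebuilds/|\.(node|wasm|so|dylib|dll|exe|tar\.gz|tgz|tar\.xz|zip)$'

# suspicious_paths: read one path per line on stdin, print every entry that is
# either denied outright or not on the allowlist, sorted and de-duplicated.
suspicious_paths() {
    list=$(cat)
    {
        printf '%s\n' "$list" | grep -E "$DENY_RE" || :
        printf '%s\n' "$list" | grep -v -E "$ALLOW_RE" || :
    } | LC_ALL=C sort -u
}

# audit_listing: like suspicious_paths, but exits 1 when anything was flagged,
# so it can gate a bundler script.
audit_listing() {
    found=$(suspicious_paths)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# audit_tarball: run the audit over the plain file listing of a .tar.xz
# (tar -t prints only paths, so the $-anchored regexes see the path itself).
audit_tarball() {
    tar tJf "$1" | audit_listing
}

# is_elf: true when the file starts with the ELF magic 7f 45 4c 46.
# Catches binaries like an extension-less "esbuild" that no name filter sees.
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# find_elf: print every ELF file under an extracted tree.
find_elf() {
    find "$1" -type f | while IFS= read -r f; do
        if is_elf "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# npmrc_ignores_scripts: true when the given .npmrc sets ignore-scripts=true,
# so lifecycle scripts from bundled packages are not run on the bundling host.
npmrc_ignores_scripts() {
    grep -qE '^[[:space:]]*ignore-scripts[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1" 2>/dev/null
}

# Constructed sample listing, the sort of thing "tar tJf" prints.
SAMPLE_LISTING='node_modules/esbuild/package.json
node_modules/esbuild/lib/main.js
node_modules/@esbuild/linux-x64/bin/esbuild
node_modules/sqlite3/deps/sqlite-autoconf-3450000.tar.gz
node_modules/foo/prebuilds/linux-x64/foo.node
node_modules/undici/lib/llhttp/llhttp.wasm
node_modules/bar/LICENSE'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing
    npmrc_ignores_scripts "$HOME/.npmrc" || echo "warning: ignore-scripts=true not set in $HOME/.npmrc"
fi
```

Run it with --demo to see the four flagged entries from the sample, or source it and call audit_tarball on a real node-modules tarball; find_elf is for the extracted tree, since an ELF binary with no extension (the esbuild case from the original question) passes any extension-based filter.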
