On Thu, Jun 18, 2026 at 01:11:30PM -0700, Gordon Messmer wrote:
> I've started a review of a nodejs package, and its bundled node_modules
> include wasm and native binaries. I wanted to provide the packager with
> examples of packages that fix up their node_modules properly, but I'm
> actually a little confused by what I found.
> 
> I picked nodejs-undici for reference, since it has a sources script: 
> https://src.fedoraproject.org/rpms/nodejs-undici/blob/rawhide/f/undici-sources.sh
> 
> That script removes wasm and rebundles the code, but only for the program
> itself. It's not stripping the node_modules directories of pre-built
> content. The prod directory is relatively small and I didn't see any
> pre-built binaries, but the dev directory contains "esbuild" ELF binaries.
> 
> Shouldn't node_modules be stripped of this kind of content before uploading
> source?
> 
> What package would you recommend as a reference example?

For the sgx-pccs package, I started with the nodejs-packaging-bundler
but eventually forked it, for a variety of reasons:

  https://src.fedoraproject.org/rpms/sgx-pccs/blob/rawhide/f/pccs-nodejs-bundler

My fork explicitly purges "node_modules/*/prebuilds" precisely for
the reasons you mention. That's not sufficient though, I also had
to specialcase purge node_modules/sqlite3/deps/sqlite-autoconf-*.tar.gz

Ben's reply is a good description of why this all kind of sucks
in the NPM ecosystem.

Ultimately when I update the bundled stuff, I will audit what files
are included, by listing all files, and excluding filenames/extensions
I'm happy with and then seeing what is left:

  tar tJvf pccs-1.25-20260318-node-modules.tar.xz |
    grep -v -E '(/|LICENSE.*|LICENCE|license|License|Makefile|\.(js|map|json|ts|md|bnf|txt|mjs|yml|h|cc|gypi|gyp|html|c|markdown|yaml|csv)|/\..*)$'


I should probably put that grep into my bundler script to highlight
the output.

I'm not going to claim my sgx-pccs package is a reference example.
I've merely made it mildly less awful, to get to a point where I
can tolerate shipping it.

Oh and if you're doing anything with npm bundling, for your own
safety make sure to set

   ignore-scripts=true

in $HOME/.npmrc to mitigate the risk of worms attacking your system
during package bundling and never run any npm scripts/builds on your
primary system - always in a throwaway container/vm/chroot.

You want the "npm run install" task to be during the RPM %build phase
anyway, as any build logic needs to execute in a pristine koji root,
not the developers' local system.


My overall recommendation is to stay away from anything NodeJS related
to the greatest extent possible.

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|
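
A concrete version of that audit, as an added example that is not Daniel's bundler script or any code from sgx-pccs: it applies the same extension allowlist to a tarball listing, and then also extracts the archive and checks the first four bytes of every regular file for ELF or WebAssembly magic, which catches pre-built code that is hiding behind an allowlisted extension. The archive, the node_modules layout and the file contents are constructed here for demonstration only; the allowlist regex is the one from the grep above, and an uncompressed tar is assumed so it runs without xz (GNU tar auto-detects .tar.xz on the listing/extract side as well).

```shell
#!/bin/sh
# Added example, not from the sgx-pccs bundler: audit a node_modules tarball for
# pre-built artifacts in two passes, an extension allowlist (the grep above) and
# a magic-byte scan that flags ELF/wasm content whatever the filename says.
set -eu

# Same allowlist as the grep in the mail: directory entries, license files,
# Makefiles, known source/text extensions and dotfiles are fine; anything else
# gets reported for a human to look at.
ALLOW_RE='(/|LICENSE.*|LICENCE|license|License|Makefile|\.(js|map|json|ts|md|bnf|txt|mjs|yml|h|cc|gypi|gyp|html|c|markdown|yaml|csv)|/\..*)$'

# Pass 1: archive members whose names are not covered by the allowlist.
# Usage: list_unexpected_members ARCHIVE
list_unexpected_members() {
    tar tf "$1" | grep -v -E "$ALLOW_RE" || true
}

# Pass 2: extract into a scratch directory and report every regular file whose
# first four bytes are an ELF header (7f 45 4c 46) or a WebAssembly header
# (00 61 73 6d), regardless of extension.
# Usage: find_binary_members ARCHIVE
find_binary_members() {
    scratch=$(mktemp -d)
    tar xf "$1" -C "$scratch"
    (
        cd "$scratch"
        find . -type f | sort | while read -r f; do
            magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
            case "$magic" in
                7f454c46|0061736d) printf '%s\n' "${f#./}" ;;
            esac
        done
    )
    rm -rf "$scratch"
}

# Build a constructed sample archive (not a real package) that exercises both
# passes: an extension-less ELF, a .node prebuild, a vendored sqlite tarball,
# and a wasm payload stored under an allowlisted .js name.
# Usage: make_sample_archive   (prints the archive path)
make_sample_archive() {
    dir=$(mktemp -d)
    mods="$dir/node_modules"
    mkdir -p "$mods/bar/lib" "$mods/esbuild/bin" "$mods/foo/lib" \
             "$mods/foo/prebuilds/linux-x64" "$mods/sqlite3/deps"
    printf '{"name":"bar"}\n'        > "$mods/bar/package.json"
    printf 'module.exports = {};\n'  > "$mods/bar/lib/index.js"
    printf '\177ELF'                 > "$mods/esbuild/bin/esbuild"        # fake ELF header only
    printf '\177ELF'                 > "$mods/foo/prebuilds/linux-x64/foo.node"
    printf '\000asm\001\000\000\000' > "$mods/foo/lib/helper.js"          # wasm behind a .js name
    printf 'not really a tarball\n'  > "$mods/sqlite3/deps/sqlite-autoconf.tar.gz"
    tar cf "$dir/node-modules.tar" -C "$dir" node_modules
    printf '%s\n' "$dir/node-modules.tar"
}

# Print both reports for an archive given on the command line.
audit_archive() {
    echo "== members outside the allowlist =="
    list_unexpected_members "$1"
    echo "== files with ELF/wasm magic (any extension) =="
    find_binary_members "$1"
}

[ $# -eq 0 ] || audit_archive "$1"
```

Run it as `sh audit.sh path/to/node-modules.tar`. On the constructed sample the allowlist pass reports the esbuild binary, the .node prebuild and the sqlite tarball but not helper.js, while the magic-byte pass reports helper.js and misses the sqlite tarball, which is why both are worth running before a bundled tarball is uploaded as source.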

-- 
_______________________________________________
devel mailing list -- [email protected]
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]