1 | A utility to fetch or build patched Node binaries used by [pkg](https://github.com/vercel/pkg) to generate executables. This repo hosts prebuilt binaries in [Releases](https://github.com/vercel/pkg-fetch/releases).
|
2 |
|
3 | ## Binary Compatibility
|
4 |
|
5 | | Node | Platform | Architectures | Minimum OS version |
|
6 | | ------------------------------------------------------------- | ----------- | --------------------------- | --------------------------------------------------------------------------------- |
|
7 | | 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 | alpine | x64, arm64 | 3.7.3, other distros with musl libc >= 1.1.18 |
|
8 | | 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 | linux | x64 | Enterprise Linux 7, Ubuntu 14.04, Debian jessie, other distros with glibc >= 2.17 |
|
9 | | 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 | linux | arm64 | Enterprise Linux 8, Ubuntu 18.04, Debian buster, other distros with glibc >= 2.27 |
|
10 | | 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 | linuxstatic | x64, arm64 | Any distro with Linux Kernel >= 2.6.32 (>= 3.10 strongly recommended) |
|
11 | | 16 | linuxstatic | armv7<sup>[[2]](#fn2)</sup> | Any distro with Linux Kernel >= 2.6.32 (>= 3.10 strongly recommended) |
|
12 | | 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 | macos | x64 | 10.13 |
|
13 | | 14, 16 | macos | arm64<sup>[[3]](#fn3)</sup> | 11.0 |
|
14 | | 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 | win | x64 | 8.1 |
|
15 | | 14, 16 | win | arm64 | 10 |
|
16 |
|
17 | <em id="fn1">[1]</em>: end-of-life, may be removed in the next major release.
|
18 |
|
19 | <em id="fn2">[2]</em>: best-effort basis, not semver-protected.
|
20 |
|
21 | <em id="fn3">[3]</em>: [mandatory code signing](https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-universal-apps-release-notes) is enforced by Apple.
|
22 |
|
23 | ## Security
|
24 |
|
25 | We do not expect this project to have vulnerabilities of its own. Nonetheless, as this project distributes prebuilt Node.js binaries,
|
26 |
|
27 | **Node.js security vulnerabilities affect binaries distributed by this project, as well.**
|
28 |
|
29 | Like most of you, this project does not have access to advance/private disclosures of Node.js security vulnerabilities. We can only closely monitor the **public** security advisories from the Node.js team. It takes time to build and release a new set of binaries, once a new Node.js version has been released.
|
30 |
|
31 | We aim to complete the full cycle within a day, when there is a security update. Please [open an issue](https://github.com/vercel/pkg-fetch/issues/new) if there is no action for a while.
|
32 |
|
33 | **It is possible for this project to fall victim to a supply chain attack.**
|
34 |
|
35 | This project deploys multiple defense measures to ensure that the safe binaries are delivered to users:
|
36 |
|
37 | - Binaries are compiled by [Github Actions](https://github.com/vercel/pkg-fetch/actions)
|
38 | - Workflows and build logs are transparent and auditable.
|
39 | - Artifacts are the source of truth. Even repository/organization administrators can't tamper them.
|
40 | - Hashes of binaries are hardcoded in [source](https://github.com/vercel/pkg-fetch/blob/HEAD/lib/expected.ts)
|
41 | - Origins of the binaries are documented.
|
42 | - Changes to the binaries are logged by VCS (Git) and are publicly visible.
|
43 | - `pkg-fetch` rejects the binary if it does not match the hardcoded hash.
|
44 | - GPG-signed hashes are available in [Releases](https://github.com/vercel/pkg-fetch/releases)
|
45 | - Easy to spot a compromise.
|
46 | - `pkg-fetch` package on npm is strictly permission-controlled
|
47 | - Only authorized Vercel employees can push new revisions to npm.
|
48 |
|
49 | Report to [security@vercel.com](mailto:security@vercel.com), if you noticed a disparity between (hashes of) binaries.
|