UNPKG

pkg-fetch/README.md

Version:

4.56 kBMarkdownView Raw

1A utility to fetch or build patched Node binaries used by [pkg](https://github.com/vercel/pkg) to generate executables. This repo hosts prebuilt binaries in [Releases](https://github.com/vercel/pkg-fetch/releases).
2
3## Binary Compatibility
4
5| Node                                                          | Platform    | Architectures               | Minimum OS version                                                                |
6| ------------------------------------------------------------- | ----------- | --------------------------- | --------------------------------------------------------------------------------- |
7| 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 | alpine      | x64, arm64                  | 3.7.3, other distros with musl libc >= 1.1.18                                     |
8| 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 | linux       | x64                         | Enterprise Linux 7, Ubuntu 14.04, Debian jessie, other distros with glibc >= 2.17 |
9| 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 | linux       | arm64                       | Enterprise Linux 8, Ubuntu 18.04, Debian buster, other distros with glibc >= 2.27 |
10| 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 | linuxstatic | x64, arm64                  | Any distro with Linux Kernel >= 2.6.32 (>= 3.10 strongly recommended)             |
11| 16                                                            | linuxstatic | armv7<sup>[[2]](#fn2)</sup> | Any distro with Linux Kernel >= 2.6.32 (>= 3.10 strongly recommended)             |
12| 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 | macos       | x64                         | 10.13                                                                             |
13| 14, 16                                                        | macos       | arm64<sup>[[3]](#fn3)</sup> | 11.0                                                                              |
14| 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 | win         | x64                         | 8.1                                                                               |
15| 14, 16                                                        | win         | arm64                       | 10                                                                                |
16
17<em id="fn1">[1]</em>: end-of-life, may be removed in the next major release.
18
19<em id="fn2">[2]</em>: best-effort basis, not semver-protected.
20
21<em id="fn3">[3]</em>: [mandatory code signing](https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-universal-apps-release-notes) is enforced by Apple.
22
23## Security
24
25We do not expect this project to have vulnerabilities of its own. Nonetheless, as this project distributes prebuilt Node.js binaries,
26
27**Node.js security vulnerabilities affect binaries distributed by this project, as well.**
28
29Like most of you, this project does not have access to advance/private disclosures of Node.js security vulnerabilities. We can only closely monitor the **public** security advisories from the Node.js team. It takes time to build and release a new set of binaries, once a new Node.js version has been released.
30
31We aim to complete the full cycle within a day, when there is a security update. Please [open an issue](https://github.com/vercel/pkg-fetch/issues/new) if there is no action for a while.
32
33**It is possible for this project to fall victim to a supply chain attack.**
34
35This project deploys multiple defense measures to ensure that the safe binaries are delivered to users:
36
37- Binaries are compiled by [Github Actions](https://github.com/vercel/pkg-fetch/actions)
38  - Workflows and build logs are transparent and auditable.
39  - Artifacts are the source of truth. Even repository/organization administrators can't tamper them.
40- Hashes of binaries are hardcoded in [source](https://github.com/vercel/pkg-fetch/blob/HEAD/lib/expected.ts)
41  - Origins of the binaries are documented.
42  - Changes to the binaries are logged by VCS (Git) and are publicly visible.
43  - `pkg-fetch` rejects the binary if it does not match the hardcoded hash.
44- GPG-signed hashes are available in [Releases](https://github.com/vercel/pkg-fetch/releases)
45  - Easy to spot a compromise.
46- `pkg-fetch` package on npm is strictly permission-controlled
47  - Only authorized Vercel employees can push new revisions to npm.
48
49Report to [security@vercel.com](mailto:security@vercel.com), if you noticed a disparity between (hashes of) binaries.

1	`A utility to fetch or build patched Node binaries used by [pkg](https://github.com/vercel/pkg) to generate executables. This repo hosts prebuilt binaries in [Releases](https://github.com/vercel/pkg-fetch/releases).`
2
3	`## Binary Compatibility`
4
5	`\| Node \| Platform \| Architectures \| Minimum OS version \|`
6	`\| ------------------------------------------------------------- \| ----------- \| --------------------------- \| --------------------------------------------------------------------------------- \|`
7	`\| 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 \| alpine \| x64, arm64 \| 3.7.3, other distros with musl libc >= 1.1.18 \|`
8	`\| 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 \| linux \| x64 \| Enterprise Linux 7, Ubuntu 14.04, Debian jessie, other distros with glibc >= 2.17 \|`
9	`\| 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 \| linux \| arm64 \| Enterprise Linux 8, Ubuntu 18.04, Debian buster, other distros with glibc >= 2.27 \|`
10	`\| 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 \| linuxstatic \| x64, arm64 \| Any distro with Linux Kernel >= 2.6.32 (>= 3.10 strongly recommended) \|`
11	`\| 16 \| linuxstatic \| armv7<sup>[[2]](#fn2)</sup> \| Any distro with Linux Kernel >= 2.6.32 (>= 3.10 strongly recommended) \|`
12	`\| 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 \| macos \| x64 \| 10.13 \|`
13	`\| 14, 16 \| macos \| arm64<sup>[[3]](#fn3)</sup> \| 11.0 \|`
14	`\| 8<sup>[[1]](#fn1)</sup>, 10<sup>[[1]](#fn1)</sup>, 12, 14, 16 \| win \| x64 \| 8.1 \|`
15	`\| 14, 16 \| win \| arm64 \| 10 \|`
16
17	`<em id="fn1">[1]</em>: end-of-life, may be removed in the next major release.`
18
19	`<em id="fn2">[2]</em>: best-effort basis, not semver-protected.`
20
21	`<em id="fn3">[3]</em>: [mandatory code signing](https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-universal-apps-release-notes) is enforced by Apple.`
22
23	`## Security`
24
25	`We do not expect this project to have vulnerabilities of its own. Nonetheless, as this project distributes prebuilt Node.js binaries,`
26
27	`Node.js security vulnerabilities affect binaries distributed by this project, as well.`
28
29	`Like most of you, this project does not have access to advance/private disclosures of Node.js security vulnerabilities. We can only closely monitor the public security advisories from the Node.js team. It takes time to build and release a new set of binaries, once a new Node.js version has been released.`
30
31	`We aim to complete the full cycle within a day, when there is a security update. Please [open an issue](https://github.com/vercel/pkg-fetch/issues/new) if there is no action for a while.`
32
33	`It is possible for this project to fall victim to a supply chain attack.`
34
35	`This project deploys multiple defense measures to ensure that the safe binaries are delivered to users:`
36
37	`- Binaries are compiled by [Github Actions](https://github.com/vercel/pkg-fetch/actions)`
38	`- Workflows and build logs are transparent and auditable.`
39	`- Artifacts are the source of truth. Even repository/organization administrators can't tamper them.`
40	`- Hashes of binaries are hardcoded in [source](https://github.com/vercel/pkg-fetch/blob/HEAD/lib/expected.ts)`
41	`- Origins of the binaries are documented.`
42	`- Changes to the binaries are logged by VCS (Git) and are publicly visible.`
43	- `pkg-fetch` rejects the binary if it does not match the hardcoded hash.
44	`- GPG-signed hashes are available in [Releases](https://github.com/vercel/pkg-fetch/releases)`
45	`- Easy to spot a compromise.`
46	- `pkg-fetch` package on npm is strictly permission-controlled
47	`- Only authorized Vercel employees can push new revisions to npm.`
48
49	`Report to [security@vercel.com](mailto:security@vercel.com), if you noticed a disparity between (hashes of) binaries.`