pkg-fetch

A utility to fetch or build patched Node binaries used by pkg to generate executables. This repo hosts prebuilt binaries in Releases.

Binary Compatibility

| Node | Platform | Architectures | Minimum OS version |
| --- | --- | --- | --- |
| 8[1], 10[1], 12, 14, 16 | alpine | x64, arm64 | 3.7.3, other distros with musl libc >= 1.1.18 |
| 8[1], 10[1], 12, 14, 16 | linux | x64 | Enterprise Linux 7, Ubuntu 14.04, Debian jessie, other distros with glibc >= 2.17 |
| 8[1], 10[1], 12, 14, 16 | linux | arm64 | Enterprise Linux 8, Ubuntu 18.04, Debian buster, other distros with glibc >= 2.27 |
| 8[1], 10[1], 12, 14, 16 | linuxstatic | x64, arm64 | Any distro with Linux Kernel >= 2.6.32 (>= 3.10 strongly recommended) |
| 16 | linuxstatic | armv7[2] | Any distro with Linux Kernel >= 2.6.32 (>= 3.10 strongly recommended) |
| 8[1], 10[1], 12, 14, 16 | macos | x64 | 10.13 |
| 14, 16 | macos | arm64[3] | 11.0 |
| 8[1], 10[1], 12, 14, 16 | win | x64 | 8.1 |
| 14, 16 | win | arm64 | 10 |

[1]: end-of-life, may be removed in the next major release.

[2]: best-effort basis, not semver-protected.

[3]: mandatory code signing is enforced by Apple.

Security

We do not expect this project to have vulnerabilities of its own. Nonetheless, as this project distributes prebuilt Node.js binaries, Node.js security vulnerabilities affect the binaries distributed by this project as well.

Like most of you, this project does not have access to advance/private disclosures of Node.js security vulnerabilities. We can only closely monitor the public security advisories from the Node.js team. It takes time to build and release a new set of binaries, once a new Node.js version has been released.

When there is a security update, we aim to complete the full cycle within a day. Please open an issue if there is no action for a while.

It is possible for this project to fall victim to a supply chain attack.

This project deploys multiple defense measures to ensure that the safe binaries are delivered to users:

  • Binaries are compiled by GitHub Actions
    • Workflows and build logs are transparent and auditable.
    • Artifacts are the source of truth. Even repository/organization administrators can't tamper with them.
  • Hashes of binaries are hardcoded in source
    • Origins of the binaries are documented.
    • Changes to the binaries are logged by VCS (Git) and are publicly visible.
    • pkg-fetch rejects the binary if it does not match the hardcoded hash.
  • GPG-signed hashes are available in Releases
    • Easy to spot a compromise.
  • The pkg-fetch package on npm is strictly permission-controlled
    • Only authorized Vercel employees can push new revisions to npm.
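The hash-pinning check described above, sketched here as an added illustration rather than code from the pkg-fetch project: the `EXPECTED_SHA256` table, the binary name and the sample download bytes are constructed (the pinned digest is the standard SHA-256 test vector for the ASCII string "abc"), and a download whose bytes do not match the pin is rejected with an error instead of being used.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Constructed pin table (hypothetical; the real project keeps its own list).
// Key: binary name. Value: expected SHA-256 as lowercase hex.
// The single entry pins the well-known SHA-256 of the ASCII string "abc".
const EXPECTED_SHA256: Record<string, string> = {
  "node-v16-linux-x64":
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
};

function sha256Hex(data: Buffer): string {
  return createHash("sha256").update(data).digest("hex");
}

// Returns true only if a pin exists for `name` and the bytes match it.
// Throws when there is no pin at all: an unpinned binary must never be
// accepted silently, since that would be the easiest way around the check.
function verifyPinnedHash(name: string, data: Buffer): boolean {
  const expected = EXPECTED_SHA256[name];
  if (expected === undefined) {
    throw new Error(`no pinned hash for ${name}; refusing to use it`);
  }
  const actual = Buffer.from(sha256Hex(data), "hex");
  const pinned = Buffer.from(expected, "hex");
  // timingSafeEqual requires equal lengths; a length mismatch is a mismatch.
  return actual.length === pinned.length && timingSafeEqual(actual, pinned);
}

// Simulated fetch: the downloader hands back bytes, and the caller keeps
// them only if they match the pin. A tampered mirror therefore produces an
// error rather than a silently different Node binary.
function fetchVerified(
  name: string,
  download: (name: string) => Buffer,
): Buffer {
  const data = download(name);
  if (!verifyPinnedHash(name, data)) {
    throw new Error(`hash mismatch for ${name}: got ${sha256Hex(data)}`);
  }
  return data;
}

// Constructed "downloads": one genuine, one tampered by a single byte.
const goodDownload = (_name: string): Buffer => Buffer.from("abc", "ascii");
const badDownload = (_name: string): Buffer => Buffer.from("abd", "ascii");
```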

Report to security@vercel.com if you notice a disparity between binaries or their hashes.

MIT License

Copyright (c) 2017 Zeit, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
