
272 points abdisalan | 1 comments
speedgoose ◴[] No.42175877[source]
I would heavily recommend avoiding NodeJS packages that depend on node-gyp. Node-gyp powered dependencies are very seldom worth the hassle.

If you must depend on node-gyp, perhaps use dev containers so at least every developer in your team can work most of the time.

replies(4): >>42175988 #>>42176323 #>>42185890 #>>42191185 #
graypegg ◴[] No.42175988[source]
So I'm pretty uninformed about the guts of node-gyp, and why it's used, but if people need to bring in dependencies from outside javascript... could WASM be a good fit there? Could store the binaries instead, and ship those... and in theory (correct me if I'm wrong) that shouldn't be much of a security issue due to the security model of WASM modules... or at least equal to the risk of running arbitrary build commands on your machine from a random node package.
replies(2): >>42176175 #>>42194296 #
1. int_19h ◴[] No.42176175[source]
In principle, yes. In practice, the problem is that getting some random native library or tool to compile with wasm as a target is not always easy. E.g. anything that relied on pthreads was out until fairly recently.