
272 points abdisalan | 1 comments
speedgoose No.42175877
I would heavily recommend avoiding NodeJS packages that depend on node-gyp. Node-gyp powered dependencies are very seldom worth the hassle.

If you must depend on node-gyp, perhaps use dev containers so at least every developer in your team can work most of the time.

graypegg No.42175988
So I'm pretty uninformed about the guts of node-gyp, and why it's used, but if people need to bring in dependencies from outside JavaScript... could WASM be a good fit there? Could store the binaries instead, and ship those... and in theory (correct me if I'm wrong) that shouldn't be much of a security issue due to the security model of WASM modules... or at least equal to the risk of running arbitrary build commands on your machine from a random node package.
_fat_santa No.42194296
In practice you're just kinda stuck with it because whatever NPM package you're using is using that under the hood. One of my projects depends on it because of Postgres DB bindings; there would be no easy way for me to get rid of it without either finding another binding (that is the official one) or rebuilding it myself, which will just take too much time and effort for what it's worth.
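
Editor's added example, not written by any commenter in this thread: a lockfile audit that lists packages that run install-time scripts or pull in native-addon helpers, with the chain of dependencies that brings each one in. The lockfile, its package names and the hint list are constructed assumptions; `hasInstallScript` is the field npm records in lockfile versions 2 and 3.

```javascript
// Constructed sample in package-lock v3 layout; package names are made up.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", dependencies: { "example-orm": "^2.0.0", "left-util": "^1.0.0" } },
  "node_modules/example-orm": { version: "2.1.0", dependencies: { "example-pg-native": "^3.0.0" } },
  "node_modules/example-pg-native": { version: "3.0.2", hasInstallScript: true,
    dependencies: { "node-gyp-build": "^4.0.0" } },
  "node_modules/node-gyp-build": { version: "4.8.0" },
  "node_modules/left-util": { version: "1.0.0" },
} };

// Helper packages that usually indicate a native addon (assumed hint list).
const NATIVE_HINTS = new Set(["node-gyp", "node-gyp-build", "node-addon-api", "nan", "prebuild-install"]);

// Resolve a dependency the way Node does: nearest node_modules first, then walk up.
function resolve(packages, fromPath, dep) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

function findNativeDeps(lock) {
  const packages = lock.packages || {};
  if (!packages[""]) return [];              // lockfile v1 has no "packages" map
  const via = new Map([["", null]]);         // path -> package that first required it
  const queue = [""];
  while (queue.length) {                     // breadth-first walk from the root project
    const path = queue.shift();
    const p = packages[path];
    const deps = { ...p.dependencies, ...p.optionalDependencies,
                   ...(path === "" ? p.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const target = resolve(packages, path, dep);
      if (target && !via.has(target)) { via.set(target, path); queue.push(target); }
    }
  }
  const findings = [];
  for (const [path, p] of Object.entries(packages)) {
    if (path === "") continue;
    const hints = Object.keys(p.dependencies || {}).filter((d) => NATIVE_HINTS.has(d));
    if (!p.hasInstallScript && hints.length === 0) continue;
    const chain = [];                        // root-most requirer first, flagged package last
    for (let cur = path; cur; cur = via.get(cur)) chain.unshift(cur.split("node_modules/").pop());
    findings.push({ name: chain[chain.length - 1], version: p.version,
                    installScript: !!p.hasInstallScript, hints, chain });
  }
  return findings;
}
console.log(JSON.stringify(findNativeDeps(sampleLock), null, 2));
```

Pointed at a real `package-lock.json`, the output shows what would execute at install time before `npm ci` is run; `npm ci --ignore-scripts` skips those scripts, at the cost of native addons not being built.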