feat(npm): detect prebuilt binaries and gate them behind binary/allow_binary field #1415
Gitjay11 wants to merge 1 commit into
Conversation
…ld (hermetoproject#1015) Signed-off-by: Gitjay11 <newajay.11r@gmail.com>
Code Review
This pull request introduces a feature to detect prebuilt .node binaries within npm packages and control their installation via a binary configuration field, similar to how it's handled for other package managers. The changes are well-structured, adding the necessary model updates in input.py, implementing the detection logic in npm.py by inspecting package tarballs, and including comprehensive unit tests. The implementation is sound and aligns with the project's goal of ensuring hermetic builds. I have one minor suggestion to improve code clarity by removing a redundant method call.
| if not prebuilt_files: | ||
| continue | ||
| pkg_name = path.path.stem.removesuffix(".tgz") |
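Review bot: `pkg_name = path.path.stem.removesuffix(".tgz")` takes the package name from the tarball's file name, but a stem such as `foo-1.2.3` (from `foo-1.2.3.tgz`) still carries the version, so this value may never equal the name the user writes in the `binary` field, and the gate would then reject a package the user explicitly allowed. Consider reading `name` from the package.json inside the tarball instead and matching on that.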
The use of .removesuffix(".tgz") is redundant here. The pathlib.Path.stem property already returns the final path component without its last suffix. Using just .stem is cleaner and avoids redundancy.
| pkg_name = path.path.stem.removesuffix(".tgz") | |
| pkg_name = path.path.stem |
References
- The repository style guide (line 20) requires flagging code redundancy. The use of .removesuffix(".tgz") is redundant because path.path.stem already provides the filename without the extension.
Thank you for the contribution!
Closing due to inactivity.
Description:
This PR implements Solution 2 for issue #1015 by detecting npm packages that ship with prebuilt .node binaries (such as those generated by prebuildify) and gating their installation based on the binary input field. Here is solution 1: #1392
Previously, some modules containing .node binaries were bypassing the hermetic build-from-source process. This implementation ensures that:
- .tgz tarballs are scanned for .node files within prebuilds/ directories.
- A PackageRejected error is raised unless the user has explicitly configured the binary field for that package.
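An added, self-contained illustration of the gate the description outlines (example code written here, not Hermeto's own implementation; the PackageRejected class, the function names and the in-memory sample tarballs are constructed assumptions):

```python
import io
import tarfile
from pathlib import PurePosixPath


class PackageRejected(Exception):
    """Hypothetical stand-in for the error the PR description names."""


def find_prebuilt_binaries(tf: tarfile.TarFile) -> list[str]:
    """Return member paths of regular files ending in .node under a prebuilds/ dir."""
    hits = []
    for member in tf.getmembers():
        p = PurePosixPath(member.name)
        # npm tarballs root everything at "package/"; prebuildify output lands in
        # package/prebuilds/<platform>/<name>.node, so match prebuilds anywhere below.
        if member.isfile() and p.suffix == ".node" and "prebuilds" in p.parts:
            hits.append(member.name)
    return hits


def gate_tarball(tgz: bytes, pkg_name: str, allowed: set[str]) -> list[str]:
    """Scan a .tgz held in memory; reject it unless binaries were allowed for pkg_name."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tf:
        prebuilt = find_prebuilt_binaries(tf)
    if prebuilt and pkg_name not in allowed:
        raise PackageRejected(f"{pkg_name} ships prebuilt binaries: {prebuilt}")
    return prebuilt


def make_tarball(files: dict[str, bytes]) -> bytes:
    """Build a constructed npm-style .tgz in memory (sample input for the demo)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: a prebuildify-style addon and a pure-JS package.
NATIVE_TGZ = make_tarball({
    "package/package.json": b'{"name": "native-addon"}',
    "package/prebuilds/linux-x64/node.napi.node": b"\x7fELF-constructed",
    "package/index.js": b"module.exports = require('node-gyp-build')(__dirname)",
})
PURE_TGZ = make_tarball({
    "package/package.json": b'{"name": "pure-js"}',
    "package/index.js": b"module.exports = 1",
})
```

Calling `gate_tarball(NATIVE_TGZ, "native-addon", set())` raises PackageRejected, while passing `{"native-addon"}` as the allowed set returns the list of detected .node paths.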