chore: remove node-pre-gyp dependency#334
Merged
Merged
Conversation
aabmass
force-pushed
the
remove-node-pre-gyp
branch
from
839ab0b to
7e00a4a
Compare
Member
Author
|
I'm working on removing the "ci/kokoro: system test (prebuild binaries)" test, since it's no longer needed as we won't be providing prebuilt binaries. |
psx95
reviewed
Jun 26, 2026
This resolves issue google#320 and CVE-2026-24842 by completely removing the @mapbox/node-pre-gyp dependency, which is no longer needed since we don't need to support prebuilt binaries on older Node.js versions. - Removed @mapbox/node-pre-gyp from dependencies and simplified gyp build target in binding.gyp. - Refactored heap-profiler-bindings.ts and time-profiler-bindings.ts to load the native addon using the bindings package directly. - Updated npm install/pretest scripts in package.json to rebuild the native addon directly with node-gyp. TAG=agy CONV=4ca117e0-d8fa-4e4c-8cfa-b52e896710d3
aabmass
force-pushed
the
remove-node-pre-gyp
branch
from
7e00a4a to
ad14b4d
Compare
psx95
approved these changes
Jun 26, 2026
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #334 +/- ##
==========================================
- Coverage 41.92% 41.75% -0.17%
==========================================
Files 14 14
Lines 2092 2086 -6
Branches 42 42
==========================================
- Hits 877 871 -6
Misses 1197 1197
Partials 18 18 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This resolves issue #320 and CVE-2026-24842 by completely removing the
@mapbox/node-pre-gypdependency.Context
Prebuilt binaries were only being built and uploaded for older Node.js versions (Node 12, 14, 16, 17). Users running on Node 18+ were already compiling from source on installation because
node-pre-gypfell back to source builds when no prebuilt binary was found on GCS.Changes
@mapbox/node-pre-gypfrom package.json and simplified binding.gyp to remove theaction_after_buildtarget.bindingspackage directly.node-gyp rebuildon pretest.typescript@5,gts@5, and@types/node@16) in system-test/test.sh to fix compilation failures under Node 14.This resolves the security vulnerability in
tarby removing it from the dependency graph entirely, while preserving Node 14+ compatibility.