Replies: 8 comments 19 replies
-
|
I would expect, effectively, that you can run something almost identical to |
Beta Was this translation helpful? Give feedback.
-
|
Exactly! That's amazing; that's definitely what I was worried about. Thank you, @ljharb, for clearing that out :) |
Beta Was this translation helpful? Give feedback.
-
Imo it's not Node's job to respect Rather, whatever tool is built should just support taking an existing tgz as input. |
Beta Was this translation helpful? Give feedback.
-
|
That is a perfectly viable alternative - that would allow a user to run npm pack, and pass the resulting tarball into this tool. |
Beta Was this translation helpful? Give feedback.
-
|
Yup also agree; what I was more referring, to is that we're aiming to support assets. |
Beta Was this translation helpful? Give feedback.
-
This is a brilliant UX that we didn't consider. You are right, we shouldn't invent the same logic over and over again. This is a pretty cool way of outlining those responsibilities. |
Beta Was this translation helpful? Give feedback.
-
|
Hey @ovflowd , Yeah, this is definitely a feature we are making sure to support from day 1. Both the resource injector and the virtual file system components described in https://github.com/nodejs/single-executable/blob/main/blog/2022-08-05-an-overview-of-the-current-state.md are agnostic to the actual file contents that can be injected, which can definitely be non-JS assets like images too. More precisely, https://github.com/postmanlabs/postject is able to inject arbitrary data as sections to the binary file, independently on what their contents are. Postject won't even attempt to read what is getting injected on it. From its point of view, it's just bytes. The virtual file system is essentially an archive format that also doesn't care about what it goes in it. We are taking Electron's ASAR as the main source of inspiration here, which can include images, JSON files, etc out of the box already. As a matter of fact, one of the key reasons why we need a virtual file system to start with is to support these types of files. For pure JavaScript applications (that do not use any form of dynamic requires), we could bundle all the JS together and inject it without any notion of a VFS. Where as with a VFS, we can preserve arbitrary files and resolve require calls and |
Beta Was this translation helpful? Give feedback.
-
Why is my head itching with encoding issues here? (Not code-encoding, but actual open-format encodings within the binary, such as PDF, PNGs, or anything that has its "own" encoding. I mean, I bet nothing that some headers that impose where the content of specific asset starts and ends can't solve, but I remember having some issues in the past with how different file-system encodings (weird, yes) would affect the bitwise operations when unpacking data. (I might just be saying bs, but who knows) |
Beta Was this translation helpful? Give feedback.
-
|
Yeah, I hear what you are saying. I think those issues are solved by a proper archive format that is truly agnostic on what it is stored on it and doesn't rely on i.e. certain byte sequences not being part of the data, etc. ASARs from Electron match that description (it is essentially Tar + a table of contents for random access) and I have never heard any problems with it on this regard. I guess @dsanders11 and @RaisinTen can confirm (they are also in Electron's governance) |
Beta Was this translation helpful? Give feedback.
-
|
Pretty sure zip is effectively the same: (optionally) compressed blobs and a table of contents at the end. |
Beta Was this translation helpful? Give feedback.
-
|
It is, indeed! @arcanis has shared ZipFS with (https://github.com/nodejs/single-executable/blob/main/docs/existing-solutions.md), which is used in Yarn for very similar reasons. There are various VFS implementations that are similar in concept but with certain differences, like ASAR and Zip. One of the key areas of work I want to do within this team is exhaustively list all the requirements needed for a VFS across SEA use cases and make sure we select (or create, though we rather select an existing one) solution. |
Beta Was this translation helpful? Give feedback.
-
|
Looks like @RaisinTen already kickstarted a discussion for it here: #21 |
Beta Was this translation helpful? Give feedback.
-
Exactly. This is the whole reason why https://github.com/postmanlabs/postject exists: security. We strongly believe any data injected into the binary must be within the boundaries of the binary and must be protected by code-signatures. This wouldn't be the case if we just appended the data at the tail of binary.
I don't think we should impose any limits. Even if specific operating systems have size limitations on i.e. binary sections, we can split the payload into N sections and inject them all with Postject still. I guess the size limit is whatever practical upper bound your operating system imposes :D |
Beta Was this translation helpful? Give feedback.
-
Yes, I was, let's say, worried about this part. I'm not 100% sure, as it's been ages, but afaik, there are some hypothetical limits of how big one binary might be, and how much can be allocated to the memory. But that's the kind of low-level stuff I don't know, but would expect someone from FreeDesktop or MSDN to know the answer. |
Beta Was this translation helpful? Give feedback.
-
I suppose we will validate during build-time that we're not extrapolating those bounds, right? |
Beta Was this translation helpful? Give feedback.
-
|
Maybe! We would have to do some research on this. Can you create a GitHub Issue for tracking this? I think these limits are definitely worth documenting in this repo for future reference, and we could add this item to the agenda for the first SEA team call that @robertgzr and @RaisinTen will be kickstarting soon!
I think the answer to this is based on the results from the research. For example, if the theoretical limit is not fixed and is not of the binary format itself but on the characteristics of the machine executing the binary (i.e. RAM), then it might be better to not validate it. |
Beta Was this translation helpful? Give feedback.
-
|
I wonder if @dsanders11 already knows about these theoretical limits. I know he went SUPER deep on Mach-O, ELF and PE for Postject already :P |
Beta Was this translation helpful? Give feedback.
-
|
I am researching the available sea solutions so that I can deploy my node.js app on my client's computer without the source code. I understand that node.js now supports single executables and I would like to try it. I have been reading the articles, discussions, etc. on node.js-sea but I have questions but I can't find the answers. For example, a web app isn't just the main node.js program, there are also ejs views, css files, mysql script files and so on. So, how do I go about bundling these into the single executable binary file? I keep reading the 'node.js-sea currently only supports running a single embedded script' in node.js-sea documentation, does this mean it doesn't allow bundling assets such as ejs views, etc.? |
Beta Was this translation helpful? Give feedback.
-
|
i guess the only way to serve static files from inside the exe is to monkey patch the fs module to use the |
Beta Was this translation helpful? Give feedback.
-
Do you know of any easy ways to do this, as we are currently looking at doing this in a project and it seems like a bit of an impossible task without knowing how fs works in detail |
Beta Was this translation helpful? Give feedback.
-
|
imo if you must have that functionality you can still you the |
Beta Was this translation helpful? Give feedback.
-
|
My understanding is that Vercel and other bundlers only bundle js code to
produce a single executable, correct me if I am wrong as I am not an
expert. However, in real life apps, in addition to the js code, there are
many non-js code such as node.js, html, jss, ejs, etc. My problem is that
since js/node.js is an interpreted language, I cannot compile them to
produce a single load module to execute. This forces me to share the source
code during deployment/implementation. My question to you is: Does Vercel
allow bundling of js code as well as non-js code, to produce a single
executable file? If so, that is great and I want to know how it is done.
Thanks.
Behran
…On Mon, Aug 19, 2024 at 9:44 PM RGdevz ***@***.***> wrote:
imo if you must have that functionality you can still you the pkg package
from vercel its still working great in my projects, there is also more up
to date version at https://github.com/yao-pkg/pkg
—
Reply to this email directly, view it on GitHub
<#17 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AVPNZ4JMJ3LIOPJQUHBSJRDZSI4J3AVCNFSM6AAAAABJLZJOXKVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAMZYG42TINA>
.
You are receiving this because you commented.Message ID:
***@***.***
com>
|
Beta Was this translation helpful? Give feedback.
-
|
Both node-sea and pkg let you embed files into single executable, the difference is that pkg patch the fs module so you can read files from the executable like you would read from the filesystem, there is example of express server in pkg repo to see example of how its works. |
Beta Was this translation helpful? Give feedback.
-
|
That is great, I have not checked it out yet but I'll definitely do it.
Another question: To my knowledge, Vercel is a paid software whereas
node-sea is not. If they both do the same thing then does it make more
sense to use node-sea because it is free? Unfortunately, because node-sea
is new, there is not much information on the Internet regarding how to use
it.
…On Wed, Aug 21, 2024 at 1:23 AM RGdevz ***@***.***> wrote:
Both node-sea and pkg let you embed files into single executable, the
difference is that pkg patch the fs module so you can read files from the
executable like you would read from the filesystem, there is example of
express server in pkg repo to see example of how its works.
—
Reply to this email directly, view it on GitHub
<#17 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AVPNZ4JPKE3COSMZSVPYPQDZSO6WHAVCNFSM6AAAAABJLZJOXKVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTANBQGA4DGMA>
.
You are receiving this because you commented.Message ID:
***@***.***
com>
|
Beta Was this translation helpful? Give feedback.
-
|
Vercel is not a "software", it's a company which sells a bunch of cloud services and |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the clarification. But it is still a paid service whereas
node-sea is free to my knowledge.
…On Wed, Aug 21, 2024 at 1:39 PM GabenGar ***@***.***> wrote:
Vercel is not a "software", it's a company which sells a bunch of cloud
services and pkg is just one of their packages.
—
Reply to this email directly, view it on GitHub
<#17 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AVPNZ4PJE556JKLY6QUQQ23ZSRU47AVCNFSM6AAAAABJLZJOXKVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTANBQGYYDCNQ>
.
You are receiving this because you commented.Message ID:
***@***.***
com>
|
Beta Was this translation helpful? Give feedback.
-
|
RGdevz, you say I can use both node-sea and Vercel pkg for what I want to
do. I have researched the Internet re node-sea usage but found very little
info. Have you used node-sea and if so can you provide some details on how
to produce a single executable file from different code such as html, js,
node.js, css, ejs, etc. in my app? If not, I guess I will need to pay for
the Vercel pkg service and use it. I am a new node.js developer and this
will be my first time deploying an app to a hosting company server. So, a
detailed list of steps involved on how to do it will help me a great deal.
…On Wed, Aug 21, 2024 at 1:59 PM Behran Meydaner ***@***.***> wrote:
Thanks for the clarification. But it is still a paid service whereas
node-sea is free to my knowledge.
On Wed, Aug 21, 2024 at 1:39 PM GabenGar ***@***.***> wrote:
> Vercel is not a "software", it's a company which sells a bunch of cloud
> services and pkg is just one of their packages.
>
> —
> Reply to this email directly, view it on GitHub
> <#17 (reply in thread)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AVPNZ4PJE556JKLY6QUQQ23ZSRU47AVCNFSM6AAAAABJLZJOXKVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTANBQGYYDCNQ>
> .
> You are receiving this because you commented.Message ID:
> ***@***.***
> com>
>
|
Beta Was this translation helpful? Give feedback.
-
I know this might be a silly discussion, as we're discussing right now of means to effectively bundle JavaScript within the binary (and still be able to sign it), one of the questions that often comes upon my mind is, what about some of the static assets.
At least for some Apps, e.g., Electron, I imagine you want to bundle a few assets within the Application manifest (or binary) instead of remote-loading them. (This is a practice even Chrome Extensions are doing since their Manifest v2, which allows bundled assets within the packaged CRX file.
For me, it is considered important to be able to attach these files in a reliably way because of scenarios like:
What I mean with this silly example is just about code-injection of non-signed sections of your binary, which could easily lead to CVEs of (For example, CWE-95) code injection.
Packaging, distributing and including these assets for me is something worth discussing.
What do you folks think about this topic? (What should be allowed to be bundled, and how much?)
Beta Was this translation helpful? Give feedback.
All reactions