{"id":15681068,"url":"https://github.com/jesec/pkg-fetch","last_synced_at":"2025-05-07T10:24:52.707Z","repository":{"id":44325191,"uuid":"330668940","full_name":"jesec/pkg-fetch","owner":"jesec","description":null,"archived":false,"fork":false,"pushed_at":"2022-07-08T22:48:50.000Z","size":1200,"stargazers_count":11,"open_issues_count":0,"forks_count":3,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-19T14:36:21.444Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jesec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"license.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-01-18T13:06:20.000Z","updated_at":"2024-12-30T04:03:00.000Z","dependencies_parsed_at":"2022-08-26T20:44:32.492Z","dependency_job_id":null,"html_url":"https://github.com/jesec/pkg-fetch","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jesec%2Fpkg-fetch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jesec%2Fpkg-fetch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jesec%2Fpkg-fetch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jesec%2Fpkg-fetch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jesec","download_url":"https://codeload.github.com/jesec/pkg-fetch/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252857544,"owners_count":21815047,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-03T16:49:08.038Z","updated_at":"2025-05-07T10:24:52.619Z","avatar_url":"https://github.com/jesec.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"A utility to fetch or build patched Node binaries used by [pkg](https://github.com/vercel/pkg) to generate executables. This repo hosts prebuilt binaries in [Releases](https://github.com/vercel/pkg-fetch/releases).\n\n## Binary Compatibility\n\n| Node                                                                              | Platform    | Architectures             | Minimum OS version                                                                |\n| --------------------------------------------------------------------------------- | ----------- | ------------------------- | --------------------------------------------------------------------------------- |\n| 8\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 10\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 12\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 14, 16, 18 | alpine      | x64, arm64                | 3.7.3, other distros with musl libc \u003e= 1.1.18                                     |\n| 8\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 10\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 12\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 14, 16, 18 | linux       | x64                       | Enterprise Linux 7, Ubuntu 14.04, Debian jessie, other distros with glibc \u003e= 2.17 |\n| 8\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 10\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 12\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 14, 16, 18 | linux       | arm64                     | Enterprise Linux 8, Ubuntu 18.04, Debian buster, other distros with glibc \u003e= 2.27 |\n| 8\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 10\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 12\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 14, 16, 18 | linuxstatic | x64, arm64                | Any distro with Linux Kernel \u003e= 2.6.32 (\u003e= 3.10 strongly recommended)             |\n| 16, 18                                                                            | linuxstatic | armv7\u003csup\u003e[2](#fn2)\u003c/sup\u003e | Any distro with Linux Kernel \u003e= 2.6.32 (\u003e= 3.10 strongly recommended)             |\n| 8\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 10\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 12\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 14, 16, 18 | macos       | x64                       | 10.13                                                                             |\n| 14, 16, 18                                                                        | macos       | arm64\u003csup\u003e[3](#fn3)\u003c/sup\u003e | 11.0                                                                              |\n| 8\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 10\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 12\u003csup\u003e[1](#fn1)\u003c/sup\u003e, 14, 16, 18 | win         | x64                       | 8.1                                                                               |\n| 14, 16, 18                                                                        | win         | arm64                     | 10                                                                                |\n\n\u003cem id=\"fn1\"\u003e[1]\u003c/em\u003e: end-of-life, may be removed in the next major release.\n\n\u003cem id=\"fn2\"\u003e[2]\u003c/em\u003e: best-effort basis, not semver-protected.\n\n\u003cem id=\"fn3\"\u003e[3]\u003c/em\u003e: [mandatory code signing](https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-universal-apps-release-notes) is enforced by Apple.\n\n## Security\n\nWe do not expect this project to have vulnerabilities of its own. Nonetheless, as this project distributes prebuilt Node.js binaries,\n\n**Node.js security vulnerabilities affect binaries distributed by this project, as well.**\n\nLike most of you, this project does not have access to advance/private disclosures of Node.js security vulnerabilities. We can only closely monitor the **public** security advisories from the Node.js team. It takes time to build and release a new set of binaries, once a new Node.js version has been released.\n\nWe aim to complete the full cycle within a day, when there is a security update. Please [open an issue](https://github.com/vercel/pkg-fetch/issues/new) if there is no action for a while.\n\n**It is possible for this project to fall victim to a supply chain attack.**\n\nThis project deploys multiple defense measures to ensure that the safe binaries are delivered to users:\n\n- Binaries are compiled by [Github Actions](https://github.com/vercel/pkg-fetch/actions)\n  - Workflows and build logs are transparent and auditable.\n  - Artifacts are the source of truth. Even repository/organization administrators can't tamper them.\n- Hashes of binaries are hardcoded in [source](https://github.com/vercel/pkg-fetch/blob/HEAD/lib/expected.ts)\n  - Origins of the binaries are documented.\n  - Changes to the binaries are logged by VCS (Git) and are publicly visible.\n  - `pkg-fetch` rejects the binary if it does not match the hardcoded hash.\n- GPG-signed hashes are available in [Releases](https://github.com/vercel/pkg-fetch/releases)\n  - Easy to spot a compromise.\n- `pkg-fetch` package on npm is strictly permission-controlled\n  - Only authorized Vercel employees can push new revisions to npm.\n\nReport to [security@vercel.com](mailto:security@vercel.com), if you noticed a disparity between (hashes of) binaries.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjesec%2Fpkg-fetch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjesec%2Fpkg-fetch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjesec%2Fpkg-fetch/lists"}