Deprecation of vercel/pkg is preventing Multi language Components to use NodeJS 20 and above #55

Open
aureq opened this issue Feb 26, 2024 · 4 comments
Labels
kind/engineering Work that is not visible to an external user kind/enhancement Improvements or new features

@aureq
Member

aureq commented Feb 26, 2024

What happened?

As of January 2024, vercel/pkg has been officially deprecated. Additionally, there's a recent security issue (local privilege escalation) that's unresolved: GHSA-22r3-9w55-cj54.

This package is used as part of Pulumi CrossCode / Multi Language components.

With the current deprecation, users and customers who wrote MLC in TypeScript won't be able to upgrade above NodeJS 18 (latest officially working version).

Example

n/a

Output of pulumi about

n/a

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@aureq aureq added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Feb 26, 2024
@justinvp justinvp transferred this issue from pulumi/pulumi Feb 26, 2024
@mjeffryes mjeffryes added kind/engineering Work that is not visible to an external user kind/enhancement Improvements or new features and removed needs-triage Needs attention from the triage team kind/bug Some behavior is incorrect or out of spec labels Feb 27, 2024
@mjeffryes
Member

I think we're probably hoping to move to https://nodejs.org/api/single-executable-applications.html but will probably wait to see if it stabilizes for NodeJS 22.

@lukehoban
Contributor

> I think we're probably hoping to move to https://nodejs.org/api/single-executable-applications.html but will probably wait to see if it stabilizes for NodeJS 22.

Unfortunately, this is not stable yet - still at:

> Stability: 1.1 - Active development

Also, there is no support for cross-compilation built in, and the current features are very low level, and would require us having a lot of complex logic for platform specific signing/etc.

I suspect we cannot move to this in the near term unfortunately.

I think there are a few near term options:

  1. Enable an option to use the boilerplate without compilation, so that consumers then do have to have Node installed locally, but can choose their version of Node.
  2. Find one of the forks of vercel/pkg and use that instead in the interim.

All that said, we support Node 18 until April 2025, and I think the answer may have to be that authoring MLCs in Node requires Node 18 for now, until either (a) Node SEA support becomes mature enough to move to or (b) we get closer to Node 18 leaving support, in which case we'll have no choice but to do one of (1) or (2) above.

@ekkohdev

https://github.com/yao-pkg/pkg is the most active and maintained fork, and currently has support for Node 20.11.1 as well as the updated 18.19.1.

That is likely the best short-term drop-in replacement, but the maintainer has already said there are no plans to keep maintaining it long term beyond the immediate needs from the community. They are also looking at Node SEA along with Deno and Bun as the better alternatives going forward.

yao-pkg/pkg#5 (comment)

@pierskarsenbarg
Member

Unfortunately (and much to my disappointment) Bun won't work with Pulumi at the moment due to this issue: oven-sh/bun#8823

There are other changes we need in our codebase as well, but my understanding is that we need http2 and grpc to work first.
