Description
Following the great work in #828 I think the next step is to audit any build steps related to dependencies and tools used in those build steps from a repeatability and supply chain perspective.
For dependencies that only contain a direct copy of the original source code for the dependencies and are completely built from that source during the Node.js make process there should be nothing to do other than to confirm they fall into that category.
For others, which have additional build steps we'll want to see what gets used/pulled in during those build steps, and see if we are comfortable that we can get the exact versions of the tools used in the future and that we have enough information that we complete the build steps if needed for some future Node.js release in a way that generates the same result. If we dynamically pull in tools we should also confirm we are confident that the source is trusted and not a potential source of a supply chain attack.
A good example of this is undici were there are WASM binaries that are build outside of the Node.js make step. These use dynamically installed packages in a docker container. Would we get the same version of those packages if we installed them a year from now? If not we might be introducing unexpected changes as we do maintenance releases.
Lets go through each of the dependencies and categorize them into
- Original source - no issue, fully build in
Node.js make nodejs - Build steps from original source - fully documented and repeatable
- Build steps - needs work or unsure.
- acorn
- acorn-walk
- ada
- base64
- brotli
- cares
- cjs-module-lexer
- corepack
- googletest
- histogram
- icu-small
- llhttp
- minimatch
- nghttp2
- ngtcp2
- npm
- openssl
- postject
- simdutf
- undici
- uv
- vwasi
- v8
- zlib
Also note that we may need to not only look at the steps in the tools/dep_updaters directory but also look at the tools used to generate a new release of the dependency if what we copy over contains what would not be considered original source.