@yao-pkg/pkg 5.16.1 → 6.0.1

package/README.md

@@ -1,7 +1,3 @@
-**Disclaimer: `pkg` was created for use within containers and is not intended for use in serverless environments. For those using Vercel, this means that there is no requirement to use `pkg` in your projects as the benefits it provides are not applicable to the platform.**
-
-![](https://res.cloudinary.com/zeit-inc/image/upload/v1509936789/repositories/pkg/pkg-repo-banner-new.png)
-
 [![Build Status](https://github.com/yao-pkg/pkg/actions/workflows/ci.yml/badge.svg)](https://github.com/yao-pkg/pkg/actions/workflows/ci.yml)
 
 This command line interface enables you to package your Node.js project into an executable that can be run even on devices without Node.js installed.
@@ -27,7 +23,7 @@ npm install -g @yao-pkg/pkg
 After installing it, run `pkg --help` without arguments to see list of options:
 
 ```console
-pkg [options] <input>
+  pkg [options] <input>
 
   Options:
 
@@ -44,30 +40,32 @@ pkg [options] <input>
     --public-packages    force specified packages to be considered public
     --no-bytecode        skip bytecode generation and include source files as plain js
     --no-native-build    skip native addons build
-    --no-signature       skip signature of the final executable on macos
     --no-dict            comma-separated list of packages names to ignore dictionaries. Use --no-dict * to disable all dictionaries
     -C, --compress       [default=None] compression algorithm = Brotli or GZip
+    --sea                (Experimental) compile give file using node's SEA feature. Requires node v20.0.0 or higher and only single file is supported
 
   Examples:
 
-  - Makes executables for Linux, macOS and Windows
+  – Makes executables for Linux, macOS and Windows
     $ pkg index.js
-  - Takes package.json from cwd and follows 'bin' entry
+  – Takes package.json from cwd and follows 'bin' entry
     $ pkg .
-  - Makes executable for particular target machine
-    $ pkg -t node16-win-arm64 index.js
-  - Makes executables for target machines of your choice
-    $ pkg -t node16-linux,node18-linux,node16-win index.js
-  - Bakes '--expose-gc' and '--max-heap-size=34' into executable
+  – Makes executable for particular target machine
+    $ pkg -t node14-win-arm64 index.js
+  – Makes executables for target machines of your choice
+    $ pkg -t node16-linux,node18-linux,node18-win index.js
+  – Bakes '--expose-gc' and '--max-heap-size=34' into executable
     $ pkg --options "expose-gc,max-heap-size=34" index.js
-  - Consider packageA and packageB to be public
+  – Consider packageA and packageB to be public
     $ pkg --public-packages "packageA,packageB" index.js
-  - Consider all packages to be public
+  – Consider all packages to be public
     $ pkg --public-packages "*" index.js
-  - Bakes '--expose-gc' into executable
+  – Bakes '--expose-gc' into executable
     $ pkg --options expose-gc index.js
-  - reduce size of the data packed inside the executable with GZip
+  – reduce size of the data packed inside the executable with GZip
     $ pkg --compress GZip index.js
+  – compile the file using node's SEA feature. Creates executables for Linux, macOS and Windows
+    $ pkg --sea index.js
 ```
 
 The entrypoint of your project is a mandatory CLI argument. It may be:

package/lib-es5/help.js

@@ -23,6 +23,7 @@ function help() {
     --no-native-build    skip native addons build
     --no-dict            comma-separated list of packages names to ignore dictionaries. Use --no-dict * to disable all dictionaries
     -C, --compress       [default=None] compression algorithm = Brotli or GZip
+    --sea                (Experimental) compile give file using node's SEA feature. Requires node v20.0.0 or higher and only single file is supported
 
   ${colors_1.pc.dim('Examples:')}
 
@@ -44,6 +45,8 @@ function help() {
     ${colors_1.pc.cyan('$ pkg --options expose-gc index.js')}
   ${colors_1.pc.gray('–')} reduce size of the data packed inside the executable with GZip
     ${colors_1.pc.cyan('$ pkg --compress GZip index.js')}
+  ${colors_1.pc.gray('–')} compile the file using node's SEA feature. Creates executables for Linux, macOS and Windows
+    ${colors_1.pc.cyan('$ pkg --sea index.js')}
 `);
 }
 exports.default = help;

package/lib-es5/index.js

@@ -23,6 +23,7 @@ const walker_1 = __importDefault(require("./walker"));
 const compress_type_1 = require("./compress_type");
 const mach_o_1 = require("./mach-o");
 const options_1 = __importDefault(require("./options"));
+const sea_1 = __importDefault(require("./sea"));
 const { version } = JSON.parse((0, fs_1.readFileSync)(path_1.default.join(__dirname, '../package.json'), 'utf-8'));
 function isConfiguration(file) {
     return (0, common_1.isPackageJson)(file) || file.endsWith('.config.json');
@@ -163,6 +164,7 @@ async function exec(argv2) {
             'v',
             'version',
             'signature',
+            'sea',
         ],
         string: [
             '_',
@@ -396,6 +398,13 @@ async function exec(argv2) {
             }
         }
     }
+    if (argv.sea) {
+        await (0, sea_1.default)(inputFin, {
+            targets,
+            signature: argv.signature,
+        });
+        return;
+    }
     // fetch targets
     const { bytecode } = argv;
     const nativeBuild = argv['native-build'];

package/lib-es5/mach-o.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.signMachOExecutable = exports.patchMachOExecutable = void 0;
+exports.signMachOExecutable = exports.removeMachOExecutableSignature = exports.patchMachOExecutable = void 0;
 const child_process_1 = require("child_process");
 function parseCStr(buf) {
     for (let i = 0; i < buf.length; i += 1) {
@@ -28,6 +28,11 @@ function patchCommand(type, buf, file) {
         buf.writeUInt32LE(strsizePatched, 12);
     }
 }
+/**
+ * It would be nice to explain the purpose of this patching function
+ * @param file
+ * @returns
+ */
 function patchMachOExecutable(file) {
     const align = 8;
     const hsize = 32;
@@ -58,4 +63,10 @@ function signMachOExecutable(executable) {
     }
 }
 exports.signMachOExecutable = signMachOExecutable;
+function removeMachOExecutableSignature(executable) {
+    (0, child_process_1.execFileSync)('codesign', ['--remove-signature', executable], {
+        stdio: 'inherit',
+    });
+}
+exports.removeMachOExecutableSignature = removeMachOExecutableSignature;
 //# sourceMappingURL=mach-o.js.map

package/lib-es5/sea.js

@@ -0,0 +1,268 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const child_process_1 = require("child_process");
+const util_1 = __importDefault(require("util"));
+const path_1 = require("path");
+const promises_1 = require("fs/promises");
+const fs_1 = require("fs");
+const promises_2 = require("stream/promises");
+const crypto_1 = require("crypto");
+const os_1 = require("os");
+const unzipper_1 = __importDefault(require("unzipper"));
+const tar_1 = require("tar");
+const log_1 = require("./log");
+const mach_o_1 = require("./mach-o");
+const exec = util_1.default.promisify(child_process_1.exec);
+/** Returns stat of path when exits, false otherwise */
+const exists = async (path) => {
+    try {
+        return await (0, promises_1.stat)(path);
+    }
+    catch (_a) {
+        return false;
+    }
+};
+const defaultSeaConfig = {
+    disableExperimentalSEAWarning: true,
+    useSnapshot: false,
+    useCodeCache: false,
+};
+/** Download a file from a given URL and save it to `filePath` */
+async function downloadFile(url, filePath) {
+    const response = await fetch(url);
+    if (!response.ok || !response.body) {
+        throw new Error(`Failed to download file from ${url}`);
+    }
+    const fileStream = (0, fs_1.createWriteStream)(filePath);
+    return (0, promises_2.pipeline)(response.body, fileStream);
+}
+/** Extract node executable from the archive */
+async function extract(os, archivePath) {
+    const nodeDir = (0, path_1.basename)(archivePath, os === 'win' ? '.zip' : '.tar.gz');
+    const archiveDir = (0, path_1.dirname)(archivePath);
+    let nodePath = '';
+    if (os === 'win') {
+        // use unzipper to extract the archive
+        const { files } = await unzipper_1.default.Open.file(archivePath);
+        const nodeBinPath = `${nodeDir}/node.exe`;
+        const nodeBin = files.find((file) => file.path === nodeBinPath);
+        if (!nodeBin) {
+            throw new Error('Node executable not found in the archive');
+        }
+        nodePath = (0, path_1.join)(archiveDir, `${nodeDir}.exe`);
+        // extract the node executable
+        await (0, promises_2.pipeline)(nodeBin.stream(), (0, fs_1.createWriteStream)(nodePath));
+    }
+    else {
+        const nodeBinPath = `${nodeDir}/bin/node`;
+        // use tar to extract the archive
+        await (0, tar_1.extract)({
+            file: archivePath,
+            cwd: archiveDir,
+            filter: (path) => path === nodeBinPath,
+        });
+        // check if the node executable exists
+        nodePath = (0, path_1.join)(archiveDir, nodeBinPath);
+    }
+    // check if the node executable exists
+    if (!(await exists(nodePath))) {
+        throw new Error('Node executable not found in the archive');
+    }
+    return nodePath;
+}
+/** Verify the checksum of downloaded NodeJS archive */
+async function verifyChecksum(filePath, checksumUrl, fileName) {
+    var _a;
+    const response = await fetch(checksumUrl);
+    if (!response.ok) {
+        throw new Error(`Failed to download checksum file from ${checksumUrl}`);
+    }
+    const checksums = await response.text();
+    const expectedChecksum = (_a = checksums
+        .split('\n')
+        .find((line) => line.includes(fileName))) === null || _a === void 0 ? void 0 : _a.split(' ')[0];
+    if (!expectedChecksum) {
+        throw new Error(`Checksum for ${fileName} not found`);
+    }
+    const fileBuffer = await (0, promises_1.readFile)(filePath);
+    const hashSum = (0, crypto_1.createHash)('sha256');
+    hashSum.update(fileBuffer);
+    const actualChecksum = hashSum.digest('hex');
+    if (actualChecksum !== expectedChecksum) {
+        throw new Error(`Checksum verification failed for ${fileName}`);
+    }
+}
+/** Get the node os based on target platform */
+function getNodeOs(platform) {
+    const allowedOSs = ['darwin', 'linux', 'win'];
+    const platformsMap = {
+        macos: 'darwin',
+    };
+    const validatedPlatform = platformsMap[platform] || platform;
+    if (!allowedOSs.includes(validatedPlatform)) {
+        throw new Error(`Unsupported OS: ${platform}`);
+    }
+    return validatedPlatform;
+}
+/** Get the node arch based on target arch */
+function getNodeArch(arch) {
+    const allowedArchs = ['x64', 'arm64', 'armv7l', 'ppc64', 's390x'];
+    if (!allowedArchs.includes(arch)) {
+        throw new Error(`Unsupported architecture: ${arch}`);
+    }
+    return arch;
+}
+/** Get latest node version based on the provided partial version */
+async function getNodeVersion(nodeVersion) {
+    // validate nodeVersion using regex. Allowed formats: 16, 16.0, 16.0.0
+    const regex = /^\d{1,2}(\.\d{1,2}){0,2}$/;
+    if (!regex.test(nodeVersion)) {
+        throw new Error('Invalid node version format');
+    }
+    const parts = nodeVersion.split('.');
+    if (parts.length > 3) {
+        throw new Error('Invalid node version format');
+    }
+    if (parts.length === 3) {
+        return nodeVersion;
+    }
+    const response = await fetch('https://nodejs.org/dist/index.json');
+    if (!response.ok) {
+        throw new Error('Failed to fetch node versions');
+    }
+    const versions = await response.json();
+    const latestVersion = versions
+        .map((v) => v.version)
+        .find((v) => v.startsWith(`v${nodeVersion}`));
+    if (!latestVersion) {
+        throw new Error(`Node version ${nodeVersion} not found`);
+    }
+    return latestVersion;
+}
+/** Fetch, validate and extract nodejs binary. Returns a path to it */
+async function getNodejsExecutable(target, opts) {
+    if (opts.nodePath) {
+        // check if the nodePath exists
+        if (!(await exists(opts.nodePath))) {
+            throw new Error(`Priovided node executable path "${opts.nodePath}" does not exist`);
+        }
+        return opts.nodePath;
+    }
+    if (opts.useLocalNode) {
+        return process.execPath;
+    }
+    const nodeVersion = await getNodeVersion(target.nodeRange.replace('node', ''));
+    const os = getNodeOs(target.platform);
+    const arch = getNodeArch(target.arch);
+    const fileName = `node-${nodeVersion}-${os}-${arch}.${os === 'win' ? 'zip' : 'tar.gz'}`;
+    const url = `https://nodejs.org/dist/${nodeVersion}/${fileName}`;
+    const checksumUrl = `https://nodejs.org/dist/${nodeVersion}/SHASUMS256.txt`;
+    const downloadDir = (0, path_1.join)((0, os_1.homedir)(), '.pkg-cache', 'sea');
+    // Ensure the download directory exists
+    if (!(await exists(downloadDir))) {
+        await (0, promises_1.mkdir)(downloadDir, { recursive: true });
+    }
+    const filePath = (0, path_1.join)(downloadDir, fileName);
+    // skip download if file exists
+    if (!(await exists(filePath))) {
+        log_1.log.info(`Downloading nodejs executable from ${url}...`);
+        await downloadFile(url, filePath);
+    }
+    log_1.log.info(`Verifying checksum of ${fileName}`);
+    await verifyChecksum(filePath, checksumUrl, fileName);
+    log_1.log.info(`Extracting node binary from ${fileName}`);
+    const nodePath = await extract(os, filePath);
+    return nodePath;
+}
+/** Bake the blob into the executable */
+async function bake(nodePath, target, blobPath) {
+    const outPath = (0, path_1.resolve)(process.cwd(), target.output);
+    log_1.log.info(`Creating executable for ${target.nodeRange}-${target.platform}-${target.arch}....`);
+    if (!(await exists((0, path_1.dirname)(outPath)))) {
+        log_1.log.error(`Output directory "${(0, path_1.dirname)(outPath)}" does not exist`);
+        return;
+    }
+    // check if executable_path exists
+    if (await exists(outPath)) {
+        log_1.log.warn(`Executable ${outPath} already exists, will be overwritten`);
+    }
+    // copy the executable as the output executable
+    await (0, promises_1.copyFile)(nodePath, outPath);
+    log_1.log.info(`Injecting the blob into ${outPath}...`);
+    if (target.platform === 'macos') {
+        (0, mach_o_1.removeMachOExecutableSignature)(outPath);
+        await exec(`npx postject "${outPath}" NODE_SEA_BLOB "${blobPath}" --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 --macho-segment-name NODE_SEA`);
+    }
+    else {
+        await exec(`npx postject "${outPath}" NODE_SEA_BLOB "${blobPath}" --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2`);
+    }
+}
+/** Create NodeJS executable using sea */
+async function sea(entryPoint, opts) {
+    entryPoint = (0, path_1.resolve)(process.cwd(), entryPoint);
+    if (!(await exists(entryPoint))) {
+        throw new Error(`Entrypoint path "${entryPoint}" does not exist`);
+    }
+    const nodeMajor = parseInt(process.version.slice(1).split('.')[0], 10);
+    // check node version, needs to be at least 20.0.0
+    if (nodeMajor < 20) {
+        throw new Error(`SEA support requires as least node v20.0.0, actual node version is ${process.version}`);
+    }
+    const nodePaths = await Promise.all(opts.targets.map((target) => getNodejsExecutable(target, opts)));
+    // create a temporary directory for the processing work
+    const tmpDir = (0, path_1.join)((0, os_1.tmpdir)(), 'pkg-sea', `${Date.now()}`);
+    await (0, promises_1.mkdir)(tmpDir, { recursive: true });
+    try {
+        // change working directory to the temp directory
+        process.chdir(tmpDir);
+        // docs: https://nodejs.org/api/single-executable-applications.html
+        const blobPath = (0, path_1.join)(tmpDir, 'sea-prep.blob');
+        const seaConfigFilePath = (0, path_1.join)(tmpDir, 'sea-config.json');
+        const seaConfig = Object.assign({ main: entryPoint, output: blobPath }, Object.assign(Object.assign({}, defaultSeaConfig), (opts.seaConfig || {})));
+        log_1.log.info('Creating sea-config.json file...');
+        await (0, promises_1.writeFile)(seaConfigFilePath, JSON.stringify(seaConfig));
+        log_1.log.info('Generating the blob...');
+        await exec(`node --experimental-sea-config "${seaConfigFilePath}"`);
+        await Promise.allSettled(nodePaths.map(async (nodePath, i) => {
+            const target = opts.targets[i];
+            await bake(nodePath, target, blobPath);
+            const output = target.output;
+            if (opts.signature && target.platform === 'macos') {
+                const buf = (0, mach_o_1.patchMachOExecutable)(await (0, promises_1.readFile)(output));
+                await (0, promises_1.writeFile)(output, buf);
+                try {
+                    // sign executable ad-hoc to workaround the new mandatory signing requirement
+                    // users can always replace the signature if necessary
+                    (0, mach_o_1.signMachOExecutable)(output);
+                }
+                catch (_a) {
+                    if (target.arch === 'arm64') {
+                        log_1.log.warn('Unable to sign the macOS executable', [
+                            'Due to the mandatory code signing requirement, before the',
+                            'executable is distributed to end users, it must be signed.',
+                            'Otherwise, it will be immediately killed by kernel on launch.',
+                            'An ad-hoc signature is sufficient.',
+                            'To do that, run pkg on a Mac, or transfer the executable to a Mac',
+                            'and run "codesign --sign - <executable>", or (if you use Linux)',
+                            'install "ldid" utility to PATH and then run pkg again',
+                        ]);
+                    }
+                }
+            }
+        }));
+    }
+    catch (error) {
+        throw new Error(`Error while creating the executable: ${error}`);
+    }
+    finally {
+        // cleanup the temp directory
+        await (0, promises_1.rm)(tmpDir, { recursive: true }).catch(() => {
+            log_1.log.warn(`Failed to cleanup the temp directory ${tmpDir}`);
+        });
+    }
+}
+exports.default = sea;
+//# sourceMappingURL=sea.js.map

package/lib-es5/walker.js

@@ -235,13 +235,30 @@ function stepDetect(record, marker, derivatives) {
         throw (0, log_1.wasReported)(error.message);
     }
 }
-function findCommonJunctionPoint(file, realFile) {
+/**
+ * Find a common junction point between a symlink and the real file path.
+ *
+ * @param {string} file The file path, including symlink(s).
+ * @param {string} realFile The real path to the file.
+ *
+ * @throws {Error} If no common junction point is found prior to hitting the
+ *                 filesystem root.
+ */
+async function findCommonJunctionPoint(file, realFile) {
     // find common denominator => where the link changes
-    while ((0, common_1.toNormalizedRealPath)(path_1.default.dirname(file)) === path_1.default.dirname(realFile)) {
+    while (true) {
+        const stats = await promises_1.default.lstat(file);
+        if (stats.isSymbolicLink()) {
+            return { file, realFile };
+        }
         file = path_1.default.dirname(file);
         realFile = path_1.default.dirname(realFile);
+        // If the directory is /, break out of the loop and log an error.
+        if (file === path_1.default.parse(file).root ||
+            realFile === path_1.default.parse(realFile).root) {
+            throw new Error('Reached root directory without finding a common junction point');
+        }
     }
-    return { file, realFile };
 }
 class Walker {
     constructor() {
@@ -286,8 +303,8 @@ class Walker {
             log_1.log.debug(`${what} ${task.file} is added to queue.`);
         }
     }
-    appendSymlink(file, realFile) {
-        const a = findCommonJunctionPoint(file, realFile);
+    async appendSymlink(file, realFile) {
+        const a = await findCommonJunctionPoint(file, realFile);
         file = a.file;
         realFile = a.realFile;
         if (!this.symLinks[file]) {
@@ -337,7 +354,7 @@ class Walker {
             store: common_1.STORE_STAT,
         });
     }
-    appendBlobOrContent(task) {
+    async appendBlobOrContent(task) {
         if (strictVerify) {
             (0, assert_1.default)(task.file === (0, common_1.normalizePath)(task.file));
         }
@@ -360,7 +377,7 @@ class Walker {
             return;
         }
         this.append(Object.assign(Object.assign({}, task), { file: realFile }));
-        this.appendSymlink(task.file, realFile);
+        await this.appendSymlink(task.file, realFile);
         this.appendStat({
             file: task.file,
             store: common_1.STORE_STAT,
@@ -382,7 +399,7 @@ class Walker {
                                 script,
                             ]);
                         }
-                        this.appendBlobOrContent({
+                        await this.appendBlobOrContent({
                             file: (0, common_1.normalizePath)(script),
                             marker,
                             store: common_1.STORE_BLOB,
@@ -398,7 +415,7 @@ class Walker {
                     log_1.log.debug(' Adding asset : .... ', asset);
                     const stat = await promises_1.default.stat(asset);
                     if (stat.isFile()) {
-                        this.appendBlobOrContent({
+                        await this.appendBlobOrContent({
                             file: (0, common_1.normalizePath)(asset),
                             marker,
                             store: common_1.STORE_CONTENT,
@@ -420,7 +437,7 @@ class Walker {
                         // 2) non-source (non-js) files of top-level package are shipped as CONTENT
                         // 3) parsing some js 'files' of non-top-level packages fails, hence all CONTENT
                         if (marker.toplevel) {
-                            this.appendBlobOrContent({
+                            await this.appendBlobOrContent({
                                 file,
                                 marker,
                                 store: (0, common_1.isDotJS)(file) ? common_1.STORE_BLOB : common_1.STORE_CONTENT,
@@ -428,7 +445,7 @@ class Walker {
                             });
                         }
                         else {
-                            this.appendBlobOrContent({
+                            await this.appendBlobOrContent({
                                 file,
                                 marker,
                                 store: common_1.STORE_CONTENT,
@@ -576,7 +593,7 @@ class Walker {
             ]);
         }
         if (stat && stat.isFile()) {
-            this.appendBlobOrContent({
+            await this.appendBlobOrContent({
                 file,
                 marker,
                 store: common_1.STORE_CONTENT,
@@ -662,14 +679,14 @@ class Walker {
                 (0, assert_1.default)(newPackageForNewRecords.packageJson ===
                     (0, common_1.normalizePath)(newPackageForNewRecords.packageJson));
             }
-            this.appendBlobOrContent({
+            await this.appendBlobOrContent({
                 file: newPackageForNewRecords.packageJson,
                 marker: newPackageForNewRecords.marker,
                 store: common_1.STORE_CONTENT,
                 reason: record.file,
             });
         }
-        this.appendBlobOrContent({
+        await this.appendBlobOrContent({
             file: newFile,
             marker: newPackageForNewRecords ? newPackageForNewRecords.marker : marker,
             store: common_1.STORE_BLOB,
@@ -709,7 +726,7 @@ class Walker {
         await this.stepDerivatives(record, marker, derivatives1);
         if (store === common_1.STORE_BLOB) {
             if (unlikelyJavascript(record.file) || (0, common_1.isDotNODE)(record.file)) {
-                this.appendBlobOrContent({
+                await this.appendBlobOrContent({
                     file: record.file,
                     marker,
                     store: common_1.STORE_CONTENT,
@@ -717,7 +734,7 @@ class Walker {
                 return; // discard
             }
             if (marker.public || marker.hasDictionary) {
-                this.appendBlobOrContent({
+                await this.appendBlobOrContent({
                     file: record.file,
                     marker,
                     store: common_1.STORE_CONTENT,
@@ -847,14 +864,14 @@ class Walker {
         this.symLinks = {};
         await this.readDictionary(marker);
         entrypoint = (0, common_1.normalizePath)(entrypoint);
-        this.appendBlobOrContent({
+        await this.appendBlobOrContent({
             file: entrypoint,
             marker,
             store: common_1.STORE_BLOB,
         });
         if (addition) {
             addition = (0, common_1.normalizePath)(addition);
-            this.appendBlobOrContent({
+            await this.appendBlobOrContent({
                 file: addition,
                 marker,
                 store: common_1.STORE_CONTENT,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yao-pkg/pkg",
-  "version": "5.16.1",
+  "version": "6.0.1",
   "description": "Package your Node.js project into an executable",
   "main": "lib-es5/index.js",
   "license": "MIT",
@@ -34,7 +34,9 @@
     "prebuild-install": "^7.1.1",
     "resolve": "^1.22.0",
     "stream-meter": "^1.0.4",
-    "tinyglobby": "^0.2.9"
+    "tar": "^7.4.3",
+    "tinyglobby": "^0.2.9",
+    "unzipper": "^0.12.3"
   },
   "devDependencies": {
     "@babel/core": "^7.23.0",
@@ -46,8 +48,12 @@
     "@types/picomatch": "^3.0.1",
     "@types/resolve": "^1.20.2",
     "@types/stream-meter": "^0.0.22",
+    "@types/tar": "^6.1.13",
+    "@types/unzipper": "^0.10.10",
     "@typescript-eslint/eslint-plugin": "^6.7.4",
     "@typescript-eslint/parser": "^6.7.4",
+    "esbuild": "^0.24.0",
+    "esbuild-register": "^3.6.0",
     "eslint": "^8.50.0",
     "eslint-config-airbnb-base": "^15.0.0",
     "eslint-config-airbnb-typescript": "^17.1.0",
@@ -71,10 +77,9 @@
     "fix": "npm run lint:style -- -w && npm run lint:code -- --fix",
     "prepare": "npm run build",
     "prepublishOnly": "npm run lint",
-    "test": "npm run build && npm run test:18 && npm run test:16 && npm run test:host",
+    "test": "npm run build && npm run test:host && npm run test:18 && npm run test:20",
     "test:20": "node test/test.js node20 no-npm",
     "test:18": "node test/test.js node18 no-npm",
-    "test:16": "node test/test.js node16 no-npm",
     "test:host": "node test/test.js host only-npm",
     "release": "read -p 'GITHUB_TOKEN: ' GITHUB_TOKEN && export GITHUB_TOKEN=$GITHUB_TOKEN && release-it"
   },
@@ -137,5 +142,8 @@
   "publishConfig": {
     "access": "public"
   },
-  "packageManager": "yarn@1.22.22"
+  "packageManager": "yarn@1.22.22",
+  "engines": {
+    "node": ">=18.0.0"
+  }
 }

package/prelude/bootstrap.js

@@ -22,7 +22,7 @@ const fs = require('fs');
 const { isRegExp } = require('util').types;
 const Module = require('module');
 const path = require('path');
-const { promisify, _extend } = require('util');
+const { promisify } = require('util');
 const { Script } = require('vm');
 const { homedir } = require('os');
 const util = require('util');
@@ -2005,7 +2005,7 @@ function payloadFileSync(pointer) {
       args.splice(pos, 0, {});
     }
     const opts = args[pos];
-    if (!opts.env) opts.env = _extend({}, process.env);
+    if (!opts.env) opts.env = { ...process.env };
     // see https://github.com/vercel/pkg/issues/897#issuecomment-1049370335
     if (opts.env.PKG_EXECPATH !== undefined) return;
     opts.env.PKG_EXECPATH = EXECPATH;