mirror of
https://github.com/lancedb/lancedb.git
synced 2026-05-14 02:20:40 +00:00
81617fd3d9
## Summary Switch the nodejs bindings and examples package from npm to pnpm 11 to pick up its stronger supply-chain defaults: - `minimumReleaseAge` defaults to 1 day, so newly-published (potentially compromised) versions aren't resolved into installs for at least 24h. - Install lifecycle scripts (`preinstall`/`install`/`postinstall`) are no longer run for arbitrary transitive deps; only an explicit allowlist may run them, and unapproved scripts cause install to fail (`strictDepBuilds: true`). - Audit uses GHSA IDs and `--fix=update` to add patched versions to `minimumReleaseAgeExclude`. This is the same class of protection that would have blunted the recent TanStack/`@uipath`/etc. compromise discussed in the [Aikido write-up](https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised). ## Changes - Replace `nodejs/package-lock.json` and `nodejs/examples/package-lock.json` with `pnpm-lock.yaml`. - Pin pnpm via `packageManager: pnpm@11.1.1` in both `package.json`s. - Add `pnpm-workspace.yaml` with the four build-script packages we actually need: `@biomejs/biome`, `onnxruntime-node`, `protobufjs`, `sharp`. Everything else is blocked from running install scripts. - Update package.json scripts (`npm run X` → `pnpm X`). - Update workflows: `.github/workflows/nodejs.yml`, `.github/workflows/npm-publish.yml`, and `.github/workflows/codex-fix-ci.yml` — install pnpm via `pnpm/action-setup@v4` and switch `setup-node` caches to `pnpm-lock.yaml`. - Refresh `nodejs/AGENTS.md`, `nodejs/CLAUDE.md`, and `nodejs/CONTRIBUTING.md`. `docs/package-lock.json` is **not** touched — out of scope for this PR. ## Test plan - [ ] `Lint` job (lint Rust/TS + examples lint) passes on CI. - [ ] `Linux (NodeJS 18/20)` build+test passes, including the examples test step. - [ ] `macos` build+test passes. - [ ] `NPM Publish` workflow's PR dry-run completes (build matrix + test matrix + dry `npm publish`). - [ ] No new install-script approvals are required at install time. ## Follow-ups - `update_package_lock_run_nodejs.yml` references a composite action path that doesn't exist (`./.github/workflows/update_package_lock_nodejs`); it was already broken pre-PR. We may want to either delete this workflow or rewrite it for pnpm in a follow-up. - Consider migrating `docs/` to pnpm in a separate PR. --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
195 lines
5.6 KiB
YAML
195 lines
5.6 KiB
YAML
name: NodeJS (NAPI)
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
pull_request:
|
|
paths:
|
|
- Cargo.toml
|
|
- Cargo.lock
|
|
- rust-toolchain.toml
|
|
- nodejs/**
|
|
- rust/**
|
|
- docs/src/js/**
|
|
- .github/workflows/nodejs.yml
|
|
- docker-compose.yml
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
env:
|
|
RUST_BACKTRACE: "1"
|
|
|
|
jobs:
|
|
lint:
|
|
name: Lint
|
|
runs-on: ubuntu-22.04
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
working-directory: nodejs
|
|
env:
|
|
# Need up-to-date compilers for kernels
|
|
CC: gcc-12
|
|
CXX: g++-12
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
lfs: true
|
|
- uses: pnpm/action-setup@v4
|
|
with:
|
|
version: 11.1.1
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
# pnpm 11 requires Node >= 22.13; use 24 since 22 hits EOL
|
|
# in October. The library itself still supports Node >= 18
|
|
# (see test matrix below).
|
|
node-version: 24
|
|
cache: 'pnpm'
|
|
cache-dependency-path: nodejs/pnpm-lock.yaml
|
|
- uses: actions-rust-lang/setup-rust-toolchain@v1
|
|
with:
|
|
components: rustfmt, clippy
|
|
- name: Install dependencies
|
|
run: |
|
|
sudo apt update
|
|
sudo apt install -y protobuf-compiler libssl-dev
|
|
- uses: Swatinem/rust-cache@v2
|
|
- name: Format Rust
|
|
run: cargo fmt --all -- --check
|
|
- name: Lint Rust
|
|
run: cargo clippy --profile ci --all --all-features -- -D warnings
|
|
- name: Lint Typescript
|
|
run: |
|
|
pnpm install --frozen-lockfile
|
|
pnpm lint-ci
|
|
- name: Lint examples
|
|
working-directory: nodejs/examples
|
|
# The `@lancedb/lancedb` dep points at file:../dist; pnpm errors if
|
|
# that dir is missing, so create an empty one for lint-only runs.
|
|
run: mkdir -p ../dist && pnpm install --frozen-lockfile && pnpm lint-ci
|
|
linux:
|
|
name: Linux (NodeJS ${{ matrix.node-version }})
|
|
timeout-minutes: 30
|
|
strategy:
|
|
matrix:
|
|
node-version: [ "18", "20" ]
|
|
runs-on: "ubuntu-22.04"
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
working-directory: nodejs
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
lfs: true
|
|
- uses: pnpm/action-setup@v4
|
|
with:
|
|
version: 11.1.1
|
|
- uses: actions/setup-node@v4
|
|
name: Setup Node.js 24 for build
|
|
with:
|
|
# pnpm 11 requires Node >= 22.13; use 24 since 22 hits EOL
|
|
# in October. Build/install runs on Node 24; tests run on the
|
|
# matrix version below using direct jest invocation.
|
|
node-version: 24
|
|
cache: 'pnpm'
|
|
cache-dependency-path: nodejs/pnpm-lock.yaml
|
|
- uses: Swatinem/rust-cache@v2
|
|
- name: Install dependencies
|
|
run: |
|
|
sudo apt update
|
|
sudo apt install -y protobuf-compiler libssl-dev
|
|
- name: Build
|
|
run: |
|
|
pnpm install --frozen-lockfile
|
|
# No `--` separator: pnpm forwards it literally, which would
|
|
# make napi-rs treat `--profile ci` as a cargo passthrough arg.
|
|
pnpm build:debug --profile ci
|
|
pnpm tsc
|
|
- name: Setup examples
|
|
working-directory: nodejs/examples
|
|
run: pnpm install --frozen-lockfile
|
|
- name: Check docs
|
|
run: |
|
|
# We run this as part of the job because the binary needs to be built
|
|
# first to export the types of the native code.
|
|
set -e
|
|
# `pnpm docs` would invoke pnpm's built-in `docs` command, not
|
|
# the script — use `pnpm run docs`.
|
|
pnpm run docs
|
|
if ! git diff --exit-code -- ../ ':(exclude)Cargo.lock'; then
|
|
echo "Docs need to be updated"
|
|
echo "Run 'pnpm run docs', fix any warnings, and commit the changes."
|
|
exit 1
|
|
fi
|
|
- uses: actions/setup-node@v4
|
|
name: Setup Node.js ${{ matrix.node-version }} for test
|
|
with:
|
|
node-version: ${{ matrix.node-version }}
|
|
- name: Setup localstack
|
|
working-directory: .
|
|
run: docker compose up --detach --wait
|
|
- name: Test
|
|
env:
|
|
S3_TEST: "1"
|
|
# Newer @smithy/core uses dynamic ESM imports.
|
|
NODE_OPTIONS: "--experimental-vm-modules"
|
|
# Invoke jest directly because pnpm 11 itself requires Node 22+
|
|
# while the matrix tests on older Node versions.
|
|
run: npx jest --verbose
|
|
- name: Test examples
|
|
working-directory: ./
|
|
env:
|
|
OPENAI_API_KEY: test
|
|
OPENAI_BASE_URL: http://0.0.0.0:8000
|
|
NODE_OPTIONS: "--experimental-vm-modules"
|
|
run: |
|
|
python ci/mock_openai.py &
|
|
cd nodejs/examples
|
|
npx jest --testEnvironment jest-environment-node-single-context --verbose
|
|
macos:
|
|
timeout-minutes: 30
|
|
runs-on: "macos-14"
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
working-directory: nodejs
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
lfs: true
|
|
- uses: pnpm/action-setup@v4
|
|
with:
|
|
version: 11.1.1
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
# pnpm 11 requires Node >= 22.13; use 24 since 22 hits EOL
|
|
# in October.
|
|
node-version: 24
|
|
cache: 'pnpm'
|
|
cache-dependency-path: nodejs/pnpm-lock.yaml
|
|
- uses: dtolnay/rust-toolchain@stable
|
|
- uses: Swatinem/rust-cache@v2
|
|
- name: Install dependencies
|
|
run: |
|
|
brew install protobuf
|
|
- name: Build
|
|
run: |
|
|
pnpm install --frozen-lockfile
|
|
# No `--` separator: pnpm forwards it literally, which would
|
|
# make napi-rs treat `--profile ci` as a cargo passthrough arg.
|
|
pnpm build:debug --profile ci
|
|
pnpm tsc
|
|
- name: Test
|
|
run: |
|
|
pnpm test
|