Investigate about Node.js single executable applications #568

Closed
yhatt opened this issue Feb 14, 2024 · 2 comments · Fixed by #591

Comments

@yhatt
Member

yhatt commented Feb 14, 2024

Node.js v19.7 and later include experimental support for single executable applications.

The standalone binaries of Marp CLI are currently produced by Vercel's pkg. However, due to the discontinuation of the pkg project in favor of Node.js's efforts, we must consider migrating.

pkg has been deprecated with 5.8.1 as the last release. There are a number of successful forked versions of pkg already with various feature additions. Further, we’re excited about Node.js 21’s support for single executable applications. Thank you for the support and contributions over the years. The repository will remain open and archived.

https://github.com/vercel/pkg

pkg is still working, but using the compiled binary would be dangerous due to the elevation of privilege vulnerability (CVE-2024-24828).

@Aurosish07

Aurosish07 commented Jun 20, 2024

But pkg does not work with the latest version of Node.js, and I am facing problems with the Node.js built-in single executable application feature. Please help if anyone knows the correct way. I got stuck when it told me to remove ES module to CommonJS.

@yhatt
Member Author

yhatt commented Aug 31, 2024

Node.js SEA is still primitive, and it would take a much longer time before it can be used stably. Meanwhile, we should switch pkg to the well-maintained community fork @yao-pkg/pkg.

I could not find a specific patch for the elevation of privilege vulnerability CVE-2024-24828, so I cannot say for certain that the forked pkg ensures safety. However, yao-pkg/pkg#55 looks like a good patch for the known CVE. (yao-pkg/pkg#51 (comment))

@yhatt yhatt linked a pull request Sep 15, 2024 that will close this issue