loading...
Cover image for Bundle your Node app to a single executable for Windows, Linux and OsX

Bundle your Node app to a single executable for Windows, Linux and OsX

Jochem Stoel on September 16, 2018

A question I get asked so many times by so many people is how to compile a Node app to a single executable. I am surprised because this is actually...
pic
Editor guide
Collapse
petermbenjamin profile image
Peter Benjamin

protect source code from being altered or copied - You can't open executable files in a simple text editor.

hide API credentials - Same difference as protecting source code

It's very easy to examine source code of bundled/packaged node.js applications.

introspecting packaged/bundled binaries with strings linux command

Collapse
petermbenjamin profile image
Peter Benjamin

Please, don't recommend pkg, or any bundling/packaging technique, as a security/privacy control.

If you need to protect sensitive/secret data (e.g. passwords, API tokens), you can use one of many symmetric (e.g. AES-256) or asymmetric (RSA) encryption algorithms.

Alternatively, there are developer tools that aim to solve this problem in a more developer friendly way than you having to manage public/private keys yourself. I personally like Hashicorp Vault.

Collapse
jochemstoel profile image
Jochem Stoel Author

You are right. Please let me point out that I was not recommending pkg as a security protocol but listing it as one of the reasons people ask me how to use it.

edit: additionally, is there any Windows equivalent of what you're doing in the example with strings?

Thread Thread
petermbenjamin profile image
Peter Benjamin

I was not recommending pkg as a security protocol but listing it as one of the reasons people ask me how to use it.

The way you're presenting the topic implies that you're suggesting bundling/packaging applications for these use-cases.

is there any Windows equivalent of what you're doing in the example with strings?

superuser.com/questions/124081/is-...

Thread Thread
jochemstoel profile image
Jochem Stoel Author

Say Peter, how would you go about making your code unreadable then if this is not the way? Simply obfuscate it? That does not do a well enough job in my opinion.

Thread Thread
petermbenjamin profile image
Peter Benjamin

It depends on what you're trying to accomplish.

If you're trying to make your code "unreadable", then obfuscation is what you're looking for. Keep in mind, obfuscation does not make your code "secure". There are such thing as deobfuscators.

If you want to "secure" your source code, well, there is little you can do in this area for the following reasons:

  • Dynamic languages are easily accessible/readable.
  • Compiled languages that compile to intermediate byte-code can be decompiled:
  • Compiled languages that compile to machine native code can be disassembled (i.e. translated to assembly)
Thread Thread
jsloop42 profile image
jsloop42

You can open the binary in Ollydbg on Windows and search for strings. It will be visible as plain text. But the source code itself will be in assembly, because we are decompiling a native code.

On macOS, you can view using the free version of Hopper disassembler.

Collapse
jsloop42 profile image
jsloop42

String search is not same as looking at plain source code. Strings are preserved as such in any application, be it written in C or AOT JS, unless you mangle using other techniques. You are misleading the reader. Open the native binary in any decompiler and you will get assembly, not bytecode like with Java class files.

Collapse
tux0r profile image
tux0r

The bundled executable does not perform better and because it includes a full Node it is a whole lot bigger (22MB) than just the 13kb JavaScript.

A 22 MB executable file which does not have a significant performance advantage is a perfectly good reason to question the Why, in my irrelevant opinion...

Collapse
jochemstoel profile image
Jochem Stoel Author

What are you saying?

Collapse
tux0r profile image
tux0r

I'm suggesting that those who ask for an improvement should consider native development instead.

Thread Thread
jochemstoel profile image
Jochem Stoel Author

I would like to brutally honestly point out that I have not really done much benchmarking to support my claim that there is no difference.

Thread Thread
tux0r profile image
tux0r

I have. It even becomes worse because of the additional library overhead.

Collapse
Sloan, the sloth mascot
Comment deleted
Collapse
jochemstoel profile image
Jochem Stoel Author

I don't know, never happened to me. I could have a look with you at your code if you want.

Collapse
Sloan, the sloth mascot
Comment deleted
jochemstoel profile image
Jochem Stoel Author

I don't know I'd have to see your code.

Thread Thread
Sloan, the sloth mascot
Comment deleted
jochemstoel profile image
Jochem Stoel Author

Hey Batman, are you on Windows or Linux? How are you building exactly?
From the docs: Just be sure to call pkg package.json or pkg . to make use of scripts and assets entries.

Also you might want to look at this Snapshot Filesystem part of the docs because maybe your assets are packaged correctly but you are not using the right path to access them.

If you want you can send me these files and I will have a look for you to see what is wrong. Skype jochem.stoel or Discord jochemstoel#7529

Thread Thread
Sloan, the sloth mascot
Comment deleted
jochemstoel profile image
Jochem Stoel Author

I have offered to take a look at your code several times and you are not answering any of my questions. There is not much I can do for you at this point. Yes it might be that you are using Node 10. No maybe that is not at all the case. I don't know.

Collapse
josiahbryan profile image
Josiah Bryan

Cross compile? I have a device my company still manufacturers and deploys world-wide, running Ubuntu 14.04.3 ... on an ARMv7 Processor. I have a node app I'm creating for the product family, and I'd like to run it on this device as well. Tried going the whole nvm route to install-and-run node directly on it, but gyphy fails to build some deps from the project locally on the device. I'd really much rather use pkg to build a binary to deploy to the device.

However, building the examples/express example from the pkg repo with pkg 4.4.9 like pkg . --targets node10.15.3-linux-armv7 --no-bytecode (on a linux box) and scp'ing the resulting binary over to the IOT device running the armv7 / Ubuntu 14 setup, I get the following error when trying to run the binary:

./express-example: relocation error: ./express-example: symbol
_ZTVNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEE, 
version GLIBCXX_3.4.21 not defined in file libstdc++.so.6 with link time reference

(Line wraps added to break long line)

Googling the error (specifically with regards to GLIBC and libstdc++.so.6) has gotten me nowhere. I can't figure out if the libstdc++ on the device is too old or too new. Tried updating libstdc++ but it said it was already at the latest version (for that OS.) I've got no clue where to go from here... Is there some way to compile the binary via pkg with different options, or statically link the libraries it needs instead of relying on system libraries?

Also, when I try to use a newer node version (like 10.21.0, etc) - it fails with an "unable to build" message. I know I can crosscompile regular C/C++ code on that linux box for ARM (we do that currently with Jenkins in the cloud on a linux box), so is there a way to get crosscompile working at buildtime?

Here's the error for building with 10.21:

[root@decidr express]# ./node_modules/.bin/pkg . --targets node10-linux-armv7 --no-bytecode
> pkg@4.4.9
> Fetching base Node.js binaries to PKG_CACHE_PATH
  fetched-v10.21.0-linux-armv7 [                    ] 0%
> Error! 404 Not Found
  https://github.com/zeit/pkg-fetch/releases/download/v2.6/uploaded-v2.6-node-v10.21.0-linux-armv7
> Asset not found by direct link:
  {"tag":"v2.6","name":"uploaded-v2.6-node-v10.21.0-linux-armv7"}
> Not found in GitHub releases:
  {"tag":"v2.6","name":"uploaded-v2.6-node-v10.21.0-linux-armv7"}
> Building base binary from source:
  built-v10.21.0-linux-armv7
> Error! Not able to build for 'armv7' here, only for 'x64'

I find myself rather stuck - can't run node directly on the device, and the device won't run the pkg-built binary, even though it builds ARMv7 code. No idea how to proceed forward - any assistance or ideas? :)

Collapse
marlarius profile image
marlarius

Thanks a lot. This was just what I needed. I need to distribute a cross platform utility including a small webserver, so node was an obvious choice. My only problem was that the users are mostly non-techs, so I didn't like the thought of them having to install node and all the dependencies. pkg works out of the box. I don't even need to create the package.json file and module exports and whatnot. I simply enter "pkg myutil.js" - done! A second after I have three executables, one for Linux, Windows and Mac.

Collapse
rmarsack profile image
robin marsack

I am trying to do this exact thing right now at work and just removed pkg because it doesn't support being behind a proxy - full stop, as far as I can tell. A work around mentioned on their github didn't work (just download the files to your cache, remove the failed file, retry), and I can't find any other solutions. A bummer because it seems like the big game in town.

Collapse
jochemstoel profile image
Jochem Stoel Author

What exactly do you mean by not working behind a proxy?

Collapse
anshup7 profile image
Anshuman Upadhyay

I am facing the issue related to this. Updated the question on stackoverflow here :

stackoverflow.com/questions/546834...

Can You please help?

Collapse
jochemstoel profile image
Jochem Stoel Author

The error message seems to be saying it can not execute/find powershell. Check the PKG docs for process.cwd() and how to deal with current working directory.

Collapse
defman profile image
Sergey Kislyakov πŸ‡·πŸ‡ΊπŸ‡ΊπŸ‡Έ

What are those "Yes, @joelnet " notes? Is there a reason for them?

Collapse
joelnet profile image
JavaScript Joel

lol. I think it's a tongue in cheek jab at some of the comment discussions which have been... lengthy. Probably a discussion about my preferences to write function expressions instead of statements.

If you are curious, check it some of my articles. Most of them are pretty controversial. :)

I actually wouldn't find anything wrong with the code written here though.

And you wouldn't want to know how I would write it either. It'd probably involve pipes or compose or a new language spec I have been working on github.com/joelnet/MojiScript

But those things have their place. When the entire team understands FP. Or in your own personal projects etc. Always code to the team :D

Collapse
avalander profile image
Avalander

Yeah, from my perspective I guess it's some sort of inside joke between you both, but it's kind of mean if it isn't.

Also, we all know that joelnet would start a new line for each chained method :P

Nice article, for the rest, I didn't know about pkg :)

Collapse
eduar2 profile image
Eduardo Arcentales

What happens if your function have some environment variables (read from some file). How can you configure it in package.json?

Collapse
jochemstoel profile image
Jochem Stoel Author

You can include assets in your package too.

Collapse
eduar2 profile image
Eduardo Arcentales

Well, I can reach it, my "only" problem now is if I execute in Windows to create a executable windows file, it works. But if I create my exe in Linux, when I go to Windows Machine it doesn't work.

Thread Thread
jochemstoel profile image
Jochem Stoel Author

Does it throw an exception file not found when your run it? That might have something to do with the 'virtual' path your assets are stored. Those are not consistent on every platform.

Packaged files have /snapshot/ prefix in their paths (or C:\snapshot\ in Windows). If you used pkg /path/app.js command line, then __filename value will be likely /snapshot/path/app.js at run time. __dirname will be /snapshot/path as well.

Possibly useful:
detecting assets
snapshot filesystem

Collapse
filipesrezende profile image
Filipe Rezende

Very interesting! How can i embed server dependencies like Express, Mongoose, etc?

Collapse
jochemstoel profile image
Jochem Stoel Author

I wrote this already.

Dependencies need to be in package.json
If you NPM install after you created your app, it will automatically add the dependency to package.json for you.

Collapse
frytaz1 profile image
frytaz1

Can i use pkg not to include node in my binary but just link it from separate file ?

Collapse
jochemstoel profile image
Jochem Stoel Author

I don't understand.

Collapse
frytaz1 profile image
frytaz1

Lets say i have few executables app1.exe, app2.exe, app3.exe and i want to save up disk space.
So i would like pkg not to bundle node executable inside each binary, but dynamically link it. Is this possible ?

Thread Thread
jochemstoel profile image
Jochem Stoel Author

Well I'm still not sure entirely what you mean but you could create a single bundle of Node with a set of dependencies that you need, then let it execute process.argv[2] or start a REPL if none is provided.

What you basically have then is an executable that behaves just like Node.exe but with a few extra modules already included.

Hope this helps you.

Collapse
frytaz1 profile image
frytaz1

Bundled binary is large, it includes node itself ?
Is there a way to use pkg so it dynamically links to node instead ?

Collapse
jochemstoel profile image
Jochem Stoel Author

Yes, the bundled binary includes Node. It basically puts your scripts and the Node executable in one file.
As for loading Node dynamically, I think you are missing the point.

Collapse
adilismail621 profile image
Adil ismail

Hi, how can i run this exe everytime the user logs in ro windowz? It must run on every reboot.

Collapse
sjames1958gm profile image
Stephen James

I would suggest using npx rather than installing it locally so you get the most up to date version.

Collapse
cocoegaliciar profile image
coco-egaliciar

Its a fraud...
This is my code, I open the file.exe in Notepad++, scroling I found exactly my source code. jaja... This is not a real option for security. :/

Collapse
jochemstoel profile image
Jochem Stoel Author

We already went over this.