eco-infra / ecoinfra

Emission prediction tool
https://eco-infra.com
Apache License 2.0
6 stars, 3 forks

Move over to using node's packaging tool #7

Open iamdavidmt opened 6 months ago

iamdavidmt commented 6 months ago

https://github.com/vercel/pkg is now in read-only mode and has vulnerabilities: https://devhub.checkmarx.com/cve-details/CVE-2024-24828/

jasongwartz commented 3 weeks ago

I went through a very similar investigation recently for my open-source project pklpack, first trialing vercel/pkg (which I had used on another project) and then looking into Node's newer SEA support. For that project, I also needed to be able to embed an additional binary asset, which complicated things slightly. I landed on using caxa, but since that's also deprecated and unmaintained, not a huge amount better than vercel/pkg.

This article also does a decent job outlining the steps to use Node SEA. I might have a crack at an implementation, out of my own curiosity.

jasongwartz commented 3 weeks ago

I was able to throw together a first-pass implementation using esbuild and Node SEA: https://github.com/eco-infra/ecoinfra/compare/master...jasongwartz:ecoinfra:node-sea

Note that this isn't cross-platform, and I've just stuffed the required steps into a package.sh file. But you should be able to run npm run build && npm run package, and then execute ./bin afterwards.

jasongwartz commented 3 weeks ago

One more note - for other asset blob dependencies (I've just noticed one on node_modules/figlet/fonts/Standard.flf), there's a separate mechanism for it: https://nodejs.org/api/single-executable-applications.html#assets
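
The asset mechanism linked above, sketched as an added example (not part of the original comment and not code from the ecoinfra repository): the figlet font is declared under `assets` in the SEA config and read back through `node:sea` at runtime, with a disk fallback for non-packaged runs. The paths `dist/main.js` and `sea-prep.blob` and the helper names `seaConfig`, `loadSea` and `readAsset` are assumptions for illustration.

```javascript
// Added example. SEA entry scripts are CommonJS, so require() is used throughout.
const fs = require('node:fs');
const path = require('node:path');

// Asset key -> source path on disk. This object is what goes into the
// "assets" field of sea-config.json; only keys listed here can be loaded.
const ASSETS = { 'Standard.flf': 'node_modules/figlet/fonts/Standard.flf' };

// Build the object to write to sea-config.json before running
// `node --experimental-sea-config sea-config.json`.
// main/output values are assumed names, not the project's.
function seaConfig(main, output, assets = ASSETS) {
  return { main, output, disableExperimentalSEAWarning: true, assets };
}

// node:sea only exists on newer Node releases; return null when it is absent.
function loadSea() {
  try {
    return require('node:sea');
  } catch {
    return null;
  }
}

// Read an asset as UTF-8 text. Inside a single executable the bytes come from
// the injected blob; otherwise (npm start, tests) they come from node_modules.
function readAsset(key, { sea = loadSea(), root = process.cwd(), assets = ASSETS } = {}) {
  // Reject keys that were never declared, so a caller-supplied name cannot
  // turn the disk fallback into an arbitrary file read.
  if (!Object.prototype.hasOwnProperty.call(assets, key)) {
    throw new Error(`unknown asset key: ${key}`);
  }
  if (sea && sea.isSea()) {
    return sea.getAsset(key, 'utf8');
  }
  return fs.readFileSync(path.resolve(root, assets[key]), 'utf8');
}

module.exports = { ASSETS, seaConfig, loadSea, readAsset };
```

Writing `JSON.stringify(seaConfig('dist/main.js', 'sea-prep.blob'), null, 2)` to `sea-config.json` keeps the build-time asset list and the runtime allowlist in one place.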

iamdavidmt commented 3 weeks ago

Fantastic investigation thus far; on a separate but related note - I'm going to move the testing aspect into a new issue