nodePackages.prebuild-install: drop #470892

Merged
pyrox0 merged 1 commit into NixOS:master from tomodachi94:push-oxknqmpslzrt
Dec 15, 2025

@tomodachi94 tomodachi94 commented Dec 15, 2025

It appears to be unmaintained upstream, and it's definitely unmaintained in Nixpkgs. See upstream's recommendations for alternatives.

Also looks like one of its dependencies is an older version of glob that has a CVE (CVE-2025-59343), though it's unclear to me if prebuild-install is actually vulnerable. There are patches pending upstream that have not been merged: prebuild/prebuild-install#214

Part of #229475.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@tomodachi94 tomodachi94 requested a review from pyrox0 December 15, 2025 01:38
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 8.has: changelog This PR adds or changes release notes 6.topic: nodejs Node.js is a free, open-source, cross-platform JavaScript runtime environment 8.has: documentation This PR adds or changes documentation labels Dec 15, 2025
@pyrox0 pyrox0 added this pull request to the merge queue Dec 15, 2025
Merged via the queue into NixOS:master with commit 88699ef Dec 15, 2025
32 of 35 checks passed
@tomodachi94 tomodachi94 deleted the push-oxknqmpslzrt branch December 15, 2025 02:34
tomodachi94 added a commit to tomodachi94/nixpkgs that referenced this pull request Dec 15, 2025
This package might be vulnerable to CVE-2025-59343 due to its dependency
on an old version of tar-fs.

I don't know if this CVE can be exploited with prebuild-install,
but better safe than sorry here.

Not-cherry-picked-because: Package was dropped on master (NixOS#470892)
pseudocc pushed a commit to pseudocc/nixpkgs that referenced this pull request Jan 9, 2026
This package might be vulnerable to CVE-2025-59343 due to its dependency
on an old version of tar-fs.

I don't know if this CVE can be exploited with prebuild-install,
but better safe than sorry here.

Not-cherry-picked-because: Package was dropped on master (NixOS#470892)