Skip to content

fix: opt out of node-gyp on install via gypfile:false#367

Merged
szegedi merged 1 commit into
mainfrom
BridgeAR/2026-07-06-gypfile-false
Jul 7, 2026
Merged

fix: opt out of node-gyp on install via gypfile:false#367
szegedi merged 1 commit into
mainfrom
BridgeAR/2026-07-06-gypfile-false

Conversation

@BridgeAR

@BridgeAR BridgeAR commented Jul 7, 2026

Copy link
Copy Markdown
Member

Summary

Dropping the no-op install script in #363 stopped Yarn Berry's YN0007 warning, but it handed control to npm's publish-time normalization. With binding.gyp in the dev tree (excluded from the tarball) and no install/preinstall script, npm synthesizes "gypfile": true and "install": "node-gyp rebuild" into the published manifest. npm consumers then run node-gyp rebuild against a binding.gyp that isn't in the package, and the install fails — this shipped broken in 5.16.0 (see the linked review, e.g. the pprof-it CI failure).

Setting "gypfile": false suppresses that implicit hook while keeping the manifest free of lifecycle scripts, so npm and Yarn Berry both install the prebuilt binaries without a build step. The regression test now pins gypfile:false alongside the existing no-lifecycle-scripts assertion.

Why

"gypfile": false is package metadata rather than a lifecycle script, so it does not reintroduce the YN0007 warning #363 removed. Verified against npm's own normalization (@npmcli/package-json): with binding.gyp still on disk, the normalized manifest keeps gypfile: false and no synthesized install script — the exact metadata that was broken in 5.16.0.

A follow-up patch release is needed since latest (5.16.0) is currently broken for npm consumers.

Fixes: #364 (review)

@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Jul 7, 2026

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 6 Pipeline jobs failed

Build | asan (24)   View in Datadog   GitHub Actions

DataDog/apm-reliability/pprof-nodejs | benchmarks: [18]   View in Datadog   GitLab

DataDog/apm-reliability/pprof-nodejs | benchmarks: [20]   View in Datadog   GitLab

View all 6 failed jobs.

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 43fb612 | Docs | Datadog PR Page | Give us feedback!

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

Overall package size

Self size: 2.4 MB
Deduped: 3.1 MB
No deduping: 3.1 MB

Dependency sizes | name | version | self size | total size | |------|---------|-----------|------------| | pprof-format | 2.2.2 | 500.53 kB | 500.53 kB | | source-map | 0.7.6 | 185.63 kB | 185.63 kB | | node-gyp-build | 4.8.4 | 13.86 kB | 13.86 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe

@BridgeAR BridgeAR marked this pull request as ready for review July 7, 2026 13:17

@szegedi szegedi left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The base branch should be main, not v5.x

@BridgeAR BridgeAR marked this pull request as draft July 7, 2026 13:25
@BridgeAR BridgeAR force-pushed the BridgeAR/2026-07-06-gypfile-false branch from d0d9efd to 6b67b97 Compare July 7, 2026 13:27
@BridgeAR BridgeAR changed the base branch from v5.x to main July 7, 2026 13:27
@BridgeAR BridgeAR marked this pull request as ready for review July 7, 2026 13:28
@szegedi szegedi enabled auto-merge (squash) July 7, 2026 13:43
Dropping the no-op install script in #363 stopped Yarn Berry's YN0007
warning, but it let npm's publish-time normalization take over: with
binding.gyp present in the dev tree (and excluded from the tarball) and
no install/preinstall script, npm synthesizes "gypfile": true and
"install": "node-gyp rebuild" into the published manifest. Consumers on
npm then run node-gyp rebuild against a binding.gyp that isn't in the
package and the install fails, which shipped broken in 5.16.0.

Setting "gypfile": false suppresses that implicit hook while keeping the
manifest free of lifecycle scripts, so both npm and Yarn Berry install
the prebuilt binaries without a build step. The regression test now also
pins gypfile:false alongside the no-lifecycle-scripts assertion.

Fixes: #364 (review)
@BridgeAR BridgeAR force-pushed the BridgeAR/2026-07-06-gypfile-false branch from 6b67b97 to 43fb612 Compare July 7, 2026 17:44
@BridgeAR BridgeAR added the semver-patch Bug or security fixes, mainly label Jul 7, 2026
@szegedi szegedi merged commit 2e3ad63 into main Jul 7, 2026
@szegedi szegedi deleted the BridgeAR/2026-07-06-gypfile-false branch July 7, 2026 17:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

semver-patch Bug or security fixes, mainly

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants