Expose the new hash_256 method that was introduced here.

Now that recrypt-rs has Schnorr signing implemented, we need to consume those changes in the Node binding and expose a method to be able to do it. Also consume the security changes PR as well.

As a (Travis) build process
I want to have a script I can execute to build, package, publish binaries, and publish to npm

Probably will need to be worked on in conjunction with #9

Needs further research on how the Travis multi-arch stuff works. Does it kick off a job for each arch? How do we tie them back together? I started thinking about this when trying to write the "top level build/publish script" ticket. We need to publish a binary for each arch/node combo, and then publish to npm.

See https://github.com/IronCoreLabs/recrypt-node-binding/blob/c7f06ba9097bce2ee064409f19ee0bfae131ea8e/publish.js

HI, i'm trying to import this node-binding into my NextJs project to run, but it keeps tlling me this error: ./node_modules/@ironcorelabs/recrypt-node-binding/bin-package/index.node
Module parse failed: Unexpected character '�' (1:0)
You may need an appropriate loader to handle this file type, currently no loaders are configured to process this file. See https://webpack.js.org/concepts#loaders
(Source code omitted for this binary file)

Please show me the proper way to import into framework like NextJs, thanks

As a (Travis) build process
I want a way to upload a binary tar.gz to github releases
so that it can be downloaded at NPM install time.

AC:

• the resultant upload can be successfully downloaded by ./node_modules/.bin/node-pre-gyp install

A good starting point might be
node-pre-gyp-github. During inital assessment this package did not upload the full archive and only created an 100 byte (correctly named) file in github.

Also note that file can only be downloaded once the release is not marked DRAFT.

Now that there is a manually written index.js as the entrypoint, we're duplicating a lot of work between index.js and index.d.ts that is error prone. Write an index.ts that replaces both in the repo, and a build process that produces both of the original files for NPM packaging.

Problem

When we compile the Neon node-binding source, the Node addon binary that it generates is not portable between architectures. This prevents us from being able to compile the source and publish it to NPM as we don't know the platform the user is installing from. Having users compile the addon at install time isn't very feasible since the chance that they have the various build dependencies (Rust, Neon, etc) is very minimal. Instead, we need to generate compiled binaries for various platforms and have those be retrieved at install time depending on the environment we're present in.

This is a known issue within Neon, but not something that appears to be actively developed or discussed even.

node-gyp

A rough parallel to what we're doing within Neon is node-gyp which is a tool for building Node addons from C++ code for Node. Where Neon helps us build Rust code into a native Node module, node-gyp does the same thing from C++ to native Node modules. As node-gyp is a more stable build tool, there's a larger ecosystem of tooling around dealing with this issue.

node-pre-gyp

What appears to be the most popular solution for handling the pre-compiled binary problem is the node-pre-gyp toolkit. This project aims to make it easy for distributing Node addons via pre-compiling binaries for various platforms. The quick and dirty workflow is

• Configure node-pre-gyp for the location of your binaries as well as where they are hosted
• Auto build and upload your binaries to an AWS bucket
• Add a postinstall script to your package.json so that when users run NPM install on it, once it's been installed it discovers the machines platform and requests the appropriate binary from the AWS bucket, extracts it and configures all paths.
• Optionally falls back to compiling the code via node-gyp if a binary cannot be found for the users machine.

This rough workflow is about the same as we'd ideally do with our node-binding. We likely won't have support for falling back to compiling locally given the lifting required there, but everything else should work roughly the same.

Resources

Other various resources/thoughts I've found so far after looking into this

• By default node-pre-gyp defaults to uploading/downloading to AWS buckets. There are tools such as node-pre-gyp-github that upload to GitHub releases. It seems like using GitHub releases for our binaries might be a good idea. Alternatively we would probably use a GCP bucket.

• Building the binaries for various platforms should be able to easily be done via Travis and there are a number of examples about how this is done for node-pre-gyp projects. Travis can build for both linux/osx as well as various NodeJS versions. There isn't Windows support or 32-bit support, so we'd have to decide how much we care about those platforms.

• This is a very detailed article which goes through the lengthy process that is involved to setup node-pre-gyp.

• I'm pretty skeptical that we'd be able to use node-pre-gyp with our stuff since we're in Rust. Maybe there's a way to use it for only the uploading/post-install downloading, but we might end up doing the same amount of work if we just wrote a tool ourselves. More investigation would be needed before we can decide on a route there.

• I've proven that the Neon module that is generated for these bindings works on both Node 8 and Node 10. However, there are no guarantees that future versions will work. So compiled versions would need to be build per Node version. This means that the cross-product of binaries would be [version of binding] x [version of node] x [platform (linux,osx,win)] x [supported architecture (x32/x64)]. Yeesh.

• A good project to look at for using node-pre-gyp is the Node Sqlite3 project.

Open Questions

• Even if we end up getting this all working above, there's still an issue that the whole process only works if consumers of the binding build their code on the same platform where it runs. If we have the above setup correctly but a developer is building on their local Mac before pushing the results to some location where it'll be run in Linux, the whole system breaks down. We might end up needing a way for developers to specify their platform via some environment variable so that I could build on one architecture but have the results be built for a different architecture.

• It should also be noted that Node 8/10 support WASM modules and I've proven that they work as expected. The WASM modules are also platform agnostic so they'd work to publish them to NPM. However the performance isn't great compared to these bindings so it depends on how much performance we need to wring out of this library.

Contains updates to new rand 0.6 and other dep updates. Consuming this will also fix the next release of the bindings to not be pulled from recrypt-rs master. (https://github.com/IronCoreLabs/recrypt-node-binding/blob/master/native/Cargo.toml#L13)

As a release manager
I want to be able to have Travis build and release recrypt-node-binding for multiple architecture and multiple Node.js versions when a new release is created.

AC

• When a release tag is created in git the build/publish process should kick off
• Releases should be created for Linux x86_64, MacOSX for Node 8 and Node 10
• An NPM package should be published

Publish version to match recrypt to designate "production ready" usage.

https://github.com/IronCoreLabs/recrypt-node-binding/runs/6751924442?check_suite_focus=true seems to indicate that we need to support arm64 on Mac:

dlopen(/Users/ironcore/actions-runner/_work/recrypt-node-binding/recrypt-node-binding/bin-package/index.node, 0x0001): tried: '/Users/ironcore/actions-runner/_work/recrypt-node-binding/recrypt-node-binding/bin-package/index.node' (mach-o file, but is an incompatible architecture (have 'arm64', need 'x86_64')), '/usr/local/lib/index.node' (no such file), '/usr/lib/index.node' (no such file)

In support of the common alpine-linux deployment environment, build and upload to releases a musl linked version of these bindings.

Creating this should "just work" per neon if the build is run in a musl environment, causing recrypt-rs and its gridiron dependency to be built linked against musl.

Add a compile/publish step to build a binary for windows. We might need to move this repo over to GitHub Actions as part of this in order to add windows builds.

Similar to what we did for the wasm-binding code, we should implement changes to the node-bindings to map errors to extract out the internal error message from recrypt-rs and expose that to the caller. Currently the caller just gets a fairly unhelpful "neon error" style message.

Hey, I'd love to start using this and the associated wasm libraries but we have recently upgraded to Node 21, which you don't support yet.

Are there any plans to support Node 21? If so, when?

Thanks in advance.

Apparently some people run non-LTS versions of NodeJS. We should support those versions so we don't get ugly error messages for them and now make us iterate our version support above version 8 in the consuming projects package.json files.

GitHub is reporting three vulnerabilities:

lodash critical CVE-2019-10744
mixin-deep high sev CVE-2019-10746
set-value high sev CVE-2019-10747

neon is coming up with a new build/distribution process, the experimental example project is here. Check it out and see if it will work to replace node-pre-gyp for us.

Known high severity security vulnerability detected in handlebars < 4.0.14 defined in yarn.lock.

yarn.lock update suggested: handlebars ~> 4.0.14.

Known high severity security vulnerability detected in js-yaml < 3.13.1 defined in yarn.lock.

yarn.lock update suggested: js-yaml ~> 3.13.1.

We should also update Recrypt to the latest and consume all breaking changes there as well. Also add Node12 support which will require us to rely on a fork of Neon.

Apparently neon binaries are supposed to be portable across Node versions. Investigate how that would affect our build and release process, we may be able to cut down on the number of artifacts and builds significantly.

This CI run failed. It only failed for our Mac builds.

dlopen(/Users/ironcore/actions-runner/_work/recrypt-node-binding/recrypt-node-binding/bin-package/index.node, 0x0001): tried: '/Users/ironcore/actions-runner/_work/recrypt-node-binding/recrypt-node-binding/bin-package/index.node' (mach-o file, but is an incompatible architecture (have 'arm64', need 'x86_64')), '/usr/local/lib/index.node' (no such file), '/usr/lib/index.node' (no such file)

Figure out if we can use node-pre-gyp for the postinstall NPM step of pulling down the expected architecture binary from the expected location. We don't want node-pre-gyp to do anything with node-gyp, just the configuration/simplification of determining an architecture and pulling down the proper binary.

As a (Travis) build process
I want a yarn target to call
so that a .tar.gz file is produced for the target architecture.

AC

• node-pre-gyp is used to produce this tar.gz so we can rely on it for naming and downloading at install time
• This should be a target like yarn run package unless there's a reason for it to be separate.
• The resultant tar.gz should only contain the index.node file to minimize size

Can be based off of the current node-pre-gyp