Skip to content

fix: opt out of node-gyp on install via gypfile:false#367

Open
BridgeAR wants to merge 1 commit into
mainfrom
BridgeAR/2026-07-06-gypfile-false
Open

fix: opt out of node-gyp on install via gypfile:false#367
BridgeAR wants to merge 1 commit into
mainfrom
BridgeAR/2026-07-06-gypfile-false

Conversation

@BridgeAR

@BridgeAR BridgeAR commented Jul 7, 2026

Copy link
Copy Markdown
Member

Summary

Dropping the no-op install script in #363 stopped Yarn Berry's YN0007 warning, but it handed control to npm's publish-time normalization. With binding.gyp in the dev tree (excluded from the tarball) and no install/preinstall script, npm synthesizes "gypfile": true and "install": "node-gyp rebuild" into the published manifest. npm consumers then run node-gyp rebuild against a binding.gyp that isn't in the package, and the install fails — this shipped broken in 5.16.0 (see the linked review, e.g. the pprof-it CI failure).

Setting "gypfile": false suppresses that implicit hook while keeping the manifest free of lifecycle scripts, so npm and Yarn Berry both install the prebuilt binaries without a build step. The regression test now pins gypfile:false alongside the existing no-lifecycle-scripts assertion.

Why

"gypfile": false is package metadata rather than a lifecycle script, so it does not reintroduce the YN0007 warning #363 removed. Verified against npm's own normalization (@npmcli/package-json): with binding.gyp still on disk, the normalized manifest keeps gypfile: false and no synthesized install script — the exact metadata that was broken in 5.16.0.

A follow-up patch release is needed since latest (5.16.0) is currently broken for npm consumers.

Fixes: #364 (review)

@datadog-datadog-prod-us1

This comment has been minimized.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

Overall package size

Self size: 2.4 MB
Deduped: 3.1 MB
No deduping: 3.1 MB

Dependency sizes | name | version | self size | total size | |------|---------|-----------|------------| | pprof-format | 2.2.2 | 500.53 kB | 500.53 kB | | source-map | 0.7.6 | 185.63 kB | 185.63 kB | | node-gyp-build | 4.8.4 | 13.86 kB | 13.86 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe

@BridgeAR BridgeAR marked this pull request as ready for review July 7, 2026 13:17

@szegedi szegedi left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The base branch should be main, not v5.x

@BridgeAR BridgeAR marked this pull request as draft July 7, 2026 13:25
Dropping the no-op install script in #363 stopped Yarn Berry's YN0007
warning, but it let npm's publish-time normalization take over: with
binding.gyp present in the dev tree (and excluded from the tarball) and
no install/preinstall script, npm synthesizes "gypfile": true and
"install": "node-gyp rebuild" into the published manifest. Consumers on
npm then run node-gyp rebuild against a binding.gyp that isn't in the
package and the install fails, which shipped broken in 5.16.0.

Setting "gypfile": false suppresses that implicit hook while keeping the
manifest free of lifecycle scripts, so both npm and Yarn Berry install
the prebuilt binaries without a build step. The regression test now also
pins gypfile:false alongside the no-lifecycle-scripts assertion.

Fixes: #364 (review)
@BridgeAR BridgeAR force-pushed the BridgeAR/2026-07-06-gypfile-false branch from d0d9efd to 6b67b97 Compare July 7, 2026 13:27
@BridgeAR BridgeAR changed the base branch from v5.x to main July 7, 2026 13:27
@BridgeAR BridgeAR marked this pull request as ready for review July 7, 2026 13:28
@szegedi szegedi enabled auto-merge (squash) July 7, 2026 13:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants