Single executable applications#
History
Version | Changes |
---|---|
v20.6.0 | Added support for "useSnapshot". |
v20.6.0 | Added support for "useCodeCache". |
v19.7.0, v18.16.0 | Added in: v19.7.0, v18.16.0 |
Stability: 1.1 - Active development
Source Code: src/node_sea.cc
This feature allows the distribution of a Node.js application conveniently to asystem that does not have Node.js installed.
Node.js supports the creation of single executable applications by allowingthe injection of a blob prepared by Node.js, which can contain a bundled script,into the node
binary. During start up, the program checks if anything has beeninjected. If the blob is found, it executes the script in the blob. OtherwiseNode.js operates as it normally does.
The single executable application feature currently only supports running asingle embedded script using the CommonJS module system.
Users can create a single executable application from their bundled scriptwith the node
binary itself and any tool which can inject resources into thebinary.
Here are the steps for creating a single executable application using one suchtool, postject:
Create a JavaScript file:
echo 'console.log(`Hello, ${process.argv[2]}!`);' > hello.js
Create a configuration file building a blob that can be injected into thesingle executable application (seeGenerating single executable preparation blobs for details):
echo '{ "main": "hello.js", "output": "sea-prep.blob" }' > sea-config.json
Generate the blob to be injected:
node --experimental-sea-config sea-config.json
Create a copy of the
node
executable and name it according to your needs:- On systems other than Windows:
cp $(command -v node) hello
- On Windows:
node -e "require('fs').copyFileSync(process.execPath, 'hello.exe')"
The
.exe
extension is necessary.Remove the signature of the binary (macOS and Windows only):
- On macOS:
codesign --remove-signature hello
- On Windows (optional):
signtool can be used from the installed Windows SDK. If this step isskipped, ignore any signature-related warning from postject.
signtool remove /s hello.exe
Inject the blob into the copied binary by running
postject
withthe following options:hello
/hello.exe
- The name of the copy of thenode
executablecreated in step 4.NODE_SEA_BLOB
- The name of the resource / note / section in the binarywhere the contents of the blob will be stored.sea-prep.blob
- The name of the blob created in step 1.--sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
- Thefuse used by the Node.js project to detect if a file has been injected.--macho-segment-name NODE_SEA
(only needed on macOS) - The name of thesegment in the binary where the contents of the blob will bestored.
To summarize, here is the required command for each platform:
On Linux:
npx postject hello NODE_SEA_BLOB sea-prep.blob \ --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
On Windows - PowerShell:
npx postject hello.exe NODE_SEA_BLOB sea-prep.blob ` --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
On Windows - Command Prompt:
npx postject hello.exe NODE_SEA_BLOB sea-prep.blob ^ --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
On macOS:
npx postject hello NODE_SEA_BLOB sea-prep.blob \ --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 \ --macho-segment-name NODE_SEA
Sign the binary (macOS and Windows only):
- On macOS:
codesign --sign - hello
- On Windows (optional):
A certificate needs to be present for this to work. However, the unsignedbinary would still be runnable.
signtool sign /fd SHA256 hello.exe
Run the binary:
- On systems other than Windows
$ ./hello worldHello, world!
- On Windows
$ .\hello.exe worldHello, world!
Generating single executable preparation blobs#
Single executable preparation blobs that are injected into the application canbe generated using the --experimental-sea-config
flag of the Node.js binarythat will be used to build the single executable. It takes a path to aconfiguration file in JSON format. If the path passed to it isn't absolute,Node.js will use the path relative to the current working directory.
The configuration currently reads the following top-level fields:
{ "main": "/path/to/bundled/script.js", "output": "/path/to/write/the/generated/blob.blob", "disableExperimentalSEAWarning": true, // Default: false "useSnapshot": false, // Default: false "useCodeCache": true, // Default: false "assets": { // Optional "a.dat": "/path/to/a.dat", "b.txt": "/path/to/b.txt" }}
If the paths are not absolute, Node.js will use the path relative to thecurrent working directory. The version of the Node.js binary used to producethe blob must be the same as the one to which the blob will be injected.
Note: When generating cross-platform SEAs (e.g., generating a SEAfor linux-x64
on darwin-arm64
), useCodeCache
and useSnapshot
must be set to false to avoid generating incompatible executables.Since code cache and snapshots can only be loaded on the same platformwhere they are compiled, the generated executable might crash on startup whentrying to load code cache or snapshots built on a different platform.
Assets#
Users can include assets by adding a key-path dictionary to the configurationas the assets
field. At build time, Node.js would read the assets from thespecified paths and bundle them into the preparation blob. In the generatedexecutable, users can retrieve the assets using the sea.getAsset() andsea.getAssetAsBlob() APIs.
{ "main": "/path/to/bundled/script.js", "output": "/path/to/write/the/generated/blob.blob", "assets": { "a.jpg": "/path/to/a.jpg", "b.txt": "/path/to/b.txt" }}
The single-executable application can access the assets as follows:
const { getAsset, getAssetAsBlob, getRawAsset } = require('node:sea');// Returns a copy of the data in an ArrayBuffer.const image = getAsset('a.jpg');// Returns a string decoded from the asset as UTF8.const text = getAsset('b.txt', 'utf8');// Returns a Blob containing the asset.const blob = getAssetAsBlob('a.jpg');// Returns an ArrayBuffer containing the raw asset without copying.const raw = getRawAsset('a.jpg');
See documentation of the sea.getAsset(), sea.getAssetAsBlob() and sea.getRawAsset()APIs for more information.
Startup snapshot support#
The useSnapshot
field can be used to enable startup snapshot support. In thiscase the main
script would not be when the final executable is launched.Instead, it would be run when the single executable application preparationblob is generated on the building machine. The generated preparation blob wouldthen include a snapshot capturing the states initialized by the main
script.The final executable with the preparation blob injected would deserializethe snapshot at run time.
When useSnapshot
is true, the main script must invoke thev8.startupSnapshot.setDeserializeMainFunction() API to configure codethat needs to be run when the final executable is launched by the users.
The typical pattern for an application to use snapshot in a single executableapplication is:
- At build time, on the building machine, the main script is run toinitialize the heap to a state that's ready to take user input. The scriptshould also configure a main function withv8.startupSnapshot.setDeserializeMainFunction(). This function will becompiled and serialized into the snapshot, but not invoked at build time.
- At run time, the main function will be run on top of the deserialized heapon the user machine to process user input and generate output.
The general constraints of the startup snapshot scripts also apply to the mainscript when it's used to build snapshot for the single executable application,and the main script can use the v8.startupSnapshot API to adapt tothese constraints. Seedocumentation about startup snapshot support in Node.js.
V8 code cache support#
When useCodeCache
is set to true
in the configuration, during the generationof the single executable preparation blob, Node.js will compile the main
script to generate the V8 code cache. The generated code cache would be part ofthe preparation blob and get injected into the final executable. When the singleexecutable application is launched, instead of compiling the main
script fromscratch, Node.js would use the code cache to speed up the compilation, thenexecute the script, which would improve the startup performance.
Note: import()
does not work when useCodeCache
is true
.
In the injected main script#
Single-executable application API#
The node:sea
builtin allows interaction with the single-executable applicationfrom the JavaScript main script embedded into the executable.
sea.isSea()
#
Added in: v21.7.0, v20.12.0
- Returns: <boolean> Whether this script is running inside a single-executableapplication.
sea.getAsset(key[, encoding])
#
Added in: v21.7.0, v20.12.0
This method can be used to retrieve the assets configured to be bundled into thesingle-executable application at build time.An error is thrown when no matching asset can be found.
key
<string> the key for the asset in the dictionary specified by theassets
field in the single-executable application configuration.encoding
<string> If specified, the asset will be decoded asa string. Any encoding supported by theTextDecoder
is accepted.If unspecified, anArrayBuffer
containing a copy of the asset would bereturned instead.- Returns: <string> | <ArrayBuffer>
sea.getAssetAsBlob(key[, options])
#
Added in: v21.7.0, v20.12.0
Similar to sea.getAsset(), but returns the result in a Blob
.An error is thrown when no matching asset can be found.
key
<string> the key for the asset in the dictionary specified by theassets
field in the single-executable application configuration.options
<Object>type
<string> An optional mime type for the blob.
- Returns: <Blob>
sea.getRawAsset(key)
#
Added in: v21.7.0, v20.12.0
This method can be used to retrieve the assets configured to be bundled into thesingle-executable application at build time.An error is thrown when no matching asset can be found.
Unlike sea.getAsset()
or sea.getAssetAsBlob()
, this method does notreturn a copy. Instead, it returns the raw asset bundled inside the executable.
For now, users should avoid writing to the returned array buffer. If theinjected section is not marked as writable or not aligned properly,writes to the returned array buffer is likely to result in a crash.
key
<string> the key for the asset in the dictionary specified by theassets
field in the single-executable application configuration.- Returns: <string> | <ArrayBuffer>
require(id)
in the injected main script is not file based#
require()
in the injected main script is not the same as the require()available to modules that are not injected. It also does not have any of theproperties that non-injected require() has except require.main. Itcan only be used to load built-in modules. Attempting to load a module that canonly be found in the file system will throw an error.
Instead of relying on a file based require()
, users can bundle theirapplication into a standalone JavaScript file to inject into the executable.This also ensures a more deterministic dependency graph.
However, if a file based require()
is still needed, that can also be achieved:
const { createRequire } = require('node:module');require = createRequire(__filename);
__filename
and module.filename
in the injected main script#
The values of __filename
and module.filename
in the injected main scriptare equal to process.execPath.
__dirname
in the injected main script#
The value of __dirname
in the injected main script is equal to the directoryname of process.execPath.
Notes#
Single executable application creation process#
A tool aiming to create a single executable Node.js application mustinject the contents of the blob prepared with --experimental-sea-config"
into:
- a resource named
NODE_SEA_BLOB
if thenode
binary is a PE file - a section named
NODE_SEA_BLOB
in theNODE_SEA
segment if thenode
binaryis a Mach-O file - a note named
NODE_SEA_BLOB
if thenode
binary is an ELF file
Search the binary for theNODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:0
fuse string and flip thelast character to 1
to indicate that a resource has been injected.
Platform support#
Single-executable support is tested regularly on CI only on the followingplatforms:
- Windows
- macOS
- Linux (all distributions supported by Node.js except Alpine and allarchitectures supported by Node.js except s390x)
This is due to a lack of better tools to generate single-executables that can beused to test this feature on other platforms.
Suggestions for other resource injection tools/workflows are welcomed. Pleasestart a discussion at https://github.com/nodejs/single-executable/discussionsto help us document them.