Removing Corepack 2024/09/27 @ NodeֶԂ44࣌ݶ໨

X: @yosuke_furukawa GitHub: yosuke-furukawa

Removing Corepack ʹ͍ͭͯ࿩ͤͱ ఱܒԼΔ

ͱ͍͏Θ͚ͰಡΜͰΈͨɻ https://socket.dev/blog/node-js-takes-steps-towards-removing-cor

ܦҢ • corepack ͸ Node.js ͷcore͔Β࡟আ͢ΔࣄΛද໌͢ΔPR͕ Ϛʔδ͞Εͨɻ https://github.com/nodejs/package- maintenance/pull/606 • Package Maintenance Working Group ʹΑΔܾఆ • ͦ΋ͦ΋͜ͷGroupͷҙਤ͸ͲΜͳ΋ͷ͕͋Δͷ͔

Package Maintenance Working Group • ࣮ࡍʹൃ଍͞Εͨͷ͸6೥લɺNode.js v10͘Β͍ʁ • Node.js ͷΤίγεςϜͰ͋ΔpackageͷࢧԉΛ͢ΔͨΊͷά ϧʔϓ • όʔδϣϯΞοϓͷ๦͛ʹͳΔΑ͏ͳϥΠϒϥϦ΍ύοέʔδ ͷ໰୊Λಛఆ͠ɺαϙʔτΛߦ͏͜ͱ͕໨త

Package Maintenance Working Group • Version؅ཧʹؔ͢ΔNode.js ͱ Package Managerͷ໨త • ΞϓϦέʔγϣϯ։ൃऀ͕ҎԼͷ͜ͱ͕Ͱ͖ΔΑ͏ʹ͢Δ 1. ϓϩδΣΫτʹద੾ͳNode.js/Package Managerͷόʔδϣϯ͕ఆٛͰ͖Δ ͜ͱ 2. ϩʔΧϧ։ൃ༻ͷNode.js / Package ManagerΛΠϯετʔϧͰ͖Δ͜ͱ 3. ϓϩδΣΫτ͝ͱʹਖ਼͍͠Node.js / Package Manager ͷ࣮ߦ͕Ͱ͖Δ͜ͱ

Package Maintenance Working Group • ࠓճ2൪ͷʮϩʔΧϧʹΠϯετʔϧͰ͖ΔΑ͏ʹ͢Δʯͱ͍ ͏໨తͷͨΊͷվળͰʮcorepackΛ࡟আ͢Δʯͱ͍͏ରԠ͕ඞ ཁʹͳͬͨɻ • Ұॠฉ͘ͱҙຯ͕Θ͔Βͳ͍ɻʮվળͷͨΊʹ࡟আ͢Δʁʯͱ ͳΔɻগ͠ॱΛ௥ͬͯ࿩͢ɻɹ

Package Maintenance Working Group • Node.jsͷμ΢ϯϩʔυϖʔδ͕࠷ۙ৽͘͠ͳͬͨͷΛ஌ͬͯΔ ͩΖ͏͔ʁ

Package Maintenance Working Group • nvm ΍ fnm ͳͲͷόʔδϣϯ ؅ཧπʔϧܦ༝ͰೖΕΔΑ͏ͳ ಋೖ͕هड़͞ΕΔΑ͏ʹͳͬͨɻ • ͜͜ͷผλϒʹผ్ύοέʔδ ϚωʔδϟͷΠϯετʔϧ΋هࡌ ͞ΕΔ༧ఆʹͳ͍ͬͯΔɻ

Package Maintenance Working Group • ͭ·Γɺyarn, pnpm ͳͲͷπʔϧ ΋͜͜ͰΠϯετʔϧʹରͯ͠ खॱ͕هࡌ͞ΕΔɻ • ͦͷखॱ͸yarn, pnpmͷ ࡞ऀ͕ਪ঑͢ΔΠϯετʔϧखॱʹ ै͏ඞཁ͕͋Δ • ඞͣ͠΋corepackܦ༝ͰΠϯετʔϧ ͢Δ͜ͱ͕ਪ঑͞ΕΔΘ͚Ͱ͸ͳ͍

Package Maintenance Working Group • corepackͷཱͪҐஔ͕͜ΕʹΑΓएׯඍົʹͳΔɻ • ΠϯετʔϧखॱΛύοέʔδϚωʔδϟͷਪ঑ʹै͏ͳΒ͹ corepack͸ඞਢͰ͸ͳ͘ͳΔɻ

Corepack security issue? • corepackͷͦ΋ͦ΋ͷߟ͑ํͱͯ͠ npm Ҏ֎ͷιʔε͔ΒύοέʔδϚ ωʔδϟʔͷμ΢ϯϩʔυΛ޿͘Ͱ͖Δ΋ͷͱ͍ͯ͠Δɻ • ྫ͑͹ɺcorepack͕αϙʔτ͍ͯ͠Δ yarn ͷURL͕ࣦޮ͠ɺυϝΠϯ͕ ৐ͬऔΒΕͨ৔߹͸Ͳ͏ͳΔʁ • ެ͕ࣜαϙʔτ͢Δ package manager ͸ͪΌΜͱग़ॴ͕อূͰ͖Δ΋ͷ Ͱͳͯ͘͸ͳΒͳ͍ͷͰ͸ͳ͍͔ɺͦ͏͡Όͳ͍΋ͷ͸ೖΕΔ΂͖Ͱ͸ͳ ͍ͱ͍͏ҙݟ https://github.com/nodejs/corepack/issues/495

Corepack security issue? • ॺ໊Λ͚ͭͯ npm ͕ॺ໊ݕূͰվ͟ΜΛ๷ࢭ͢Δػೳ͕͢Ͱʹଘࡏ͠ ͍ͯΔͷͰɺͦͷΑ͏ͳܗͰ഑৴Ͱ͖Δඞཁ͕͋ΔͷͰ͸ͳ͍͔ʁ • গͳ͘ͱ΋ corepack ଆͰ package manager ͕ॻ͖׵͑ΒΕͯͳ͍͔ ΛݕূͰ͖Δػೳ͸ඞཁͳͷͰ͸ɻ • yarnʹॺ໊Λݕূ͢ΔΑ͏ͳػೳ͕ͳ͍͜ͱ΋ࢦఠ͞Ε͍ͯΔɻ • ݌ʑᨣʑ https://github.com/nodejs/corepack/issues/495

ཱͪҐஔ͕ո͘͠ͳΔ corepack

ͱ͍͏Θ͚Ͱ • Ұ୴ɺcorepackͷυΩϡϝϯτ͸ Node.js ͱ͸ผͳ΋ͷͱͯ͠ ެ͔ࣜΒ֎͢ • ͦͷޙঃʑʹcorepackΛnodeίΞ͔Β࡟আ͢ΔΑ͏ʹ͢Δɻ • corepackΛҾ͖ଓ͖ར༻͍ͨ͠ਓ͸corepackܦ༝ͷpackage manager ͷΠϯετʔϧํ๏΋μ΢ϯϩʔυϖʔδʹهࡌ͢Δ

ίϛϡχςΟͷ੠ ʮͨͩ͊ʔʔʔʔʯ

൵تަަ • corepack Λ default ʹ͠Α͏ͱͨ͠Β corepack ͕ফ͞Εͨɺ ԿΛݴ͍ͬͯΔ͔Θ͔ΒͶʔͱࢥ͏͕ʢུ

൵تަަ • ʮnpm ͕σϑΥϧτͰόϯυϧ͞ΕΔͷ͸มΘΒͳ͍ͬͯ͋Μ ͳ஗ͯ͘Τϥʔ͕Θ͔Γʹ͍͘πʔϧ͕σϑΥϧτͱ͔Ϊϟά ͩΖʯΈ͍ͨͳҙݟ΋͋Δ https://github.com/nodejs/node/pull/51981

my opinion

๻ͷҙݟ • ͱΓ͍͖͋͑ͣͳΓফ͑Δ͔ͱ͍͏ͱɺ·ͩফ͑ͳ͍͸ͣɻ • Ұ୴͜ͷܾఆΛ͍ͯ͠Δ͕ɺ൱ఆͷ੠΋େ͖͍ͷͰ·ͩͲ͏ͳΔ͔Θ͔Βͳ ͍ɻ • corepackͷϝΠϯϝϯςφൈ͖ͷٞ࿦Ͱ࿩͕·ͱ·ͬͯ͠·ͬͨͷͰɺϝ ΠϯϝϯςφΛೖΕͯ࿩͞ͳ͍͔ʁͱ͍͏ҙݟ΋͋Δɻ • ʮ΍ͬͺ࢒͢ΘʯΈ͍ͨʹͳΔՄೳੑ΋͋Δ͠ɺࠓ͙͢Ͳ͏͜͏Έ͍ͨͳಈ ͖Λ͠ͳͯ͘΋͍͍ؾ͸͢Δɻ

๻ͷҙݟ • pnpmΛσϑΝΫτͱͯ͠࢖͍ͬͯΔνʔϜ͸طʹpnpmଆͰ package managerͷόʔδϣϯΛݻఆ͢Δػೳ͕ೖͬͯΔͷͰ Ұ෦ͷػೳ͸corepack͕ͳͯ͘΋ྑ͍ɻ • ͦ͏͍͏;͏ʹ package manager ଆͰπʔϧͱόʔδϣϯͷ ݻఆ͸ೖΔ͔΋ɻͦ͏ͳͬͨΒ corepack ΋͔֬ʹ؇΍͔ʹ͍ Βͳ͘ͳΓͦ͏Ͱ͸͋Δɻ

๻ͷҙݟ • ͦ΋ͦ΋Ͱ͍͏ͱ nvm ͳͲͷ Runtime ͷόʔδϣϯϚωʔδϟʔ͸ίΞͷ தʹ͸ͳ͍ɻ • package managerͷ version manager ͚ͩίΞͷதʹ͋Δͷ͸ػೳఏڙత ʹยखམͪͳؾ͕͢Δɻ • rust ͷ cargo ͷΑ͏ʹversion manager Ͱ͋Γ package manager Ͱ͋Γɺ runtime upgrader Ͱ͋Δ͔ͷΑ͏ͳ։ൃʹඞཁͳػೳΛ౷Ұ͢Δπʔϧ͕ ͋ͬͯ΋ྑ͍Α͏ͳؾ͕ͨ͠ɻ