The latest articles on DEV Community by Edouard Maleix (@getlarge). https://dev.to/getlarge https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1253749%2Fc4b87a1b-784c-491c-ab9e-1cd2a4df299c.jpeg https://dev.to/getlarge en Edouard Maleix Wed, 18 Jun 2025 04:53:39 +0000 https://dev.to/getlarge/ever-felt-like-your-authorization-code-could-be-easier-to-maintain-and-more-flexible-how-4maa https://dev.to/getlarge/ever-felt-like-your-authorization-code-could-be-easier-to-maintain-and-more-flexible-how-4maa <div class="ltag__link"> <a href="/this-is-learning" class="ltag__link__link"> <div class="ltag__link__org__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F3314%2Fdc73eb74-08f9-4592-b599-c08f2bb14b4d.png" alt="This is Learning" width="192" height="192"> <div class="ltag__link__user__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1253749%2Fc4b87a1b-784c-491c-ab9e-1cd2a4df299c.jpeg" alt="" width="800" height="800"> </div> </div> </a> <a href="https://dev.to/this-is-learning/how-to-protect-your-api-with-openfga-from-rebac-concepts-to-practical-usage-4n9j" class="ltag__link__link"> <div class="ltag__link__content"> <h2>How to Protect Your API with OpenFGA: From ReBAC Concepts to Practical Usage</h2> <h3>Edouard Maleix for This is Learning ・ Jun 15</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#tutorial</span> <span class="ltag__link__tag">#openfga</span> <span class="ltag__link__tag">#authorization</span> <span class="ltag__link__tag">#security</span> </div> </div> </a> </div> tutorial openfga authorization security Edouard Maleix Mon, 17 Mar 2025 10:50:00 +0000 https://dev.to/playfulprogramming/building-single-executable-applications-with-nodejs-16k3 https://dev.to/playfulprogramming/building-single-executable-applications-with-nodejs-16k3 <blockquote> <p><em>"Can we upgrade to the latest Node.js version?"</em></p> </blockquote> <p>A few months ago, I did not imagine that this seemingly innocent question from a client would bring me so <strong>deep</strong> into the world of single executable applications, a.k.a. SEA, a.k.a. executable binaries.</p> <p>Their team had been using <a href="https://github.com/vercel/pkg" rel="noopener noreferrer">PKG</a> to package Node.js applications into standalone executables, but then they hit a roadblock - PKG has been deprecated. While the community <a href="https://github.com/yao-pkg/pkg" rel="noopener noreferrer">fork</a> had kept pace with Node.js evolution (even working on Node.js v22), the constant changes to Node.js internals made maintaining these patches challenging. Each new <strong>Node.js version required adapting to internal changes</strong>, creating an ongoing maintenance effort that added complexity to their deployment pipeline.</p> <p>That's when I remembered hearing about Node.js <strong>Single Executable Applications (SEA)</strong> - a native feature. As someone who's spent years optimizing deployment pipelines and container strategies, I knew I had to explore this promising alternative.</p> <p>In this article, I'm sharing what I've learned about SEA, a feature that fundamentally shifts how we package and distribute Node.js applications. If you've encountered:</p> <ul> <li>Delays waiting for packaging tools to support new Node.js versions</li> <li>Complex configuration requirements for native modules</li> <li>The maintenance burden of keeping dependencies versions and build tools in sync with runtime</li> <li>The search for lighter, more portable deployment artifacts</li> </ul> <p>...then you'll find this exploration valuable.</p> <p>I'll take you through both the technical foundations and practical implementation of SEA, showing how it can simplify your deployment strategy while making your applications more portable and secure.</p> <h2> Table of contents </h2> <ol> <li>Two Worlds of Application Distribution</li> <li>Technical Foundation</li> <li>Practical Implementation</li> <li>Docker Integration</li> <li>Performance Benchmarks</li> <li>The Reality of Code Protection</li> <li>Conclusion</li> </ol> <h2> Two Worlds of Application Distribution </h2> <p>First, I want to distinguish between each distribution method.</p> <h3> Traditional Node.js Deployment </h3> <p>The conventional approach to Node.js deployment has several limitations:</p> <ul> <li> <strong>Fragmented Distribution</strong>: Source files, dependencies, and runtime are all separate pieces</li> <li> <strong>Environment Dependencies</strong>: Applications only work when the target environment has the exact right setup</li> <li> <strong>Configuration Fragility</strong>: Settings files must be correctly placed and formatted</li> <li> <strong>Version Constraints</strong>: The correct Node.js version must be present</li> </ul> <p>This creates a brittle deployment pipeline where one small misconfiguration can cause everything to fail.</p> <h3> Single Executable Applications Deployment </h3> <p>Single Executable Applications (SEA) represent a fundamental paradigm shift:</p> <ul> <li> <strong>Complete Self-Containment</strong>: Code, dependencies, assets, and runtime bundled in one binary</li> <li> <strong>Environment Independence</strong>: The application carries its environment with it</li> <li> <strong>Protected Configuration</strong>: Settings embedded and secured within the executable</li> <li> <strong>Deployment Simplicity</strong>: One file to deploy, one file to run</li> </ul> <p>This approach represents a <strong>shift-left</strong> in application delivery—moving deployment concerns from operations teams into the development process. With SEA, developers take ownership of packaging the entire application environment during development rather than leaving it to deployment time.</p> <p>The result? Applications that are more reliable, more secure, and significantly easier to deploy.</p> <h2> Technical Foundation </h2> <p>As a longtime Node.js developer, I was curious about how this feature was implemented. Let's peek under the hood!</p> <h3> The Anatomy of a SEA </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8uxdc8pfznc8zmjcfoas.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8uxdc8pfznc8zmjcfoas.png" alt="SEA Composition" width="800" height="301"></a></p> <p>A Single Executable Application builds in three distinct stages:</p> <ol> <li><strong>Collection Stage</strong></li> <li><strong>Virtual File System Stage</strong></li> <li><strong>Binary Integration Stage</strong></li> </ol> <h4> Collection Stage </h4> <p>This is where things start getting interesting! The SEA tooling gathers:</p> <ul> <li>JavaScript application code</li> <li>JSON configuration files</li> <li>Dependencies from <code>node_modules</code> </li> <li>Native add-ons</li> <li>Static assets</li> </ul> <h4> Virtual File System Stage </h4> <p>This is where the real magic happens. Instead of just bundling files, SEA creates a miniature in-memory filesystem that:</p> <ul> <li>Preserves directory structures exactly as they were</li> <li>Maintains file permissions</li> <li>Keeps symbolic links intact</li> <li>Retains original file paths</li> <li>Enables fast random access</li> </ul> <h4> Binary Integration Stage </h4> <p>The final step injects our virtual filesystem into the Node.js binary:</p> <ul> <li>Preserves execution ability</li> <li>Maintains code signing compatibility</li> <li>Enables runtime detection</li> <li>Supports cross-platform formats (Mach-O, PE, ELF)</li> </ul> <h2> Internals </h2> <p>The conductor behind the SEA orchestra is a small piece of C++ code in the Node.js source.</p> <blockquote> <p><strong>Note</strong> This is the nerdy part, feel free to jump to the Practical Implementation if you're more interested in hands-on examples.</p> </blockquote> <h3> SEA Configuration </h3> <p>The <a href="https://github.com/nodejs/node/blob/main/src/node_sea.cc" rel="noopener noreferrer"><code>node_sea.cc</code></a> evolves around the <code>SeaResource</code> structure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="k">class</span> <span class="nc">SeaResource</span> <span class="p">{</span> <span class="nl">public:</span> <span class="k">static</span> <span class="k">constexpr</span> <span class="kt">uint32_t</span> <span class="n">kMagic</span> <span class="o">=</span> <span class="mh">0x1EA</span><span class="p">;</span> <span class="c1">// SEA magic number</span> <span class="k">static</span> <span class="k">constexpr</span> <span class="kt">size_t</span> <span class="n">kHeaderSize</span> <span class="o">=</span> <span class="mi">8</span><span class="p">;</span> <span class="c1">// Size of header</span> <span class="n">SeaFlags</span> <span class="n">flags</span><span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">string_view</span> <span class="n">code_path</span><span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">string_view</span> <span class="n">main_code_or_snapshot</span><span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">optional</span><span class="o">&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">string_view</span><span class="o">&gt;</span> <span class="n">code_cache</span><span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">unordered_map</span><span class="o">&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">string_view</span><span class="p">,</span> <span class="n">std</span><span class="o">::</span><span class="n">string_view</span><span class="o">&gt;</span> <span class="n">assets</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <p>This structure shows us several critical design decisions:</p> <ol> <li>Use of a magic number (0x1EA) to identify the injected program during deserialization</li> <li>Support for both code and snapshots</li> <li>Optional location for code cache (we'll talk about it later)</li> <li>Asset storage in a key-value format</li> </ol> <h3> SEA Generation Process </h3> <p>The high-level process of the SEA creation is simple:</p> <ol> <li>Read the main (bundled) script</li> <li>Generate V8 snapshot if needed (I will talk about snapshot later)</li> <li>Generate code cache if requested (I will talk about cache later)</li> <li>Processes and includes assets</li> <li>Serialize everything into a single Blob </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">ExitCode</span> <span class="nf">GenerateSingleExecutableBlob</span><span class="p">(</span><span class="k">const</span> <span class="n">SeaConfig</span><span class="o">&amp;</span> <span class="n">config</span><span class="p">,</span> <span class="k">const</span> <span class="n">std</span><span class="o">::</span><span class="n">vector</span><span class="o">&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="o">&gt;&amp;</span> <span class="n">args</span><span class="p">,</span> <span class="k">const</span> <span class="n">std</span><span class="o">::</span><span class="n">vector</span><span class="o">&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="o">&gt;&amp;</span> <span class="n">exec_args</span><span class="p">)</span> <span class="p">{</span> <span class="n">std</span><span class="o">::</span><span class="n">string</span> <span class="n">main_script</span><span class="p">;</span> <span class="n">ReadFileSync</span><span class="p">(</span><span class="o">&amp;</span><span class="n">main_script</span><span class="p">,</span> <span class="n">config</span><span class="p">.</span><span class="n">main_path</span><span class="p">.</span><span class="n">c_str</span><span class="p">());</span> <span class="k">if</span> <span class="p">(</span><span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span><span class="p">(</span><span class="n">config</span><span class="p">.</span><span class="n">flags</span> <span class="o">&amp;</span> <span class="n">SeaFlags</span><span class="o">::</span><span class="n">kUseSnapshot</span><span class="p">))</span> <span class="p">{</span> <span class="n">GenerateSnapshotForSEA</span><span class="p">(...);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span><span class="p">(</span><span class="n">config</span><span class="p">.</span><span class="n">flags</span> <span class="o">&amp;</span> <span class="n">SeaFlags</span><span class="o">::</span><span class="n">kUseCodeCache</span><span class="p">))</span> <span class="p">{</span> <span class="n">GenerateCodeCache</span><span class="p">(</span><span class="n">config</span><span class="p">.</span><span class="n">main_path</span><span class="p">,</span> <span class="n">main_script</span><span class="p">);</span> <span class="p">}</span> <span class="n">std</span><span class="o">::</span><span class="n">unordered_map</span><span class="o">&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="p">,</span> <span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="o">&gt;</span> <span class="n">assets</span><span class="p">;</span> <span class="n">BuildAssets</span><span class="p">(</span><span class="n">config</span><span class="p">.</span><span class="n">assets</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">assets</span><span class="p">);</span> <span class="n">SeaSerializer</span> <span class="n">serializer</span><span class="p">;</span> <span class="n">serializer</span><span class="p">.</span><span class="n">Write</span><span class="p">(</span><span class="n">sea</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Resource Injection </h3> <p>SEA uses the postject library to add our VFS as a new section in the binary file format.</p> <p>Different operating systems use different binary formats. Node.js support the following:</p> <ul> <li>macOS uses Mach-O</li> <li>Windows uses Portable Executable (PE)</li> <li>Linux uses ELF (Executable and Linkable Format) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">std</span><span class="o">::</span><span class="n">string_view</span> <span class="nf">FindSingleExecutableBlob</span><span class="p">()</span> <span class="p">{</span> <span class="cp">#ifdef __APPLE__ </span> <span class="n">postject_options</span> <span class="n">options</span><span class="p">;</span> <span class="n">postject_options_init</span><span class="p">(</span><span class="o">&amp;</span><span class="n">options</span><span class="p">);</span> <span class="n">options</span><span class="p">.</span><span class="n">macho_segment_name</span> <span class="o">=</span> <span class="s">"NODE_SEA"</span><span class="p">;</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">blob</span> <span class="o">=</span> <span class="k">static_cast</span><span class="o">&lt;</span><span class="k">const</span> <span class="kt">char</span><span class="o">*&gt;</span><span class="p">(</span> <span class="n">postject_find_resource</span><span class="p">(</span><span class="s">"NODE_SEA_BLOB"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">size</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">options</span><span class="p">));</span> <span class="cp">#else </span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">blob</span> <span class="o">=</span> <span class="k">static_cast</span><span class="o">&lt;</span><span class="k">const</span> <span class="kt">char</span><span class="o">*&gt;</span><span class="p">(</span> <span class="n">postject_find_resource</span><span class="p">(</span><span class="s">"NODE_SEA_BLOB"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">size</span><span class="p">,</span> <span class="nb">nullptr</span><span class="p">));</span> <span class="cp">#endif </span> <span class="k">return</span> <span class="p">{</span><span class="n">blob</span><span class="p">,</span> <span class="n">size</span><span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h3> Read-Only Assets </h3> <p>One important security feature is read-only asset access.<br> The implementation ensures assets remain read-only through careful API design:</p> <ol> <li>Assets are stored as immutable string_views</li> <li>The ArrayBuffer is created with a no-op deleter</li> <li>No API exists for modifying assets once bundled </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="kt">void</span> <span class="nf">GetAsset</span><span class="p">(</span><span class="k">const</span> <span class="n">FunctionCallbackInfo</span><span class="o">&lt;</span><span class="n">Value</span><span class="o">&gt;&amp;</span> <span class="n">args</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Validate input</span> <span class="n">CHECK_EQ</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">Length</span><span class="p">(),</span> <span class="mi">1</span><span class="p">);</span> <span class="n">CHECK</span><span class="p">(</span><span class="n">args</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">IsString</span><span class="p">());</span> <span class="n">Utf8Value</span> <span class="n">key</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">GetIsolate</span><span class="p">(),</span> <span class="n">args</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="n">SeaResource</span> <span class="n">sea_resource</span> <span class="o">=</span> <span class="n">FindSingleExecutableResource</span><span class="p">();</span> <span class="k">auto</span> <span class="n">it</span> <span class="o">=</span> <span class="n">sea_resource</span><span class="p">.</span><span class="n">assets</span><span class="p">.</span><span class="n">find</span><span class="p">(</span><span class="o">*</span><span class="n">key</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">it</span> <span class="o">==</span> <span class="n">sea_resource</span><span class="p">.</span><span class="n">assets</span><span class="p">.</span><span class="n">end</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="n">std</span><span class="o">::</span><span class="n">unique_ptr</span><span class="o">&lt;</span><span class="n">v8</span><span class="o">::</span><span class="n">BackingStore</span><span class="o">&gt;</span> <span class="n">store</span> <span class="o">=</span> <span class="n">ArrayBuffer</span><span class="o">::</span><span class="n">NewBackingStore</span><span class="p">(</span> <span class="k">const_cast</span><span class="o">&lt;</span><span class="kt">char</span><span class="o">*&gt;</span><span class="p">(</span><span class="n">it</span><span class="o">-&gt;</span><span class="n">second</span><span class="p">.</span><span class="n">data</span><span class="p">()),</span> <span class="n">it</span><span class="o">-&gt;</span><span class="n">second</span><span class="p">.</span><span class="n">size</span><span class="p">(),</span> <span class="p">[](</span><span class="kt">void</span><span class="o">*</span><span class="p">,</span> <span class="kt">size_t</span><span class="p">,</span> <span class="kt">void</span><span class="o">*</span><span class="p">)</span> <span class="p">{},</span> <span class="c1">// No-op deleter prevents modifications</span> <span class="nb">nullptr</span><span class="p">);</span> <span class="n">Local</span><span class="o">&lt;</span><span class="n">ArrayBuffer</span><span class="o">&gt;</span> <span class="n">ab</span> <span class="o">=</span> <span class="n">ArrayBuffer</span><span class="o">::</span><span class="n">New</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">GetIsolate</span><span class="p">(),</span> <span class="n">std</span><span class="o">::</span><span class="n">move</span><span class="p">(</span><span class="n">store</span><span class="p">));</span> <span class="n">args</span><span class="p">.</span><span class="n">GetReturnValue</span><span class="p">().</span><span class="n">Set</span><span class="p">(</span><span class="n">ab</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Load the SEA </h3> <p>The final step is loading the SEA and executing the bundled code:</p> <ol> <li>Gets the current V8 context and environment</li> <li>Finds the SEA resource using <code>FindSingleExecutableResource()</code> </li> <li>Verifies it's not using a snapshot (<code>CHECK(!sea.use_snapshot())</code>)</li> <li>Converts the main code into a V8 value using <code>ToV8Value</code> </li> <li>Calls the CJS (CommonJS) run callback with the converted code (from this, you can guess that only CJS is supported!) </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">MaybeLocal</span><span class="o">&lt;</span><span class="n">Value</span><span class="o">&gt;</span> <span class="n">LoadSingleExecutableApplication</span><span class="p">(</span> <span class="k">const</span> <span class="n">StartExecutionCallbackInfo</span><span class="o">&amp;</span> <span class="n">info</span><span class="p">)</span> <span class="p">{</span> <span class="n">Local</span><span class="o">&lt;</span><span class="n">Context</span><span class="o">&gt;</span> <span class="n">context</span> <span class="o">=</span> <span class="n">Isolate</span><span class="o">::</span><span class="n">GetCurrent</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">GetCurrentContext</span><span class="p">();</span> <span class="n">Environment</span><span class="o">*</span> <span class="n">env</span> <span class="o">=</span> <span class="n">Environment</span><span class="o">::</span><span class="n">GetCurrent</span><span class="p">(</span><span class="n">context</span><span class="p">);</span> <span class="n">SeaResource</span> <span class="n">sea</span> <span class="o">=</span> <span class="n">FindSingleExecutableResource</span><span class="p">();</span> <span class="n">CHECK</span><span class="p">(</span><span class="o">!</span><span class="n">sea</span><span class="p">.</span><span class="n">use_snapshot</span><span class="p">());</span> <span class="n">Local</span><span class="o">&lt;</span><span class="n">Value</span><span class="o">&gt;</span> <span class="n">main_script</span> <span class="o">=</span> <span class="n">ToV8Value</span><span class="p">(</span><span class="n">env</span><span class="o">-&gt;</span><span class="n">context</span><span class="p">(),</span> <span class="n">sea</span><span class="p">.</span><span class="n">main_code_or_snapshot</span><span class="p">).</span><span class="n">ToLocalChecked</span><span class="p">();</span> <span class="k">return</span> <span class="n">info</span><span class="p">.</span><span class="n">run_cjs</span><span class="o">-&gt;</span><span class="n">Call</span><span class="p">(</span> <span class="n">env</span><span class="o">-&gt;</span><span class="n">context</span><span class="p">(),</span> <span class="n">Null</span><span class="p">(</span><span class="n">env</span><span class="o">-&gt;</span><span class="n">isolate</span><span class="p">()),</span> <span class="mi">1</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">main_script</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Practical Implementation </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx86gpq9mesddavn6uzrd.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx86gpq9mesddavn6uzrd.gif" alt="Practice" width="480" height="404"></a></p> <p>I built a file management service using Fastify to demonstrate SEA capabilities in the real world. The complete source code is available in the <a href="https://github.com/getlarge/node-sea-demo" rel="noopener noreferrer">Node-SEA Demo repository</a>.</p> <blockquote> <p>Hopefully, <a href="https://github.com/lirantal" rel="noopener noreferrer">Liran Tal</a> won't put the shame on me with this example app, no input validation, no rate limit, no auth, at least there's a path traversal check ;)</p> </blockquote> <h3> Project Structure </h3> <p>The project structure is simple, while representing a typical Node.js HTTP API application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">node</span><span class="o">-</span><span class="nx">sea</span><span class="o">-</span><span class="nx">demo</span><span class="o">/</span> <span class="err">├──</span> <span class="nx">src</span><span class="o">/</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">main</span><span class="p">.</span><span class="nx">ts</span> <span class="err">#</span> <span class="nx">Entry</span> <span class="nx">point</span> <span class="kd">with</span> <span class="nx">SEA</span> <span class="nx">detection</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">app</span><span class="o">/</span> <span class="err">│</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">app</span><span class="p">.</span><span class="nx">ts</span> <span class="err">#</span> <span class="nx">Fastify</span> <span class="nx">setup</span> <span class="err">│</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">helpers</span><span class="p">.</span><span class="nx">ts</span> <span class="err">#</span> <span class="nx">Utilities</span> <span class="err">│</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">routes</span><span class="o">/</span> <span class="err">│</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">root</span><span class="p">.</span><span class="nx">ts</span> <span class="err">#</span> <span class="nx">API</span> <span class="nx">handlers</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">assets</span><span class="o">/</span> <span class="err">#</span> <span class="nx">Static</span> <span class="nx">files</span> <span class="err">├──</span> <span class="nx">sea</span><span class="o">-</span><span class="nx">config</span><span class="p">.</span><span class="nx">json</span> <span class="err">#</span> <span class="nx">SEA</span> <span class="nx">configuration</span> <span class="err">└──</span> <span class="nx">project</span><span class="p">.</span><span class="nx">json</span> <span class="err">#</span> <span class="nx">Build</span> <span class="nx">configuration</span> </code></pre> </div> <h3> Key Implementation Details </h3> <p>The first challenge I encountered was detecting whether we're running in a SEA environment to override the <code>require</code> function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">sea</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">node:sea</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">sea</span><span class="p">.</span><span class="nf">isSea</span><span class="p">())</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">createRequire</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">node:module</span><span class="dl">'</span><span class="p">);</span> <span class="nx">require</span> <span class="o">=</span> <span class="nf">createRequire</span><span class="p">(</span><span class="nx">__filename</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nc">Fastify</span><span class="p">({</span> <span class="na">logger</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">trustProxy</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <blockquote> <p>When running as a SEA, <code>require.cache</code> is undefined! The bug is tracked <a href="https://github.com/nodejs/node/issues/49163" rel="noopener noreferrer">here</a>.</p> </blockquote> <p>Another pain point was managing Fastify plugins within the SEA environment. I found explicit registration works better than auto-loading, to avoid compilation issues:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">app</span><span class="p">(</span><span class="nx">fastify</span><span class="p">:</span> <span class="nx">FastifyInstance</span><span class="p">,</span> <span class="nx">opts</span><span class="p">:</span> <span class="nx">AppOptions</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">sensible</span><span class="p">);</span> <span class="k">await</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">fastifyMultipart</span><span class="p">,</span> <span class="p">{</span> <span class="na">limits</span><span class="p">:</span> <span class="p">{</span> <span class="na">fileSize</span><span class="p">:</span> <span class="nx">opts</span><span class="p">.</span><span class="nx">fileSize</span> <span class="o">??</span> <span class="mi">1048576</span> <span class="o">*</span> <span class="mi">10</span><span class="p">,</span> <span class="c1">// 10MB</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">assetsDir</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getAssetsDir</span><span class="p">();</span> <span class="k">await</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">fastifyStatic</span><span class="p">,</span> <span class="p">{</span> <span class="na">root</span><span class="p">:</span> <span class="nx">assetsDir</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/assets/</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">routes</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Security was another concern. Since SEA applications might also run with elevated privileges, I implemented strict path safety:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// routes/root.ts</span> <span class="kd">const</span> <span class="nx">safePathResolve</span> <span class="o">=</span> <span class="p">(</span><span class="nx">userPath</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">baseDir</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">userPath</span> <span class="o">||</span> <span class="sr">/</span><span class="se">[/\\]</span><span class="sr">/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">userPath</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">resolvedPath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">baseDir</span><span class="p">,</span> <span class="nx">userPath</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">resolvedPath</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">baseDir</span><span class="p">)))</span> <span class="p">{</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nf">warn</span><span class="p">({</span> <span class="na">path</span><span class="p">:</span> <span class="nx">userPath</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">Path traversal attempt detected</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">resolvedPath</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="nx">err</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="nx">userPath</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">Path resolution error</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> Build Process </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpe3ks4tqxixdqrbcmi3v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpe3ks4tqxixdqrbcmi3v.png" alt="Build process" width="800" height="174"></a></p> <p>The first step in creating an SEA is properly bundling your JavaScript. I explored several bundlers and found ESBuild offers the best balance of speed and ease of use.</p> <h4> Bundling with ESBuild </h4> <p>ESBuild prepares your application for SEA packaging through CLI or build tools.</p> <h4> Direct ESBuild Command </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx esbuild <span class="se">\</span> <span class="nt">--format</span><span class="o">=</span>cjs <span class="se">\</span> <span class="nt">--platform</span><span class="o">=</span>node <span class="se">\</span> <span class="nt">--bundle</span> <span class="se">\</span> <span class="nt">--tsconfig</span><span class="o">=</span>apps/node-sea-demo/tsconfig.app.json <span class="se">\</span> <span class="nt">--outdir</span><span class="o">=</span>dist/apps/node-sea-demo <span class="se">\</span> <span class="nt">--out-extension</span>:.js<span class="o">=</span>.js <span class="se">\</span> <span class="nt">--outfile</span><span class="o">=</span>main.js <span class="se">\</span> apps/node-sea-demo/src/main.ts </code></pre> </div> <p>Each flag serves a specific purpose:</p> <ul> <li> <code>--format=cjs</code>: SEA only works with CommonJS (no ESM yet, remember?)</li> <li> <code>--platform=node</code>: Targets Node.js environment</li> <li> <code>--bundle</code>: Rolls up all imports into a single file</li> <li> <code>--outfile</code>: Specifies the output file for the bundled code</li> </ul> <h4> Nx ESBuild plugin Configuration </h4> <p>If you're using Nx (like I do), you can configure the build in your project's configuration file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">project.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"executor"</span><span class="p">:</span><span class="w"> </span><span class="s2">"@nx/esbuild:esbuild"</span><span class="p">,</span><span class="w"> </span><span class="nl">"outputs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"{options.outputPath}"</span><span class="p">],</span><span class="w"> </span><span class="nl">"defaultConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="s2">"production"</span><span class="p">,</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"platform"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node"</span><span class="p">,</span><span class="w"> </span><span class="nl">"outputPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dist/apps/node-sea-demo"</span><span class="p">,</span><span class="w"> </span><span class="nl">"format"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"cjs"</span><span class="p">],</span><span class="w"> </span><span class="nl">"bundle"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"thirdParty"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"main"</span><span class="p">:</span><span class="w"> </span><span class="s2">"apps/node-sea-demo/src/main.ts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tsConfig"</span><span class="p">:</span><span class="w"> </span><span class="s2">"apps/node-sea-demo/tsconfig.app.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"assets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"apps/node-sea-demo/src/assets/**/*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"generatePackageJson"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"esbuildOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sourcemap"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"outExtension"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">".js"</span><span class="p">:</span><span class="w"> </span><span class="s2">".js"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Generating the Executable </h3> <p>After struggling with single executables builder tools like PKG, I was glad to discover Node.js's native SEA support. The configuration is refreshingly simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">sea-config.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"main"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dist/apps/node-sea-demo/main.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"output"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dist/apps/node-sea-demo/demo.blob"</span><span class="p">,</span><span class="w"> </span><span class="nl">"disableExperimentalSEAWarning"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"useCodeCache"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"assets"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"package.json"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dist/apps/node-sea-demo/package.json"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The executable generation process varies by platform, if you are using Nx, you can make your life easier by using my <a href="https://github.com/getlarge/nx-node-sea" rel="noopener noreferrer">plugin</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">nx.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">//...</span><span class="w"> </span><span class="nl">"plugins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"plugin"</span><span class="p">:</span><span class="w"> </span><span class="s2">"@getlarge/nx-node-sea"</span><span class="p">,</span><span class="w"> </span><span class="nl">"include"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"apps/**/*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"seaTargetName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sea-build"</span><span class="p">,</span><span class="w"> </span><span class="nl">"buildTarget"</span><span class="p">:</span><span class="w"> </span><span class="s2">"build"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>.. and then run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nx run node-sea-demo:sea-build </code></pre> </div> <p>Otherwise, you can use the following commands for each platform, see the <a href="https://nodejs.org/api/single-executable-applications.html#single-executable-applications" rel="noopener noreferrer">Node.js SEA documentation</a> for more details:</p> <h4> Linux </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate blob</span> node <span class="nt">--experimental-sea-config</span> sea-config.json <span class="c"># Copy node binary</span> <span class="nb">cp</span> <span class="si">$(</span><span class="nb">command</span> <span class="nt">-v</span> node<span class="si">)</span> dist/app/node <span class="c"># Inject blob</span> npx postject dist/app/node NODE_SEA_BLOB dist/app/demo.blob <span class="se">\</span> <span class="nt">--sentinel-fuse</span> NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 </code></pre> </div> <h4> macOS </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate blob</span> node <span class="nt">--experimental-sea-config</span> sea-config.json <span class="c"># Copy node binary</span> <span class="nb">cp</span> <span class="si">$(</span><span class="nb">command</span> <span class="nt">-v</span> node<span class="si">)</span> dist/app/node <span class="c"># Remove signature</span> codesign <span class="nt">--remove-signature</span> dist/app/node <span class="c"># Inject blob</span> npx postject dist/app/node NODE_SEA_BLOB dist/app/demo.blob <span class="se">\</span> <span class="nt">--sentinel-fuse</span> NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 <span class="se">\</span> <span class="nt">--macho-segment-name</span> NODE_SEA <span class="c"># Re-sign binary</span> codesign <span class="nt">--sign</span> - dist/app/node </code></pre> </div> <h4> Windows </h4> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="c"># Generate blob</span><span class="w"> </span><span class="n">node</span><span class="w"> </span><span class="nt">--experimental-sea-config</span><span class="w"> </span><span class="nx">sea-config.json</span><span class="w"> </span><span class="c"># Copy node binary</span><span class="w"> </span><span class="n">copy</span><span class="w"> </span><span class="nv">$</span><span class="nn">env</span><span class="p">:</span><span class="nv">ProgramFiles</span><span class="nx">\nodejs\node.exe</span><span class="w"> </span><span class="o">.</span><span class="nx">\dist\app\node.exe</span><span class="w"> </span><span class="c"># Inject blob</span><span class="w"> </span><span class="n">npx</span><span class="w"> </span><span class="nx">postject</span><span class="w"> </span><span class="nx">dist/app/node.exe</span><span class="w"> </span><span class="nx">NODE_SEA_BLOB</span><span class="w"> </span><span class="nx">dist/app/demo.blob</span><span class="w"> </span><span class="err">^</span><span class="w"> </span><span class="nt">--sentinel-fuse</span><span class="w"> </span><span class="n">NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2</span><span class="w"> </span></code></pre> </div> <blockquote> <p><strong>Note</strong>: You can't just build once and run everywhere:</p> <ul> <li>Code cache and snapshots are platform-specific</li> <li>Native modules (still) require platform-specific compilation</li> </ul> </blockquote> <h2> Docker Integration </h2> <p>As someone who's built countless Docker images for Node.js apps, I couldn't wait to see how SEA could optimize container size.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flxvc3krqupdyruw33h0p.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flxvc3krqupdyruw33h0p.gif" alt="Size Matters" width="480" height="270"></a></p> <p>I experimented with three different approaches:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2atjvj6moz1aotls41kv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2atjvj6moz1aotls41kv.png" alt="Docker images comparison chart" width="500" height="400"></a></p> <ol> <li><strong>Full Image (235MB)</strong></li> </ol> <ul> <li>Uses complete Node.js runtime</li> <li>Includes OS dependencies</li> <li>Simplest to build and debug</li> </ul> <ol> <li> <strong>Minimal Image (156MB)</strong> <ul> <li>Uses scratch as base</li> <li>Includes only essential OS dependencies</li> <li>Smallest possible footprint</li> </ul> </li> </ol> <p>That 156MB image size might not seem impressive compared to Go or Rust applications' Docker image, but it's a dramatic improvement over the typical 800MB+ Node.js image!</p> <h3> Full image </h3> <ol> <li>Uses full Node.js runtime - Contains development dependencies (OS)</li> <li>Create dedicated user (always good)</li> <li>Copy ESBuild bundle and change permissions</li> <li>No need to install deps, dependencies are bundled</li> <li>Run the app with node </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> docker.io/node:lts-alpine</span> <span class="k">ENV</span><span class="s"> HOST=0.0.0.0</span> <span class="k">ENV</span><span class="s"> PORT=3000</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">RUN </span>addgroup <span class="nt">--system</span> node-sea-demo <span class="o">&amp;&amp;</span> <span class="se">\ </span> adduser <span class="nt">--system</span> <span class="nt">-G</span> node-sea-demo node-sea-demo <span class="k">COPY</span><span class="s"> dist/apps/node-sea-demo node-sea-demo/</span> <span class="k">RUN </span><span class="nb">chown</span> <span class="nt">-R</span> node-sea-demo:node-sea-demo . <span class="k">CMD</span><span class="s"> [ "node", "node-sea-demo" ]</span> </code></pre> </div> <h3> Minimal image </h3> <ol> <li>alpine to start and dependencies to build</li> <li>Install glibc for proper library copying</li> <li>copy bundled code and SEA config</li> <li>Bundle and remove debugging information ( # Strip the binary to remove debug symbols)</li> <li>Uses scratch as a base image,</li> <li>Eliminates unnecessary OS files</li> <li>Include minimal OS dependencies (loader) and copy the Node.js SEA executable</li> <li>Run the standalone executable </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">node:lts-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">build</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">RUN </span>apk add <span class="nt">--no-cache</span> build-base python3 <span class="k">RUN </span>wget <span class="nt">-q</span> <span class="nt">-O</span> /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub <span class="o">&amp;&amp;</span> <span class="se">\ </span> wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.35-r1/glibc-2.35-r1.apk <span class="o">&amp;&amp;</span> <span class="se">\ </span> apk add <span class="nt">--no-cache</span> glibc-2.35-r1.apk <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">rm </span>glibc-2.35-r1.apk <span class="k">COPY</span><span class="s"> dist/apps/node-sea-demo dist/apps/node-sea-demo</span> <span class="k">COPY</span><span class="s"> apps/node-sea-demo/sea-config.json .</span> <span class="c"># Create the SEA bundle and verify the file exists and is executable</span> <span class="k">RUN </span>node <span class="nt">--experimental-sea-config</span> sea-config.json <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">cp</span> <span class="si">$(</span><span class="nb">command</span> <span class="nt">-v</span> node<span class="si">)</span> dist/apps/node-sea-demo/node <span class="o">&amp;&amp;</span> <span class="se">\ </span> npx postject dist/apps/node-sea-demo/node NODE_SEA_BLOB dist/apps/node-sea-demo/node-sea-demo.blob <span class="nt">--sentinel-fuse</span> NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">chmod</span> +x dist/apps/node-sea-demo/node <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="c"># # Strip the binary to remove debug symbols</span> strip dist/apps/node-sea-demo/node <span class="c"># Create directory structure for dependencies</span> <span class="k">RUN </span><span class="nb">mkdir</span> <span class="nt">-p</span> deps <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="c"># Copy all required shared libraries</span> ldd dist/apps/node-sea-demo/node | grep "=&gt; /" | awk '{print $3}' | \ xargs -I '{}' cp -L '{}' deps/ &amp;&amp; \ # Copy additional required files cp /lib/ld-linux-*.so.* deps/ &amp;&amp; \ # Create necessary symlinks mkdir -p deps/lib64 &amp;&amp; \ cp /lib/ld-linux-*.so.* deps/lib64/ <span class="k">FROM</span><span class="s"> scratch</span> <span class="k">COPY</span><span class="s"> --from=build /app/deps /lib/</span> <span class="c"># Ensure lib64 exists and has the loader</span> <span class="k">COPY</span><span class="s"> --from=build /app/deps/lib64 /lib64/</span> <span class="c"># Copy the Node.js SEA executable</span> <span class="k">COPY</span><span class="s"> --from=build /app/dist/apps/node-sea-demo/node /app/node</span> <span class="k">ENV</span><span class="s"> HOST=0.0.0.0</span> <span class="k">ENV</span><span class="s"> PORT=3000</span> <span class="k">EXPOSE</span><span class="s"> ${PORT}</span> <span class="k">ENTRYPOINT</span><span class="s"> [ "/app/node" ]</span> </code></pre> </div> <h2> Performance Benchmarks </h2> <p>Using the <code>useCodeCache</code> option offers a dual benefit of better performance and slightly improved code protection.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">sea-config.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"useCodeCache"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Enable</span><span class="w"> </span><span class="err">code</span><span class="w"> </span><span class="err">caching</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>I ran some benchmarks to see how the application performs when:</p> <ul> <li>regular Node.js (no SEA)</li> <li>running with code cache enabled</li> <li>running without code cache</li> </ul> <p>Here's what I found:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fslm4p0oifv4dcur69rs4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fslm4p0oifv4dcur69rs4.png" alt="SEA performance benchmark chart" width="700" height="400"></a></p> <p>The results surprised me:</p> <ul> <li>Code cache improved startup time by ~7%</li> <li>Blob size increased by only ~7% with code cache enabled</li> <li>Cold starts showed significant variance (typical for any Node.js app)</li> <li>Hot starts were consistently faster with code cache</li> </ul> <h3> How Code Cache Works </h3> <p>When JavaScript code is executed, V8 (Node.js's JavaScript engine) compiles it to bytecode before execution. This compilation takes time. Code cache stores this pre-compiled bytecode, allowing V8 to skip the compilation step on subsequent runs.</p> <p>The performance improvement is most noticeable for:</p> <ul> <li>Application startup time (as shown in our benchmarks)</li> <li>Cold starts in serverless environments</li> <li>Complex codebase with many dependencies</li> </ul> <blockquote> <p>For most applications, I'd definitely recommend enabling code cache despite the slight size increase.</p> </blockquote> <h2> The Reality of Code Protection </h2> <p>One question that frequently comes up when discussing SEA is:</p> <blockquote> <p><em>"Are our source code and proprietary algorithms safe inside the executable?"</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiohp6sutygjn38gw7y74.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiohp6sutygjn38gw7y74.gif" alt="You have my attention" width="500" height="281"></a></p> <p>While SEA bundles your code inside the Node.js binary, it's important to understand that <strong>this is not true obfuscation</strong>. Let me demonstrate why.</p> <h3> Extracting Code from SEA Executables </h3> <p>As said already, a SEA is a Node.js binary with your code injected as a resource section. With the right tools, extracting this section is relatively straightforward.</p> <p>On macOS, extracting code from a SEA executable is a bit more involved than on Linux due to the Mach-O binary format. Here's a demo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. First, examine the Mach-O headers to locate the NODE_SEA segment</span> otool <span class="nt">-l</span> dist/apps/node-sea-demo/node | <span class="nb">grep</span> <span class="nt">-A</span> 20 NODE_SEA <span class="c"># 2. Note the offset, size, and address of the NODE_SEA segment</span> <span class="c"># The output will show something like:</span> segname NODE_SEA vmaddr 0x0000000104e20000 vmsize 0x0000000000254000 fileoff 81739776 filesize 2432242 maxprot 0x00000001 initprot 0x00000001 nsects 1 flags 0x0 Section sectname __NODE_SEA_BLOB segname NODE_SEA <span class="c"># ...</span> <span class="c"># 3. Extract the segment using dd, extract from the offset &lt;fileoff&gt; and size &lt;filesize&gt;</span> <span class="nb">dd </span><span class="k">if</span><span class="o">=</span>your-sea-app <span class="nv">of</span><span class="o">=</span>extracted.blob <span class="nv">bs</span><span class="o">=</span>1 <span class="nv">skip</span><span class="o">=</span>81739776 <span class="nv">count</span><span class="o">=</span>2432242 </code></pre> </div> <h3> Examining the Extracted Content </h3> <p>Once extracted, the blob contains the bundled JavaScript code in a readable format. Let's see what it actually looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Look for readable strings</span> strings extracted.blob | less <span class="c"># For function declarations</span> strings extracted.blob | <span class="nb">grep</span> <span class="nt">-A</span> 10 <span class="s2">"function"</span> | less <span class="c"># Targeting assets</span> strings extracted.blob | <span class="nb">grep</span> <span class="nt">-A</span> 10 <span class="s2">"assets"</span> | less </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5upowf3scvel7f0ow5sy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5upowf3scvel7f0ow5sy.png" alt="Code extraction screenshot" width="800" height="436"></a></p> <blockquote> <p>Amazing, right?</p> </blockquote> <p>As you can see, the original source code remains largely intact and readable. This is why relying solely on SEA for code protection is insufficient for truly sensitive intellectual property.</p> <h3> How can we protect our code? </h3> <p>For genuinely sensitive code, I recommend a multi-layered approach:</p> <ol> <li>Use SEA with Bytenode for basic protection (be aware it was already <a href="https://swarm.ptsecurity.com/how-we-bypassed-bytenode-and-decompiled-node-js-bytecode-in-ghidra/" rel="noopener noreferrer">reversed engineered</a>)</li> <li>Keep truly sensitive algorithms on a secure server accessed via API</li> <li>Consider legal protections (contracts, terms of service)</li> </ol> <blockquote> <p><strong>Remember</strong>: no code shipped to a client's machine can ever be 100% protected against a determined adversary with sufficient resources and time.</p> </blockquote> <h2> Conclusion </h2> <p>Node.js Single Executable Applications have transformed how I deliver Node.js applications, offering:</p> <ul> <li>Improved deployment reliability</li> <li>Better security through bundling</li> <li>Reduced environmental dependencies</li> <li>Optimized resource usage</li> </ul> <p>After years of dubious deployment strategy, I can now distribute my Node.js applications as single files that "just work" on the target system.</p> <p>Want to try it yourself? Here are some next steps:</p> <ol> <li>Experiment with the provided example application</li> <li>Evaluate SEA for your specific use cases</li> <li>Implement in your CI/CD pipeline</li> <li>Join the Node.js SEA community and contribute!</li> </ol> <p>If you have questions or want to share your SEA experiences, drop a comment below or reach out to me on <a href="https://www.linkedin.com/in/edouard-maleix/" rel="noopener noreferrer">Linkedin</a> or <a href="https://github.com/getlarge" rel="noopener noreferrer">GitHub</a>.</p> <div class="ltag__user ltag__user__id__1253749"> <a href="/getlarge" class="ltag__user__link profile-image-link"> <div class="ltag__user__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1253749%2Fc4b87a1b-784c-491c-ab9e-1cd2a4df299c.jpeg" alt="getlarge image"> </div> </a> <div class="ltag__user__content"> <h2> <a class="ltag__user__link" href="/getlarge">Edouard Maleix</a>Follow </h2> <div class="ltag__user__summary"> <a class="ltag__user__link" href="/getlarge">I am a Senior Software Engineer, focusing on distributed systems, application security and developer productivity/creativity. Based in Vienna 🥐, Austria.</a> </div> </div> </div> node tutorial devops docker