Open-Source Wikis

/

Node.js

/

Vendored dependencies and build

nodejs/node

Vendored dependencies and build

Node.js bundles every dependency it needs into deps/ and builds them as part of the project. This page is the directory of vendored libraries, why each is there, and how the build wires them together.

Vendored libraries

Directory Upstream / Description Used by Updater
deps/v8/ The V8 JavaScript engine the runtime tools/dep_updaters/update-v8.sh
deps/uv/ libuv: cross-platform async I/O loop every async path tools/dep_updaters/update-uv.sh
deps/openssl/ OpenSSL or BoringSSL crypto, tls, https, http2, quic .github/workflows/update-openssl.yml
deps/ncrypto/ Node's wrapper crate over OpenSSL src/crypto/ (in-tree)
deps/llhttp/ HTTP/1.1 parser (nodejs/llhttp) http, https tools/dep_updaters/update-llhttp.sh
deps/nghttp2/ HTTP/2 implementation http2 tools/dep_updaters/update-nghttp2.sh
deps/ngtcp2/ QUIC + nghttp3 (HTTP/3) quic, experimental HTTP/3 (within ngtcp2 dir)
deps/ada/ WHATWG URL parser URL, URLPattern, fetch tools/dep_updaters/update-ada.sh
deps/simdjson/ SIMD-accelerated JSON parser --experimental-config-file tools/dep_updaters/update-simdjson.sh
deps/icu-small/ ICU (Unicode/i18n) Intl, URL, String, RegExp ICU tools/dep_updaters/update-icu.sh
deps/sqlite/ SQLite amalgamation node:sqlite tools/dep_updaters/update-sqlite.sh
deps/uvwasi/ uvwasi WASI runtime node:wasi (within uvwasi dir)
deps/zlib/ zlib zlib tools/dep_updaters/update-zlib.sh
deps/zstd/ Zstandard zlib (zstd subset) tools/dep_updaters/update-zstd.sh
deps/brotli/ Brotli zlib (brotli) tools/dep_updaters/update-brotli.sh
deps/cares/ c-ares: DNS resolver dns.resolve* tools/dep_updaters/update-cares.sh
deps/libffi/ libffi node:ffi tools/dep_updaters/update-libffi.sh
deps/undici/ Fetch / HTTP client by Node globalThis.fetch, WebSocket tools/dep_updaters/update-undici.sh
deps/amaro/ TypeScript stripper (SWC, Rust) --experimental-strip-types tools/dep_updaters/update-amaro.sh
deps/acorn/ Acorn parser (legacy code paths) a few JS-side spots tools/dep_updaters/update-acorn.sh
deps/cjs-module-lexer/ CJS named-export detection require(esm) interop tools/dep_updaters/update-cjs-module-lexer.sh
deps/corepack/ Corepack package-manager dispatcher shipped binary tools/dep_updaters/update-corepack.sh
deps/npm/ npm shipped binary (vendor / npm release)
deps/inspector_protocol/ Inspector wire-protocol generator src/inspector/ tools/inspector_protocol/
deps/perfetto/ Perfetto trace SDK trace_events (in-tree)
deps/postject/ Inject sections into ELF/Mach-O/PE SEA tools/dep_updaters/update-postject.sh
deps/LIEF/ ELF/Mach-O/PE manipulation SEA code-sign tooling tools/dep_updaters/update-lief.sh
deps/googletest/ googletest cctest tools/dep_updaters/update-googletest.sh
deps/histogram/ HdrHistogram perf_hooks (in-tree)
deps/minimatch/ minimatch fs.glob tools/dep_updaters/update-minimatch.sh
deps/nbytes/ nbytes (number-to-byte helpers) Buffer, crypto tools/dep_updaters/update-nbytes.sh
deps/merve/ Merve helpers (specific subsystem) (in-tree)
deps/crates/ Rust crates linked to the binary TypeScript stripper, future Rust deps (in-tree)

How the build assembles them

graph TD
    cfg[configure.py] --> gypi[config.gypi]
    gypi --> ngyp[node.gyp]
    ngyp --> deps[deps/v8/v8.gyp, libuv.gyp, openssl.gyp, ada.gyp, ...]
    ngyp --> srcs[src/*.cc]
    deps --> compile[per-target compile]
    srcs --> compile
    compile --> link[link node binary]
    link --> mks[run node_mksnapshot]
    mks --> snap[startup snapshot]
    snap --> link2[relink node binary with snapshot]
    link2 --> bin[node]
  • Each vendored dependency carries its own *.gyp describing how to compile it.
  • node.gyp includes those gyp files via the deps/ paths and produces a single node binary.
  • tools/js2c.cc runs as part of the build to embed all the JS sources.
  • node_mksnapshot runs a stripped-down Node to produce the V8 snapshot, which is then re-linked into the final binary.

Switches

./configure --help lists every "use system" toggle:

  • --shared-openssl, --shared-zlib, --shared-cares, --shared-libuv, --shared-nghttp2, --shared-brotli, --shared-ada, --shared-simdjson, --shared-sqlite, etc.

When toggled, the build links against the system library instead of compiling the bundled source. Distros such as Debian and Fedora use these to avoid duplicating large libraries.

Updating a vendored dep

  1. Run the matching tools/dep_updaters/update-*.sh (or follow doc/contributing/maintaining/maintaining-<name>.md).
  2. Verify the build, run targeted tests.
  3. PR with subsystem: deps: prefix and the upstream version in the commit message.
  4. The Security WG owns updates that touch the OpenSSL or QUIC stacks.

The automated workflows under .github/workflows/tools.yml open PRs when upstreams release.

See also

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Vendored dependencies and build – Node.js wiki | Factory