nodejs/node
Vendored dependencies and build
Node.js bundles every dependency it needs into deps/ and builds them as part of the project. This page is the directory of vendored libraries, why each is there, and how the build wires them together.
Vendored libraries
| Directory | Upstream / Description | Used by | Updater |
|---|---|---|---|
deps/v8/ |
The V8 JavaScript engine | the runtime | tools/dep_updaters/update-v8.sh |
deps/uv/ |
libuv: cross-platform async I/O loop | every async path | tools/dep_updaters/update-uv.sh |
deps/openssl/ |
OpenSSL or BoringSSL | crypto, tls, https, http2, quic |
.github/workflows/update-openssl.yml |
deps/ncrypto/ |
Node's wrapper crate over OpenSSL | src/crypto/ |
(in-tree) |
deps/llhttp/ |
HTTP/1.1 parser (nodejs/llhttp) | http, https |
tools/dep_updaters/update-llhttp.sh |
deps/nghttp2/ |
HTTP/2 implementation | http2 |
tools/dep_updaters/update-nghttp2.sh |
deps/ngtcp2/ |
QUIC + nghttp3 (HTTP/3) | quic, experimental HTTP/3 |
(within ngtcp2 dir) |
deps/ada/ |
WHATWG URL parser | URL, URLPattern, fetch |
tools/dep_updaters/update-ada.sh |
deps/simdjson/ |
SIMD-accelerated JSON parser | --experimental-config-file |
tools/dep_updaters/update-simdjson.sh |
deps/icu-small/ |
ICU (Unicode/i18n) | Intl, URL, String, RegExp ICU |
tools/dep_updaters/update-icu.sh |
deps/sqlite/ |
SQLite amalgamation | node:sqlite |
tools/dep_updaters/update-sqlite.sh |
deps/uvwasi/ |
uvwasi WASI runtime | node:wasi |
(within uvwasi dir) |
deps/zlib/ |
zlib | zlib |
tools/dep_updaters/update-zlib.sh |
deps/zstd/ |
Zstandard | zlib (zstd subset) |
tools/dep_updaters/update-zstd.sh |
deps/brotli/ |
Brotli | zlib (brotli) |
tools/dep_updaters/update-brotli.sh |
deps/cares/ |
c-ares: DNS resolver | dns.resolve* |
tools/dep_updaters/update-cares.sh |
deps/libffi/ |
libffi | node:ffi |
tools/dep_updaters/update-libffi.sh |
deps/undici/ |
Fetch / HTTP client by Node | globalThis.fetch, WebSocket |
tools/dep_updaters/update-undici.sh |
deps/amaro/ |
TypeScript stripper (SWC, Rust) | --experimental-strip-types |
tools/dep_updaters/update-amaro.sh |
deps/acorn/ |
Acorn parser (legacy code paths) | a few JS-side spots | tools/dep_updaters/update-acorn.sh |
deps/cjs-module-lexer/ |
CJS named-export detection | require(esm) interop |
tools/dep_updaters/update-cjs-module-lexer.sh |
deps/corepack/ |
Corepack package-manager dispatcher | shipped binary | tools/dep_updaters/update-corepack.sh |
deps/npm/ |
npm | shipped binary | (vendor / npm release) |
deps/inspector_protocol/ |
Inspector wire-protocol generator | src/inspector/ |
tools/inspector_protocol/ |
deps/perfetto/ |
Perfetto trace SDK | trace_events |
(in-tree) |
deps/postject/ |
Inject sections into ELF/Mach-O/PE | SEA | tools/dep_updaters/update-postject.sh |
deps/LIEF/ |
ELF/Mach-O/PE manipulation | SEA code-sign tooling | tools/dep_updaters/update-lief.sh |
deps/googletest/ |
googletest | cctest |
tools/dep_updaters/update-googletest.sh |
deps/histogram/ |
HdrHistogram | perf_hooks |
(in-tree) |
deps/minimatch/ |
minimatch | fs.glob |
tools/dep_updaters/update-minimatch.sh |
deps/nbytes/ |
nbytes (number-to-byte helpers) | Buffer, crypto |
tools/dep_updaters/update-nbytes.sh |
deps/merve/ |
Merve helpers | (specific subsystem) | (in-tree) |
deps/crates/ |
Rust crates linked to the binary | TypeScript stripper, future Rust deps | (in-tree) |
How the build assembles them
graph TD
cfg[configure.py] --> gypi[config.gypi]
gypi --> ngyp[node.gyp]
ngyp --> deps[deps/v8/v8.gyp, libuv.gyp, openssl.gyp, ada.gyp, ...]
ngyp --> srcs[src/*.cc]
deps --> compile[per-target compile]
srcs --> compile
compile --> link[link node binary]
link --> mks[run node_mksnapshot]
mks --> snap[startup snapshot]
snap --> link2[relink node binary with snapshot]
link2 --> bin[node]- Each vendored dependency carries its own
*.gypdescribing how to compile it. node.gypincludes those gyp files via thedeps/paths and produces a singlenodebinary.tools/js2c.ccruns as part of the build to embed all the JS sources.node_mksnapshotruns a stripped-down Node to produce the V8 snapshot, which is then re-linked into the final binary.
Switches
./configure --help lists every "use system" toggle:
--shared-openssl,--shared-zlib,--shared-cares,--shared-libuv,--shared-nghttp2,--shared-brotli,--shared-ada,--shared-simdjson,--shared-sqlite, etc.
When toggled, the build links against the system library instead of compiling the bundled source. Distros such as Debian and Fedora use these to avoid duplicating large libraries.
Updating a vendored dep
- Run the matching
tools/dep_updaters/update-*.sh(or followdoc/contributing/maintaining/maintaining-<name>.md). - Verify the build, run targeted tests.
- PR with
subsystem: deps:prefix and the upstream version in the commit message. - The Security WG owns updates that touch the OpenSSL or QUIC stacks.
The automated workflows under .github/workflows/tools.yml open PRs when upstreams release.
See also
- Bootstrap and startup — for
tools/snapshot/and the snapshot pipeline. - Node-API — for how vendored deps appear to native addons.
- Reference › dependencies — terse dependency catalog.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.