Write Once

I wrote a CDC engine that parses MySQL binlog. C++ core, Node.js N-API binding, distributed via npm. But N-API means native addons. linux-x64, darwin-arm64, win32-x64 — a separate binary for each platform, bundled into the package. GitHub Actions runs a matrix build. prebuildify generates the binaries. The CI pipeline grows with every OS and architecture combination.

I wanted WASM. One .wasm file for every platform. No matrix builds. The core parser is already designed to be WASM-compatible. But the BinlogClient opens TCP sockets, spawns threads, and reads the stream with blocking I/O. WASM doesn't have sockets. The technology I wanted for easier distribution couldn't accept input.

I've seen this dream before.

Java said it first. Write Once, Run Anywhere. It stormed the browser with applets, left behind gray rectangles and thirty-second startup times, and vanished. Go was supposed to eliminate distribution headaches with single binaries — until you touch CGO and cross-compilation breaks. C# went from Mono to .NET Core to MAUI, reinventing itself each time, still not there. WASM is the latest iteration. WASI is working on socket and thread abstractions. The spec is still in preview.

Every generation says "this time." Every generation hits the same wall. OS differences, runtime differences, I/O model differences. Each new layer of abstraction just moves where the leaks show up.

Even if WASM had worked, there's another problem. .wasm and .node files are binaries. The source code is on GitHub, but nothing guarantees that the binary you get from npm install was built from that source. Reproducing the build locally means reproducing the CI environment exactly. That's not realistic.

In 2018, malware was injected into the npm package event-stream. The maintainer handed repository access to a trusted third party, and malicious code slipped in. That was JavaScript — you could read the source and catch it. If the same thing happens to a native addon or a WASM module distributed as a binary, who verifies it?

Sigstore, SLSA, Artifact Attestations — the tools exist. But I don't know anyone who checks attestations every time they run npm install.

Chasing "runs anywhere" led to "no idea what's running."

My CDC engine ships binaries for six platforms. I attached npm provenance too. Sigstore signs the build origin, the signature ships with the package. The right thing to do. Whether anyone checks it when they npm install — I wouldn't know.