nodejs: fix checkPhase with `sandbox=relaxed` on Darwin by al3xtjames · Pull Request #425699 · NixOS/nixpkgs

al3xtjames · 2025-07-16T06:38:25Z

The following tests fail on Darwin with the sandbox enabled:

not ok 2612 parallel/test-runner-output
not ok 3053 parallel/test-tls-get-ca-certificates-system
not ok 3054 parallel/test-tls-get-ca-certificates-system-without-flag
not ok 3363 parallel/test-watch-file-shared-dependency
not ok 4057 parallel/test-runner-complex-dependencies
not ok 4058 parallel/test-runner-global-setup-watch-mode
not ok 4228 sequential/test-watch-mode-watch-flags

Node.js uses Security.framework to read the system CA certificates from the system keychain on Darwin. Fix the tls-get-ca-certificates-system tests by adding the files and Mach services used by Security.framework to the sandbox profile. Also allow the FSEvents Mach service as the runner and watch tests use FSEvents on Darwin.

Also patch test-macos-app-sandbox to use codesign from sigtool, which allows it to work with the sandbox enabled.

Fixes: #423244

Things done

Add a 👍 reaction to pull requests you find important.

aduh95 · 2025-07-16T09:15:57Z

Can you fix the commit message to use nodejs: instead of node: please? And ideally replace Node with Node.js

ofalvai

Thank you for investigating this long-standing issue 🚀

aduh95

I'm not affected by the test failures, so I can't confirm it solves it, but the changes LGTM

aduh95 · 2025-08-13T09:43:03Z

@al3xtjames any chance you could fix the conflicts here please?

aduh95 · 2025-08-19T08:15:08Z

Any chance we could get this merged? /cc @FliegendeWurst @dasJ @drupol

aduh95 · 2025-08-30T06:13:38Z

@al3xtjames can you rebase to fix the conflicts please?

This is no longer needed now that apple-sdk_11 is the default SDK.

test-macos-app-sandbox uses the system-provided codesign binary (/usr/bin/codesign) to apply entitlements to an app bundle. This fails in the sandbox as /usr/bin/codesign is not accessible. Patch the test to instead use the codesign binary from sigtool. The test was updated to pass the executable path to codesign as sigtool can't handle the bundle path.

The following tests fail on Darwin with the sandbox enabled [1]: not ok 2612 parallel/test-runner-output not ok 3053 parallel/test-tls-get-ca-certificates-system not ok 3054 parallel/test-tls-get-ca-certificates-system-without-flag not ok 3363 parallel/test-watch-file-shared-dependency not ok 4057 parallel/test-runner-complex-dependencies not ok 4058 parallel/test-runner-global-setup-watch-mode not ok 4228 sequential/test-watch-mode-watch-flags Node.js uses Security.framework to read the system CA certificates from the system keychain on Darwin. Fix the tls-get-ca-certificates-system tests by adding the files and Mach services used by Security.framework to the sandbox profile. Also allow the FSEvents Mach service as the runner and watch tests use FSEvents on Darwin. [1]: https://gist.github.com/al3xtjames/0eb3c30d37c1ebab99968c62ee544300

aduh95 · 2025-08-30T07:41:07Z

Any chance we could get this merged? /cc @dasJ @fabianhjr

fabianhjr · 2025-08-30T15:56:59Z

Can't test on darwin but going by the two previous approvals

aduh95 · 2025-08-31T16:32:46Z

@al3xtjames do you think the failure in https://hydra.nixos.org/build/306435782 could be related to this PR?

al3xtjames · 2025-08-31T17:45:14Z

Hmm, e2e1617 builds fine on my local machine. I can reproduce the failure if I comment out ++ gypPatches here though: https://github.com/NixOS/nixpkgs/blob/staging-next/pkgs/development/web/nodejs/v22.nix#L56

vcunat · 2025-08-31T18:00:24Z

I think that darwin builders on hydra.nixos.org are unsandboxed. (I'm trying to stay away from darwin-specific stuff.)

aduh95 · 2025-08-31T22:07:31Z

I've opened nodejs/gyp-next#311 to hopefully fix the error

vcunat · 2025-09-01T09:08:00Z

So we now apply this to staging-next's nodejs* as a patch conditional for darwin?

aduh95 · 2025-09-01T10:05:32Z

I've opened #439129

ofborg bot added the 6.topic: darwin Running or building packages on Darwin label Jul 16, 2025

nix-owners bot requested a review from aduh95 July 16, 2025 06:45

al3xtjames changed the title ~~node: fix checkPhase with sandbox=relaxed on Darwin~~ node: fix checkPhase with sandbox=relaxed on Darwin Jul 16, 2025

al3xtjames force-pushed the node-darwin branch from 38b0eaa to 8b6a605 Compare July 16, 2025 23:54

al3xtjames changed the title ~~node: fix checkPhase with sandbox=relaxed on Darwin~~ nodejs: fix checkPhase with sandbox=relaxed on Darwin Jul 16, 2025

aduh95 mentioned this pull request Jul 18, 2025

nodejs_24: 24.4.0 -> 24.4.1 #425602

Merged

13 tasks

ofalvai approved these changes Jul 23, 2025

View reviewed changes

nixpkgs-ci bot added 12.approvals: 1 This PR was reviewed and approved by one person. 2.status: merge conflict This PR has merge conflicts with the target branch labels Jul 23, 2025

al3xtjames force-pushed the node-darwin branch from 8b6a605 to e3e1ac9 Compare July 29, 2025 15:35

nixpkgs-ci bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Jul 29, 2025

aduh95 approved these changes Jul 29, 2025

View reviewed changes

nixpkgs-ci bot added the 2.status: merge conflict This PR has merge conflicts with the target branch label Aug 7, 2025

al3xtjames force-pushed the node-darwin branch from e3e1ac9 to c6913c6 Compare August 14, 2025 05:05

al3xtjames mentioned this pull request Aug 19, 2025

nodejs: fix hardcoded values in GYP script #434742

Merged

13 tasks

aduh95 approved these changes Aug 19, 2025

View reviewed changes

nixpkgs-ci bot added the 2.status: merge conflict This PR has merge conflicts with the target branch label Aug 28, 2025

al3xtjames added 3 commits August 30, 2025 01:26

nodejs: drop v8 instrumentation patch

cbb3c85

This is no longer needed now that apple-sdk_11 is the default SDK.

al3xtjames force-pushed the node-darwin branch from c6913c6 to 8362b18 Compare August 30, 2025 06:28

nixpkgs-ci bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Aug 30, 2025

aduh95 approved these changes Aug 30, 2025

View reviewed changes

fabianhjr merged commit 45859bf into NixOS:staging Aug 30, 2025
28 of 31 checks passed

aduh95 mentioned this pull request Aug 31, 2025

nodejs_22: 22.18.0 -> 22.19.0 #438035

Merged

13 tasks

Uh oh!

Conversation

al3xtjames commented Jul 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Things done

Uh oh!

aduh95 commented Jul 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ofalvai left a comment

Choose a reason for hiding this comment

Uh oh!

aduh95 left a comment

Choose a reason for hiding this comment

Uh oh!

aduh95 commented Aug 13, 2025

Uh oh!

aduh95 commented Aug 19, 2025

Uh oh!

aduh95 commented Aug 30, 2025

Uh oh!

aduh95 commented Aug 30, 2025

Uh oh!

fabianhjr commented Aug 30, 2025

Uh oh!

Uh oh!

aduh95 commented Aug 31, 2025

Uh oh!

al3xtjames commented Aug 31, 2025

Uh oh!

vcunat commented Aug 31, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

aduh95 commented Aug 31, 2025

Uh oh!

vcunat commented Sep 1, 2025

Uh oh!

aduh95 commented Sep 1, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

al3xtjames commented Jul 16, 2025 •

edited

Loading

aduh95 commented Jul 16, 2025 •

edited

Loading

vcunat commented Aug 31, 2025 •

edited

Loading