Description
Hi C2PA Node team!
This package currently downloads platform-specific binaries in its postinstall script, which can cause issues in a few cases (network-isolated CI environments, PnP solutions, hardened networks, etc.) and generally increases the risk of supply chain attacks. Would you be able to please additionally set up platform-specific optional NPM dependencies, which can be downloaded and distributed by the package manager itself?
The generally recommended workflow is to have both setups in place: optional dependencies as a first attempt, and downloading in a postinstall as a backup only if the binary doesn't already exist (the download being all this package currently does). Sentry have written an article about this exact setup, how to do it, and the reasons for doing it this way. https://sentry.engineering/blog/publishing-binaries-on-npm
Thank you! :)