Add support for nodejs-mobile

[jaimecbernardo]

Hi,
nodejs-mobile is a fork of node used to run Node.js applications on Android and iOS.

It also allows building and running native modules. For this, it tries to use nodejs-mobile-gyp instead of node-gyp. The way it does this is setting the npm_config_node_gyp to point to nodejs-mobile-gyp. However, npm, since v7+, has started overwriting this environment variable before passing it to modules, such as node-pre-gyp.

This PR makes it so we check for the NODEJS_MOBILE_GYP environment variable to try to set node_gyp's location before trying the other methods. This variable is already used in some projects related to nodejs-mobile, so we decided to pick it:
https://github.com/nodejs-mobile/prebuild-for-nodejs-mobile/blob/44687f6cb4c0375e0f4ef063ce3321350f159241/bin.js#L367
https://github.com/nodejs-mobile/nodejs-mobile-react-native/blob/794f395152f25d1c5ccf9cc794eafa8ce58ad541/scripts/ios-build-native-modules.sh#L116
https://github.com/nodejs-mobile/nodejs-mobile-react-native/blob/794f395152f25d1c5ccf9cc794eafa8ce58ad541/android/build.gradle#L433
https://github.com/okhiroyuki/nodejs-mobile-cordova/blob/9d02c76700bba851241922d7632555546b4ee771/src/android/build.gradle#L243

The original motivation for this change was building sqlite3, which uses "@mapbox/node-pre-gyp", for nodejs-mobile. This is currently possible by adding this overrides field to a package.json of a project that's using sqlite3, but in theory it should help improve compatibility with other modules as well:

  "overrides": {
    "sqlite3": {
      "@mapbox/node-pre-gyp": "github:JaneaSystems/mapbox-node-pre-gyp#add-support-for-nodejs-mobile"
    }
  }

We'd consider this change would be safe for current uses, since in theory a process which sets an environment variable called NODEJS_MOBILE_GYP is likely to want to build for nodejs-mobile.

@staltz , FYI, since this information may help unblock building other modules in nodejs-mobile.

[cclauss]

Trying to understand... Does this enable me to set an environment variable that switches node-gyp to be any executable I choose? Would that be a vast attack vector?

[jaimecbernardo]

Good question 🤔
I suppose in theory yes, but if you check the code for the whole function, you get this code right after my addition:

  if (process.env.npm_config_node_gyp) {
    try {
      node_gyp_bin = process.env.npm_config_node_gyp;
      if (existsSync(node_gyp_bin)) {
        return node_gyp_bin;
      }
    } catch (err) {
      // do nothing
    }
  }

This addition follows the pattern that exists already in the code, just with a different environment variable, which is what is used in Node.js mobile.

[jaimecbernardo]

Here's a direct link that opens the diff showing the code next to it opened as well: https://github.com/mapbox/node-pre-gyp/pull/704/files/cd5f1b4c0ca0b2b14a7d650441c3a9bff4150a6e#diff-b5f34a62c1cecd1c9964561345faa126b26e2bd642a1f67ee6bbe6a9931bb972R32-R41

[jaimecbernardo]

Please rebase now that #900 has been merged and our GitHub Actions are passing again.

• Upgrade tar-fs && npm install && npm audit fix #900

@cclauss , just rebased, thank you for the review!