nodejs: statically link libstdc++/libgcc on Linux for portable .node

[ligon]

Summary

• Statically link libstdc++ and libgcc into the Linux .node addon by default,
  behind an opt-out CMake option (LBUG_NODEJS_STATIC_LIBSTDCXX).

Why

The published lbugjs.node for Linux dynamically links libstdc++, requiring
at least GLIBCXX_3.4.31. The package therefore fails to load on every
stable distro whose system libstdc++ predates the GitHub-hosted runner's:
Debian 12 (≤3.4.30), Ubuntu 22.04 (≤3.4.30), RHEL 8/9 family.

Users hit:

Error: /lib/aarch64-linux-gnu/libstdc++.so.6: version `GLIBCXX_3.4.31' not found
(required by .../@ladybugdb/core/lbugjs.node)
code: 'ERR_DLOPEN_FAILED'

The liblbug.a static lib already statically links its own libstdc++ via
the compat (manylinux_2_28 + gcc-toolset-13) build; only the addon shim
was leaking the GLIBCXX dependency.

Result

Locally verified on Debian 12 ARM (linux-aarch64). After this change,
ldd lbugjs.node shows only libc, libm, and ld-linux — no libstdc++
dependency, no GLIBCXX version requirement. Binary grows from ~22 MB to
~36 MB (embedded libstdc++), but loads on any glibc-based Linux.

Test plan

• CI (nodejs-workflow.yml) passes on linux-x64 and linux-arm64
• Resulting .node depends only on libc/libm/ld (ldd check)
• Smoke test on Debian 12 / Ubuntu 22.04

[aheev]

maybe we could just use manylinux for building nodejs addon too 🤔

[adsharma]

LDFLAGS: "-static-libstdc++"

is key here. Without it, the manylinux builds will also have the same issue.

The static linking fixes the end user headache, but it also opens up a security issue. Every CVE in libstdc++ requires shipping new nodejs binaries. The Linux distro people are against it.

One compromise is to mark these nodjes binaries as compat and configure RPM and DEB packages to turn off static linking.

[adsharma]

Also, is -static-libgcc really needed for fixing this issue?

[ligon]

The packagers are clearly in a situation where they know and control a lot in terms of what libraries are available, so turning off static linking there seems not like a compromise but sensible design.

…

On Sun, Apr 26, 2026 at 8:05 AM adsharma ***@***.***> wrote: *adsharma* left a comment (LadybugDB/ladybug-nodejs#11) <#11 (comment)> LDFLAGS: "-static-libstdc++" is key here. Without it, the manylinux builds will also have the same issue. The static linking fixes the end user headache, but it also opens up a security issue. Every CVE in libstdc++ requires shipping new nodejs binaries. The Linux distro people are against it. One compromise is to mark these nodjes binaries as compat and configure RPM and DEB packages to turn off static linking. — Reply to this email directly, view it on GitHub <#11 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAET2DEFB75P7SQ33OM7AHL4XYQVLAVCNFSM6AAAAACYGTZXS6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DGMRSGMYTSMBUGE> . Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS <https://github.com/notifications/mobile/ios/AAET2DBWRBVR3QX35R5DOLT4XYQVLA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMZSGIZTCOJQGQY2M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KUZTPN52GK4S7NFXXG> and Android <https://github.com/notifications/mobile/android/AAET2DHVYTBYIKUOL6GHKE34XYQVLA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMZSGIZTCOJQGQY2M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2K4ZTPN52GK4S7MFXGI4TPNFSA>. Download it today! You are receiving this because you authored the thread.Message ID: ***@***.***>

-- Ethan Ligon, Professor Agricultural & Resource Economics University of California, Berkeley

[adsharma]

LadybugDB/ladybug#370 already fixed this. Could you please test a recent nightly?

libgcc is statically linked by default. I don't think we need any changes.

The release binaries are built from CI in the main repo. The CI in this repo exists to sanity check the code independently.

[adsharma]

Please test the v0.15.4 release that went out today.

[ligon]

Confirmed fixed in v0.15.4 on the original platform (Debian 12 / glibc 2.36 / aarch64).

$ ldd node_modules/@ladybugdb/core/lbugjs.node
        linux-vdso.so.1
        libm.so.6 => /lib/aarch64-linux-gnu/libm.so.6
        libgcc_s.so.1 => /lib/aarch64-linux-gnu/libgcc_s.so.1
        libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6
        /lib/ld-linux-aarch64.so.1

$ strings .../lbugjs.node | grep '^GLIBCXX_'
GLIBCXX_TUNABLES         # tunables string only, no version requirement

No libstdc++.so.6, no GLIBCXX_3.4.31 requirement. Database.getVersion() reports 0.15.4, a trivial RETURN 1+1 round-trips. Binary is 25 MB (vs ~22 MB dynamic / ~36 MB I measured with -static-libstdc++ -static-libgcc), consistent with -static-libstdc++ only — which matches @adsharma's read that -static-libgcc wasn't needed. Closing this PR.