Comment 3 for bug 1779863

I've created an issue on nodejs' tracker to discuss this also: https://github.com/nodejs/node/issues/21897

Let me rephrase what you just said a bit, because I think you're getting it a bit incorrectly.

People are distributing binaries through npm, and these binaries are expected to work directly when being loaded inside the nodejs runtime because there are ABI contracts from the nodejs runtime.

These contracts include exposing OpenSSL symbols. More specifically, NodeJS extensions aren't supposed to link against OpenSSL directly. They get OpenSSL's symbols transitively through the NodeJS binary. This is also true for zlib and libuv. Ubuntu (transitively from Debian) is shipping a version of the NodeJS runtime that breaks these ABI contracts by linking in OpenSSL 1.1 instead of 1.0. More specifically, the symbols and ABI exposed from NodeJS 8.x are supposed to be that of OpenSSL 1.0, but since your runtime is linked against 1.1, it exposes this ABI instead, which transitively breaks native modules that are expecting the 1.0 ABI of OpenSSL.