
Please fix deprecated dependencies #72

Closed
ilg-ul opened this issue Mar 27, 2021 · 5 comments

ilg-ul commented Mar 27, 2021

Installing a package which depends on pacote@11.3.1 triggers warnings:

ilg@wks ~ % npm install xpm@next
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

These two deprecated dependencies are also used by tap:

ilg@wks ~ % npx npm-remote-ls pacote | grep har-validator
npx: installed 112 in 6.476s
   │  │     ├─ har-validator@5.1.5
ilg@wks ~ % npx npm-remote-ls pacote | grep request      
npx: installed 112 in 7.22s
   │  │  ├─ request@2.88.2
      │  ├─ request@2.88.2
ilg@wks ~ % 

Could you fix those dependencies?

BTW, I don't think that it is very useful for npm to complain about deprecated indirect dependencies, since there is not much the author of the top package can do to fix them.

@fgblomqvist

See this issue: npm/run-script#25

ilg-ul commented Apr 28, 2021

I see it; in the end it also depends on request, but apparently that is a different dependency path.

ilg-ul commented Jun 20, 2021

And also:

ilg@wks ~ % npm install -g pacote
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 157 packages, and audited 158 packages in 3s

4 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
ilg@wks ~ % 

@bmarcotte

Looks like a new major version of @npmcli/run-script, 2.0.0, was released today that updates their dependency on node-gyp to 8.x, which, in turn, removes the dependency on request. I tried installing that into a clone of pacote, and it appears to work. After updating to it, the request, uuid, and har-validator packages only appear as children under tap, but since tap only appears as a devDependency here, picking up this new version of @npmcli/run-script should clean up the deprecation warnings for the downstream users of pacote.
Note: I did see 2 test failures in test/git.js (the git-clone tmp cache paths don't match the given regex), but those seem to be unrelated. I see the same failures even with the original version of @npmcli/run-script installed.
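
Added example, not part of the original thread or of pacote's code: a Node.js sketch of the check described in the comment above, listing the dependency chains that bring a package such as request into the tree and whether every chain starts at a devDependency. The lockfile object is constructed, its version ranges are placeholders, and example-reporter is a hypothetical intermediate package under tap.

```javascript
// Constructed lockfile (lockfileVersion 2/3 "packages" layout). Ranges are
// placeholders; "example-reporter" is a hypothetical intermediate under tap.
const lock = { packages: {
  '': { dependencies: { '@npmcli/run-script': '*' }, devDependencies: { tap: '*' } },
  'node_modules/@npmcli/run-script': { dependencies: { 'node-gyp': '*' } },
  'node_modules/node-gyp': { dependencies: { request: '*' } },
  'node_modules/request': { dependencies: { 'har-validator': '*' } },
  'node_modules/har-validator': {},
  'node_modules/tap': { dependencies: { 'example-reporter': '*' } },
  'node_modules/example-reporter': { dependencies: { request: '*' } },
} };

// Node-style resolution: the dependent's own node_modules first, then each ancestor's.
function resolve(packages, fromLoc, name) {
  for (let base = fromLoc; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Every chain from the root package to `target`; dev is true when it starts at a devDependency.
function findPaths(lock, target) {
  const pk = lock.packages, found = [];
  const walk = (loc, names, chain, dev, seen) => {
    for (const name of names) {
      const next = resolve(pk, loc, name);
      if (!next || seen.has(next)) continue; // not installed, or a cycle
      const path = [...chain, name];
      if (name === target) { found.push({ path: path.join(' > '), dev }); continue; }
      const e = pk[next];
      walk(next, Object.keys({ ...e.dependencies, ...e.optionalDependencies }),
        path, dev, new Set(seen).add(next));
    }
  };
  walk('', Object.keys(pk[''].dependencies || {}), [], false, new Set());
  walk('', Object.keys(pk[''].devDependencies || {}), [], true, new Set());
  return found;
}

// True when `target` is reachable only through the root's devDependencies.
function devOnly(lock, target) {
  const paths = findPaths(lock, target);
  return paths.length > 0 && paths.every((p) => p.dev);
}
// Constructed "after" state: node-gyp no longer depends on request.
const fixed = JSON.parse(JSON.stringify(lock));
delete fixed.packages['node_modules/node-gyp'].dependencies;
console.log(findPaths(lock, 'request'), devOnly(fixed, 'request'));
```

A package for which `devOnly` returns true is not installed for downstream consumers, so its deprecation warning only reaches people developing the package itself.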

ilg-ul commented Jun 2, 2022

BTW, the way I avoided the deprecation messages was to bundle the dependencies with my package, as npm does.
