|
| 1 | +# Deprecated packages UX revamp |
| 2 | + |
| 3 | +## Summary |
| 4 | + |
| 5 | +Add a new notification interface at the end of every `install` informing the user of how much packages are deprecated in their current installed tree, in replacement of warning messages printed to standard output during the install. |
| 6 | + |
| 7 | +## Motivation |
| 8 | + |
| 9 | +There are two main motivations for this change: |
| 10 | + |
| 11 | +1. It has been a long time coming effort to clean the output of `npm install` and this would be the final act to convert what used to be hundreds of lines printed in users interface during install into the notification system provided at the end that let users aware of audit issues, funding and now deprecations. |
| 12 | +2. The current warning messages does not provide any context to where that package is coming from, leaving users very confused to see that warning when the deprecated package in question is not a direct dependency of their project. |
| 13 | + |
| 14 | +## Detailed Explanation |
| 15 | + |
| 16 | +During `npm install` arborist should no longer print warnings lines for each package that is marked as deprecated and it should instead queue them up and provide metrics that can be printed at the end of the install, similar to how it works with audit today. |
| 17 | + |
| 18 | +A new command can be introduced to properly display the current deprecations. |
| 19 | + |
| 20 | +## Alternatives |
| 21 | + |
| 22 | +- Leave warning messages as is, don't change anything in the current UX |
| 23 | +- Implement only the increments to existing commands |
| 24 | +- Implement notifications system but not any of the increments to existing commands |
| 25 | +- Modify warning messages during install and leave deprecations warnings to ecosystem, e.g: https://github.com/ljharb/npm-deprecations |
| 26 | + |
| 27 | +## Implementation |
| 28 | + |
| 29 | +Install changes: |
| 30 | +- **arborist** should implement a mechanism to queue deprecation notices, maybe something similar to: `lib/audit-report.js` |
| 31 | +- **cli** will need additions to `lib/utils/reify-output.js` in order to make sure we retrieve that info from arborist and properly display the deprecated packages notification. |
| 32 | + |
| 33 | +### Install example: |
| 34 | + |
| 35 | +```sh |
| 36 | +$ npm install abbrev |
| 37 | + |
| 38 | +added 6 packages, and audited 6 packages in 870ms |
| 39 | + |
| 40 | +3 deprecated packages found (1 direct, 2 transitive) |
| 41 | + |
| 42 | +To find out more, run: |
| 43 | + npm deprecations |
| 44 | + |
| 45 | +4 vulnerabilities found (1 low, 1 moderate, 2 high) |
| 46 | + |
| 47 | +To address all issues (including breaking changes), run: |
| 48 | + npm audit fix --force |
| 49 | + |
| 50 | +Run `npm audit` for details |
| 51 | +``` |
| 52 | + |
| 53 | +### Overview of all deprecated packages after an install |
| 54 | + |
| 55 | +Creates a new `deprecations` subcommand in the cli. |
| 56 | + |
| 57 | +For the next few examples, assume an install such as: |
| 58 | + |
| 59 | +```sh |
| 60 | +$ npm ls |
| 61 | +project@1.0.0 $HOME/work/project |
| 62 | +├── foo@0.4.0 |
| 63 | +├─┬ lorem@0.4.0 |
| 64 | +│ └── ipsum@2.0.0 deprecated |
| 65 | +├─┬ abbrev@3.0.9 |
| 66 | +│ └── bar@2.88.0 deprecated |
| 67 | +└── once@1.4.0 deprecated |
| 68 | +``` |
| 69 | + |
| 70 | +#### 1. Prints deprecated notices for direct dependencies in the current install, e.g: |
| 71 | + |
| 72 | +``` |
| 73 | +$ npm deprecations |
| 74 | +once@1.4.0 https://github.com/lydell/resolve-url#deprecated |
| 75 | +``` |
| 76 | + |
| 77 | +#### 2. Prints deprecated notices for **all** deprecated packages in the current install, e.g: |
| 78 | + |
| 79 | +``` |
| 80 | +$ npm deprecations --all |
| 81 | +ipsum@2.0.0 this library is no longer supported |
| 82 | +bar@2.88.0 "Please update to latest v2.3 or v2.2" |
| 83 | +once@1.4.0 https://github.com/lydell/resolve-url#deprecated |
| 84 | +``` |
| 85 | + |
| 86 | +#### 3. Print deprecation notices for a given package from the current install when using package name only, e.g: |
| 87 | + |
| 88 | +``` |
| 89 | +$ npm deprecations once |
| 90 | +once@1.4.0 https://github.com/lydell/resolve-url#deprecated |
| 91 | +``` |
| 92 | + |
| 93 | +#### 3.1. Support different output types: |
| 94 | + |
| 95 | +``` |
| 96 | +$ npm deprecations once --json |
| 97 | +{ |
| 98 | + "once": { |
| 99 | + "1.4.0": "https://github.com/lydell/resolve-url#deprecated" |
| 100 | + } |
| 101 | +} |
| 102 | +``` |
| 103 | + |
| 104 | +#### 3.2. Support multiple positional arguments: |
| 105 | + |
| 106 | +``` |
| 107 | +$ npm deprecations once ipsum |
| 108 | +once@1.4.0 https://github.com/lydell/resolve-url#deprecated |
| 109 | +ipsum@2.0.0 this library is no longer supported |
| 110 | +``` |
| 111 | + |
| 112 | +#### 4. Support reaching to the registry when using qualified spec as positional argument, e.g: |
| 113 | + |
| 114 | +``` |
| 115 | +$ npm deprecations dot-prop-legacy@latest |
| 116 | +dot-prop-legacy@4.2.1 dot-prop released a v4.2.1, please migrate back to dot-prop@4.2.1 https://www.npmjs.com/package/dot-prop/v/4.2.1 |
| 117 | +``` |
| 118 | + |
| 119 | +#### 5. Support other common arborist options, e.g: |
| 120 | + |
| 121 | +``` |
| 122 | +$ npm deprecations --only=prod |
| 123 | +once@1.4.0 https://github.com/lydell/resolve-url#deprecated |
| 124 | +``` |
| 125 | + |
| 126 | +## Prior Art |
| 127 | + |
| 128 | +`npm install` will print a single warning line during install for each deprecated package found, e.g: |
| 129 | + |
| 130 | +```sh |
| 131 | +$ npm install |
| 132 | +npm WARN deprecated ipsum@2.0.0: this library is no longer supported |
| 133 | +npm WARN deprecated bar@2.88.0: "Please update to latest v2.3 or v2.2" |
| 134 | +npm WARN deprecated once@1.4.0: https://github.com/lydell/resolve-url#deprecated |
| 135 | + |
| 136 | +4 vulnerabilities found (1 low, 1 moderate, 2 high) |
| 137 | + |
| 138 | +To address all issues (including breaking changes), run: |
| 139 | + npm audit fix --force |
| 140 | + |
| 141 | +Run `npm audit` for details |
| 142 | +``` |
0 commit comments