Refine dependencies

[imcotton]

I've made minimal changes to address outdated dependencies, they're atomic commits which easy to review or pick individually.

It's mostly by replacing request with make-fetch-happen, which I made similar changes in purescript/spago#840.

---

resolves #32

[imcotton]

ref: tapjs/tapjs#746

[kritzcreek]

Changes look great to me! Thanks for the nice commits making it easy to review.

The only commit I'm not 100% sure about is the one replacing express, but that's mostly because I don't understand what the old implementation was doing. The new one looks reasonable, and if it works for spago I think it ought to work here as well.

[JordanMartinez]

The only commit I'm not 100% sure about is the one replacing express, but that's mostly because I don't understand what the old implementation was doing.

Which commit is that?

[kritzcreek]

Which commit is that?

b3c3656

[imcotton]

That change replaces long deprecated request module, which is the cause of warning during the installation. Modern fetch spec has slightly different interface, thus the diff coming from.

[JordanMartinez]

I looked through the docs of the dependency. Here's a summary of what their readmes say in a linear fashion.

node-fetch is a lightweight version of window.fetch for Node that makes a few tradeoffs from the spec (v2 and v3. It uses node-core streams.

minipass-fetch matches the API of node-fetch but uses "minipass streams" (see below quote) and supports the full set of TLS Options that may be provided to https.request() when making https requests.

Minipass streams are faster and more deterministic in their timing contract than node-core streams, making them a better fit for many server-side use cases.

minipass is an implementation of PassThrough Streams.

However minipass-fetch doesn't implement some features. Thus, make-fetch-happen, which is the dependency in question being added here, adds such features:

• Builds around minipass-fetch for the core fetch API implementation
• Request pooling out of the box
• Quite fast, really
• Automatic HTTP-semantics-aware request retries
• Cache-fallback automatic "offline mode"
• Proxy support (http, https, socks, socks4, socks5)
• Built-in request caching following full HTTP caching rules (Cache-Control, ETag, 304s, cache fallback on error, etc).
• Customize cache storage with any Cache API-compliant Cache instance. Cache to Redis!
• Node.js Stream support
• Transparent gzip and deflate support
• Subresource Integrity support

None of the above seems to be a concern to me.

...that's mostly because I don't understand what the old implementation was doing

AFAICT, an HTTP streaming request was being piped into another stream that unpacks the .tar file into an unzipped file on the file system.

[imcotton]

Thanks @JordanMartinez for the detailed write up, if only I could adding here:

The major features that missing from native http / https (for the sake of adoption in here)

• redirection (curl -L)
• proxy (curl -x)
• body parsing

request was a decent 3rd-party module, but unfortunately it has been inactive since 2018 and been put into deprecation in 2020.

node-fetch is one viable alternative but in v3 it went to ESM only which affects the adoption, currently it focus on its v4 development.

make-fetch-happen is a re-implementation of node-fetch, it maintained by npm, Inc. (now GitHub?), and also facilitates npm install which gives strong confidence in this replacement.

[jamescallumyoung]

A fresh install today of purescript-installer still throws these warnings. Is it possible to get this PR merged to fix them?

Warnings:

npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

I'm running purescript-installer@v0.2.0 via purescript@v0.14.0 since that's the version required for the exercises in the purescript-book.

I'm happy to help fix the current merge conflicts if @imcotton is no longer able to. Just let me know!

[imcotton]

Haven't noticed the conflicts afterward, rebased, please let me know if there is anything left.

[imcotton]

Changed TAP to ignore coverage ratio during test on CI, @JordanMartinez please help to trigger the workflows, thanks.

[JordanMartinez]

This has been published as v0.3.1.

[JordanMartinez]

Do you mind submitting a PR to the PureScript repo, bumping this dependency's version to 0.3.1?

[imcotton]

I'd happy to, one second : )

[rhendric]

Hey @imcotton, I suspect something about this PR is causing #37, but I haven't gone and learned enough about the libraries used to make a proper diagnosis. Could you take a look and see if something jumps out at you?