Deprecated packages on install
On 10/4/2021, issuing 'npm install' on a new clone yields the following deprecation issues, some of which indicate serious issues. Most of them are downstream package imports, but may affect functionality of the forge package. I am using Node v15+ in production.
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
I mean it's fair, but why not open a PR to fix this? You need to keep in mind that these "serious issues" are all devDependencies, and have nothing to do with the forge runtime which has no external dependencies. So from a security perspective these would only be problematic for testing and bundling.
I'm not saying those are trivial concerns, but I also wouldn't consider them "serious issues".
All the dev deps will get updated at some point. The tricky part is that when you upgrade tools, they drop support for old node versions, and then you can't run tests anymore. Notably deps like mocha and karma. There are heroic measures that could be taken to keep everything working, but ain't nobody got time for that! What will likely happen is that all the code will get modernized, tools updated, support and testing on older nodes and browsers will end, bundles will be created that can support old systems (:heart: webpack, babel, and corejs), and hopefully people just submit bugs if there are legacy issues.
A work-in-progress to switch to ES modules https://github.com/digitalbazaar/forge/pull/718 shows some of this in action.
That being said, if you want to try and do small upgrades and they keep all the tests running and fix some warnings, please submit a PR!
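One way to check the point made in this thread, that the deprecated packages are reachable only through devDependencies, is to split the lockfile's deprecated entries by their `dev` flag. This is an added example, not code from the forge project; it assumes a lockfile v2/v3 `packages` map in which npm records `dev` and `deprecated` per package, and the sample lockfile and its package names are constructed placeholders.

```javascript
// Constructed sample in the package-lock.json v2/v3 "packages" shape.
// Names and versions are placeholders, not forge's real dependency tree.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-lib", version: "1.0.0" },
    "node_modules/old-bundler-helper": {
      version: "0.5.0", dev: true,
      deprecated: "Legacy versions are no longer supported."
    },
    "node_modules/old-bundler-helper/node_modules/old-watcher": {
      version: "2.0.0", dev: true, optional: true,
      deprecated: "Will break on newer Node."
    },
    "node_modules/runtime-helper": {
      version: "3.1.0",
      deprecated: "Use the built-in API instead."
    },
    "node_modules/test-runner": { version: "9.0.0", dev: true }
  }
};

// Split deprecated packages into those installed for consumers (runtime)
// and those pulled in only by devDependencies (devOnly).
function classifyDeprecated(lock) {
  const marker = "node_modules/";
  const result = { runtime: [], devOnly: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta.deprecated) continue; // skip root and healthy packages
    // Nested installs repeat the marker; the package name follows the last one.
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const entry = { name, version: meta.version, reason: meta.deprecated };
    // Only `dev: true` means dev-only. A `devOptional` entry can still be
    // installed in production, so it is counted as runtime here.
    (meta.dev ? result.devOnly : result.runtime).push(entry);
  }
  return result;
}

// To run against a real project (assumed path):
//   classifyDeprecated(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))
console.log(JSON.stringify(classifyDeprecated(sampleLock), null, 2));
```

An empty `runtime` list means consumers who install the package never receive the deprecated code; anything listed there deserves attention first.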