Fix deprecation warnings logged while installing web-ext from npm

[rpl]

When web-ext is installed from npm, the following deprecation warnings are being logged:

npm WARN deprecated [email protected]: Package no longer supported. Contact [email protected] for more info.
npm WARN deprecated [email protected]: Jetpack extensions are no longer supported by Firefox. Use web-ext instead to build a WebExtension.
npm WARN deprecated [email protected]: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: Use cheerio-select instead
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated

None of these deprecated npm packages is a direct web-ext dependencies.

Follows a list of the packages listed in the deprecation warnings, along with notes about the dependencies through which they are inherited, actions to fix the deprecation warnings, opened pull request and/or issues (either from the web-ext repo or upstream repos).

TODO

[email protected] and [email protected]

Notes:

• These dependencies seems to be inherited through the sign-addon dependency
• har-validator is a request dependency

Actions:

• [x] file issue in the sign-addon repo

[email protected]

Notes:

• The warning message suggests to use promise-toolbox/fromEvent instead

Actions:

• [ ] this is a direct web-ext dependency, we should just replace its usage with the new npm package suggested

[email protected]

Notes:

• it seems to be a transitive dependency we inherit from request through sign-addon

Action:

• [ ] double-check if fixing the warning related to request would also fix this issue as a side effect (or if there are dependencies that would still keep that version in the transitive dependencies).

babel-eslint

Notes:

• In #2275 this additional warning has been reported

npm WARN deprecated [email protected]: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.

• babel-eslint should only be installed as part of the dev dependencies, and so this shouldn't be actually a warning that a user would be seeing while installing web-ext from npm, but we should replace the dev dependencies with the new @babel/eslint-parser package.

Actions:

• [ ] create a PR to replace the dev dependency

DONE

[email protected]

Notes:

• This dependency seems to be inherited through the addons-linter dependency
• It looks that addons-linter recently inherited this from [email protected] in mozilla/addons-linter#3516, looking to the cheerio changelog it looks that the warning may be fixed in next updates to the cheerio dependency once they solved

Actions:

• [x] double-check what may be the timing for the fix from the cheerio deps and/or file issue in the addons-linter repo (the updated cheerio deps has been merged in the addons-linter).

[email protected]

Notes:

• This dependency is inherited through the firefox-profile dependency.
• The mozilla-jetpack/jetpack-id github repo is also archived
• Upstream issue: saadtazi/firefox-profile-js#118

Actions:

• [x] Create a pull request in the upstream repository to remove the deprecated dependency: saadtazi/firefox-profile-js#119
• [x] wait for upstream maintainer opinion on upstream PR saadtazi/firefox-profile-js#119
• [x] merge renovatebot PR for firefox-profile-js 4.1.0 (#2170)

[email protected]

Notes:

• This looks that is inherited through the @cliqz-oss/firefox-client dependency.

Actions:

• [x] Replace unmaintained @cliqz-oss/firefox-client and @cliqz-oss/node-firefox-connect dependency with a new module part of web-ext sources (Pull Request: #2129)

[email protected]

Notes:

• This dependency should have been inherited through the @babel/[email protected] dependency

Actions:

• [x] Remove @babel/polyfill dependency ~~, replace with direct dependency on core-js@3 (at least if any polyfill is still needed for the nodejs versions currently supported)~~

[email protected] and [email protected]

Notes:

• These deps seems to be inherited through watchpack

Actions:

• [x] fix issues and merge webpack v5 and watchpack v2 pull requests (#2047, #2024)
• [x] double-check if updating webpack and watchpack to their last major releases was enough to get rid of these deprecation warnings

[email protected]

Notes:

• This dependency seems to be inherited through watchpack (watchpack -> watchpack-chokidar2 -> chokidar@2)

Actions:

• [x] fix issues and merge watchpack v2 pull requests (#2024)
• [x] double-check if updating watchpack to its last major release was enough to get rid of these deprecation warnings

[email protected]

Notes:

• This dependency seems to be inherited through webpack (webpack -> micromatch -> snapdragon)

Actions:

• [x] fix issues and merge webpack v5 pull request (#2047)
• [x] double-check if updating webpack to its last major releases was enough to get rid of these deprecation warnings

[darkred]

I'm currently getting the following with Node 16.3.0 (npm -v 7.15.1) on win10:

warnings:

PS C:\Users\Kostas> npm install -g web-ext

npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '[email protected]',
npm WARN EBADENGINE   required: { node: '>=12.0.0', npm: '>=6.9.0 <7.0.0' },
npm WARN EBADENGINE   current: { node: 'v16.3.0', npm: '7.15.1' }
npm WARN EBADENGINE }
npm WARN deprecated [email protected]: Use promise-toolbox/fromEvent instead
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

Therefore the OP should be updated to reflect the current warnings: of the 10 deprecated lines in the OP, there are now only 4 (especially the event-to-promise and uuid lines were not present in the OP) :

npm WARN deprecated [email protected]: Use promise-toolbox/fromEvent instead
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

---

Also please note the EBADENGINE lines, notably that npm version is required to be older than 7.0.0 . (I thought not to make a separate issue)

npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '[email protected]',
npm WARN EBADENGINE   required: { node: '>=12.0.0', npm: '>=6.9.0 <7.0.0' },
npm WARN EBADENGINE   current: { node: 'v16.3.0', npm: '7.15.1' }
npm WARN EBADENGINE }

[rpl]

thanks a lot @darkred! yep, [email protected] and the [email protected] ones are new and I should add it to this issue (and in the meantime the [email protected] one is gone).

We are aware of the EBADENGINE, it is an unfortunate side effect of a change on the lock file format that is creating issue for us in the CI jobs and forced us to set a upper bound on the npm engine to prevent renovatebot from changing the lock file to the format only supported by npm v7, given that EBADENGINE is a non-blocking warning for npm we decided to don't block the release on that.

Fixing that issue is currently tracked by the related renovatebot PR #2146.

[willdurand]

We filed an issue for the addons-linter warnings: https://github.com/mozilla/addons-linter/issues/3995

[willdurand]

file issue in the sign-addon repo

I filed: https://github.com/mozilla/sign-addon/issues/932

[willdurand]

[email protected]

This should get better once addons-linter has been updated and we replace request in sign-addon but there is still an issue with istanbul-lib-processinfo from nyc:

$ npm why uuid
[...]

[email protected]
node_modules/uuid
  uuid@"^3.3.3" from [email protected]
  node_modules/istanbul-lib-processinfo
    istanbul-lib-processinfo@"^2.0.2" from [email protected]
    node_modules/nyc
      dev nyc@"15.1.0" from the root project
  uuid@"^3.3.2" from [email protected]
  node_modules/request
    request@"~2.88.0" from [email protected]
    node_modules/dispensary
      dispensary@"0.62.0" from [email protected]
      node_modules/addons-linter
        addons-linter@"3.20.0" from the root project
    request@"2.88.2" from [email protected]
    node_modules/sign-addon
      sign-addon@"3.9.0" from the root project

[wagnerand]

web-ext 6.8.0 only has the following warnings remaining:

npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

[equal-l2]

For clarity, all warnings remaining come from request, which is used by sign-addon.

[willdurand]

For clarity, all warnings remaining come from request, which is used by sign-addon.

Yep, and we have plans to get rid of sign-addon (and thus request) but we are not there yet :/

[equal-l2]

Any timeline for removing sign-addon? (I saw sign-addon was trying to replace request with got, but no progress is made for a while)

[wagnerand]

@rpl with sign-addon removed I believe this issue can be closed. Can you confirm?

I ran npm install against 3063a77 and did not see any warnings.

[rpl]

@wagnerand yes I confirm that to be the case.

We recently resumed the work on unblocking the v8 release, and QA is currently running a more complete verification around the behaviors of the web-ext v8 sign command.

[wagnerand]

Thanks Luca!

[odebroqueville]

FYI, I just updated to 7.10.0 and the issue is still present:

npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

What are the issues encountered when using the latest release of sign-addon ?

[willdurand]

@odebroqueville this will be fixed in web-ext v8, which isn't ready yet.