
Drop dependency on `spawn-command`

Open mcmxcdev opened this issue 2 years ago • 2 comments

We recently started using https://socket.dev/ as part of our dependencies maintenance and it flagged spawn-command as problematic due to it being unmaintained: https://socket.dev/npm/package/spawn-command

The last release was 8 years ago, so there are probably other solutions out there, or it can even be written with native Node.js nowadays.

mcmxcdev avatar Mar 03 '23 06:03 mcmxcdev

I'd take that warning with a grain of salt. Just because a package hasn't been updated in a while, is that really a problem?

I've been writing code for Node.js for more than a decade now, and the child_process API has been quite stable for a while. It's probably why spawn-command didn't need to update either.

See also: https://fagnerbrack.com/how-the-fuck-did-we-get-here-b9bac6ba7a0f


On another note, we briefly played with using a different package to spawn commands between v3.0.0 and v3.2.0. It was causing a couple of issues, so if we're to use a different package at all, I'd like it to address #69. cc @paescuj

gustavohenke avatar Apr 14 '23 07:04 gustavohenke

An old package itself is not a problem as long as it doesn't pull in any dependencies itself which become outdated, contain CVEs, etc. Doesn't seem to be an issue with spawn-command from a quick look into our lockfile.

I simply opened this issue to raise awareness about it. If it is looked at and the conclusion is that everything is fine, even better :)

mcmxcdev avatar Apr 14 '23 08:04 mcmxcdev

Hi folks, this is now done in v9.0.0. https://github.com/open-cli-tools/concurrently/releases/tag/v9.0.0

gustavohenke avatar Sep 08 '24 13:09 gustavohenke