SAP/ui5-tooling

Inventory of dependencies in UI5 tooling

swaldmann opened this issue · 4 comments

Is your feature request related to a problem? Please describe.

Currently, installing @ui5/cli complains about outdated dependencies for a rather minimal UI5 app with this package.json:

{
  "name": "browse",
  "version": "1.0.0",
  "main": "webapp/index.html",
  "scripts": {
    "build": "ui5 build preload --clean-dest --config ui5-deploy.yaml",
    "build-local": "ui5 build preload --clean-dest",
    "start": "ui5 serve"
  },
  "devDependencies": {
    "@ui5/cli": "^3",
    "ui5-task-zipper": "^3"
  },
  "ui5": {
    "dependencies": [
      "ui5-task-zipper"
    ]
  }
}

These come from (transitive) dependencies of @ui5/cli:

npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported

Some warnings might just be due to an outdated shrinkwrap, but imo the dependencies could be thinned nowadays with Node.js 18+ (now LTS) APIs. For example, there's no reason to use the rimraf or graceful-fs package with fs.rm() and other modern file system APIs now being stable.

Describe the solution you'd like

  • Do an inventory of which npm dependencies are not required in the UI5 tooling any more. Some hints:
    • File system: rimraf, graceful-fs
    • Unmaintained stuff that can be trivially implemented w/o deps nowadays: etag, fresh, yesno, escape-html

Describe alternatives you've considered

Additional context

Thanks for reporting. We are aware of this and already upgraded the respective dependencies on our development branches.

Most of them can't be upgraded in UI5 Tooling v3 without breaking compatibility, since they required Node.js versions above v16 (which is the lowest supported version for UI5 Tooling v3).

UI5 Tooling v4 with updated dependencies will be released soon. We will update this issue once it is available and check whether the warnings are resolved.

Apologies. I just checked our current main branches and the warnings still appear. Looks like https://github.com/guybedford/devcert is quite outdated. We'll look into it. Thanks again for reporting! 👍

BTW, if there are older dependencies that don't have a good replacement, but only very few users are interested in the feature they enable, I'd just consider turning them into optional peer dependencies.

We do this in @cap-js/hana for example, where we ship hdb by default but @sap/hana-client has to be manually added if required:
https://github.com/cap-js/cds-dbs/blob/main/hana/package.json#L29-L36

Affected dependencies have been updated in guybedford/devcert#7

The deprecation warnings should be resolved with the latest UI5 CLI. Thanks again for reporting.
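
Added example, not part of the original issue or of the UI5 Tooling code base: one way to run the inventory requested above is to walk the `packages` map of a `package-lock.json` and report which direct dependency chain pulls in each package on a watchlist. The lockfile below is a constructed sample (the package `example-cert-helper` and the `3.0.0`/`1.0.0` versions are made up; only the three warned versions come from the npm output in the issue), and the function names `resolve` and `inventory` are hypothetical.

```javascript
// Constructed sample in package-lock.json v2/v3 shape ("packages" keyed by install path).
const lock = { packages: {
  "": { devDependencies: { "@ui5/cli": "^3", "ui5-task-zipper": "^3" } },
  "node_modules/@ui5/cli": { version: "3.0.0", dependencies: { "example-cert-helper": "^1" } },
  "node_modules/ui5-task-zipper": { version: "3.0.0" },
  "node_modules/example-cert-helper": { version: "1.0.0", dependencies: { rimraf: "^2", glob: "^7" } },
  "node_modules/rimraf": { version: "2.7.1", dependencies: { glob: "^7" } },
  "node_modules/glob": { version: "7.2.3", dependencies: { inflight: "^1" } },
  "node_modules/inflight": { version: "1.0.6" },
} };

// Packages named in the issue text and in the quoted npm warnings.
const WATCHLIST = ["rimraf", "graceful-fs", "etag", "fresh", "yesno", "escape-html", "inflight", "glob"];

// Node-style resolution: look in the dependent's own node_modules, then in each parent's.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. an omitted optional dependency)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root project; records the shortest chain to every package.
function inventory(lockfile, watchlist) {
  const packages = lockfile.packages;
  const chains = new Map([["", []]]); // install path -> package names from the root
  const queue = [""];
  while (queue.length) {
    const path = queue.shift();
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const target = resolve(packages, path, name);
      if (target === null || chains.has(target)) continue;
      chains.set(target, [...chains.get(path), name]);
      queue.push(target);
    }
  }
  return [...chains]
    .filter(([, chain]) => watchlist.includes(chain[chain.length - 1]))
    .map(([path, chain]) => ({ name: chain[chain.length - 1],
      version: packages[path].version, via: chain.slice(0, -1).join(" > ") }));
}

console.table(inventory(lock, WATCHLIST));
```

To run it against a real project, replace `lock` with the parsed contents of that project's `package-lock.json`. For a single package on an installed tree, `npm explain <name>` reports the same kind of chain.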