gentics/mesh-cli

mesh-cli@latest has multiple dependencies on UNmaintained packages

yarn global add mesh-cli@latest
	yarn global v1.12.3
	[1/4] Resolving packages...
	[2/4] Fetching packages...
	[3/4] Linking dependencies...
	[4/4] Building fresh packages...
	success Installed "mesh-cli@1.0.0-RC9" with binaries:
	      - mesh
	      - mesh-docker
	      - mesh-sync
	      - mesh-list
	      - mesh-add
	      - mesh-get
	      - mesh-admin
	      - mesh-validate
	      - mesh-remove
	      - mesh-update
	      - mesh-unlink
	      - mesh-link
	Done in 1.69s.

yarn global upgrade
	yarn global v1.12.3
	[1/4] Resolving packages...
	warning mesh-cli > unirest > request > node-uuid@1.4.8: Use uuid module instead
	warning mesh-cli > unirest > request > hawk > hoek@2.16.3: This version is no longer maintained. Please upgrade to the latest version.
	warning mesh-cli > unirest > request > hawk > sntp > hoek@2.16.3: This version is no longer maintained. Please upgrade to the latest version.
	warning mesh-cli > unirest > request > hawk > boom@2.10.1: This version is no longer maintained. Please upgrade to the latest version.
	warning mesh-cli > unirest > request > hawk > boom > hoek@2.16.3: This version is no longer maintained. Please upgrade to the latest version.
	warning mesh-cli > unirest > request > hawk > cryptiles@2.0.5: This version is no longer maintained. Please upgrade to the latest version.
	warning mesh-cli > unirest > request > hawk > cryptiles > boom@2.10.1: This version is no longer maintained. Please upgrade to the latest version.
	...

We need to find a replacement for unirest.

@Jotschi

Unirest does appear abandoned.

Without having looked at all at what, specifically, mesh-cli is using unirest for, for 'http tooling', this might be helpful:

https://npmcompare.com/compare/connect,express,hapi,rest,unirest

and take a look at the apparently quite active project,

https://github.com/expressjs/express
https://expressjs.com/en/4x/api.html

Likely overkill, but seems to cover most of unirest's methods.

pgnd commented

Just installed a mesh instance, and bumped into this issue.
Afaict, there've been no commits here for a while ...
Is mesh-cli abandoned? Or are there concrete plans to address this?

@pgnd We currently have no bandwidth to address this. The function of the CLI is not affected. The plan still stands to replace / remove the unirest dependency. Any help in doing so would be appreciated.

pgnd commented

@Jotschi ok.

@ghost made some suggestions above. Were they looked at? Decided against?

@pgnd Personally I would like to add something lightweight like https://www.npmjs.com/package/request - I think that lib would cover all the current functionality. In the long term we want to generate a client using OpenAPI specification once that is possible.

pgnd commented

OpenAPI, as in https://github.com/OAI/OpenAPI-Specification ? I'm aware of it, but have no experience with it ...

As for https://www.npmjs.com/package/request, it appears to be active -- which is good news.

I'm not entirely clear why it's not in the comparison at:

https://npmcompare.com/compare/connect,express,hapi,rest,unirest

Is it apples-n-oranges? I'll do a bit of reading up to understand what's actually needed.

No surprise, but a 'mesh cli' that fires lots of errors on install/update doesn't "message" well, even if it still functions well-enough ....

I was also recommended https://www.npmjs.com/package/axios as a good alternative. It has even fewer dependencies compared to request and already supports promises.

pgnd commented

Fyi, there appears to be a newer version of 'unirest', v0.6.0

https://github.com/Kong/unirest-nodejs/blob/master/package.json

which pulls in newer 'request', 'cryptiles', 'hawk' & 'boom' ...

Not quite dead/abandoned ... yet?

Might it be worth considering a refresh of mesh-cli with the newer dep?

@pgnd Yes. I have bumped the dependencies and published a new version.
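
Every warning in the opening post arrives through the same dependency path, which is why changing one direct dependency clears them all. As an added example (not part of this thread or of mesh-cli), the Node.js script below parses yarn's `warning a > b > pkg@version: message` lines, using the lines quoted in the issue as embedded input, and reports each deprecated package with the chain prefix they share; `parseWarning` and `summarize` are hypothetical helper names.

```javascript
// Constructed input: the yarn warning lines quoted in the issue.
const SAMPLE = `
warning mesh-cli > unirest > request > node-uuid@1.4.8: Use uuid module instead
warning mesh-cli > unirest > request > hawk > hoek@2.16.3: This version is no longer maintained. Please upgrade to the latest version.
warning mesh-cli > unirest > request > hawk > sntp > hoek@2.16.3: This version is no longer maintained. Please upgrade to the latest version.
warning mesh-cli > unirest > request > hawk > boom@2.10.1: This version is no longer maintained. Please upgrade to the latest version.
warning mesh-cli > unirest > request > hawk > boom > hoek@2.16.3: This version is no longer maintained. Please upgrade to the latest version.
warning mesh-cli > unirest > request > hawk > cryptiles@2.0.5: This version is no longer maintained. Please upgrade to the latest version.
warning mesh-cli > unirest > request > hawk > cryptiles > boom@2.10.1: This version is no longer maintained. Please upgrade to the latest version.
...
`;

// Parse "warning a > b > pkg@1.2.3: message"; returns null for any other line.
// (parseWarning and summarize are hypothetical helper names.)
function parseWarning(line) {
  const m = /^\s*warning\s+(.+?)@(\d[^:\s]*):\s*(.*)$/.exec(line);
  if (!m) return null;
  const chain = m[1].split(/\s*>\s*/);
  return { chain, id: `${chain[chain.length - 1]}@${m[2]}`, message: m[3] };
}

// Count how many paths reach each deprecated package and find the chain
// prefix shared by every warning: the dependency at the end of that prefix
// is the single point that pulls in all of them.
function summarize(text) {
  const warnings = text.split('\n').map(parseWarning).filter(Boolean);
  const paths = new Map();
  let shared = null;
  for (const w of warnings) {
    paths.set(w.id, (paths.get(w.id) || 0) + 1);
    const parents = w.chain.slice(0, -1);
    if (shared === null) { shared = parents; continue; }
    let i = 0;
    while (i < shared.length && i < parents.length && shared[i] === parents[i]) i++;
    shared = shared.slice(0, i);
  }
  return { paths, shared: shared || [] };
}

const { paths, shared } = summarize(SAMPLE);
console.log('shared path:', shared.join(' > '));
for (const [id, n] of paths) console.log(`${id}: reached via ${n} path(s)`);
```

On the quoted output the shared path is `mesh-cli > unirest > request`, so the only direct dependency of mesh-cli involved is unirest.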