mjeanroy/rollup-plugin-license

Deprecated dependencies not getting updated

cotes2020 opened this issue · 2 comments

Hi there, my project uses the latest rollup-plugin-license (v3.4.0), and when I ran npm install, I got the following warnings:

npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported

It seems that the major version of glob is deprecated, out of curiosity I cloned this repository and checked the deprecation of all the dependencies and the result is as follows:

Upgrading ~/rollup-plugin-license/package.json
[====================] 38/38 100%

 @typescript-eslint/eslint-plugin   7.11.0      7.12.0
 @typescript-eslint/parser          7.11.0      7.12.0
 eslint                             8.57.0       9.4.0
 glob                               ~7.2.0     ~10.4.1
 jasmine                            3.10.0       5.1.0
 jasmine-core                       3.10.1       5.1.2
 magic-string                      ~0.30.0    ~0.30.10
 mkdirp                             ~3.0.0      ~3.0.1
 package-name-regex                 ~2.0.6      ~4.0.0
 prettier                            3.2.5       3.3.0

[Screenshot 2024-06-04 at 02 26 20]

As you can see, the major versions of 5 of these packages are far behind (in red in the image), so they desperately need to be updated. If you have a specific reason for keeping the older versions, can you share why?

BTW, I noticed that this repository has dependabot installed, but it doesn't seem to be working very well, maybe you should consider improving the dependabot configuration?

Thanks for keeping up this excellent project!


Update:

If you don't mind, I can create a PR to help you fix the dependabot configuration.

Hi,

Your report mentions some devDependencies, which should not impact you, as these dependencies should not be installed in your project.

Among "dependencies" (not devDependencies):

  • glob: There was an issue on Windows (I don't remember which one exactly), but the upgrade was not so easy.
  • package-name-regex: I need to check; if it has not been upgraded, it might be because of the version of Node this package supports.
  • magic-string: the version is set to ~0.30.0, so it should be upgraded to the latest automatically in your project.
  • mkdirp: the version is set to ~3.0.0, so it should be upgraded to the latest automatically in your project.

> If you don't mind, I can create a PR to help you fix the dependabot configuration.

No thanks, I only need to re-check how to upgrade glob & package-name-regex.
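The maintainer's reply turns on how npm range specifiers resolve: a `~` range only admits patch-level updates, so `~0.30.0` and `~3.0.0` already float to the newest 0.30.x / 3.0.x on a consumer's install, while `~7.2.0` and `~2.0.6` can never reach glob 10.x or package-name-regex 4.x without an edit to package.json. The script below is an added example, not code from rollup-plugin-license or either participant: it implements the `~` and `^` rules from the npm semver spec (going slightly beyond the thread, which only uses `~`) and applies them to the four "dependencies" rows of the ncu table above. The `ROWS` data is transcribed from that table; pre-release and build suffixes are deliberately ignored to keep the parser short.

```javascript
// Added example (not from the rollup-plugin-license project): a minimal
// implementation of npm's tilde (~) and caret (^) range semantics, applied
// to the version pairs from the ncu table in the issue, to show which
// packages a consumer already gets at the newer version and which need a
// range change by the maintainer. Pre-release/build suffixes are ignored.

// Parse "MAJOR.MINOR.PATCH" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Return [lowerInclusive, upperExclusive] for a ~, ^ or exact specifier.
function rangeBounds(range) {
  const r = range.trim();
  const op = r[0] === '~' || r[0] === '^' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  const [maj, min, pat] = base;
  if (op === '~') {
    // ~1.2.3 := >=1.2.3 <1.3.0 (patch-level changes only)
    return [base, [maj, min + 1, 0]];
  }
  if (op === '^') {
    // ^1.2.3 := >=1.2.3 <2.0.0; ^0.2.3 := >=0.2.3 <0.3.0; ^0.0.3 := >=0.0.3 <0.0.4
    if (maj > 0) return [base, [maj + 1, 0, 0]];
    if (min > 0) return [base, [0, min + 1, 0]];
    return [base, [0, 0, pat + 1]];
  }
  // Exact pin: only that one version.
  return [base, [maj, min, pat + 1]];
}

// True if `version` lies inside `range`.
function satisfies(version, range) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(range);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// The four "dependencies" rows from the ncu table: declared range vs. latest.
const ROWS = [
  { name: 'glob',               range: '~7.2.0',  latest: '10.4.1'  },
  { name: 'package-name-regex', range: '~2.0.6',  latest: '4.0.0'   },
  { name: 'magic-string',       range: '~0.30.0', latest: '0.30.10' },
  { name: 'mkdirp',             range: '~3.0.0',  latest: '3.0.1'   },
];

// For each row, say whether a fresh consumer install already resolves to
// the latest release or whether the maintainer must widen the range.
function classify(rows) {
  return rows.map(({ name, range, latest }) => ({
    name,
    outcome: satisfies(latest, range)
      ? 'consumer install already resolves to latest'
      : 'needs a range change in package.json',
  }));
}

for (const r of classify(ROWS)) console.log(`${r.name}: ${r.outcome}`);
```

Note that the deprecated `glob@7.2.3` from the npm warning is exactly what `~7.2.0` resolves to today, so the warning will persist for every consumer until the range itself changes; conversely, magic-string and mkdirp need no action from the maintainer. To confirm a flagged package is really only a devDependency of the library (and so never lands in your own `node_modules`), run `npm ls <package> --omit=dev` in your project and check that it does not appear.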

Ok, got it, thanks for the detailed reply :)