npm/pacote

Please fix deprecated dependencies

Closed this issue · 5 comments

Installing a package which depends on pacote@11.3.1 triggers warnings:

ilg@wks ~ % npm install xpm@next
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

These two deprecated dependencies are also used by tap:

ilg@wks ~ % npx npm-remote-ls pacote | grep har-validator
npx: installed 112 in 6.476s
   │  │     ├─ har-validator@5.1.5
ilg@wks ~ % npx npm-remote-ls pacote | grep request
npx: installed 112 in 7.22s
   │  │  ├─ request@2.88.2
      │  ├─ request@2.88.2
ilg@wks ~ % 

Could you fix those dependencies?

BTW, I don't think that it is very useful for npm to complain about deprecated indirect dependencies, since there is not much the author of the top package can do to fix them.

See this issue: npm/run-script#25

I see it; in the end it also depends on request, but apparently that is a different dependency path.

And also:

ilg@wks ~ % npm install -g pacote
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 157 packages, and audited 158 packages in 3s

4 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
ilg@wks ~ % 

Looks like a new major version of @npmcli/run-script, 2.0.0, was released today that updates their dependency on node-gyp to 8.x, which, in turn, removes the dependency on request. I tried installing that into a clone of pacote, and it appears to work. After updating to it, the request, uuid, and har-validator packages only appear as children under tap, but since tap only appears as a devDependency here, picking up this new version of @npmcli/run-script should clean up the deprecation warnings for the downstream users of pacote.
Note: I did see 2 test failures in test/git.js (the git-clone tmp cache paths don't match the given regex), but those seem to be unrelated. I see the same failures even with the original version of @npmcli/run-script installed.

BTW, the way I avoided the deprecation messages was to bundle the dependencies with my package, as npm does.