Libraries deprecated or no longer supported - how to handle?
polynaught opened this issue · 4 comments
I got the following warnings (called vulnerabilities?) and wonder what to do about them. Is this something you'd have to fix? Can I simply update deprecated libraries or will this break openupm-cli?
```text
C:\Windows\system32>npm install -g openupm-cli
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)

added 294 packages, and audited 295 packages in 20s

19 packages are looking for funding
  run `npm fund` for details

6 vulnerabilities (3 moderate, 2 high, 1 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
npm notice
npm notice New minor version of npm available! 8.5.5 -> 8.9.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v8.9.0
npm notice Run npm install -g npm@8.9.0 to update!
npm notice
```
Vulnerabilities can mean a lot depending on the actual message. Some packages are just out of date and have been marked as deprecated to force the user to update.
Yes, I should update them regularly.
Thanks for the clarification.
I have updated all dependencies to the latest version. This resolves some of the vulnerabilities.
It requires Node.js version >= v14: https://nodejs.org/en/download/
Then run `npm install -g openupm-cli@latest`.
However, there are still some outdated dependencies. All of them are caused by request and npm-registry-client, which are in maintenance mode (working but deprecated). I don't have a plan to replace them so far.
```text
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
```
```text
npm ls uuid
openupm-cli@1.15.0 /projects/openupm-cli
└─┬ another-npm-registry-client@8.7.0
  └─┬ request@2.88.2
    └── uuid@3.4.0

npm ls har-validator
openupm-cli@1.15.0 /projects/openupm-cli
└─┬ another-npm-registry-client@8.7.0
  └─┬ request@2.88.2
    └── har-validator@5.1.5
```
BTW, a critical bug has been fixed in v1.15.2:

```text
npm install -g openupm-cli@1.15.2
```