The problem I explain below concerns the deprecation warnings that appear when I run npm i.
I'm investigating why it was solved by installing uuid.
How could installing uuid have removed all the deprecation warnings?
The old version was not even included in my package.json file; I installed it because, judging from the errors, I thought things would change if I installed it.
EXPLAIN THE PROBLEM AND SOLUTION
When we say npm install, we observed that there are packages that are deprecated.
We looked at why these deprecated packages appear, how we can update them, and whether we are still using them; if we are not using them, we should remove them from the update. I observed that we are not using react-native-community/masked-view and removed it.
(Deleted node module from package json, called npm i.)
I observed that 8 of the 9 deprecated packages remain and the new order has changed.
deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
I couldn't see the babel-eslint package when I looked in my package.json file. Instead, I think there was already an updated version of eslint.
uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
https://www.npmjs.com/package/uuid/v/3.4.0
I couldn't see that we are using uuid, I couldn't see anything about uuid in package.json file.
I thought that a package might be a dependency package and I thought it might have been accidentally deleted, so I decided to install it with a new version.
I said npm uuid, I deleted android and node modules, I said npm i, and finally the deprecated warnings are gone.
I could not find any documentation which says that npm will not try to install a deprecated package version.
example:
2.0.0-beta.2 2.0.0-beta.5 2.0.0-rc.9
So if I install ^2.0.0-beta.2, it will resolve to 2.0.0-rc.9
And if I deprecate 2.0.0-rc.9
2.0.0-beta.2 2.0.0-beta.5 2.0.0-rc.9 (deprecated)
Now if I install ^2.0.0-beta.2, it will resolve to 2.0.0-beta.5
But I could not find any documentation which proves this behavior. Can someone please help to validate this?
I tested and confirmed that it does indeed ignore deprecated versions if there is another version it can use. (I temporarily deprecated metal-name version 1.3.1 and then ran npm install metal-name@1. It installed version 1.3.0 instead of 1.3.1. When I removed the deprecation for version 1.3.1, it went back to installing 1.3.1 when I ran npm install metal-name@1.)
I can not find this behavior mentioned in the npm CLI documentation. However, I can find it mentioned in the commit log for the npm CLI client.
npm uses npm-pick-manifest to determine what to install. The README for that module says:
Prefers non-deprecated versions to deprecated versions.
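The preference described in this answer, written out as a simplified model. This is an added example, not npm-pick-manifest's code and not part of the original answer; it handles only plain x.y.z versions and a major-only range such as `1`, and versions 1.2.0 and 2.0.0 in the sample metadata are constructed.

```javascript
// Simplified model of "prefer non-deprecated versions to deprecated versions".
// Assumption: plain x.y.z versions and a major-only range (as in `metal-name@1`).
const cmp = (a, b) => {
  const [pa, pb] = [a, b].map(v => v.split(".").map(Number));
  return pa[0] - pb[0] || pa[1] - pb[1] || pa[2] - pb[2];
};

function pickVersion(packument, major) {
  const matching = Object.keys(packument.versions)
    .filter(v => Number(v.split(".")[0]) === Number(major))
    .sort(cmp);
  if (matching.length === 0) return null; // nothing satisfies the range
  const live = matching.filter(v => !packument.versions[v].deprecated);
  // Deprecated versions are a fallback: used only when no other match exists.
  const pool = live.length ? live : matching;
  return pool[pool.length - 1];
}

// Constructed registry metadata mirroring the metal-name test described above.
const makePackument = deprecated131 => ({
  name: "metal-name",
  versions: {
    "1.2.0": {},
    "1.3.0": {},
    "1.3.1": deprecated131 ? { deprecated: "constructed deprecation message" } : {},
    "2.0.0": {},
  },
});

console.log(pickVersion(makePackument(true), "1"));  // 1.3.0
console.log(pickVersion(makePackument(false), "1")); // 1.3.1
```

The practical consequence is that deprecating a release can change what a fresh install resolves to, so a committed lockfile is what keeps installs reproducible.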
NPM will do whatever you told it to do, based on your package.json rule for each dependency. If you use ^ as version prefix then yeah: you literally told NPM to use "whatever is the most up to date minor release".
See both the documentation for dependency management and the semver range documentation for what syntax is accepted and what they all mean.
react-dev-utils@11.0.4 is installing a vulnerable version of browserslist, browserslist@4.14.2, although we have the updated package on GitHub. https://github.com/facebook/create-react-app/blob/main/packages/react-dev-utils/package.json#L57
[to test it out, you may simply create any folder and do npm i react-dev-utils and then check it using npm ls browserslist]
I don't get what all the constraints are for this. (I don't see any package-lock.json for this package, which could be a potential reason for the vuln.) The older version has a reported vulnerability, CVE-2021-23364.
react-dev-utils@11.0.4 is installing a vulnerable version of browserslist, browserslist@4.14.2, although we have the updated package on GitHub
This is because that package.json file resides in the default branch which usually contains the latest or development code. At the time you posted the question, that change was not published to the npm registry.
react-dev-utils@11.0.4 has browserslist@4.14.2 listed in its package so that's the version that will be installed. Reference: https://cdn.jsdelivr.net/npm/react-dev-utils@11.0.4/package.json
You need at least react-dev-utils@12.0.0 to fix that vulnerability. See the versions tab.
[to test it out, you may simply create any folder and do npm i react-dev-utils and then check it using npm ls browserslist]
Running that command will install the latest version of react-dev-utils, which now has no vulnerability. So it will fix your issue.
I don't see any package-lock.json for this package, which could be a potential reason for the vuln
package-lock.json cannot be published to registry, only the top level lock file is respected. Reference: Should package-lock.json also be published?
This may be an example package, but how in general do we update to the latest package? I have tried npm update as well.
npm update respects the semver range that you've set in your package.json. If it's like "react-dev-utils": "11.0.4" that command won't do anything. If it's "react-dev-utils": "^11.0.4", it will try to update to the latest 11.x.x version which you are already on, so again it won't do anything. Reference: npm update does not do anything
In general if you want to upgrade every direct dependency to latest version you can use npm-check-updates before running npm update. Refer https://nodejs.dev/learn/update-all-the-nodejs-dependencies-to-their-latest-version for detailed guide. Related: How to update each dependency in package.json to the latest version?
Now, if it is not a direct dependency, as was in your case, you can force resolutions. This is natively supported in Yarn and NPM v8.3.0 and above. In older NPM versions you need to use a dependency like npm-force-resolutions. Related thread: npm equivalent of yarn resolutions?
There are many more related threads that you can easily find by searching on the web.
It is saying to upgrade uuid@3.4.0 to a higher version. How should I deal with it?
Please guide me in achieving it.
C:\Program Files>npm install -g yo
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
C:\Users\DELL\AppData\Roaming\npm\yo -> C:\Users\DELL\AppData\Roaming\npm\node_modules\yo\lib\cli.js
C:\Users\DELL\AppData\Roaming\npm\yo-complete -> C:\Users\DELL\AppData\Roaming\npm\node_modules\yo\lib\completion\index.js
These are warnings that are up to the package author(s) to fix (or you have to file a pull request yourself in their repository where you fix it yourself).
If they don't keep their package updated with the newest dependencies, you will see this type of warnings.
Most of the time this is expected in the sense that package authors never manage to be 100% up to date always, and most of the time they will fix it in a later update. And most of the time the package will install correctly and work regardless of the warning. But sometimes these warnings could also imply security issues, which is not the case here, it seems.
If the package doesn't work after you have installed it, you have to file an issue with the yo author(s) or make a pull request to their repository.
Seems to me this install worked after all. You can check if the name of the package is added in your package.json or is found in the node_modules folder.
Whenever I install any packages through npm I keep getting this warning:
npm WARN deprecated fsevents@2.1.3: Please update to v 2.2.x
I tried various methods to update it. But all failed.
So my question is, is this important for Node.js?
Can I uninstall it, if possible?
Or are there any other ways to update or remove the warning?
Some package you are using is apparently using the v2.1.3 version of the fsevents module, yet that has been specifically deprecated (usually because of known problems or vulnerabilities) and it is recommended to use v2.2.x instead. If you aren't yourself directly using the fsevents package, then you can grep your node_modules directory and find out which package is using fsevents. You can then try several things:
First, make sure you have the latest version of all the packages you are specifically using in case it's already been fixed in one of those.
See if there's an update to the package that is using it that fixes the warning.
Contact the maintainer of the package that is using it to see if they have an update coming that fixes the warning.
Fork that package and modify their package.json to update to the latest version of fsevents and then test things to see if it all works appropriately and go with that until the maintainer of the package fixes the core.
File a bug/issue with the maintainer and wait until they fix it.
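One way to find out which package pulls in a deprecated dependency without grepping node_modules is to walk the lockfile. The following is an added example, not code from any answer on this page: it assumes a package-lock.json in the lockfileVersion 2/3 `packages` layout with a `deprecated` message recorded on affected entries, and the sample lockfile is constructed (only the request, uuid and har-validator versions come from the install log on this page).

```javascript
// Constructed sample lockfile; the yo and nested uuid versions and all
// dependency edges are made up for illustration.
const sampleLock = {
  packages: {
    "": { name: "demo-app", dependencies: { yo: "^1.0.0" } },
    "node_modules/yo": { version: "1.0.0",
      dependencies: { request: "^2.88.0", uuid: "^8.0.0" } },
    "node_modules/yo/node_modules/uuid": { version: "8.0.0" },
    "node_modules/request": { version: "2.88.2",
      deprecated: "request has been deprecated",
      dependencies: { uuid: "^3.3.2", "har-validator": "~5.1.3" } },
    "node_modules/uuid": { version: "3.4.0",
      deprecated: "Please upgrade to version 7 or higher." },
    "node_modules/har-validator": { version: "5.1.5",
      deprecated: "this library is no longer supported" },
  },
};

// Node-style lookup: the dependent's own node_modules first, then each parent.
function resolveInstalled(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// One row per (dependent -> deprecated package) edge in the lockfile.
function deprecatedReport(lock) {
  const pk = lock.packages;
  const rows = [];
  for (const [path, meta] of Object.entries(pk)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    for (const [name, range] of Object.entries(deps)) {
      const hit = resolveInstalled(pk, path, name);
      if (!hit || !pk[hit].deprecated) continue;
      rows.push({ requiredBy: path ? path.split("node_modules/").pop() : "(root)",
        name, range, installed: pk[hit].version, direct: path === "" });
    }
  }
  return rows;
}

console.table(deprecatedReport(sampleLock));
```

Rows with `direct: false` cannot be fixed by editing your own package.json ranges; they need an upstream release, a fork, or a forced resolution.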
When I download the "Intermediate - Advanced users" version of polymer starter kit from github here, on the 4th step of these instructions here I always get these WARNs:
$ sudo npm install
npm WARN deprecated gulp-minify-css@1.2.4: Please use gulp-clean-css
npm WARN deprecated graceful-fs@3.0.8: graceful-fs version 3 and before will fail on newer node releases. Please update to graceful-fs@^4.0.0 as soon as possible.
npm WARN engine launchpad@0.5.1: wanted: {"node":"^0.12"} (current: {"node":"4.4.2","npm":"2.15.0"})
npm WARN deprecated lodash@1.0.2: lodash@<3.0.0 is no longer maintained. Upgrade to lodash@^4.0.0.
npm WARN optional dep failed, continuing fsevents@1.0.11
npm WARN deprecated graceful-fs@1.2.3: graceful-fs version 3 and before will fail on newer node releases. Please update to graceful-fs@^4.0.0 as soon as possible.
npm WARN deprecated jade@0.26.3: Jade has been renamed to pug, please install the latest version of pug instead of jade
No matter what OS I'm using: tried both Ubuntu and Windows (git bash).
I have npm, bower, gulp installed globally but there's always those WARNs.
I think that maybe it's a dependencies problem or it's because of some code in some of the polymer starter kit files, but I'm not a pro developer, so I can't find what is causing the problem.
It all seems to work though when I deploy the project, but I'm new to web dev and not sure if I have to just close my eyes to these WARNs.
Nothing to worry about with those warnings. Those come from the npm packages that are set as dependencies in the package.json file. When you run npm install it will install all packages set in the package.json. Every single package has its own package.json that also has some dependencies. Each package installs its own needed version of that package and sometimes they use older versions of those packages. The only way to get rid of those warnings would be to get the package creators to update their packages.
The only package that you can update yourself is gulp-minify-css. You can uninstall that package with npm remove gulp-minify-css --save-dev and install the newer non-deprecated version, gulp-clean-css, with npm install gulp-clean-css --save-dev. If you do that you need to update the gulpfile.js for the project to use the new package.
Find the styleTask for the starter-kit in the gulpfile.js:
    var styleTask = function(stylesPath, srcs) {
      return gulp.src(srcs.map(function(src) {
          return path.join('app', stylesPath, src);
        }))
        .pipe($.changed(stylesPath, {extension: '.css'}))
        .pipe($.autoprefixer(AUTOPREFIXER_BROWSERS))
        .pipe(gulp.dest('.tmp/' + stylesPath))
        .pipe($.minifyCss())
        .pipe(gulp.dest(dist(stylesPath)))
        .pipe($.size({title: stylesPath}));
    };
and change the .pipe($.minifyCss()) row to be .pipe($.cleanCss({compatibility: 'ie10'}))
Now you have managed to update the starter-kit to use newer non-deprecated package.
Many packages in the npm package manager have some deprecated packages or cause other warnings while installing but most of the time there is no need to worry.
No need to worry about those warnings in this case. They shouldn't cause the problems that you allude to. I verified the PSK guide you mentioned (the page completely appears and functions without error in Chrome Version 49.0.2623.112 on OSX El Capitan).
npm displays deprecation warnings when a dependency being installed has been deprecated by the dependency's package owner/maintainer usually in favor of another package/version that has significant improvements. Packages can be deprecated/undeprecated at will and long after your app has been deployed.
For example, in January, you release an app that depends on gulp-minify-css@1.2.4. The owner of gulp-minify-css no longer has time to maintain the package, so he decides in March to deprecate it in favor of the actively maintained gulp-clean-css. Now, users who npm install your app (which also installs gulp-minify-css) see this deprecation warning, but your app still functions normally. The deprecation does not invalidate your app or cause errors.
While normally one might try to upgrade the dependencies to remove the warnings, that is not recommended for PSK due to package incompatibilities as recently discovered in a pull request:
So I just took this for a spin and I ran into some issues :( although
the current gulp plugins are deprecated they are working for the
community! This PR represents a "high risk" change, that we have found
to be breaking in several odd ways. For that reason I am going to
close this PR for now. That said let's revisit this PR in a few months
and see if things have stabilized more.