How to deal with deprecation warnings from npm - node.js

Nearly all the time I use npm to install a package, I get a warning like:
npm WARN deprecated minimatch@1.0.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
Then I install the dubious packages with the advised version number.
Is there any way to make npm do this automatically? At own risk of course.

If you're not depending directly on the deprecated packages, you're probably not accomplishing anything by installing them directly. Whichever package depends on it is the one that needs to update its dependencies, and so on until you reach the package you're developing. Essentially: if it's important (e.g. a security problem), notify the package maintainers; if not, ignore the deprecation warning.

Related

Resolving with uuid update from deprecated modules in react native project

The problem I explain below is the deprecated warnings that come out when I run npm i;
I'm investigating why it was solved by installing uuid.
How could installing a UUID have removed all the deprecation warnings?
Even though the old version was not included in my package.json file, I installed it, thinking it would change if I installed it from the errors.
EXPLAIN THE PROBLEM AND SOLUTION
When we run npm install, we observe that there are packages that are deprecated.
We looked at why these deprecated packages appear, how we can update them if we are still using them, and, if we are not using them, how we should remove them. I observed that we are not using react-native-community/masked-view and removed it.
(Deleted node module from package json, called npm i.)
I observed that 8 of the 9 deprecated packages remain and the new order has changed.
deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
I couldn't see the babel-eslint package when I looked in my package.json file. Instead, I think there was already an updated version of eslint.
uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
https://www.npmjs.com/package/uuid/v/3.4.0
I couldn't see that we are using uuid; I couldn't see anything about uuid in the package.json file.
I thought that the package might be a dependency package and might have been accidentally deleted, so I decided to install it with a new version.
I ran npm uuid, deleted android and node_modules, ran npm i, and finally the deprecation warnings were gone.

While Trying to Install Yeomen Getting Warning

It is saying to upgrade uuid@3.4.0 to a higher version. How should I deal with it?
Please guide me in achieving it.
C:\Program Files>npm install -g yo
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
C:\Users\DELL\AppData\Roaming\npm\yo -> C:\Users\DELL\AppData\Roaming\npm\node_modules\yo\lib\cli.js
C:\Users\DELL\AppData\Roaming\npm\yo-complete -> C:\Users\DELL\AppData\Roaming\npm\node_modules\yo\lib\completion\index.js
These are warnings that are up to the package author(s) to fix (or you have to file a pull request yourself in their repository where you fix it yourself).
If they don't keep their package updated with the newest dependencies, you will see this type of warning.
Most of the time this is expected in the sense that package authors never manage to be 100% up to date always, and most of the time they will fix it in a later update. And most of the time the package will install correctly and work regardless of the warning. But sometimes these warnings could also imply security issues, which is not the case here, it seems.
If the package doesn't work after you have installed it, you have to file an issue with the yo author(s) or make a pull request to their repository.
Seems to me this install worked after all. You can check if the name of the package is added in your package.json or is found in the node_modules folder.

What is fsevents in Node.js?

Whenever I install any packages through npm I keep getting this warning:
npm WARN deprecated fsevents@2.1.3: Please update to v 2.2.x
I tried various methods to update it. But all failed.
So my question is, is this important for Node.js?
Can I uninstall it, if possible?
Or is there any other ways to update or remove the warning?
Some package you are using is apparently using the v2.1.3 version of the fsevents module, yet that has been specifically deprecated (usually because of known problems or vulnerabilities) and it is recommended to use v2.2.x instead. If you aren't yourself directly using the fsevents package, then you can grep your node_modules directory and find out which package is using fsevents. You can then try several things:
First, make sure you have the latest version of all the packages you are specifically using in case it's already been fixed in one of those.
See if there's an update to the package that is using it that fixes the warning.
Contact the maintainer of the package that is using it to see if they have an update coming that fixes the warning.
Fork that package and modify their package.json to update to the latest version of fsevents and then test things to see if it all works appropriately and go with that until the maintainer of the package fixes the core.
File a bug/issue with the maintainer and wait until they fix it.
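The first answer on this page and the fsevents answer above both come down to the same step: finding which package in your tree pulls in the deprecated version. As an added example (not code from any of the answers), this Node script walks the `packages` map of a lockfileVersion 2/3 package-lock.json, resolving each dependency the way Node does (nearest node_modules first, then parents), and prints the chain from every entry npm marked `deprecated` back to the project root. The LOCK object is constructed sample data that nests minimatch 1.0.0 under glob, as in the first question's warning.

```javascript
// Added example (not from the thread): walk a package-lock.json (lockfileVersion 2/3
// "packages" map) and report, for each entry npm marked deprecated, the chain of
// dependents back to the project root. LOCK is constructed sample data.
const LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-app', dependencies: { gulp: '^3.9.1', minimatch: '^3.0.4' } },
    'node_modules/minimatch': { version: '3.0.4' },
    'node_modules/gulp': { version: '3.9.1', dependencies: { glob: '^5.0.0' } },
    'node_modules/glob': { version: '5.0.15', dependencies: { minimatch: '^1.0.0' } },
    'node_modules/glob/node_modules/minimatch': { version: '1.0.0',
      deprecated: 'Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue' },
  },
};
// Node-style resolution: try fromPath/node_modules/dep, then each parent directory.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}
// "name@version" for a lock path; the project itself is shown as "(root)".
function label(packages, p) {
  if (p === '') return '(root)';
  return p.slice(p.lastIndexOf('node_modules/') + 13) + '@' + packages[p].version;
}
function deprecatedChains(lock) {
  const packages = lock.packages;
  const dependents = {}; // resolved path -> paths whose dependencies resolve to it
  for (const [from, entry] of Object.entries(packages)) {
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolveDep(packages, from, dep);
      if (target !== null) (dependents[target] = dependents[target] || []).push(from);
    }
  }
  const chains = [];
  const walk = (p, chain) => { // depth-first up the dependents graph; cycle guard on labels
    const next = chain.concat(label(packages, p));
    if (p === '') { chains.push(next); return; }
    for (const d of dependents[p] || []) if (!next.includes(label(packages, d))) walk(d, next);
  };
  for (const [p, entry] of Object.entries(packages)) if (entry.deprecated) walk(p, []);
  return chains;
}
deprecatedChains(LOCK).forEach((c) => console.log(c.join(' <- ')));
```

For a real project, replace LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); npm ls minimatch gives the same view from the CLI.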

Update package to a major release with NPM

Inside a Node.js project, it's not clear to me what the correct workflow is to upgrade a package to a major release.
Let's suppose I'm installing stylelint: npm install --save stylelint by default puts inside my package.json the string "stylelint": "^8.4.1", which means that if I want to update it with npm update, I will get only minor and patch releases (8.4.2 is ok, 8.5.0 is ok, 9.0.0 is not).
If I check with npm outdated and it comes out that I could update to 9.0.0, npm update wouldn't work because of the restriction depicted above.
So, if I want to upgrade, what am I supposed to do?
Do I have to manually modify my package.json to stylelint version ^9.0.0, delete the node_modules directory and re-run npm install?
Or maybe I have just to remove the ^ character to let npm update do its job?
What is the common/best practice to adopt?
Thanks
Say you have "the-package" installed at version 3.x and want to upgrade to 5.x
You would do this:
npm install the-package@5
it will update package.json and package-lock.json as well.
You can also update multiple packages in one command like npm install package1@5 package2@16
To check which packages need updates, run npm outdated
So, if I want to upgrade, what am I supposed to do?
In order to update major releases you can use the npm-check-updates.
See this great answer.
Or maybe I have just to remove the ^ character to let npm update do its job?
What is the common/best practice to adopt?
The most common/best practice is to never allow automatic updates to versions that have potentially breaking changes. Workflows are all over the map, from manual test and then update package.json, to fully automated detect, test, update and submission of package.json.
Many Java/JavaScript environments are particularly sensitive to transitive dependency changes due to the lack of side by side versioning support. If your package brings in a breaking change of one of its own dependencies, then your package has introduced a breaking change to the system. If your 1.y.z causes an update of one of its dependencies from X.Y.Z to X+1.Y.Z it introduces a breaking change and is therefore not a stable version 1.y.z. Other packages that depend on the same package name as yours could potentially be broken whenever the developers of that package released a breaking change. Never let the world get into that state!
I recommend you study the Diamond Dependency Problem and take to heart. You should always carefully test breaking changes and never try to force them on your customers.
As pointed out by @ShaharShokrani, this answer gives a good workflow for manually updating your package. And to remain in compliance with SemVer 2.0.0 #8, don't forget to bump your own major version number.
You can also remove and install the package.
npm rm package
npm i package
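The question's "^8.4.1" example is the caret-range rule of SemVer ranges: npm update only moves within the range, so it will never reach 9.0.0 until the range in package.json is changed. As an added example (not code from any of the answers, and not npm's own implementation), this models the caret rule including its 0.x special cases and mimics what npm outdated reports for a constructed list of stylelint versions.

```javascript
// Added example (not from the thread): the caret-range rule behind "^8.4.1" and why
// "npm update" stops short of 9.0.0. Prerelease tags and build metadata are not handled.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error('not a plain x.y.z version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Exclusive upper bound of a caret range: the leftmost non-zero component is frozen,
// so ^8.4.1 allows <9.0.0, ^0.2.3 allows <0.3.0 and ^0.0.3 allows <0.0.4.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are modelled here: ' + range);
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compareVersions(v, base) >= 0 && compareVersions(v, caretUpperBound(base)) < 0;
}
// Roughly what "npm outdated" reports: "wanted" is the newest version the range allows
// (what "npm update" would install), "latest" the newest published version.
function outdated(range, published) {
  const sorted = published.slice().sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
  const wanted = sorted.filter((v) => satisfiesCaret(range, v)).pop() || null;
  const latest = sorted[sorted.length - 1];
  return { wanted, latest, needsMajorBump: wanted !== latest };
}
// Constructed list of published versions for the question's stylelint example.
const STYLELINT_VERSIONS = ['9.0.0', '8.4.1', '8.5.0', '8.4.2'];
console.log(outdated('^8.4.1', STYLELINT_VERSIONS)); // { wanted: '8.5.0', latest: '9.0.0', needsMajorBump: true }
```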

Google polymer starter kit WARN when npm install

When I download "Intermediate - Advanced users" version of polymer starter kit from github here and on the 4th step of these instructions here I always getting these WARNs:
$ sudo npm install
npm WARN deprecated gulp-minify-css@1.2.4: Please use gulp-clean-css
npm WARN deprecated graceful-fs@3.0.8: graceful-fs version 3 and before will fail on newer node releases. Please update to graceful-fs@^4.0.0 as soon as possible.
npm WARN engine launchpad@0.5.1: wanted: {"node":"^0.12"} (current: {"node":"4.4.2","npm":"2.15.0"})
npm WARN deprecated lodash@1.0.2: lodash@<3.0.0 is no longer maintained. Upgrade to lodash@^4.0.0.
npm WARN optional dep failed, continuing fsevents@1.0.11
npm WARN deprecated graceful-fs@1.2.3: graceful-fs version 3 and before will fail on newer node releases. Please update to graceful-fs@^4.0.0 as soon as possible.
npm WARN deprecated jade@0.26.3: Jade has been renamed to pug, please install the latest version of pug instead of jade
No matter what OS I'm using: tried both Ubuntu and Windows (git bash).
I have npm, bower, gulp installed globally but there's always those WARNs.
I think that maybe it's a dependencies problem, or it's because of some code in some of the polymer starter kit files, but I'm not a pro developer, so I can't find what is causing the problem.
It all seems to work, though, when I deploy the project, but I'm new to web dev and not sure if I have to just close my eyes to these WARNs.
Nothing to worry about with those warnings. They come from the npm packages that are set as dependencies in the package.json file. When you run npm install it will install all packages set in the package.json. Every single package has its own package.json that also has some dependencies. Each package installs its own needed version of that package, and sometimes they use older versions of those packages. The only way to get rid of those warnings would be to get the package creators to update their packages.
The only package that you can update yourself is gulp-minify-css. You can uninstall that package with npm remove gulp-minify-css --save-dev and install the newer, non-deprecated gulp-clean-css with npm install gulp-clean-css --save-dev. If you do that you need to update the gulpfile.js for the project to use the new package.
Find the styleTask for the starter-kit in the gulpfile.js:
// $ is the gulp-load-plugins loader and dist() the output-path helper, both defined elsewhere in the PSK gulpfile
var styleTask = function(stylesPath, srcs) {
  return gulp.src(srcs.map(function(src) {
      return path.join('app', stylesPath, src);
    }))
    .pipe($.changed(stylesPath, {extension: '.css'}))
    .pipe($.autoprefixer(AUTOPREFIXER_BROWSERS))
    .pipe(gulp.dest('.tmp/' + stylesPath))
    .pipe($.minifyCss())   // the deprecated gulp-minify-css step; this is the line to change
    .pipe(gulp.dest(dist(stylesPath)))
    .pipe($.size({title: stylesPath}));
};
and change the .pipe($.minifyCss()) line to .pipe($.cleanCss({compatibility: 'ie10'}))
Now you have managed to update the starter-kit to use newer non-deprecated package.
Many packages in the npm package manager have some deprecated packages or cause other warnings while installing but most of the time there is no need to worry.
No need to worry about those warnings in this case. They shouldn't cause the problems that you allude to. I verified the PSK guide you mentioned (the page completely appears and functions without error in Chrome Version 49.0.2623.112 on OSX El Capitan).
npm displays deprecation warnings when a dependency being installed has been deprecated by the dependency's package owner/maintainer usually in favor of another package/version that has significant improvements. Packages can be deprecated/undeprecated at will and long after your app has been deployed.
For example, in January, you release an app that depends on gulp-minify-css@1.2.4. The owner of gulp-minify-css no longer has time to maintain the package, so he decides in March to deprecate it in favor of the actively maintained gulp-clean-css. Now, users who npm install your app (which also installs gulp-minify-css) see this deprecation warning, but your app still functions normally. The deprecation does not invalidate your app or cause errors.
While normally one might try to upgrade the dependencies to remove the warnings, that is not recommended for PSK due to package incompatibilities as recently discovered in a pull request:
So I just took this for a spin and I ran into some issues :( although the current gulp plugins are deprecated they are working for the community! This PR represents a "high risk" change, that we have found to be breaking in several odd ways. For that reason I am going to close this PR for now. That said let's revisit this PR in a few months and see if things have stabilized more.
