Closed poppypiney closed 2 years ago
mongoose 5 is what we used in the online bootcamp I followed to get started on this, but there's probably no reason to stick with the old version. I have just been afraid that switching might screw something up, but now is probably the time to try and see.
I noticed that your package-lock.json is different from mine. May I ask which node/npm version you use for this project? I will try to use the same version, which I believe can help us reduce the chance of having different warnings/errors.
It looks like I'm using npm version 6.14.4. Which are you using?
I normally use node 16.x.x and npm 8.x.x, the LTS version.
I am going to make a copy of the app and try updating mongoose, node and npm to see if all still works fine.
Edit: I made a first attempt at updating and am realizing, if I update node and npm then I update them for my entire machine, not just the app I am currently working in, correct?
Usually, when working with node, we install it with a node version manager such as nvm (https://github.com/nvm-sh/nvm) or n (https://github.com/tj/n), which helps us switch to a different version of node more easily, because, as you pointed out, updating would otherwise change it for the entire machine.
Ok, I have updated node with nvm, thanks for the tip. Do I need to do anything further to update the app as well?
Thanks! I will also try to upgrade to Mongoose 6 today or tomorrow.
After everything is upgraded, I will begin working on deployment for some early beta-testing while I work on building out our database search and filter capabilities.
I am confused about how to upgrade mongoose, and about upgrading node modules in general.
I ran `npm update`, which seemed to work, but the modules listed in my package.json are still the same old versions. How do I get that info to update? Do I have to do it manually? Or do I re-run `npm init` or something similar?
Also, because of the info returned on `npm update`, I am concerned about breakages. Those terminal returns are copied and pasted below, in case they are relevant.
`npm update` returned:

```
npm WARN deprecated multer@1.4.4: Multer 1.x is affected by CVE-2022-24434. This is fixed in v1.4.4-lts.1 which drops support for versions of Node.js before 6. Please upgrade to at least Node.js 6 and version 1.4.4-lts.1 of Multer. If you need support for older versions of Node.js, we are open to accepting patches that would fix the CVE on the main 1.x release line, whilst maintaining compatibility with Node.js 0.10.
added 88 packages, removed 26 packages, changed 122 packages, and audited 420 packages in 13s
42 packages are looking for funding
run `npm fund` for details
11 vulnerabilities (6 moderate, 3 high, 2 critical)
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
```
`npm audit` returned:

```
# npm audit report
dicer *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
No fix available
node_modules/dicer
busboy <=0.3.1
Depends on vulnerable versions of dicer
node_modules/busboy
multer <=2.0.0-rc.3
Depends on vulnerable versions of busboy
node_modules/multer
ejs <3.1.7
Severity: critical
Template injection in ejs - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install ejs-mate@4.0.0, which is a breaking change
node_modules/ejs-mate/node_modules/ejs
ejs-mate <=3.0.0
Depends on vulnerable versions of ejs
node_modules/ejs-mate
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install nodemon@1.3.3, which is a breaking change
node_modules/got
node_modules/package-json/node_modules/got
@mapbox/mapbox-sdk *
Depends on vulnerable versions of got
node_modules/@mapbox/mapbox-sdk
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier >=0.2.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
nodemon >=1.3.5
Depends on vulnerable versions of update-notifier
node_modules/nodemon
11 vulnerabilities (6 moderate, 3 high, 2 critical)
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
```
`npm update` will update versions only if indicated it should do so in `package.json`. This behavior is determined by the caret and tilde notation, which you can read about here. This is because automatic upgrades to minor/major versions of packages can cause compatibility issues, so for good reason, npm makes you upgrade manually. If you want to upgrade mongoose, manually change the version indicated in your `package.json` file and run `npm install`.
Resources:
- npm update, caret & tilde notation: https://docs.npmjs.com/cli/v6/commands/npm-update
- semantic versioning in npm: https://docs.npmjs.com/about-semantic-versioning
Excellent, this makes sense now, thank you!
I've noticed warnings such as `Accessing non-existent property 'count' of module exports inside circular dependency` while starting the app, and then found that these warnings come from using mongoose 5 with an old MongoDB driver. I am not so sure, is there any reason to keep mongoose 5 as a dependency?
Also, I did a little test bumping to v6 and edited index.js by removing these mongoose.connect options `{ useNewUrlParser: true, useCreateIndex: true }`, as they mention here: https://mongoosejs.com/docs/migrating_to_6.html#no-more-deprecation-warning-options
The result seems to be OK, no warnings or errors were thrown in the terminal, but I'm still not so sure.