Open cdata opened 8 years ago
The last time we looked into this all warnings were caused by dependencies of our dependencies that we couldn't easily update. See: https://github.com/Polymer/polymer-cli/issues/64#issuecomment-218226759
But... that was back in May. A lot has probably changed since then. This would definitely be worth another look (esp. with security warning & Node's v7 October release date re: graceful-fs
)
It seems that Mocha (which has a dependency on jade) is currently in beta for 3.0.0 and this major version has dropped jade in favor of the new name pug. Therefore that error should be gone when Mocha has released stable 3.0.0.
Gulp is slowly but steadily adopting vinyl-fs 4.0.0 (whereas 3.X depended on the old lodash), but seems not to be finished with their work in https://github.com/gulpjs/gulp/issues/1604
Most of the minimatch@2 warnings are from vinyl-fs used again by gulp and used by polymer-build, and from glob used by web-component-tester. glob is also used by archiver, used by wd, which is again used by web-component-tester.
minimatch@0 is used in globule in gaze in glob-watcher in vinyl-fs in gulp in polymer-build, and from globule in gaze in glob-watcher in vinyl-fs in gulp in polymer-build.
minimatch@1 is used in minimatch-all in polymer-build.
to-iso-string is used in mocha in web-component-tester.
graceful-fs is used in glob in globule in gaze in glob-watcher in vinyl-fs in gulp in polymer-build.
All in all, 1 is a direct dependency of polymer-build. All others are quite some levels deep in very similar packages. Probably when gulp is upgraded most of these are fixed.
@TimvdLippe 🙌 🙌 🙌 Thanks for the great investigation!
Looks like Gulp is currently sitting at the top of a rabbit hole that leads through vinyl-fs, graceful-fs, and into a node.js philosophical debate around internal code, monkey patching, and the v7 release (https://github.com/nodejs/node/issues/8149). We can offer to lend some time to help the gulp team upgrade but they seem blocked by this bigger issue.
Just created a PR for minimatch-all here: https://github.com/joshwnj/minimatch-all/pull/1
Getting that merged will fix the scary DoS issue.
@FredKSchott It's merged. waiting on the gulp team to get vinylfs baked in i guess (gulpjs/gulp#1604) still ...
my latest bash upgrade.....
x-MacBook-Pro:app-marked-element apple$ npm install -g polymer-cli
npm WARN deprecated lodash.isarray@4.0.0: This package is deprecated. Use Array.isArray.
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated lodash@1.0.2: lodash@<3.0.0 is no longer maintained. Upgrade to lodash@^4.0.0.
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN deprecated to-iso-string@0.0.2: to-iso-string has been deprecated, use @segment/to-iso-string instead.
npm WARN deprecated jade@0.26.3: Jade has been renamed to pug, please install the latest version of pug instead of jade
npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
/Users/apple/.nvm/versions/node/v6.3.1/bin/polymer -> /Users/apple/.nvm/versions/node/v6.3.1/lib/node_modules/polymer-cli/bin/polymer.js
- tweetnacl@0.14.3 node_modules/polymer-cli/node_modules/bcrypt-pbkdf/node_modules/tweetnacl
/Users/apple/.nvm/versions/node/v6.3.1/lib
└─┬ polymer-cli@0.16.0
  ├─┬ fs-extra@0.30.0
  │ └── graceful-fs@4.1.9
  ├─┬ polylint@2.10.1
  │ └─┬ hydrolysis@1.24.1
  │   ├── babel-polyfill@6.16.0
  │   └─┬ escodegen@1.8.1
  │     └─┬ optionator@0.8.2
  │       └── fast-levenshtein@2.0.5
  ├─┬ request@2.75.0
  │ └─┬ http-signature@1.1.1
  │   └─┬ sshpk@1.10.1
  │     └── tweetnacl@0.14.3
  └─┬ web-component-tester@4.3.4
    └── test-fixture@1.1.1 (git://github.com/polymerelements/test-fixture.git#05514d6f32ade6fe54de5b242bbb43ea9dcff3c0)
node --version
v6.3.1
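An added example (not code from this thread or from the polymer-cli project) that ties the dependency-chain investigation above to the `npm WARN deprecated` lines in the install log: it parses the warning lines, flags those whose message mentions a DoS or vulnerability, and walks an `npm ls --json`-shaped tree to report the chain that pulls each flagged version in. The tree is constructed sample data; apart from the package names and the polymer-cli, web-component-tester and minimatch versions quoted in the thread, its versions are made up.

```javascript
// Added example, not the polymer-cli project's code: correlate npm's
// "npm WARN deprecated" lines with the tree that `npm ls --json` prints.
const DEPRECATED_RE = /^npm WARN deprecated (\S+?)@(\S+): (.*)$/;

// Parse warning lines; the lazy (\S+?) also handles scoped names (@scope/pkg@1.0.0).
function parseDeprecationWarnings(lines) {
  const warnings = [];
  for (const line of lines) {
    const m = DEPRECATED_RE.exec(line.trim());
    if (!m) continue;
    const [, name, version, message] = m;
    warnings.push({ name, version, message,
      securityRelevant: /\bDoS\b|vulnerab|security/i.test(message) });
  }
  return warnings;
}

// Depth-first walk of an `npm ls --json` tree; returns every chain
// "root@v > ... > name@version" that ends at the requested package.
function findDependencyPaths(tree, name, version) {
  const paths = [];
  (function walk(nodeName, node, chain) {
    const here = chain.concat(`${nodeName}@${node.version}`);
    if (nodeName === name && node.version === version) paths.push(here.join(' > '));
    for (const [childName, child] of Object.entries(node.dependencies || {})) walk(childName, child, here);
  })(tree.name, tree, []);
  return paths;
}

// For each security-relevant warning, list the dependency chains behind it.
function traceSecurityWarnings(lines, tree) {
  return parseDeprecationWarnings(lines)
    .filter((w) => w.securityRelevant)
    .map((w) => ({ pkg: `${w.name}@${w.version}`,
                   paths: findDependencyPaths(tree, w.name, w.version) }));
}

// Constructed sample input: three warning lines as quoted in the thread.
const SAMPLE_LOG = [
  'npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue',
  'npm WARN deprecated lodash@1.0.2: lodash@<3.0.0 is no longer maintained. Upgrade to lodash@^4.0.0.',
  'npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue',
];
// Constructed sample tree mirroring the chains in the thread; most versions are made up.
const dep = (version, dependencies) => ({ version, dependencies });
const SAMPLE_TREE = { name: 'polymer-cli', version: '0.16.0', dependencies: {
  'polymer-build': dep('0.4.1', { gulp: dep('3.9.1', { 'vinyl-fs': dep('0.3.14', {
    'glob-watcher': dep('0.0.6', { gaze: dep('0.5.2', { globule: dep('0.1.0', {
      minimatch: dep('0.2.14') }) }) }) }) }) }),
  'web-component-tester': dep('4.3.4', { glob: dep('5.0.15', { minimatch: dep('2.0.10') }) }),
} };
```

Run against a real install, feed the captured stderr lines to `parseDeprecationWarnings` and the parsed output of `npm ls --json` to `findDependencyPaths`; the chain for a flagged package tells you which top-level dependency needs the upgrade.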
We'll do a big round of updates in the next week or two to try to get rid of everything that we can. We actually moved to using vinyl-fs directly a little while ago, which should help us get rid of all gulp problems.
thanks for the update.
using it direct and bypassing the in betweens sounds smart long term. The laws of diminishing returns are kicking in using the in betweens i guess.
super happy to see it coming along...
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this is still an issue, it ought to be fixed 💁♂️
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Description
Sometimes I install or upgrade the polymer-cli package in my local environment.
What I expect to happen
The installation eventually succeeds, displaying a list of the installed dependencies, all in good order, with no scary messages that give me pause.
What actually happened
There are some scary warning messages that give me pause. Example from installing v0.15.0:
The list includes deprecation / unmaintained warnings, rename warnings and particularly of note: a security vulnerability warning.