We modified the CLI to not install the devDependencies and we upgraded to a new express-hbs, so these warnings are all gone on a production install from the CLI.
We have a number of npm warnings currently, as follows:
npm install:
npm WARN deprecated jade@0.26.3: Jade has been renamed to pug, please install the latest version of pug instead of jade
mocha -> jade 0.26.3 - See: https://github.com/mochajs/mocha/issues/2200
npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
mocha -> glob -> minimatch 0.3.0 - See: https://github.com/mochajs/mocha/issues/2318
Both of these are caused by Mocha, which is only a dev dependency (and as such, doesn't present a risk to users of Synchro). For reasons only the gods of npm understand, dev dependencies are installed in our case (because there is a package.json, that means "development environment"?).
The Mocha team can't update either of these deps because doing so would break their Node 0.8.x compatibility (because both of the deps use ^ in a semver, and that isn't supported on Node 0.8.x or earlier). As such, they can't make the change until they do a major release (3.0.0). Not clear when that will happen.
The best solution pending the 3.0.0 release is probably to modify the Synchro CLI installer to not install the dev dependencies, i.e.:
npm install --only=prod
npm install of synchro-web:
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
express-hbs -> readdirp -> minimatch 0.2.14 - See: https://github.com/barc/express-hbs/issues/102
Waiting for express-hbs release. After reviewing the warning, we don't have any actual exposure here.
The best solution pending a new release of express-hbs is probably to just disable warnings in npm install in the Synchro CLI, i.e.:
npm install --loglevel=error
npm install of synchro-studio:
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
express-hbs -> readdirp -> minimatch 0.2.14 (see above)
Same analysis and recommendation as above.