WordPress / gutenberg

The Block Editor project for WordPress and beyond. Plugin is available from the official repository.
https://wordpress.org/gutenberg/

Cleanup dependencies based on deprecated packages #53569

Open fluiddot opened 1 year ago

fluiddot commented 1 year ago

What problem does this address?

npm reports several warnings about deprecated packages when installing the dependencies for the first time. In an effort to clean up the dependencies, it would be great to review them and execute the needed upgrades/removals of those packages.

This issue tracks the different tasks we'd need to accomplish to remove the deprecation warnings.

What is your proposed solution?

Remove or find a replacement for the deprecated packages and upgrade the packages where they are used accordingly.

Used by @wordpress/scripts package:

└─┬ @wordpress/scripts@26.10.0 -> ./packages/scripts
  └─┬ @svgr/webpack@6.2.1
    └─┬ @svgr/plugin-svgo@6.2.0
      └─┬ svgo@2.8.0
        └── stable@0.1.8

npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility

Used by react-native-sass-transformer (related to React Native):

  └─┬ react-native-sass-transformer@1.4.0
    └─┬ css-to-react-native-transform@1.9.0
      └─┬ css@2.2.4
        ├─┬ source-map-resolve@0.5.2
        │ └── urix@0.1.0 deduped
        └── urix@0.1.0

npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated

Used by @wordpress/docgen:

└─┬ @wordpress/docgen@1.48.0 -> ./packages/docgen
  └─┬ remark-parse@6.0.3
    └── trim@0.0.1

npm WARN deprecated trim@0.0.1: Use String.prototype.trim() instead

Used by appium and wd (related to mobile E2E tests):

├─┬ appium@1.22.3
│ └─┬ appium-tizen-driver@1.1.1-beta.5
│   └─┬ appium-base-driver@4.5.1
│     └─┬ request@2.88.2
│       └── har-validator@5.1.5
└─┬ wd@1.12.1
  └─┬ request@2.88.0
    └── har-validator@5.1.5

npm WARN deprecated har-validator@5.1.5: this library is no longer supported

Used by react-native-sass-transformer (related to React Native):

  └─┬ react-native-sass-transformer@1.4.0
    └─┬ css-to-react-native-transform@1.9.0
      └─┬ css@2.2.4
        └─┬ source-map-resolve@0.5.2
          └── resolve-url@0.2.1

npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated

Used by react-native-sass-transformer (related to React Native):

  └─┬ react-native-sass-transformer@1.4.0
    └─┬ css-to-react-native-transform@1.9.0
      └─┬ css@2.2.4
        └─┬ source-map-resolve@0.5.2
          └── source-map-url@0.4.0

npm WARN deprecated source-map-url@0.4.0: See https://github.com/lydell/source-map-url#deprecated

Used by several packages (including React Native Metro server):

├─┬ @playwright/test@1.32.0
│ └── fsevents@2.3.2
├─┬ @storybook/addon-docs@7.2.2
│ └─┬ @jest/transform@29.6.2
│   └─┬ jest-haste-map@29.6.2
│     └── fsevents@2.3.2 deduped
├─┬ core-js-builder@3.31.0
│ └─┬ webpack@4.46.0
│   └─┬ watchpack@1.7.5
│     └─┬ watchpack-chokidar2@2.0.1
│       └─┬ chokidar@2.1.8
│         └── fsevents@1.2.13
├─┬ react-native@0.71.11
│ └─┬ @react-native-community/cli@10.2.4
│   └─┬ @react-native-community/cli-plugin-metro@10.2.3
│     └─┬ metro@0.73.10
│       └─┬ metro-file-map@0.73.10
│         └── fsevents@2.3.2 deduped
└─┬ sass@1.35.2
  └─┬ chokidar@3.5.3
    └── fsevents@2.3.2 deduped

npm WARN deprecated fsevents@1.2.13: The v1 package contains DANGEROUS / INSECURE binaries. Upgrade to safe fsevents v2

Used by several packages:

├─┬ @pmmmwh/react-refresh-webpack-plugin@0.5.2
│ └─┬ webpack-dev-server@4.4.0
│   └── chokidar@3.5.3 deduped
├─┬ @storybook/addon-docs@7.2.2
│ └─┬ @storybook/csf-plugin@7.2.2
│   └─┬ unplugin@1.4.0
│     └── chokidar@3.5.3 deduped
├─┬ @storybook/react-webpack5@7.2.2
│ └─┬ @storybook/builder-webpack5@7.2.2
│   └─┬ fork-ts-checker-webpack-plugin@8.0.0
│     └── chokidar@3.5.3 deduped
├─┬ core-js-builder@3.31.0
│ └─┬ webpack@4.46.0
│   └─┬ watchpack@1.7.5
│     ├── chokidar@3.5.3 deduped
│     └─┬ watchpack-chokidar2@2.0.1
│       └── chokidar@2.1.8
└─┬ sass@1.35.2
  └── chokidar@3.5.3

npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies

Used by react-refresh-webpack-plugin and React Native:

├─┬ @pmmmwh/react-refresh-webpack-plugin@0.5.2
│ └─┬ webpack-hot-middleware@2.25.1
│   └── querystring@0.2.0
└─┬ @wordpress/react-native-editor@1.101.0 -> ./packages/react-native-editor
  └─┬ jsdom-jscore-rn@0.1.8
    └── querystring@0.2.0 deduped

npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.

Used by several packages (including Mobile E2E tests):

├─┬ @actions/core@1.9.1
│ └── uuid@8.3.2
├─┬ @pmmmwh/react-refresh-webpack-plugin@0.5.2
│ └─┬ webpack-dev-server@4.4.0
│   └─┬ sockjs@0.3.24
│     └── uuid@8.3.2
├─┬ @storybook/addon-actions@7.2.2
│ └── uuid@9.0.0
├─┬ @wordpress/annotations@2.39.0 -> ./packages/annotations
│ └── uuid@8.3.0 deduped
├─┬ @wordpress/block-library@8.16.0 -> ./packages/block-library
│ └── uuid@8.3.0 deduped
├─┬ @wordpress/blocks@12.16.0 -> ./packages/blocks
│ └── uuid@8.3.0 deduped
├─┬ @wordpress/components@25.5.0 -> ./packages/components
│ └── uuid@8.3.0 deduped
├─┬ @wordpress/core-data@6.16.0 -> ./packages/core-data
│ └── uuid@8.3.0 deduped
├─┬ @wordpress/e2e-tests@7.10.0 -> ./packages/e2e-tests
│ └── uuid@8.3.0 deduped
├─┬ appium@1.22.3
│ ├─┬ appium-base-driver@7.11.0
│ │ └─┬ webdriverio@6.12.1
│ │   └─┬ devtools@6.12.1
│ │     └── uuid@8.3.2 deduped
│ ├─┬ appium-flutter-driver@0.0.32
│ │ └─┬ rpc-websockets@5.3.1
│ │   └── uuid@3.4.0
│ ├─┬ appium-ios-driver@4.8.3
│ │ └─┬ appium-ios-simulator@3.29.0
│ │   └─┬ node-simctl@6.6.0
│ │     └── uuid@8.3.2 deduped
│ ├─┬ appium-safari-driver@2.2.1
│ │ └─┬ node-simctl@6.4.1
│ │   └── uuid@8.3.2 deduped
│ ├─┬ appium-support@2.54.1
│ │ └── uuid@8.3.2
│ └─┬ appium-tizen-driver@1.1.1-beta.5
│   └─┬ appium-base-driver@4.5.1
│     └─┬ request@2.88.2
│       └── uuid@3.4.0
├─┬ jest-junit@13.0.0
│ └── uuid@8.3.2
├─┬ lerna@7.1.4
│ └── uuid@9.0.0
├── uuid@8.3.0
└─┬ wd@1.12.1
  └─┬ request@2.88.0
    └── uuid@3.4.0

npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

Used by react-native-sass-transformer and Babel preset:

├─┬ @wordpress/react-native-editor@1.101.0 -> ./packages/react-native-editor
│ └─┬ react-native-sass-transformer@1.4.0
│   └─┬ css-to-react-native-transform@1.9.0
│     └─┬ css@2.2.4
│       └── source-map-resolve@0.5.2
└─┬ core-js-builder@3.31.0
  └─┬ webpack@4.46.0
    └─┬ micromatch@3.1.10
      └─┬ snapdragon@0.8.2
        └── source-map-resolve@0.5.2 deduped

npm WARN deprecated source-map-resolve@0.5.2: See https://github.com/lydell/source-map-resolve#deprecated

Used by appium and wd (related to Mobile E2E tests):

├─┬ appium@1.22.3
│ ├─┬ appium-ios-driver@4.8.3
│ │ └─┬ appium-remote-debugger@5.7.0
│ │   └─┬ appium-base-driver@4.5.1
│ │     ├── request@2.88.2 deduped
│ │     └─┬ webdriverio@5.23.0
│ │       └─┬ webdriver@5.23.0
│ │         └── request@2.88.2 deduped
│ └─┬ appium-tizen-driver@1.1.1-beta.5
│   └─┬ appium-base-driver@4.5.1
│     ├── request@2.88.2
│     └─┬ webdriverio@5.23.0
│       └─┬ webdriver@5.23.0
│         └── request@2.88.2 deduped
└─┬ wd@1.12.1
  └── request@2.88.0

npm WARN deprecated request@2.88.0: request has been deprecated, see https://github.com/request/request/issues/3142

Used by React Native (Metro server):

└─┬ react-native@0.71.11
  └─┬ @react-native-community/cli@10.2.4
    └─┬ @react-native-community/cli-plugin-metro@10.2.3
      └─┬ metro@0.73.10
        └─┬ metro-minify-uglify@0.73.10
          └── uglify-es@3.3.9

npm WARN deprecated uglify-es@3.3.9: support for ECMAScript is superseded by `uglify-js` as of v3.13.0

bph commented 5 months ago

Having a list of warnings on the build process will give new contributors pause, and might keep them from moving forward because they might not trust their capabilities.

What would be involved, apart from needed time, to work on removing them?

@youknowriad @mcsf @gziolo

gziolo commented 5 months ago

@sirreal should soon land a PR https://github.com/WordPress/gutenberg/pull/57800 with package deduplication, which updates what's in the lock file. The next step would require auditing the list again and eventually upgrading the problematic packages to a more recent version.

sirreal commented 3 months ago

Packages have been deduped and several dependencies have been upgraded. We can reassess what needs to be done now.
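
For re-auditing the list after the lock file changes, the "Used by" sections of the issue can be regenerated from `package-lock.json` itself. The following is an added example, not code from the Gutenberg repository: it assumes a lockfileVersion 2 or 3 lock file, where npm records the deprecation message on each `packages` entry, and the `sampleLock` data, `resolve` and `deprecatedByRoot` names, and the security keyword list are hypothetical.

```javascript
// Constructed sample shaped like the "packages" map of package-lock.json (v2/v3).
// Versions are from the issue; layout, ranges and shortened messages are assumptions.
const UUID3 = 'Older versions may use Math.random() in certain circumstances';
const REQ = 'request has been deprecated';
const sampleLock = { lockfileVersion: 3, packages: {
  '': { devDependencies: { appium: '1.22.3', wd: '1.12.1', uuid: '8.3.0' } },
  'node_modules/uuid': { version: '8.3.0' },
  'node_modules/appium': { version: '1.22.3', dependencies: { request: '^2.88.2' } },
  'node_modules/request': { version: '2.88.2', deprecated: REQ,
    dependencies: { uuid: '^3.3.2', 'har-validator': '~5.1.3' } },
  'node_modules/request/node_modules/uuid': { version: '3.4.0', deprecated: UUID3 },
  'node_modules/har-validator': { version: '5.1.5', deprecated: 'this library is no longer supported' },
  'node_modules/wd': { version: '1.12.1', dependencies: { request: '2.88.0' } },
  'node_modules/wd/node_modules/request': { version: '2.88.0', deprecated: REQ, dependencies: { uuid: '^3.3.2' } },
  'node_modules/wd/node_modules/uuid': { version: '3.4.0', deprecated: UUID3 },
} };

// Node-style lookup: try the nearest node_modules, then walk up toward the root.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}
// Deprecated package -> message, direct deps that pull it in, security flag (assumed keyword heuristic).
function deprecatedByRoot(lock) {
  const pkgs = lock.packages, report = {};
  const direct = { ...pkgs[''].dependencies, ...pkgs[''].devDependencies };
  for (const top of Object.keys(direct)) {
    const seen = new Set(), stack = [resolve(pkgs, '', top)];
    while (stack.length) {
      const path = stack.pop();
      if (!path || seen.has(path)) continue;
      seen.add(path);
      const pkg = pkgs[path];
      if (pkg.deprecated) {
        const id = path.slice(path.lastIndexOf('node_modules/') + 13) + '@' + pkg.version;
        const entry = report[id] || (report[id] = { message: pkg.deprecated, usedBy: [],
          security: /insecure|security|Math\.random/i.test(pkg.deprecated) });
        if (!entry.usedBy.includes(top)) entry.usedBy.push(top);
      }
      for (const dep of Object.keys({ ...pkg.dependencies, ...pkg.optionalDependencies }))
        stack.push(resolve(pkgs, path, dep));
    }
  }
  return report;
}
```

Workspace entries (`"link": true`) are not followed here, so packages under `./packages/*` would need their targets walked separately.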