apache / cordova

Apache Cordova
https://cordova.apache.org/

Cordova installation displaying warning #349

Open Likhi1111 opened 1 year ago

Likhi1111 commented 1 year ago

Issue Type

Description

Showing some warnings while installing Cordova.

Information

npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated stringify-package@1.0.1: This module is not used anymore, and has been replaced by @npmcli/package-json
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 489 packages, and audited 490 packages in 36s

52 packages are looking for funding
  run `npm fund` for details

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Command or Code

npm install -g cordova

Environment, Platform, Device

cmd

Version information

Checklist

breautek commented 1 year ago

A fresh install shows different results (`npm install -g cordova` may not be a fresh install if you had an older version previously installed).

npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 489 packages, and audited 490 packages in 1m

52 packages are looking for funding
  run `npm fund` for details

5 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

You can use `npm -g upgrade cordova` to upgrade global packages. The difference between upgrade and install is that install will update the main package, but may not recursively update its dependencies or child dependencies if the version is already satisfactory, whereas upgrade will upgrade all of the package's dependencies and child dependencies recursively to the latest version available that satisfies their declared semver version.

This will resolve the deprecation warnings you receive for uuid and stringify-package.

Nonetheless, there are still 2 active deprecations in use, which are har-validator and request:

npm ls har-validator
cdvtest@1.0.0 /home/norman/test/cdvtest
└─┬ cordova@11.0.0
  └─┬ insight@0.11.1
    └─┬ request@2.88.2
      └── har-validator@5.1.5

As you can see, har-validator is used by request, so...

npm ls request
cdvtest@1.0.0 /home/norman/test/cdvtest
└─┬ cordova@11.0.0
  ├─┬ cordova-create@4.0.0
  │ └─┬ cordova-fetch@3.0.1
  │   └─┬ pacote@11.3.5
  │     └─┬ @npmcli/run-script@1.8.6
  │       └─┬ node-gyp@7.1.2
  │         └── request@2.88.2 deduped
  └─┬ insight@0.11.1
    └── request@2.88.2

There are 2 sub-dependencies that Cordova depends on that include this dependency: pacote, which is part of NPM's codebase, and insight. Pacote may need to wait for NodeJS's package node-gyp to update first. There isn't anything Cordova can do directly to resolve these deprecation warnings. While these packages are deprecated, they should work as is for the foreseeable future. Therefore I think it's fine to wait for updates of the underlying packages for the time being.

As for the reported vulnerabilities, they are from the update-notifier package. There are ways to force Cordova to use a different version, such as version 6.x of update-notifier, which resolves the moderate vulnerabilities; however, 6.x includes breaking changes that, in a simple test, cause Cordova not to work properly. You can use `npm audit` to find more information on the vulnerabilities to determine the severity for you.
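As an added example (not from this thread or the Cordova project), the following script does over a JSON tree what the `npm ls request` output above does by hand: it lists every dependency chain that leads to a package and names the direct Cordova dependencies that pull it in, which is what tells you whether a deprecated or vulnerable transitive package can be dropped locally or has to wait on an upstream release. The tree is a constructed, trimmed sample in the shape of `npm ls --all --json` output, modelled on the chains quoted above; the function names are my own.

```javascript
// Constructed sample in the shape of `npm ls --all --json`, trimmed to the
// chains shown in this thread. A real run replaces this object with the
// parsed output of that command.
const sampleTree = {
  name: 'cdvtest', version: '1.0.0',
  dependencies: {
    cordova: { version: '11.0.0', dependencies: {
      'cordova-create': { version: '4.0.0', dependencies: {
        'cordova-fetch': { version: '3.0.1', dependencies: {
          pacote: { version: '11.3.5', dependencies: {
            '@npmcli/run-script': { version: '1.8.6', dependencies: {
              'node-gyp': { version: '7.1.2', dependencies: {
                request: { version: '2.88.2' } } } } } } } } } } },
      insight: { version: '0.11.1', dependencies: {
        request: { version: '2.88.2', dependencies: {
          'har-validator': { version: '5.1.5' } } } } },
    } },
  },
};

// Every chain ("name@version" per hop) from the root down to `target`.
// Deduped entries in real output carry a version too, so they are found.
function pathsTo(tree, target) {
  const found = [];
  const walk = (node, chain) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const next = chain.concat(`${name}@${dep.version}`);
      if (name === target) found.push(next);
      walk(dep, next);
    }
  };
  walk(tree, []);
  return found;
}

// Distinct package names at hop `level` of each chain to `target`; level 1
// is the direct dependency of the root's first child (here: of cordova).
// Scoped names such as @npmcli/run-script contain '@', so split on the last one.
function introducers(tree, target, level = 1) {
  const names = pathsTo(tree, target)
    .filter(chain => chain.length > level)
    .map(chain => chain[level].slice(0, chain[level].lastIndexOf('@')));
  return [...new Set(names)];
}

for (const chain of pathsTo(sampleTree, 'request')) console.log(chain.join(' > '));
console.log('pulled in via:', introducers(sampleTree, 'request').join(', '));
```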