`punycode` deprecation message displayed with Node.js >= `v21.x`

MikeMcC399 commented 10 months ago

Summary

When @cypress/request is run in a Node.js 21.x or 22.x environment, a deprecation notice is output:

[DEP0040] DeprecationWarning: The punycode module is deprecated. Please use a userland alternative instead.

punycode has been deprecated in Node.js since v7.0.0. Starting with Node.js 21.x the deprecation is actively announced at run-time (see https://github.com/nodejs/node/pull/47202).

The linked deprecation notice contains the text:

"The version of the punycode module bundled in Node.js is being deprecated. In a future major version of Node.js this module will be removed."

This poses a risk for the future use of @cypress/request.

Simplest Example to Reproduce

Create the following file as request_test.js

const request = require('@cypress/request');
request('https://github.com/cypress-io/request');

In a Node.js 22.x environment, install @cypress/request and execute with

node --trace-deprecation request_test.js

Alternatively execute the following in a clone of this repo:

npm install
export NODE_OPTIONS=--trace-deprecation
npm run test-ci

Expected Behavior

No deprecation warning should be produced when using @cypress/request under Node.js 22.x

Current Behavior

When Node.js v21.0.0 is used, then running the test produces a deprecation warning:

$ node --trace-deprecation request_test.js
(node:3952) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
    at node:punycode:3:9
    at BuiltinModule.compileForInternalLoader (node:internal/bootstrap/realm:397:7)
    at BuiltinModule.compileForPublicLoader (node:internal/bootstrap/realm:333:10)
    at loadBuiltinModule (node:internal/modules/helpers:101:7)
    at Module._load (node:internal/modules/cjs/loader:1006:17)
    at Module.require (node:internal/modules/cjs/loader:1237:19)
    at require (node:internal/modules/helpers:176:18)
    at Object.<anonymous> (/home/mike/github/request_test/node_modules/psl/index.js:5:16)
    at Module._compile (node:internal/modules/cjs/loader:1378:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1437:10)

showing that psl@1.9.0 is the problematic call.

$ npm ls psl
└─┬ @cypress/request@3.0.1
  └─┬ tough-cookie@4.1.3
    └── psl@1.9.0

See issue https://github.com/lupomontero/psl/issues/315

Solution options

The Node.js punycode deprecation notice contains hints on how to update to a supported environment. It seems that this will not be possible to implement for @cypress/request without major changes.

punycode is not used directly by @cypress/request so the issue could only be solved by updating dependencies. Since codecov@3.8.3 is already the latest version and codecov has been deprecated. At first glance that would seem to block resolving the issue through simple version update of dependencies.

Some dependencies are proposed for update through PR https://github.com/cypress-io/request/pull/45, however this does not solve the issue. It would require quite some effort to dig into each of the dependencies to check their relationship with this issue.

The repo request/request from which @cypress/request is forked, was already deprecated on Feb 11, 2020 and therefore there will be no resolution available from the upstream repo.

Dependency tree

$ npm ls punycode
@cypress/request@0.0.0-development
├─┬ browserify@13.3.0
│ ├── punycode@1.4.1
│ └─┬ url@0.11.3
│   └── punycode@1.4.1 deduped
├─┬ codecov@3.8.3
│ └─┬ urlgrey@1.0.0
│   └─┬ fast-url-parser@1.1.3
│     └── punycode@1.4.1 deduped
├─┬ coveralls@3.1.1
│ └─┬ request@2.88.2
│   ├─┬ har-validator@5.1.5
│   │ └─┬ ajv@6.12.6
│   │   └─┬ uri-js@4.4.1
│   │     └── punycode@2.3.0
│   └─┬ tough-cookie@2.5.0
│     └── punycode@2.3.0
├─┬ karma-browserify@5.3.0
│ └─┬ watchify@3.11.1
│   └─┬ browserify@16.5.2
│     └── punycode@1.4.1 deduped
├─┬ tap@15.2.3
│ ├─┬ tap-mocha-reporter@5.0.4
│ │ └─┬ unicode-length@2.1.0
│ │   └── punycode@2.3.0
│ └─┬ treport@3.0.3
│   └─┬ unicode-length@2.0.2
│     └── punycode@2.1.1
└─┬ tough-cookie@4.1.3
  └── punycode@2.3.0

browserify@13.3.0

├─┬ browserify@13.3.0
│ ├── punycode@1.4.1
│ └─┬ url@0.11.3
│   └── punycode@1.4.1 deduped

browserify current version is browserify@17.0.0 published 3 years ago.

codecov@3.8.3

├─┬ codecov@3.8.3
│ └─┬ urlgrey@1.0.0
│   └─┬ fast-url-parser@1.1.3
│     └── punycode@1.4.1 deduped

codecov@3.8.3 is the latest version and the package has been deprecated.

karma-browserify@5.3.0

├─┬ karma-browserify@5.3.0
│ └─┬ watchify@3.11.1
│   └─┬ browserify@16.5.2
│     └── punycode@1.4.1 deduped

karma-browserify current version is karma-browserify@8.1.0 published 2 years ago.

Context

https://nodejs.org/dist/latest-v21.x/docs/api/punycode.html#punycode

Since the version of the punycode module bundled in Node.js is being deprecated and it will be removed in a future major version of Node.js, there is a risk that at some time in the future @cypress/request will no longer work.

Your Environment

software	version
@cypress/request	`3.0.1`
node	~~`v21.0.0`~~ `v22.5.1`
npm	~~`10.2.0`~~ `10.8.2`
Operating System	`Ubuntu 22.04.4 LTS`

AnWeber commented 10 months ago

Just for information on how tough-cookie wants to deal with this error: https://github.com/salesforce/tough-cookie/issues/324

MikeMcC399 commented 10 months ago

@AnWeber

Just for information on how tough-cookie wants to deal with this error: salesforce/tough-cookie#324

Thanks for passing this on!

MikeMcC399 commented 2 months ago

https://github.com/salesforce/tough-cookie/issues/338#issuecomment-2091270187 says the fix is available in a pre-release v5 version of tough-cookie

cypress-io / request