gatsbyjs / gatsby

The best React-based framework with performance, scalability and security built in.
https://www.gatsbyjs.com
MIT License

Important dependencies update warnings. #23273

Closed ghost closed 4 years ago

ghost commented 4 years ago

Following are the warnings that appear while doing npm i or yarn install:

LekoArts commented 4 years ago

Thank you for opening this!

We're aware of these warnings but are currently bound to certain versions due to some dependencies. You won't need to do anything and you can ignore those warnings. Eventually we'll resolve those.

We're marking this issue as answered and closing it for now but please feel free to comment here if you would like to continue this discussion. We also recommend heading over to our communities if you have questions that are not bug reports or feature requests. We hope we managed to help and thank you for using Gatsby!

polarathene commented 4 years ago

We're aware of these warnings but are currently bound to certain versions due to some dependencies. You won't need to do anything and you can ignore those warnings. Eventually we'll resolve those.

@LekoArts what is the status on Chokidar warnings about breakage on node 14?

For watchpack, the maintainer was against updating to v3 of Chokidar due to supporting node v6 still (despite EOL status). Their current watchpack v2 beta is dropping chokidar entirely for some reason, with webpack v5 to use that instead, against the concerns raised by the chokidar maintainer.

The current watchpack v1.x release did get chokidar v3 support, as some users were experiencing issues with chokidar v2 in node 14+. However watchpack supports this by making chokidar v2 and v3 optional dependencies. I'm not sure but I assume that's downloading both packages, so the warning about v2 with watchpack could be superfluous?

There are a few other warnings for other packages that reference chokidar v2 however; is there a tracking issue/PR for where these will eventually be resolved? I've been tracking down the dependencies and can see that some appear unmaintained for 1-2 years or so, or failed to push a new release out.

polarathene commented 4 years ago

The main gatsby package has an outdated semver:

https://github.com/gatsbyjs/gatsby/blob/445e31510e549e177363aaa29bd0b1edf70d4ff2/packages/gatsby/package.json#L33

That package reached a 1.0.2 release back in April 2019. Version 0.3.3 (Aug 2018) is what gets installed still today however, and the project repo itself lacks any commits since Sep 2018.

It continues to list chokidar v2 as an optional dependency, but I'm not sure if that allows for overriding it elsewhere with chokidar v3 (which is API compatible apart from an async close() and requiring node 8+).

If a dependency can be used, but you would like npm to proceed if it cannot be found or fails to install, then you may put it in the optionalDependencies object. This is a map of package name to version or url, just like the dependencies object. The difference is that build failures do not cause installation to fail. Entries in optionalDependencies will override entries of the same name in dependencies, so it’s usually best to only put in one place. - NPM docs - optionalDependency

polarathene commented 4 years ago

Update eslint-plugin-graphql to 4.0.0 to remove deprecation warning (I was originally going to submit an issue for this).

Doesn't appear to be any issue/PR for it, renovate-bot hasn't picked up on it.

Updating to 4.0.0 will remove a warning during install:

warning gatsby > eslint-plugin-graphql > graphql-config > graphql-import@0.7.1: GraphQL Import has been deprecated and merged into GraphQL Tools, so it will no longer get updates. Use GraphQL Tools instead to stay up-to-date! Check out https://www.graphql-tools.com/docs/migration-from-import for migration and https://the-guild.dev/blog/graphql-tools-v6 for new changes.

polarathene commented 4 years ago

The micromatch / snapdragon issue, I raised an issue with. The snapdragon package hasn't seen any activity since 2018, but micromatch which is maintained by the same devs has been active. There's already been a PR sitting around with the fix in snapdragon, but it hasn't been responded to. I raised an issue on micromatch repo to raise awareness of that.

I've also raised an issue for the request package deprecation in probe-image-size.

Hopefully those projects will update their dependencies and publish a new release.

One of the core-js warnings for upgrading to v3 relies on the fbjs package, which has not seen a release since 2018. Several months ago a maintainer did merge a PR updating the dependency, but there was no associated package version bump and release, so that's stuck while relied upon.

polarathene commented 4 years ago

Benefits by the chokidar maintainer for v3 are mentioned here:

We've released Chokidar 3 in April. See my post on that: Chokidar 3: How to save 32TB of traffic every week with one NPM package

The changes are pretty big. First of all, the package is 16 times smaller and uses 15 dependencies instead of 201. We've switched to n-api, which means users won't download fsevents binaries anymore. n-api is included in every nodejs installation, and it's tiny. Directory walking has been improved massively with stream implementation of readdirp. Massive RAM & CPU improvements etc.

From the blogpost link:

Switching node-fsevents to N-API, a new API for building native addons. In v2, we’ve been using node-gyp, which is buggy, sloppy, and produced useless errors while compiling.

Rewriting readdirp — another module of ours — to a stream API. Allowed to reduce memory consumption by a factor of 5 in some cases.

To handle globs, we’ve rewritten picomatch and braces to use its own parsers instead of 3-rd party dep. This allowed to drop dependency count significantly.

~8MB package size down to ~500KB. node-gyp has caused plenty of problems for me, though I think that's still used elsewhere for some packages in sharp depending on system installed on.

ghost commented 4 years ago

Hello, +1 to that. I'm feeling increasingly uneasy about these warnings too. @shreyansh-zazz can you reopen the issue?

ghost commented 4 years ago

Hi @alvincodes

I don't have permission to reopen this issue.