search

http-party / node-portfinder

A simple tool to find an open port or domain socket on the current machine
https://github.com/http-party/node-portfinder
Other
887 stars 95 forks source link

migrate to mkdirp v1 #112

Closed Hypnosphi closed 2 years ago

Hypnosphi commented 4 years ago

npm says that mkdirp v0.x has been deprecated: 

npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
jimmywarting commented 3 years ago

how about dropping it and use nodes built in mkdir (recursive option) instead?

eriktrom commented 3 years ago

how about dropping it and use nodes built in mkdir (recursive option) instead?

we have to support node 0.10.x - that said - neither of the above (built in mkdir or promises) can be merged in...

is there a security issue here or just 'lets keep node modern' which is totally legit, just not with this lib unfortunately

open to discussion if there is a reason outside of staying modern...

Hypnosphi commented 3 years ago

lets keep node modern

it's rather 'lets not depend on deprecated things'

jimmywarting commented 3 years ago

... and use less dependencies and making it smaller

eriktrom commented 3 years ago

I actually feel the same way and have opened an issue (that I need to clean up b/c it was a brain dump) #122

perhaps it should just say:

'lets not depend on deprecated things'

at least that's what I am trying to say, in a very round about way :)

DavideBecker commented 2 years ago

You should consider updating mkdirp at least to a version that fixes https://github.com/advisories/GHSA-xvch-5gv4-984h. See:

https://github.com/isaacs/node-mkdirp/issues/27 https://github.com/substack/minimist/issues/164

ext commented 2 years ago

how about dropping it and use nodes built in mkdir (recursive option) instead?

we have to support node 0.10.x - that said - neither of the above (built in mkdir or promises) can be merged in...

I'm not fully understanding the reasoning here but skimming through some older comments it seems to be related to embedded machines running older node versions? Correct me if I'm wrong though.

My two cents about this is that some systems are using older nodejs versions and will not / cannot update but they would probably not update portfinder either? I suggest to release a new breaking 2.0.0 release dropping support for older nodejs versions and if needed critical bugfixes could be backported to v1 while v2 could be kept a bit more modern.

mkdirp can be replaced since Node 10 and Node 10 is so old by now it is end-of-life already (since a year ago). Node 0.10.x is almost 6 years after EOL.

Glandos commented 2 years ago

mkdirp has a new 0.5.6 version with updated minimist dependency. It should fix the issue for now.

eriktrom commented 2 years ago

@see https://github.com/http-party/node-portfinder/issues/131

also minimist has been updated tonight, it will go out in the next release this week.