hubotio / hubot

A customizable life embetterment robot.
https://hubotio.github.io/hubot/
MIT License
16.64k stars 3.75k forks

fix deprecated dependencies #1605

Closed joeyguerra closed 1 year ago

joeyguerra commented 1 year ago

Hubot is old. There are some dependencies that are deprecated, no longer maintained. The following is the output from NPM with Node.js v18.3.0. The current Node.js LTS version is v18.16.0.

I'm guessing that in order to resolve these issues, we might have to get rid of some of the dev dependencies. For instance, I just noticed that coveralls depends on a version of request that is out of date and has a security issue.


```
➜  hubot git:(master) ✗ npm i
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated formatio@1.1.1: This package is unmaintained. Use @sinonjs/formatio instead
npm WARN deprecated samsam@1.1.2: This package has been deprecated in favour of @sinonjs/samsam
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 866 packages, and audited 1103 packages in 5s

175 packages are looking for funding
  run `npm fund` for details

2 moderate severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
```

technicalpickles commented 1 year ago

I renamed this "fix deprecated dependencies", which I think reflects the work. "Modernize the code base" can mean a lot more.

coveralls is a code coverage tool, with a service backing it. If it's not useful, then we can drop it if it's not providing value AND has deprecations.

joeyguerra commented 1 year ago

I don't yet have a scenario where I would get value from coveralls. I could see using it if we were strictly using TDD as our designing process. But I don't want to be dogmatic about TDD. I prefer balancing tradeoffs instead of applying a general rule across the board.

I'll create a PR to remove coveralls.

joeyguerra commented 1 year ago

Dependencies have been updated to their latest versions. We'll work on replacing the log module in a future release.