Open Varun-Chakraborty opened 1 month ago
I'm having this issue as well; another StackOverflow post suggested the same: Stackoverflow post
I'm encountering the same problem with the 'npmlog' package. Upon further investigation, I noticed that the package has been archived. It seems that this could be causing the issue.
WARN 3 deprecated subdependencies found: are-we-there-yet@2.0.0, gauge@3.0.2, npmlog@5.0.1
dependencies:
bcrypt 5.1.1
└─┬ @mapbox/node-pre-gyp 1.0.11
  └─┬ npmlog 5.0.1
    ├── are-we-there-yet 2.0.0
    └── gauge 3.0.2
Node version: v20.11.0
@cristian2213 @Varun-Chakraborty try using bcryptjs. It works exactly the same, without the issues with archived dependencies.
@mathdebate09 that project was last updated 4 years ago; is it being maintained?
@Varun-Chakraborty I don't exactly know, but popular OS communities (theodinproject & fullstackopen) said it's a safe alternative, so I didn't check about it.
@mathdebate09 oh great! I've been using it for some time now; looks good to me.
It's getting worse:
#18 2.004 npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
#18 2.190 npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
#18 2.216 npm warn deprecated npmlog@5.0.1: This package is no longer supported.
#18 2.321 npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
#18 2.461 npm warn deprecated are-we-there-yet@2.0.0: This package is no longer supported.
#18 2.547 npm warn deprecated gauge@3.0.2: This package is no longer supported.
proeject@1.0.0
└─┬ bcrypt@5.1.1
  └─┬ @mapbox/node-pre-gyp@1.0.11
    ├─┬ npmlog@5.0.1
    │ ├── are-we-there-yet@2.0.0
    │ └── gauge@3.0.2
    └─┬ rimraf@3.0.2
      └─┬ glob@7.2.3
        └── inflight@1.0.6
The last publish of bcryptjs was 7 years ago.
It might be considered as "It just works", but the fact that there are no reviews raises the following question: "What happens if a security issue is discovered?"
It seems that to produce an update the author would have to rewrite a big chunk of it.
[...] it is also true to say that it is no longer possible to git clone this repository and run npm install due to deprecated devDependencies - in particular, ClosureCompiler gets a 404 error when trying to install. That does mean if there were ever a need to apply a fix to this library, the whole build component of it would need fixing first. src: https://github.com/dcodeIO/bcrypt.js/issues/155#issuecomment-2141563316
It might be considered as "It just works", but the fact that there are no reviews raises the following question: "What happens if a security issue is discovered?"
Yep, that's the point.
I might be mistaken, but it seems all of the deprecated warnings are from dependencies in @mapbox/node-pre-gyp. Looks like that package was last updated on Jul 14, 2023.
I read about it, and what I understood is this: since this version of bcrypt is written in C++, we need a binary to get it working with Node.js, so either we compile it ourselves using a C++ compiler or, if one is available for our OS, we use the prebuilt binary from node-pre-gyp. So updating that is not a concern, since bcrypt itself is some 9 to 10 months old; what we were talking about are packages like inflight, which is causing a memory leak and crashing the program.
@Varun-Chakraborty @mapbox/node-pre-gyp uses rimraf@3.x, which stopped using glob and inflight from version 4.0 (https://github.com/isaacs/rimraf/issues/309), like last month (May 2024), so it'll take a while for the changes to reflect in the various packages that depend on those.
Hello guys, I did this to my package.json and the warning about inflight disappeared. Is this okay?
"dependencies": {
  "bcrypt": "^5.1.1"
},
"overrides": {
  "glob": "10.4.2",
  "rimraf": "5.0.7"
}
These were the only warnings that showed up after installing:
npm warn deprecated npmlog@5.0.1: This package is no longer supported.
npm warn deprecated are-we-there-yet@2.0.0: This package is no longer supported.
npm warn deprecated gauge@3.0.2: This package is no longer supported.
What do you guys think?
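A way to check that overrides like the ones above actually changed the resolved tree, as an added example that is not from this thread or from the bcrypt project: it walks the JSON that `npm ls --all --json` prints and lists every dependency chain that still ends at one of the package versions named in the deprecation warnings quoted here. The two trees below are constructed samples mirroring the tree posted in this thread before and after the overrides.

```javascript
// Added example (not from the thread): walk the JSON that
// `npm ls --all --json` prints and list every dependency chain that
// still reaches a package version flagged in the deprecation warnings
// quoted above. Run it after adding "overrides" to package.json to
// confirm the replacements actually took effect in the resolved tree.

// Versions named in the deprecation warnings quoted in this thread.
const DEPRECATED = new Set([
  'npmlog@5.0.1', 'are-we-there-yet@2.0.0', 'gauge@3.0.2',
  'rimraf@3.0.2', 'glob@7.2.3', 'inflight@1.0.6',
]);

// Recursively collect "a@x > b@y > c@z" chains ending at a flagged version.
function findDeprecatedPaths(tree, deprecated = DEPRECATED, trail = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const id = `${name}@${info.version}`;
    const path = [...trail, id];
    if (deprecated.has(id)) hits.push(path.join(' > '));
    hits.push(...findDeprecatedPaths(info, deprecated, path));
  }
  return hits;
}

// Constructed sample mirroring the tree posted in this thread, before overrides.
const BEFORE = {
  dependencies: {
    bcrypt: { version: '5.1.1', dependencies: {
      '@mapbox/node-pre-gyp': { version: '1.0.11', dependencies: {
        npmlog: { version: '5.0.1', dependencies: {
          'are-we-there-yet': { version: '2.0.0' }, gauge: { version: '3.0.2' } } },
        rimraf: { version: '3.0.2', dependencies: {
          glob: { version: '7.2.3', dependencies: { inflight: { version: '1.0.6' } } } } },
      } },
    } },
  },
};

// Constructed sample after the overrides posted above (glob 10.4.2,
// rimraf 5.0.7): the rimraf > glob > inflight chain is gone, only npmlog remains.
const AFTER = JSON.parse(JSON.stringify(BEFORE));
AFTER.dependencies.bcrypt.dependencies['@mapbox/node-pre-gyp'].dependencies.rimraf =
  { version: '5.0.7', dependencies: { glob: { version: '10.4.2' } } };

console.log('before overrides:', findDeprecatedPaths(BEFORE));
console.log('after overrides:', findDeprecatedPaths(AFTER));
```

Against a real project, replace the constructed trees with `JSON.parse` of the captured `npm ls --all --json` output.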
Hey, just tried installing bcrypt in my project and here are the deprecation warnings I am getting, just to notify if any of these are security issues: npm i bcrypt
Just for reference, I have Node version v20.10.0.