kelektiv / node.bcrypt.js

bcrypt for NodeJs
MIT License

deprecated warnings #1038

Open Varun-Chakraborty opened 1 month ago

Varun-Chakraborty commented 1 month ago

Hey, I just tried installing bcrypt in my project and here are the deprecation warnings I am getting, just to notify in case any of these are security issues:

npm i bcrypt

npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated npmlog@5.0.1: This package is no longer supported.
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated are-we-there-yet@2.0.0: This package is no longer supported.
npm warn deprecated gauge@3.0.2: This package is no longer supported.

added 57 packages, and audited 178 packages in 5s

Just for reference, I have Node version v20.10.0.

mathdebate09 commented 1 month ago

I'm having this issue as well; another StackOverflow post suggested the same: Stackoverflow post

cristian2213 commented 1 month ago

I'm encountering the same problem with the 'npmlog' package. Upon further investigation, I noticed that the package has been archived. It seems that this could be causing the issue.

WARN  3 deprecated subdependencies found: are-we-there-yet@2.0.0, gauge@3.0.2, npmlog@5.0.1
dependencies:
bcrypt 5.1.1
└─┬ @mapbox/node-pre-gyp 1.0.11
  └─┬ npmlog 5.0.1
    ├── are-we-there-yet 2.0.0
    └── gauge 3.0.2

Node version: v20.11.0

mathdebate09 commented 1 month ago

@cristian2213 @Varun-Chakraborty try using bcryptjs. It works exactly the same, without the issues with archived dependencies.

Varun-Chakraborty commented 1 month ago

@mathdebate09 that project was last updated 4 years ago; is it being maintained?

mathdebate09 commented 1 month ago

@Varun-Chakraborty I don't exactly know, but popular OS communities (theodinproject & fullstackopen) said it's a safe alternative, so I didn't check it.

Varun-Chakraborty commented 4 weeks ago

@mathdebate09 oh great! I've been using it for some time now; looks good to me.

oom- commented 3 weeks ago

It's getting worse:

#18 2.004 npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
#18 2.190 npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
#18 2.216 npm warn deprecated npmlog@5.0.1: This package is no longer supported.
#18 2.321 npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
#18 2.461 npm warn deprecated are-we-there-yet@2.0.0: This package is no longer supported.
#18 2.547 npm warn deprecated gauge@3.0.2: This package is no longer supported.
proeject@1.0.0
└─┬ bcrypt@5.1.1
  └─┬ @mapbox/node-pre-gyp@1.0.11
    ├─┬ npmlog@5.0.1
    │ ├── are-we-there-yet@2.0.0
    │ └── gauge@3.0.2
    └─┬ rimraf@3.0.2
      └─┬ glob@7.2.3
        └── inflight@1.0.6

Last publish of bcryptjs is 7 years ago.

Might be considered as "It just works", but the fact that there are no reviews raises the following question: "What happens if a security issue is discovered?"

It seems that to produce an update the author would have to rewrite a big chunk of it.

[...] it is also true to say that it is no longer possible to git clone this repository and run npm install due to deprecated devDependencies - in particular, ClosureCompiler gets a 404 error when trying to install. That does mean if there were ever a need to apply a fix to this library, the whole build component of it would need fixing first. src: https://github.com/dcodeIO/bcrypt.js/issues/155#issuecomment-2141563316

lightningspirit commented 3 weeks ago

Might be considered as "It just works", but the fact that there are no reviews raises the following question: "What happens if a security issue is discovered?"

Yep, that's the point.

callenAUS commented 2 weeks ago

I might be mistaken, but it seems all of the deprecated warnings are from dependencies in @mapbox/node-pre-gyp. Looks like that package was last updated on Jul 14, 2023.

Varun-Chakraborty commented 2 weeks ago

I might be mistaken, but it seems all of the deprecated warnings are from dependencies in @mapbox/node-pre-gyp. Looks like that package was last updated on Jul 14, 2023.

Read about it, and what I understood is that since this version of bcrypt is written in C++, we need a binary to get it working with Node.js: either we compile it on our own using a C++ compiler or, if one is available for our OS, we use the prebuilt binary from node-pre-gyp. So updating that is not a concern, since bcrypt itself is some 9 to 10 months old. What we were talking about are packages like inflight, which is causing a memory leak and crashing the program.

ebosetalee commented 2 weeks ago

@Varun-Chakraborty @mapbox/node-pre-gyp uses rimraf@3.x.x, which stopped using @glob @inflight from version 4.0 (https://github.com/isaacs/rimraf/issues/309), like last month (May 2024), so it'll take a while for the changes to reflect in the various packages that depend on those.

vnc-tech commented 1 week ago

Hello guys, I did this to my package.json and the warning about inflight disappeared. Is this okay?

"dependencies": {
  "bcrypt": "^5.1.1"
},
"overrides": {
  "glob": "10.4.2",
  "rimraf": "5.0.7"
}

These were the only warnings that showed up after installing:

npm warn deprecated npmlog@5.0.1: This package is no longer supported.
npm warn deprecated are-we-there-yet@2.0.0: This package is no longer supported.
npm warn deprecated gauge@3.0.2: This package is no longer supported.

What do you guys think?
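To make the reasoning in this thread concrete (which chain pulls inflight in through @mapbox/node-pre-gyp, and whether an overrides entry like the one above actually removes it from the lock), here is an added example script; it is not code from node.bcrypt.js or from anyone in this thread. It assumes the package-lock.json v3 layout (a "packages" map keyed by node_modules path) and uses a constructed, trimmed lock for the before and after states, with illustrative version ranges.

```javascript
// Added example (not node.bcrypt.js code): walk a package-lock.json v3 "packages" map the way
// Node resolves modules, to see which chain pulls in a deprecated package and whether an "overrides" entry removes it.
const DEPRECATED = new Set(["inflight@1.0.6", "npmlog@5.0.1", "rimraf@3.0.2",   // versions warned
  "glob@7.2.3", "are-we-there-yet@2.0.0", "gauge@3.0.2"]);                        // about in this thread
const nameOf = (p) => p.slice(p.lastIndexOf("node_modules/") + 13);  // drop any nesting prefix
const label = (pkgs, p) => `${nameOf(p)}@${pkgs[p].version}`;
// Resolve `name` as required by the package at `fromPath` ("" = project root): the nearest
// node_modules/<name> walking upward, the way Node's loader does (so nested copies win).
function resolve(pkgs, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (pkgs[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i < 0 ? "" : base.slice(0, i);
  }
}
// Depth-first walk from the root; returns every "name@version" chain ending at `target`.
function chainsTo(lock, target) {
  const pkgs = lock.packages, found = [];
  const walk = (path, chain) => {
    for (const dep of Object.keys(pkgs[path].dependencies || {})) {
      const p = resolve(pkgs, path, dep);
      if (!p || chain.includes(p)) continue; // not installed, or a dependency cycle
      const next = [...chain, p];
      if (dep === target) found.push(next.map((q) => label(pkgs, q)));
      walk(p, next);
    }
  };
  walk("", []);
  return found;
}
const deprecatedIn = (lock) => Object.keys(lock.packages).filter(Boolean)   // sorted list of
  .map((p) => label(lock.packages, p)).filter((id) => DEPRECATED.has(id)).sort(); // deprecated installs
// Constructed lock, trimmed to the chain shown in this issue, before any overrides.
const BEFORE = { packages: {
  "": { dependencies: { bcrypt: "^5.1.1" } },
  "node_modules/bcrypt": { version: "5.1.1", dependencies: { "@mapbox/node-pre-gyp": "^1.0.11" } },
  "node_modules/@mapbox/node-pre-gyp": { version: "1.0.11", dependencies: { npmlog: "^5.0.1", rimraf: "^3.0.2" } },
  "node_modules/npmlog": { version: "5.0.1", dependencies: { "are-we-there-yet": "^2.0.0", gauge: "^3.0.2" } },
  "node_modules/are-we-there-yet": { version: "2.0.0" }, "node_modules/gauge": { version: "3.0.2" },
  "node_modules/rimraf": { version: "3.0.2", dependencies: { glob: "^7.1.3" } },
  "node_modules/glob": { version: "7.2.3", dependencies: { inflight: "^1.0.4" } },
  "node_modules/inflight": { version: "1.0.6" } } };
// The same project after "overrides": { "glob": "10.4.2", "rimraf": "5.0.7" } (constructed).
const AFTER = { packages: { ...BEFORE.packages,
  "node_modules/rimraf": { version: "5.0.7", dependencies: { glob: "^10.4.2" } },
  "node_modules/glob": { version: "10.4.2" } } };
delete AFTER.packages["node_modules/inflight"];
```

Run against a real lock with `JSON.parse(fs.readFileSync("package-lock.json"))`; the npmlog, are-we-there-yet and gauge chain still shows up after the overrides because it comes from @mapbox/node-pre-gyp directly, not via rimraf.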