librarianphp / librarian

A static site generator and markdown indexer inspired by Hugo and DEV, written in PHP
https://librarianphp.dev/
MIT License
134 stars 11 forks

Dependency Discussion #32

Closed unisys12 closed 1 year ago

unisys12 commented 1 year ago

I just learned about Librarian this morning and since I have a soft spot for SSGs and PHP, I naturally wanted to check it out. Upon install though, I noticed a few red flags after running npm install.

npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'amqplib@0.5.2',
npm WARN EBADENGINE   required: { node: '>=0.8 <=9' },
npm WARN EBADENGINE   current: { node: 'v18.12.1', npm: '9.6.7' }
npm WARN EBADENGINE }
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 322 packages, and audited 323 packages in 38s

70 packages are looking for funding
  run `npm fund` for details

12 vulnerabilities (4 moderate, 4 high, 4 critical)

I do not look at NPM warnings like they mean the end of the world, but I will at least investigate them. If for no other reason than to learn. And that's primarily my goal with the dev projects I have. Any who!

Upon looking into the above warning and resulting audit report, this all stems from a dependency found in package.json on line 14 https://github.com/librarianphp/librarian/blob/54bfb9bdf6057b4abfce074ee346a765191b42d4/package.json#L14

Looking through the Blame history, it seems as though this was added back in 2021 when the initial config for TailwindCSS was set up. It seems that the only JS that is used in the project is PrismJS, so to make double sure I did a search in VSCode for uses of Tailwind related methods, such as tailwind.createApp( & api.use. I will admit that it's not an exhaustive search or anything, but it was enough for me to think that Librarian is not using WebSockets or any fancy streaming of I/O. At least on the surface.

Running a simple npm remove tailwind results in the removal of 191 packages and everything, as far as I can tell, seems to work normally. And with all due respect to your time and this project, I wanted to at least open up a discussion before submitting any code changes. Thank you for all you do and the time that you have devoted to it!
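A way to trace which top-level entry in package.json is responsible for the flagged packages, as an added example that is not part of the librarian project. The package-lock.json fragment below is constructed to mirror the thread's finding (a mistaken "tailwind" entry pulling in amqplib@0.5.2 and uuid@3.3.2); the real lockfile is not reproduced here.

```javascript
// Added example, not code from the librarian project. Walks a lockfile
// (npm v2/v3 "packages" map) to answer "which top-level dependency brings
// in package X?", similar to what `npm explain` does. The lock object is
// CONSTRUCTED for illustration; versions/engine string come from the thread.
const lock = {
  packages: {
    "": { dependencies: { tailwind: "^4.0.0", prismjs: "^1.29.0" } },
    "node_modules/tailwind": { version: "4.0.0", dependencies: { amqplib: "0.5.2", uuid: "3.3.2" } },
    "node_modules/amqplib": { version: "0.5.2", engines: { node: ">=0.8 <=9" } },
    "node_modules/uuid": { version: "3.3.2", deprecated: "Please upgrade to version 7 or higher." },
    "node_modules/prismjs": { version: "1.29.0" },
  },
};

// Resolve `name` as required from the package at location `from`, using npm's
// nested node_modules lookup: nearest node_modules directory, walking upwards.
function resolveDep(packages, from, name) {
  let dir = from;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null; // reached the root without finding it
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// BFS from the root to find the shortest chain of name@version entries from a
// top-level dependency down to `target`. Returns [] if `target` is not in the tree.
function explain(packages, target) {
  const queue = [["", []]];
  const seen = new Set([""]);
  while (queue.length) {
    const [loc, chain] = queue.shift();
    for (const dep of Object.keys(packages[loc].dependencies || {})) {
      const next = resolveDep(packages, loc, dep);
      if (!next || seen.has(next)) continue;
      const nextChain = [...chain, dep + "@" + packages[next].version];
      if (dep === target) return nextChain;
      seen.add(next);
      queue.push([next, nextChain]);
    }
  }
  return [];
}

// Packages that would produce the "deprecated" or EBADENGINE (upper-bounded
// engines.node range) warnings seen above, each with the chain that pulls it in.
function auditFlags(packages) {
  const name = (loc) => loc.split("node_modules/").pop();
  return Object.entries(packages)
    .filter(([loc, p]) => loc && (p.deprecated || (p.engines && /<\s*=?\s*\d/.test(p.engines.node || ""))))
    .map(([loc, p]) => ({ name: name(loc), version: p.version, via: explain(packages, name(loc)).join(" > ") }));
}

for (const f of auditFlags(lock.packages)) console.log(`${f.name}@${f.version} via ${f.via}`);
```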

erikaheidi commented 1 year ago

Hi @unisys12 ! Thank you for opening this discussion, and for taking the time to investigate. I was confused at first but then I realized the package name changed from tailwind to tailwindcss - then THIS is WHY all those warnings! Thanks so much for flagging this. I just updated it and all the warnings are gone, I will release a new version today with the change.

erikaheidi commented 1 year ago

Merged and done! Sorry I didn't give you time to send the PR, it's because I need to make a release today :D

unisys12 commented 1 year ago

> Merged and done! Sorry I didn't give you time to send the PR, it's because I need to make a release today :D

Perfectly fine.