Open dependabot[bot] opened 3 months ago
This upgrade would resolve the deprecation warning about punycode
seen when using this tool:
(node:282386) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
running with --trace-deprecation
gives (for example):
(node:282619) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
at node:punycode:3:9
at BuiltinModule.compileForInternalLoader (node:internal/bootstrap/realm:399:7)
at BuiltinModule.compileForPublicLoader (node:internal/bootstrap/realm:338:10)
at loadBuiltinModule (node:internal/modules/helpers:99:7)
at Module._load (node:internal/modules/cjs/loader:1099:17)
at TracingChannel.traceSync (node:diagnostics_channel:315:14)
at wrapModuleLoad (node:internal/modules/cjs/loader:217:24)
at Module.require (node:internal/modules/cjs/loader:1339:12)
at require (node:internal/modules/helpers:126:16)
at Object.<anonymous> (.../node_modules/whatwg-url/lib/url-state-machine.js:2:18)
checking where whatwg-url
shows up I found:
$ npm ls whatwg-url
pin-github-action@1.9.1 .../pin-github-action
└─┬ @octokit/rest@18.12.0
└─┬ @octokit/core@3.6.0
└─┬ @octokit/request@5.6.3
└─┬ node-fetch@2.6.7
└── whatwg-url@5.0.0
and indeed, trying to run this project with this update makes the initial deprecation warning go away, seemingly as a result of dropping whatwg-url
:
$ npm ls whatwg-url
pin-github-action@1.9.1 .../pin-github-action
└── (empty)
This isn't as easy as it appears sadly 😢
Octokit has moved to ESM modules away from CommonJS, which means some fairly involved work to update the rest of the project
I see :disappointed: A quick (and dirty?) solution could be to await import("@octokit/rest")
inside the return Promise
. It's already async so this shouldn't be a problem.
The following diff works for me when running the application:
-const { Octokit } = require("@octokit/rest");
-const github = new Octokit({
- auth: process.env.GH_ADMIN_TOKEN,
-});
-
let debug = () => {};
module.exports = function (action, log) {
debug = log.extend("find-ref-on-github");
return new Promise(async function (resolve, reject) {
+ const { Octokit } = await import("@octokit/rest");
+ const github = new Octokit({
+ auth: process.env.GH_ADMIN_TOKEN,
+ });
+
const owner = action.owner;
However, when running tests Jest complains that it needs --experimental-vm-modules
which can be solved by running e.g. NODE_OPTIONS="--experimental-vm-modules" npm run test
.
Alternatively, I'm also willing to look into porting the codebase to ESM, but that will take some more time.
Bumps @octokit/rest from 18.12.0 to 20.1.1.
Release notes
Sourced from
@octokit/rest
's releases.... (truncated)
Commits
7058346
fix: update REST endpoints (#428)b4e2102
ci(action): update actions/checkout digest to 0ad4b8f (#426)9d99a65
ci(action): update actions/checkout digest to 1d96c77 (#425)c751cb5
ci(action): update actions/add-to-project action to v1.0.1 (#424)792bb39
chore(deps): update dependency undici to v6.11.1 [security] (#421)9adf1a4
feat(security): Add provenance (#420)9ab9253
ci(action): update actions/add-to-project action to v1335f2d2
ci(action): update actions/add-to-project action to v0.6.1 (#418)8f0efe0
build(deps-dev): Bump follow-redirects from 1.15.4 to 1.15.6 (#416)5bf5fa6
build(deps-dev): Bump follow-redirects from 1.15.4 to 1.15.6 in /docs (#415)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show