mochajs / mocha

☕️ simple, flexible, fun javascript test framework for node.js & the browser
https://mochajs.org
MIT License

Transitive dependency on deprecated inflight package #5158

Closed skagedal closed 3 months ago

skagedal commented 4 months ago

As noted in this eslint issue, mocha has a transitive dependency to the deprecated, memory-leaking inflight package.

This is not a direct dependency of mocha, but comes in through several paths.

For some reason, I don't get the deprecation warning when I run npm install --ignore-scripts from current main (commit 2f3fedcc):

❯ npm i --ignore-scripts
npm warn deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm warn deprecated gulp-header@1.8.12: Removed event-stream from gulp-header
npm warn deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm warn deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm warn deprecated har-validator@5.1.5: this library is no longer supported
npm warn deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin.
npm warn deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm warn deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm warn deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm warn deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm warn deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm warn deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm warn deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm warn deprecated coffee-script@1.12.7: CoffeeScript on NPM has moved to "coffeescript" (no hyphen)
npm warn deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm warn deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm warn deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 1939 packages, and audited 1940 packages in 16s

However, the deprecated module inflight does get installed into node_modules. This issue exists to track its removal through various dependencies.

skagedal commented 4 months ago

Going through npm why inflight, these seem to be the top-level dependencies where it enters mocha:

❯ npm why inflight | grep "root project" | awk '{$1=$1};1' | sort | uniq
dev @11ty/eleventy@"^1.0.0" from the root project
dev @rollup/plugin-commonjs@"^21.0.2" from the root project
dev @rollup/plugin-multi-entry@"^4.0.1" from the root project
dev assetgraph-builder@"^9.0.0" from the root project
dev canvas@"^2.11.2" from the root project
dev eslint@"^8.56.0" from the root project
dev hyperlink@"^5.0.4" from the root project
dev karma-mocha-reporter@"^2.2.5" from the root project
dev karma-sauce-launcher@"^4.3.6" from the root project
dev karma@"^6.4.2" from the root project
dev markdownlint-cli@"^0.30.0" from the root project
dev nyc@"^15.1.0" from the root project
dev rimraf@"^3.0.2" from the root project
glob@"8.1.0" from the root project

(adding links to other issues here)
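As an added example (not mocha's own code and not from the thread), the same "which root dependency pulls this in?" question as an offline walk over a constructed package-lock.json: it lists the root project's direct dependencies whose installed subtree contains a given package, resolving nested node_modules copies the way npm does, so a dependency that ships its own newer glob is correctly left out.

```javascript
// Added example (not mocha's code): offline counterpart of the `npm why inflight | grep "root project"`
// pipeline, read from the "packages" map of a lockfileVersion 2/3 package-lock.json (sample constructed).
const lock = {
  lockfileVersion: 3,
  packages: {
    '': { devDependencies: { rimraf: '^3.0.2', eslint: '^8.56.0', nyc: '^15.1.0' } },
    'node_modules/rimraf': { version: '3.0.2', dependencies: { glob: '^7.1.3' } },
    'node_modules/nyc': { version: '15.1.0', dependencies: { glob: '^7.1.6' } },
    'node_modules/glob': { version: '7.2.3', dependencies: { inflight: '^1.0.4' } },
    'node_modules/inflight': { version: '1.0.6' },
    // eslint carries its own nested glob 8, which no longer depends on inflight
    'node_modules/eslint': { version: '8.56.0', dependencies: { glob: '^8.0.0' } },
    'node_modules/eslint/node_modules/glob': { version: '8.1.0' },
  },
};
// Node-style resolution inside the lockfile: try <base>/node_modules/<name>,
// then walk up one node_modules level at a time until the top level.
function resolveDep(packages, fromKey, name) {
  for (let base = fromKey; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. an optional or peer dependency)
    base = base.includes('/node_modules/') ? base.slice(0, base.lastIndexOf('/node_modules/')) : '';
  }
}
// Root direct dependencies (prod + dev) whose installed subtree contains `target`.
function entryPointsFor(lock, target) {
  const packages = lock.packages;
  const dependents = new Map(); // child key -> Set of keys that depend on it
  for (const [key, entry] of Object.entries(packages)) {
    const declared = { ...entry.dependencies, ...entry.optionalDependencies, ...(key === '' ? entry.devDependencies : {}) };
    for (const name of Object.keys(declared)) {
      const child = resolveDep(packages, key, name);
      if (child) (dependents.get(child) || dependents.set(child, new Set()).get(child)).add(key);
    }
  }
  // BFS over the reverse edges from every installed copy of the target (cycle-safe via `reaching`).
  const queue = Object.keys(packages).filter((k) => k.endsWith('node_modules/' + target));
  const reaching = new Set(queue);
  while (queue.length) {
    for (const parent of dependents.get(queue.shift()) || []) {
      if (!reaching.has(parent)) { reaching.add(parent); queue.push(parent); }
    }
  }
  return Object.entries({ ...packages[''].dependencies, ...packages[''].devDependencies })
    .filter(([name]) => reaching.has(resolveDep(packages, '', name)))
    .map(([name, spec]) => name + '@' + spec).sort();
}
console.log(entryPointsFor(lock, 'inflight')); // [ 'nyc@^15.1.0', 'rimraf@^3.0.2' ]
```

To run it against a real project, replace the constructed `lock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; the output is the same set of root dependencies `npm why` attributes to "the root project".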

JoshuaKGoldberg commented 3 months ago

Yeah, this comes in as a dependency of glob. Moving to a newer version is tracked in #5148. Thanks for filing!