Currently, deprecated packages show a short string with some information from the deprecated property. This often includes information about another package to migrate to, either due to a package rename or a fork. Unfortunately, this makes it hard or impossible to automate any sort of migration, in the same way that tools like Dependabot or Renovate can for version upgrades.
Allowing structured data in the deprecated property, with information about a replacement package or packages, would allow these tools to perform package migrations as well as package upgrades.
Example
Renovate currently has a manually curated list of these package migrations^1, and I am discussing whether or not this addition makes sense as part of the Open Source Vulnerability schema^2. I think there are definitely security applications for deprecated packages that have CVEs, it would also be useful for general package migrations.
How
Current Behaviour
The deprecated property in package.json currently only allows a string or boolean to show some information about what package to migrate to. For example:
"deprecated": "No longer supported. Migrate to @example/package-name"
Desired Behaviour
Allowing for structured data in the deprecated property would allow for automation to perform migrations in users code. For example:
"deprecated": {
"description": "No longer supported. Migrate to @example/package-name",
"migration": {
"name": "@example/package-name",
"version": "2.0.0"
}
}
Motivation ("The Why")
Currently, deprecated packages show a short string with some information from the
deprecated
property. This often includes information about another package to migrate to, either due to a package rename or a fork. Unfortunately, this makes it hard or impossible to automate any sort of migration, in the same way that tools like Dependabot or Renovate can for version upgrades.Allowing structured data in the
deprecated
property, with information about a replacement package or packages, would allow these tools to perform package migrations as well as package upgrades.Example
Renovate currently has a manually curated list of these package migrations^1, and I am discussing whether or not this addition makes sense as part of the Open Source Vulnerability schema^2. I think there are definitely security applications for deprecated packages that have CVEs, it would also be useful for general package migrations.
How
Current Behaviour
The
deprecated
property inpackage.json
currently only allows a string or boolean to show some information about what package to migrate to. For example:Desired Behaviour
Allowing for structured data in the
deprecated
property would allow for automation to perform migrations in users code. For example:References