open-cli-tools / concurrently

Run commands concurrently. Like `npm run watch-js & npm run watch-less` but better.
https://www.npmjs.com/package/concurrently
MIT License

Drop dependency on `spawn-command` #407

Closed mcmxcdev closed 3 months ago

mcmxcdev commented 1 year ago

We recently started using https://socket.dev/ as part of our dependencies maintenance and it flagged spawn-command as problematic due to it being unmaintained: https://socket.dev/npm/package/spawn-command

The last release was 8 years ago, so there are probably other solutions out there, or it could even be written with native Node.js nowadays.

gustavohenke commented 1 year ago

I'd take that warning with a grain of salt. Just because a package hasn't been updated in a while, is that really a problem?

I've been writing code for Node.js for more than a decade now, and the child_process API has been quite stable for a while. It's probably why spawn-command didn't need to update either.

See also: https://fagnerbrack.com/how-the-fuck-did-we-get-here-b9bac6ba7a0f

On another note, we briefly played with using a different package to spawn commands between v3.0.0 and v3.2.0. It was causing a couple of issues, so if we're to use a different package at all -- I'd like it to address #69. cc @paescuj

mcmxcdev commented 1 year ago

An old package itself is not a problem as long as it doesn't pull in any dependencies itself which become outdated, contain CVEs etc. Doesn't seem to be an issue with spawn-command from a quick look into our lockfile.

I simply opened this issue to raise awareness about it. If it is looked at and the conclusion is that everything is fine, even better :)

gustavohenke commented 1 week ago

Hi folks, this is now done in v9.0.0. https://github.com/open-cli-tools/concurrently/releases/tag/v9.0.0